Remote Access
NetDefense provides secure remote access to your devices through the NDPathFinder relay. This works even when the device is behind NAT or a firewall, because NDAgent creates an on-demand outbound WebSocket connection to NDPathFinder, which is then used as a secure relay channel.
Connect to a Device
ndcli device connect fw-hq-primary
This command establishes a WebSocket tunnel through NDPathFinder to the device’s NDAgent and automatically launches an interactive shell session on the firewall.
In addition to terminal access, the same command also creates a local port-forwarding tunnel to the device’s web administration interface. You can open your browser and connect to the assigned local port to interact with the firewall’s web UI as if you were directly connected to the local network. The web administration tunnel establishes an automatically authenticated session, so no additional credentials are required.
If you only need terminal access and want to prevent the web administration tunnel from being created, use the --no-webadmin flag:
ndcli device connect fw-hq-primary --no-webadmin
You can select your preferred terminal session (the default OPNsense terminal menu or any available shell such as sh, csh, tcsh, etc.) by configuring the PathFinder options in the Advanced section of the OPNsense plugin.