Documentation
Complete reference for the Vemari CLI binary and all its features.
Overview
Vemari is a lightweight TCP tunneling system that enables secure access to remote services through a central proxy server. It operates in two modes:
Producer Mode
Expose a local service (database, web server, etc.) to be accessible through the proxy.
Consumer Mode
Access a remote service through a local port, as if it were running on your machine.
Quick Start
$ vemari -proxy proxy.example.com:8080 -produce mydb -target localhost:5432
$ vemari -proxy proxy.example.com:8080 -consume mydb -local 15432
Now connect to localhost:15432 and traffic will be tunneled to the remote database.
Produce Command
The -produce flag exposes a local service to be accessible through the proxy server.
Syntax
vemari -proxy <server:port> -produce <service-name> -target <local-address>
Parameters
| Flag | Description | Example |
|---|---|---|
| -proxy | Proxy server address | proxy.example.com:8080 |
| -produce | Unique name for the service | mydb, webapp |
| -target | Local address to expose | localhost:5432 |
Service Names Must Be Unique
Each service name must be unique across all connected producers. If a name is already taken, registration will fail.
Consume Command
The -consume flag creates a local listener that tunnels connections to a remote service.
Syntax
vemari -proxy <server:port> -consume <service-name> -local <port>
Parameters
| Flag | Description | Example |
|---|---|---|
| -proxy | Proxy server address | proxy.example.com:8080 |
| -consume | Name of service to connect to | mydb |
| -local | Local port to listen on | 15432 |
First-Time Identity Setup
On first use, you'll be prompted to enter a client name. This name identifies you to service producers for access control purposes.
List Services
Use the -list flag to discover available services on the proxy.
$ vemari -proxy proxy.example.com:8080 -list
This will display all registered services, their producers, and whether access control is enabled.
Access Control
Producers can enable access control to approve or deny connection requests from consumers. When enabled, each consumer must be approved before they can connect to the service.
How It Works
1. Consumer tries to connect to a protected service
2. Producer receives a notification with the consumer's name
3. Producer approves or denies the request
4. Decision is persisted - approved clients are remembered
Access Modes
Per-Client
Approve a client once, and all future connections from that client are automatically allowed.
Per-Connection
Each new TCP connection requires explicit approval, even from previously approved clients.
Revoking Access
Producers can revoke access from previously approved clients. When access is revoked:
- The client is moved to the denied list
- All active tunnels for that client are terminated immediately
- Future connection attempts will be denied
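The rules above (approval flow, the two access modes, and revocation) can be modeled in a few lines. This is an added example, not Vemari's own code: the class, method, and field names are hypothetical, and it assumes that a denial at the prompt is remembered in the same denied list that revocation uses.

```python
# Added illustration: a model of the access-control rules described above.
# All names here are hypothetical; this is not Vemari's implementation.
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PER_CLIENT = "per-client"          # approve once, remember the client
    PER_CONNECTION = "per-connection"  # prompt for every new TCP connection


@dataclass
class AccessPolicy:
    mode: Mode
    approved: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    tunnels: dict = field(default_factory=dict)  # client name -> open tunnel ids
    _next_id: int = 0

    def connect(self, client, ask_producer):
        """Return a tunnel id if the connection is allowed, else None.

        ask_producer(client) -> bool stands in for the producer's prompt.
        """
        if client in self.denied:
            return None  # denied or revoked clients are refused without a prompt
        remembered = client in self.approved and self.mode is Mode.PER_CLIENT
        if not remembered:
            if not ask_producer(client):
                # Assumption: a denial is persisted like an approval is.
                self.approved.discard(client)
                self.denied.add(client)
                return None
            self.approved.add(client)
        self._next_id += 1
        self.tunnels.setdefault(client, set()).add(self._next_id)
        return self._next_id

    def revoke(self, client):
        """Move the client to the denied list and close its tunnels.

        Returns the ids of the tunnels that were terminated.
        """
        self.approved.discard(client)
        self.denied.add(client)
        return self.tunnels.pop(client, set())
```

The point to check in any real deployment is the last method: revocation has to close tunnels that are already open, not only block new ones.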
Encryption
All communication between clients and the proxy server is encrypted end-to-end using AES-256-GCM.
Confidentiality
Data is unreadable to eavesdroppers
Integrity
Tampering is detected
Authenticity
Only authorized clients can connect
Client Identity
When consuming services, Vemari requires a client identity. This name is sent to producers so they know who is requesting access.
Configuration Location
~/.vemari/config
Config Format
{
  "client_name": "alice"
}
On first use, you'll be prompted to enter a name. This is then saved and used for all future connections.
Example: Database Access
Access a remote PostgreSQL database through Vemari:
On the database server:
vemari -proxy proxy:8080 -produce postgres -target localhost:5432
On your local machine:
vemari -proxy proxy:8080 -consume postgres -local 5433
Connect using psql:
psql -h localhost -p 5433 -U myuser -d mydb
Example: Web Services
Access a remote web application or API:
On the server running the web app:
vemari -proxy proxy:8080 -produce webapp -target localhost:3000
On your local machine:
vemari -proxy proxy:8080 -consume webapp -local 8080
Access the app:
curl http://localhost:8080