Complete guide to using SocketZero.
SocketZero creates secure tunnels from your local machine to services running in remote networks. Unlike traditional VPNs that give you network-wide access, SocketZero uses a Zero Trust model where each service requires explicit authorization.
- Profile - A saved connection to a SocketZero receiver
- Receiver - Server running inside the remote network
- Service - A remote application or resource (SSH server, database, web app, etc.)
- Tunnel - An encrypted connection from your machine to a specific service
Profiles store your receiver connection details. You can have multiple profiles for different networks (work, staging, production, etc.).
- Click "Add Profile"
- Fill in:
- Hostname: Your receiver URL (with or without port)
- Label: Friendly name for this profile
- Click "Add"
- Select the profile in the sidebar
- Click the edit icon (✏️)
- Update the label or hostname
- Click "Save"
- Select the profile
- Click the delete icon (🗑️)
- Confirm deletion
Drag and drop profiles in the sidebar to change their order.
- Select a profile from the sidebar
- Click "Connect"
- Authenticate when prompted
- Wait for the connection to establish
Status indicators:
- 🟢 Green: Connected
- 🟡 Yellow: Connecting
- 🔴 Red: Disconnected
⚠️ Orange: Authentication required
Click "Disconnect" in the profile panel. This closes all active tunnels for that profile.
SocketZero automatically reconnects if:
- Your network connection drops briefly
- The receiver restarts
- Your laptop wakes from sleep
If reconnection fails, you'll need to click "Connect" manually.
Once connected, you'll see available services as tiles in the main panel.
SocketZero supports multiple service types:
| Type | Icon | Description | Example |
|---|---|---|---|
| SSH | 🖥️ | SSH access to remote servers | ssh dev.internal |
| HTTP | 🌐 | Web applications | Open in browser |
| Database | 🗄️ | MySQL, PostgreSQL, etc. | Connect via client |
| Custom | 🔧 | Any TCP/UDP service | Custom port forwarding |
Click on any service tile. The tunnel details will appear:
Service: Dev Server
Local: ssh dev.internal
Status: Connected
ssh username@dev.internalThe hostname dev.internal is made available by SocketZero. It resolves to 127.0.0.1 with the tunnel active.
Click the service tile and a browser window opens automatically. The URL will look like:
http://myapp.local:8080
Connect using your database client with the tunnel hostname:
Host: postgres.internal
Port: 5432
User: your_username
Tunnels close automatically when:
- You disconnect from the receiver
- You quit SocketZero
- The receiver shuts down the service
You can also close individual tunnels by clicking the "X" icon on the service tile.
SocketZero uses OAuth 2.0 for authentication. Your organization configures the identity provider (Keycloak, Okta, etc.).
- Click "Connect" on a profile
- Your browser opens to the login page
- Enter your credentials
- Grant SocketZero access
- Return to the app (it detects authentication automatically)
Authentication sessions last 24 hours by default. After expiration, you'll need to re-authenticate.
Click "Logout" in the profile menu to clear your session. You'll need to re-authenticate on the next connection.
Some services allow custom local port mapping. Check the service configuration to see if this is available.
You can connect to multiple profiles simultaneously. Each profile maintains its own set of tunnels.
Enable debug mode to see detailed connection logs:
macOS:
export SOCKETZERO_DEBUG=1
./Applications/SocketZero.app/Contents/MacOS/SocketZeroWindows:
set SOCKETZERO_DEBUG=1
socketzero.exeLinux:
SOCKETZERO_DEBUG=1 socketzeroLogs are written to:
- macOS:
~/Library/Logs/SocketZero/ - Windows:
%APPDATA%\SocketZero\logs\ - Linux:
~/.config/socketzero/logs/
Advanced users can edit the SocketZero config directly:
Location:
- Default:
~/socketzero.config - Override: Set
SOCKETZERO_CONFIG_FILEenvironment variable
Format: JSON
{
"profiles": [
{
"id": "uuid-here",
"hostname": "receiver.example.com:9997",
"label": "Production",
"index": 0
}
],
"lastSelectedProfileId": "uuid-here"
}