Web Tunnel Browser
Web Tunnel Browser lets a Codux Desktop controller open web apps that are running on a paired remote host. It is designed for dev servers such as Vite, Next.js, Astro, Rails, Laravel, or any other HTTP app that binds to the host machine.
When you click the globe Web Tunnel Browser button in a remote project, Codux opens a proxy-isolated Chromium browser. That browser sends HTTP, HTTPS, WebSocket, and HMR traffic through the encrypted Iroh link to the host.
What it solves
Section titled “What it solves”If the host runs a dev server at:
http://127.0.0.1:5173/that address is the host’s localhost, not the desktop controller’s localhost. Open the same URL in Web Tunnel Browser and Codux resolves it on the host side.
The same tunnel also works for:
localhostand127.0.0.1services running on the host- LAN addresses reachable from the host
.localnames- VPN routes visible to the host
- development domains bound by the host’s DNS or
/etc/hosts - HTTPS, WebSocket, and HMR upgrade traffic
Open the diagnostic page
Section titled “Open the diagnostic page”Every codux-agent 2.0+ host serves a built-in diagnostic page:
http://127.0.0.1:8765/Click the globe Web Tunnel Browser button. Codux opens this page by default so you can verify:
- tunnel health
- live round-trip latency
- whether the browser is actually using the Web Tunnel proxy
Testing on one computer still exercises the same tunnel path. To verify real
cross-machine reachability, run codux-agent on a different machine and connect
to it from Codux Desktop.
Browser behavior
Section titled “Browser behavior”Codux intentionally opens a Chromium-based browser with a temporary, proxy-isolated profile. This keeps the Web Tunnel proxy separate from your normal browser session and avoids changing your system browser proxy settings.
Codux tries installed Chromium browsers in this order on macOS:
- Google Chrome
- Chromium
- Microsoft Edge
- Brave Browser
If none is available, Codux shows an error instead of falling back to Safari or the system default browser, because Safari cannot reliably launch a per-window proxy-isolated session.
Security boundary
Section titled “Security boundary”The local 127.0.0.1 proxy listener on the controller is only the browser entry
point into the encrypted tunnel. It is not the target server and does not mean
the requested URL is resolved on the controller. The target host, DNS, and
network reachability are evaluated by the paired Codux host.