Skip to main content

Standalone, split-tunnel Python client for UniFi Teleport (SSH/HTTP/SOCKS, no admin required)

Project description

telepy

A standalone, split-tunnel UniFi Teleport client - in pure Python.

telepy connects to your UniFi consoles over Teleport (the same NAT-traversed WireGuard path the official WiFiman app uses) and lets you SSH in, hit the local web UI/API, or proxy traffic to the LAN - without routing your whole machine through the remote site. Only the subnets you choose go over the tunnel; everything else stays on your normal connection.

No kernel WireGuard. No bundled binaries. No admin required for the everyday commands. Works where a self-hosted VPN can't (the official Teleport relay does the NAT traversal for you).

Built because WiFiman is full-tunnel only: the moment you connect, all your traffic goes through the remote console and you lose everything else - your other networks, your video call, the SSH session you were already in. telepy routes only what you ask it to.


Why

  • Split tunnel. Reach 10.13.0.1 on a remote console while your internet, LAN, and existing sessions stay exactly where they are.
  • No admin for daily use. ssh, http, and proxy run entirely in userspace (a small WireGuard + TCP/IP stack) - no network adapter, no routes, no root.
  • Scriptable. A clean Python API for automation: with telepy.open(name) as t: t.ssh("uptime").
  • Cross-platform. Linux, macOS, Windows. Great on a headless box.
  • Standalone. Doesn't need WiFiman installed; logs in with your UI account.

Install

# recommended for the CLI — isolated, puts the `telepy` command on your PATH:
uv tool install telepy-cli      # or:  pipx install telepy-cli

# or into the current environment (e.g. to use telepy as a library):
pip install telepy-cli

# or run it once without installing:
uvx --from telepy-cli telepy ls

The bare name telepy was already taken on PyPI, so the distribution is telepy-cli, while the installed command and the Python import are both telepy.

Requires Python 3.11+. First run, authenticate once (cached for later, including headless):

telepy login                # UI SSO + MFA (push "Yes, that's me" or a 6-digit code)

Usage

telepy ls                   # list your consoles

# userspace, no admin:
telepy ssh                  # pick a console, then host/user/password -> a shell
telepy ssh "My Console" --host 10.13.0.1 -- "uptime"     # one-off command
telepy http https://10.13.0.1/ --console "My Console"    # one-off HTTP(S) to the LAN
telepy proxy "My Console"   # local SOCKS5 (point your browser at 127.0.0.1:1080)

# system-wide TUN, needs admin/root:
sudo telepy tunnel "My Console"          # split: route only the safe subnets
sudo telepy tunnel "My Console" --full   # route ALL traffic (like WiFiman)

Omit the console name and telepy lists them interactively, automatically hiding the console you're physically behind.

As a library

from telepy import Telepy

tp = Telepy()
with tp.open("My Console") as t:           # userspace, no admin
    rc, out, err = t.ssh("uptime", host="10.13.0.1")
    sock = t.dial("192.168.1.1", 443)      # raw TCP to a LAN host
    status, headers, body = t.request("https://10.13.0.1/")
    srv = t.serve_socks(port=1080)         # local SOCKS5 over the tunnel

Two modes

ssh / http / proxy tunnel
Mechanism userspace WireGuard + TCP/IP stack OS TUN device + routes
Admin/root no yes
Scope per-connection (you choose targets) system-wide (any app)
Best for automation, headless boxes, quick access "make this machine feel on the LAN"

How it works

telepy is a clean-room reimplementation of the Teleport client protocol, built by observing my own network traffic, to consoles I administer, with my own credentials - no decompilation, no proprietary code, no DRM circumvention. It speaks the same wire formats the official client does:

  1. UI SSO login (+MFA) → short-lived cloud credentials.
  2. Cloud directory of your consoles and their LAN subnets.
  3. Teleport signaling (AWS IoT MQTT + cloud HTTPS) to exchange keys + ICE candidates.
  4. ICE/STUN NAT traversal, then a from-scratch WireGuard data plane (Noise handshake + ChaCha20-Poly1305 transport + rekey).
  5. A small userspace TCP/IP stack (with userspace TLS) for the no-admin path, or a TUN device for the system-wide path.

It deliberately routes only the subnets you select - subtracting the subnets of the site you're currently behind so local and remote addresses never collide.

Documentation

The docs/ directory explains, with genuine appreciation, how UniFi Teleport works end to end - and how telepy speaks the same protocol:

⚠️ Disclaimer

telepy is an independent, unofficial interoperability project. It is not affiliated with, authorized, or endorsed by Ubiquiti Inc. "UniFi", "WiFiman", and "Teleport" are trademarks of Ubiquiti Inc., used here only to describe what this software interoperates with.

Use it only with consoles you own or administer, and with your own account. Doing so may violate Ubiquiti's Terms of Service / EULA; that's between you and Ubiquiti. This software is provided as-is, with no warranty - it can change network routing and you use it entirely at your own risk.

No Ubiquiti code, binaries, or assets are included in this repository.

💌 A note to Ubiquiti

I genuinely love your gear - the hardware is gorgeous, the ecosystem is a joy, and Teleport's zero-config NAT traversal is honestly magic. This whole project exists for one reason:

Please, just add split tunneling to WiFiman. 🙏

That's it. That's the feature. The moment WiFiman lets me route a couple of subnets instead of my entire machine, I will happily archive this repo and go back to clicking your lovely button. Until then - here's a polite, clean-room, bring-your-own-credentials way to have it both ways.

(And if you'd rather I take this down, reach out - I'd much rather have the feature than the repo.)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

telepy_cli-0.1.0.tar.gz (177.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

telepy_cli-0.1.0-py3-none-any.whl (107.7 kB view details)

Uploaded Python 3

File details

Details for the file telepy_cli-0.1.0.tar.gz.

File metadata

  • Download URL: telepy_cli-0.1.0.tar.gz
  • Upload date:
  • Size: 177.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for telepy_cli-0.1.0.tar.gz
Algorithm Hash digest
SHA256 4d8e2779cfa49ed54529a3d0642c964afb35b119bc137d477efc64532fca7138
MD5 2521d1c71468d78cd6dbc75b7023e8f7
BLAKE2b-256 8c2481ce305ebcca23b904282195ebf74a53c3e8cbba15ba1aadc5d5388fd5c3

See more details on using hashes here.

Provenance

The following attestation bundles were made for telepy_cli-0.1.0.tar.gz:

Publisher: release.yml on darki73/telepy-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file telepy_cli-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: telepy_cli-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 107.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for telepy_cli-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b4ad68b92b64aaf25bf0e89e000a268f29a0b08fd8a5d8117069ffe3e66fa833
MD5 dda0c42bff589b77d917da4c1f90fb36
BLAKE2b-256 59fe419743524d6cd493c6fbca361bed1db379b6e19f206203eb20b1ec9facdc

See more details on using hashes here.

Provenance

The following attestation bundles were made for telepy_cli-0.1.0-py3-none-any.whl:

Publisher: release.yml on darki73/telepy-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page