- 20.7k stars, sub-300ms WebRTC, Apache-2.0.
- Neko runs a real browser in a Docker container and streams it to your team — perfect for OSINT link analysis, jump-host access, and collaborative work without leaking a single cookie to the endpoint.
TL;DR
Neko (m1k1o/neko) is a self-hosted virtual browser that runs in Docker and streams over WebRTC at under 300ms latency. One container, many users, full mouse/keyboard sharing. It started as a watch-party tool to replace rabb.it — but in 2026 it's become a quiet favorite for OSINT investigators, red teamers, and ops teams who need a disposable browser that leaks nothing to the endpoint. 20.7k stars, Apache-2.0, runs on a Raspberry Pi or an NVIDIA box.
What it is, in one paragraph
Neko boots Firefox, Chrome, Brave, Tor, Vivaldi, Edge, Waterfox, Opera, or Ungoogled-Chromium — or a full XFCE/KDE desktop, or VLC, or Remmina — inside a Linux container, then streams the desktop to your browser via WebRTC with synchronized audio. Multiple participants can join the same room and the host hands out control like a remote presenter. Because only video and audio leave the container, nothing the browser does ever touches the client machine: no cookies, no cache, no history, no fingerprint.
Why it matters
Most “remote browser” stories you've seen are paid SaaS (Hyperbeam, Mighty, Browserless cloud). Neko is the open-source equivalent that you run yourself — on a $40 Raspberry Pi if you want, or an NVIDIA-equipped node if you're running it for a team. The combination of WebRTC + multi-user control + real Linux apps is genuinely rare in FOSS. Apache Guacamole and noVNC stream images over WebSockets, have no real audio, and don't do native multi-participant control. Neko fixes all three at once.
Technical facts
- Latency: <300ms WebRTC, smooth video, synchronized audio.
- Stack: Go 1.24/1.25 backend, Pion WebRTC v3, GStreamer pipelines, custom X11 input drivers, Vue 3 + TypeScript client.
- Latest release: v3.1.0 — base bumped to Debian Trixie, Chromium now runs no-sandbox so
--cap-add=NET_ADMINis no longer required. - Multi-arch:
linux/amd64,linux/arm64,linux/arm/v7. Raspberry Pi works. - GPU acceleration: NVIDIA NVENC h264 encoding + VirtualGL 3.1 for Chromium.
- Surface area: REST API with OpenAPI 3.0, Prometheus metrics, Go plugin system, embeddable iframe via
?embed=1, auto-join links via?pwd=. - Auth (v3): multi-method auth, persistent cookie sessions, granular per-user permissions (mute chat, block uploads, etc.).
- Stream knobs:
VIDEO_BITRATE,AUDIO_BITRATE,MAX_FPS(set to 0 for real 60fps). Adaptive bitrate experimental. - Distribution: 36 Docker packages on ghcr.io, 500K+ pulls on Docker Hub, 57 contributors.
How it stacks up
| Solution | Streaming | Audio | Multi-user control | Self-host | Embeddable API |
|---|---|---|---|---|---|
| Neko | WebRTC <300ms | Built-in | Native | Yes (Apache-2.0) | Yes |
| Apache Guacamole | Images / WebSocket | None | No | Yes | Limited |
| noVNC + websockify | Images / WebSocket | None | No | Yes | No |
| Hyperbeam | WebRTC | Yes | Yes | No (SaaS) | Yes (paid) |
| Kasm Workspaces | WebRTC / Web | Yes | Limited | Yes (community / paid) | Limited |
Where it actually shines
OSINT & threat intel
Drop a suspicious URL into a Neko-hosted Tor Browser. The container handles any drive-by exploit, any fingerprinting attempt, any tracking pixel. When you close the room, the container is destroyed and nothing made it to your laptop. To your ISP, the traffic looks like a video call. Combine with a VPN for additional anonymity.
Secure jump host without a VPN
Expose Neko in front of internal admin panels, databases, and dashboards. Engineers reach them through a browser tab. Only video and audio leave the bastion — no session tokens, no cookies, no DB credentials ever touch the endpoint. If a laptop is compromised, the attacker can't pivot. Bonus: every session can be RTMP-recorded for compliance audit trails.
Collaborative debugging & demos
Three engineers join the same room. One drives, the others watch and chime in — or the host grants control mid-call. Same flow works for product demos to clients without ever shipping the underlying code: only pixels travel.
Browser automation with a human override
Install Playwright or Puppeteer inside the container. Watch the script run from outside. When it stalls on a CAPTCHA or a UI change, just take control and unstick it manually.
The original use case still works
Watch parties, interactive presentations, classroom teaching, even running it inside VRChat — all still first-class.
Limitations & pricing
Cost: $0. Apache-2.0. You only pay for the box.
- An active crypto-token scam on X/Twitter is impersonating the project. The real Neko project has no Twitter account and no crypto involvement — the homepage explicitly warns about this.
- AV1 pipeline ships but doesn't work — encoding is too slow today; stick with h264 (NVENC if you have a GPU).
- iOS audio needs iOS 15 or newer.
- v3.0 shipped a backend rewrite ahead of the client refresh, so a few new server features aren't exposed in the UI yet (clarified in the v3.1 docs).
- Strict firewalls that block WebRTC fall back to a WebSocket screencast — functional, but you lose the smoothness.
What's next
The roadmap signals worth watching: stabilizing webcam and microphone passthrough, adaptive bitrate going from experimental to default, and a long-discussed mode where Neko acts as a pure WebRTC relay in front of arbitrary RDP/VNC backends — turning Neko into a universal “web frontend for any remote desktop.” The sister projects (neko-rooms for multi-room orchestration with zero-knowledge HTTPS install, neko-apps for community-packaged Docker images, plus neko-vpn) make it realistic to deploy a small in-house Hyperbeam clone in an afternoon.
Sources: m1k1o/neko on GitHub, neko.m1k1o.net, v3 docs, v3.1.0 release notes.
