Skip to navigationSkip to content
libvirtd docs
Commands

Manual nav

Search `/` or jump with `g` / `G`.

Portal

  • Home manual
  • Command explorer
Foundations6 sections
  • Overview1
  • Installation2
  • Platform1
  • Concepts5
  • Domains2
  • Domain XML2
Subsystems9 sections
  • Identity1
  • Automation2
  • Daemons3
  • virsh3
  • Networking5
  • Storage4
  • Security3
  • Observability2
  • Remote Access1
Operations6 sections
  • Migration2
  • Backup2
  • Performance3
  • Recovery1
  • Troubleshooting2
  • References2

/ search · g top · G quickstart

manremote-accessReviewed March 6, 2026

Remote TLS, TCP, and auth basics

Remote libvirt access can travel over SSH or over TLS/TCP. SSH is usually the simplest path. TLS/TCP is the right fit when you want a managed API endpoint, certificate identity, and central auth policy. Transport choices

tlstcpsaslvirtproxyd

Remote libvirt access can travel over SSH or over TLS/TCP. SSH is usually the simplest path. TLS/TCP is the right fit when you want a managed API endpoint, certificate identity, and central auth policy.

Transport choices

  • qemu+ssh://user@host/system: simple and secure, piggybacks on SSH access.
  • qemu+tls://host/system: certificate-based transport, often paired with SASL or policy controls.
  • Plain TCP without protection is for lab-only scenarios and usually not acceptable in production.

Core TLS settings

/etc/libvirt/virtproxyd.confini
listen_tls = 1
listen_tcp = 0
auth_tls = "sasl"

What to verify first

BASH
systemctl status virtproxyd.socket virtproxyd-tls.socket
ss -ltnp | grep 16514
virsh -c qemu+tls://hv-a/system hostname

virtproxyd-tls.socket

Check virtproxyd-tls.socket when a TLS client cannot establish the remote API session at all.

Auth layers

Connection success depends on more than certificates. The stack can include listener state, certificate trust, SASL, and local authorization policy on the destination host.

Related

  • virtqemud and virtproxyd roles
  • virsh connection URIs
  • Troubleshooting playbook

On this page

  • Transport choices
  • Core TLS settings
  • What to verify first
  • virtproxyd-tls.socket
  • Auth layers