
jpillora / chisel

A fast TCP/UDP tunnel over HTTP

15,764 stars
1,564 forks
251 issues
Go, Makefile

Repository Overview (README excerpt)

Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Table of Contents

• Features
• Install
• Demo
• Usage
• Contributing
• Changelog
• License

Features

• Easy to use
• Performant*
• Encrypted connections using the SSH protocol (via )
• Authenticated connections; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
• Client auto-reconnects with exponential backoff
• Clients can create multiple tunnel endpoints over one TCP connection
• Clients can optionally pass through SOCKS or HTTP CONNECT proxies
• Reverse port forwarding (Connections go through the server and out the client)
• Server optionally doubles as a reverse proxy
• Server optionally allows SOCKS5 connections (See guide below)
• Clients optionally allow SOCKS5 connections from a reversed port forward
• Client connections over stdio which supports providing SSH over HTTP

Install

Binaries

See the latest release or download and install it now with

Docker

Fedora

The package is maintained by the Fedora community. If you encounter issues related to the usage of the RPM, please use this issue tracker.

Source

Demo

A demo app on Heroku is running this : This demo app is also running a simple file server on , which is normally inaccessible due to Heroku's firewall. However, if we tunnel in with: and then visit localhost:3000, we should see a directory listing. Also, if we visit the demo app in the browser we should hit the server's default proxy and see a copy of example.com.

Usage

Security

Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key file, using the option. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the option. See the above for more information.

Authentication

Using the option, the server may optionally provide a configuration file to create a list of accepted users. The client then authenticates using the option. See users.json for an example authentication configuration file. See the above for more information.

Internally, this is done using the Password authentication method provided by SSH. Learn more about here http://blog.gopheracademy.com/go-and-ssh/.

SOCKS5 Guide with Docker

• Print a new private key to the terminal
• Start your chisel server
• Connect your chisel client (using server's fingerprint)
• Point your SOCKS5 clients (e.g. OS/Browser) to:
• Now you have an encrypted, authenticated SOCKS5 connection over HTTP

Caveats

Since WebSockets support is required:

• IaaS providers all will support WebSockets (unless an unsupporting HTTP proxy has been forced in front of you, in which case I'd argue that you've been downgraded to PaaS)
• PaaS providers vary in their support for WebSockets
  • Heroku has full support
  • Openshift has full support though connections are only accepted on ports 8443 and 8080
  • Google App Engine has no support (Track this on their repo)

Contributing

• http://golang.org/doc/code.html
• http://golang.org/doc/effective_go.html
• contains the shared package
• contains the server package
• contains the client package

Changelog

• - Initial release
• - Replaced simple symmetric encryption for ECDSA SSH
• - Added SOCKS5 (server) and HTTP CONNECT (client) support
• - Added reverse tunnelling support
• - Added arbitrary HTTP header support
• - Added reverse SOCKS support (by @aus)
• - Added client stdio support (by @BoleynSu)
• - Added UDP support
• - Move to a Docker image
• - Bump to Go 1.21. Switch from seed to P256 key strings with (by @cmenginnz)
• - Bump to Go 1.22. Add and to releases. Fix bad version comparison.
• - Bump to Go 1.25.1. Update all dependencies.

License

MIT © Jaime Pillora
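
The server fingerprint check described under Security, sketched as an added example using only the Go standard library; it is not code from the chisel repository. It assumes the SHA256 is taken over the SSH wire encoding of a P-256 key (RFC 5656), and the names newServerKey, Fingerprint and VerifyPinned are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// newServerKey stands in for the key pair a server generates at start-up.
func newServerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sshString appends an SSH wire string: uint32 big-endian length, then bytes.
func sshString(dst, s []byte) []byte {
	return append(binary.BigEndian.AppendUint32(dst, uint32(len(s))), s...)
}

// Fingerprint returns base64(SHA256(key)) for a P-256 public key.
// Assumption: the hash input is the SSH wire encoding from RFC 5656.
func Fingerprint(pub *ecdsa.PublicKey) (string, error) {
	k, err := pub.ECDH() // uncompressed point: 0x04 || X || Y
	if err != nil {
		return "", err
	}
	blob := sshString(nil, []byte("ecdsa-sha2-nistp256"))
	blob = sshString(blob, []byte("nistp256"))
	blob = sshString(blob, k.Bytes())
	sum := sha256.Sum256(blob)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// VerifyPinned fails closed: an empty pin or any mismatch rejects the server.
func VerifyPinned(pub *ecdsa.PublicKey, pinned string) bool {
	fp, err := Fingerprint(pub)
	return err == nil && pinned != "" && fp == pinned
}

func main() {
	key, err := newServerKey()
	if err != nil {
		panic(err)
	}
	fp, _ := Fingerprint(&key.PublicKey)
	fmt.Println("fingerprint:", fp, "pinned match:", VerifyPinned(&key.PublicKey, fp))
}
```

A server started without a key file gets a fresh key, and therefore a new fingerprint, on every restart, so a client can only pin a fingerprint that stays stable when the server loads its key from a file.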