A secure, stable and high-performance reverse proxy for NAT traversal, written in Rust
- High Performance: Much higher throughput can be achieved than frp, and it is more stable when handling a large volume of connections. See Benchmark.
- Low Resource Consumption: Consumes much less memory than similar tools. See Benchmark. The binary can be as small as ~500KiB to fit the constraints of devices, like embedded devices such as routers.
- Security: Tokens of services are mandatory and service-wise. The server and clients are responsible for their own configs. With the optional Noise Protocol, encryption can be configured at ease. No need to create a self-signed certificate! TLS is also supported.
- Hot Reload: Services can be added or removed dynamically by hot-reloading the configuration file. HTTP API is WIP.
The usage of `rathole` is very similar to frp. If you have experience with the latter, then the configuration is very easy for you. The only difference is that the configuration of a service is split into the client side and the server side, and a token is mandatory.

To use `rathole`, you need a server with a public IP, and a device behind the NAT, where some services need to be exposed to the Internet.

Assuming you have a NAS at home behind the NAT, and want to expose its ssh service to the Internet:
- On the server which has a public IP

Create `server.toml` with the following content and accommodate it to your needs.

```toml
# server.toml
[server]
bind_addr = "0.0.0.0:2333" # `2333` specifies the port that rathole listens for clients

[server.services.my_nas_ssh]
token = "use_a_secret_that_only_you_know" # Token that is used to authenticate the client for the service. Change to an arbitrary value.
bind_addr = "0.0.0.0:5202" # `5202` specifies the port that exposes `my_nas_ssh` to the Internet
```
- On the host which is behind the NAT (your NAS)

Create `client.toml` with the following content and accommodate it to your needs.

```toml
# client.toml
[client]
remote_addr = "myserver.com:2333" # The address of the server. The port must be the same as the port in `server.bind_addr`

[client.services.my_nas_ssh]
token = "use_a_secret_that_only_you_know" # Must be the same as the server to pass the validation
local_addr = "127.0.0.1:22" # The address of the service that needs to be forwarded
```
- Now the client will try to connect to the server `myserver.com` on port `2333`, and any traffic to `myserver.com:5202` will be forwarded to the client's port `22`.

So you can run `ssh -p 5202 myserver.com` to ssh to your NAS.
`rathole` can automatically determine whether to run in the server mode or the client mode, according to the content of the configuration file, if only one of the `[server]` and `[client]` blocks is present, like the example in Quickstart.

But the `[client]` and `[server]` blocks can also be put in a single file. Then on the server side, run `rathole --server config.toml` and on the client side, run `rathole --client config.toml` to explicitly tell `rathole` the running mode.
Before heading to the full configuration specification, it's recommended to skim the configuration examples to get a feeling of the configuration format.

See Security for more details about encryption and the

Here is the full configuration specification:
```toml
[client]
remote_addr = "example.com:2333" # Necessary. The address of the server
default_token = "default_token_if_not_specify" # Optional. The default token of services, if they don't define their own ones

[client.transport] # The whole block is optional. Specify which transport to use
type = "tcp" # Optional. Possible values: ["tcp", "tls", "noise"]. Default: "tcp"

[client.transport.tls] # Necessary if `type` is "tls"
trusted_root = "ca.pem" # Necessary. The certificate of CA that signed the server's certificate
hostname = "example.com" # Optional. The hostname that the client uses to validate the certificate. If not set, fallback to `client.remote_addr`

[client.transport.noise] # Noise protocol. See `docs/security.md` for further explanation
pattern = "Noise_NK_25519_ChaChaPoly_BLAKE2s" # Optional. Default value as shown
local_private_key = "key_encoded_in_base64" # Optional
remote_public_key = "key_encoded_in_base64" # Optional

[client.services.service1] # A service that needs forwarding. The name `service1` can change arbitrarily, as long as it is identical to the name in the server's configuration
type = "tcp" # Optional. The protocol that needs forwarding. Possible values: ["tcp", "udp"]. Default: "tcp"
token = "no matter" # Necessary if `client.default_token` not set
local_addr = "127.0.0.1:1081" # Necessary. The address of the service that needs to be forwarded

[client.services.service2] # Multiple services can be defined
local_addr = "127.0.0.1:1082"

[server]
bind_addr = "0.0.0.0:2333" # Necessary. The address that the server listens for clients. Generally only the port needs to be changed.
default_token = "default_token_if_not_specify" # Optional

[server.transport] # Same as `[client.transport]`
type = "tcp"

[server.transport.tls] # Necessary if `type` is "tls"
pkcs12 = "name.pfx" # Necessary. pkcs12 file of server's certificate and private key
pkcs12_password = "password" # Necessary. Password of the pkcs12 file

[server.transport.noise] # Same as `[client.transport.noise]`
pattern = "Noise_NK_25519_ChaChaPoly_BLAKE2s"
local_private_key = "key_encoded_in_base64"
remote_public_key = "key_encoded_in_base64"

[server.services.service1] # The service name must be identical to the client side
type = "tcp" # Optional. Same as the client `[client.services.X.type]`
token = "no matter" # Necessary if `server.default_token` not set
bind_addr = "0.0.0.0:8081" # Necessary. The address that the service is exposed at. Generally only the port needs to be changed.

[server.services.service2]
bind_addr = "0.0.0.0:8082"
```
`rathole`, like many other Rust programs, uses environment variables to control the logging level. `info`, `warn`, `error`, `debug`, `trace` are available.

```
RUST_LOG=error ./rathole config.toml
```

will run `rathole` with only error level logging.

If `RUST_LOG` is not present, the default logging level is
rathole has similar latency to frp, but can handle more connections and provide larger bandwidth, with less memory usage.
See also Benchmark.
rathole is under active development. A load of features is on the way:
- TLS support
- UDP support
- Hot reloading
- HTTP APIs for configuration