Skip to content

snsinfu/reverse-tunnel

Repository files navigation

Reverse tunnel TCP and UDP

Build Status Release MIT License

rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.

Build

Compiled binaries are available in the release page. To build your own ones, clone the repository and make:

$ git clone https://github.com/snsinfu/reverse-tunnel
$ cd reverse-tunnel
$ make

Or,

$ go build -o rtun github.com/snsinfu/reverse-tunnel/agent/cmd
$ go build -o rtun-server github.com/snsinfu/reverse-tunnel/server/cmd

Docker

Docker images are available:

Quick usage:

$ docker run -it \
  -p 8080:8080 -p 9000:9000 \
  -e RTUN_AGENT="8080/tcp @ samplebfeeb1356a458eabef49e7e7" \
  snsinfu/rtun-server

$ docker run -it --network host \
  -e RTUN_GATEWAY="ws://0.1.2.3:9000" \
  -e RTUN_KEY="samplebfeeb1356a458eabef49e7e7" \
  -e RTUN_FORWARD="8080/tcp:localhost:8080" \
  snsinfu/rtun

See docker image readme.

Usage

Gateway server

Create a configuration file named rtun-server.yml:

# Gateway server binds to this address to communicate with agents.
control_address: 0.0.0.0:9000

# List of authorized agents follows.
agents:
  - auth_key: a79a4c3ae4ecd33b7c078631d3424137ff332d7897ecd6e9ddee28df138a0064
    ports: [10022/tcp, 60000/udp]

You may want to generate auth_key with openssl rand -hex 32. Agents are identified by their keys and the agents may only use the whitelisted ports listed in the configuration file.

Then, start gateway server:

$ ./rtun-server

Now agents can connect to the gateway server and start reverse tunneling. The server and agent uses WebSocket for communication, so the gateway server may be placed behind an HTTPS reverse proxy like caddy. This way the tunnel can be secured by TLS.

Standalone TLS

rtun-server supports automatic acquisition and renewal of TLS certificate. Set control address to :443 and domain to the domain name of the public gateway server.

control_address: :443

lets_encrypt:
  domain: rtun.example.com

Non-root user can not use port 443 by default. You may probably want to allow rtun-server bind to privileged port using setcap on Linux:

sudo setcap cap_net_bind_service=+ep rtun-server

Agent

Create a configuration file named rtun.yml:

# Specify the gateway server.
gateway_url: ws://the-gateway-server.example.com:9000

# A key registered in the gateway server configuration file.
auth_key: a79a4c3ae4ecd33b7c078631d3424137ff332d7897ecd6e9ddee28df138a0064

forwards:
  # Forward 10022/tcp on the gateway server to localhost:22 (tcp)
  - port: 10022/tcp
    destination: 127.0.0.1:22

  # Forward 60000/udp on the gateway server to localhost:60000 (udp)
  - port: 60000/udp
    destination: 127.0.0.1:60000

And run agent:

$ ./rtun

Note: When you are using TLS on the server the gateway URL should start with wss:// instead of ws://. In this case, the port number should most likely be the default:

gateway_url: wss://the-gateway-server.example.com

License

MIT License.