• Stars
    star
    12,490
  • Rank 2,584 (Top 0.06 %)
  • Language
    Go
  • License
    MIT License
  • Created over 9 years ago
  • Updated 7 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A fast TCP/UDP tunnel over HTTP

Chisel

GoDoc CI

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

overview

Table of Contents

Features

  • Easy to use
  • Performant*
  • Encrypted connections using the SSH protocol (via crypto/ssh)
  • Authenticated connections; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
  • Client auto-reconnects with exponential backoff
  • Clients can create multiple tunnel endpoints over one TCP connection
  • Clients can optionally pass through SOCKS or HTTP CONNECT proxies
  • Reverse port forwarding (Connections go through the server and out the client)
  • Server optionally doubles as a reverse proxy
  • Server optionally allows SOCKS5 connections (See guide below)
  • Clients optionally allow SOCKS5 connections from a reversed port forward
  • Client connections over stdio which supports ssh -o ProxyCommand providing SSH over HTTP

Install

Binaries

Releases Releases

See the latest release or download and install it now with curl https://i.jpillora.com/chisel! | bash

Docker

Docker Pulls Image Size

docker run --rm -it jpillora/chisel --help

Fedora

The package is maintained by the Fedora community. If you encounter issues related to the usage of the RPM, please use this issue tracker.

sudo dnf -y install chisel

Source

$ go install github.com/jpillora/chisel@latest

Demo

A demo app on Heroku is running this chisel server:

$ chisel server --port $PORT --proxy http://example.com
# listens on $PORT, proxy web requests to http://example.com

This demo app is also running a simple file server on :3000, which is normally inaccessible due to Heroku's firewall. However, if we tunnel in with:

$ chisel client https://chisel-demo.herokuapp.com 3000
# connects to chisel server at https://chisel-demo.herokuapp.com,
# tunnels your localhost:3000 to the server's localhost:3000

and then visit localhost:3000, we should see a directory listing. Also, if we visit the demo app in the browser we should hit the server's default proxy and see a copy of example.com.

Usage

$ chisel --help

  Usage: chisel [command] [--help]

  Version: X.Y.Z

  Commands:
    server - runs chisel in server mode
    client - runs chisel in client mode

  Read more:
    https://github.com/jpillora/chisel

$ chisel server --help

  Usage: chisel server [options]

  Options:

    --host, Defines the HTTP listening host – the network interface
    (defaults the environment variable HOST and falls back to 0.0.0.0).

    --port, -p, Defines the HTTP listening port (defaults to the environment
    variable PORT and fallsback to port 8080).

    --key, (deprecated use --keygen and --keyfile instead)
    An optional string to seed the generation of a ECDSA public
    and private key pair. All communications will be secured using this
    key pair. Share the subsequent fingerprint with clients to enable detection
    of man-in-the-middle attacks (defaults to the CHISEL_KEY environment
    variable, otherwise a new key is generate each run).

    --keygen, A path to write a newly generated PEM-encoded SSH private key file.
    If users depend on your --key fingerprint, you may also include your --key to
    output your existing key. Use - (dash) to output the generated key to stdout.

    --keyfile, An optional path to a PEM-encoded SSH private key. When
    this flag is set, the --key option is ignored, and the provided private key
    is used to secure all communications. (defaults to the CHISEL_KEY_FILE
    environment variable). Since ECDSA keys are short, you may also set keyfile
    to an inline base64 private key (e.g. chisel server --keygen - | base64).

    --authfile, An optional path to a users.json file. This file should
    be an object with users defined like:
      {
        "<user:pass>": ["<addr-regex>","<addr-regex>"]
      }
    when <user> connects, their <pass> will be verified and then
    each of the remote addresses will be compared against the list
    of address regular expressions for a match. Addresses will
    always come in the form "<remote-host>:<remote-port>" for normal remotes
    and "R:<local-interface>:<local-port>" for reverse port forwarding
    remotes. This file will be automatically reloaded on change.

    --auth, An optional string representing a single user with full
    access, in the form of <user:pass>. It is equivalent to creating an
    authfile with {"<user:pass>": [""]}. If unset, it will use the
    environment variable AUTH.

    --keepalive, An optional keepalive interval. Since the underlying
    transport is HTTP, in many instances we'll be traversing through
    proxies, often these proxies will close idle connections. You must
    specify a time with a unit, for example '5s' or '2m'. Defaults
    to '25s' (set to 0s to disable).

    --backend, Specifies another HTTP server to proxy requests to when
    chisel receives a normal HTTP request. Useful for hiding chisel in
    plain sight.

    --socks5, Allow clients to access the internal SOCKS5 proxy. See
    chisel client --help for more information.

    --reverse, Allow clients to specify reverse port forwarding remotes
    in addition to normal remotes.

    --tls-key, Enables TLS and provides optional path to a PEM-encoded
    TLS private key. When this flag is set, you must also set --tls-cert,
    and you cannot set --tls-domain.

    --tls-cert, Enables TLS and provides optional path to a PEM-encoded
    TLS certificate. When this flag is set, you must also set --tls-key,
    and you cannot set --tls-domain.

    --tls-domain, Enables TLS and automatically acquires a TLS key and
    certificate using LetsEncrypt. Setting --tls-domain requires port 443.
    You may specify multiple --tls-domain flags to serve multiple domains.
    The resulting files are cached in the "$HOME/.cache/chisel" directory.
    You can modify this path by setting the CHISEL_LE_CACHE variable,
    or disable caching by setting this variable to "-". You can optionally
    provide a certificate notification email by setting CHISEL_LE_EMAIL.

    --tls-ca, a path to a PEM encoded CA certificate bundle or a directory
    holding multiple PEM encode CA certificate bundle files, which is used to 
    validate client connections. The provided CA certificates will be used 
    instead of the system roots. This is commonly used to implement mutual-TLS. 

    --pid Generate pid file in current working directory

    -v, Enable verbose logging

    --help, This help text

  Signals:
    The chisel process is listening for:
      a SIGUSR2 to print process stats, and
      a SIGHUP to short-circuit the client reconnect timer

  Version:
    X.Y.Z

  Read more:
    https://github.com/jpillora/chisel

$ chisel client --help

  Usage: chisel client [options] <server> <remote> [remote] [remote] ...

  <server> is the URL to the chisel server.

  <remote>s are remote connections tunneled through the server, each of
  which come in the form:

    <local-host>:<local-port>:<remote-host>:<remote-port>/<protocol>

    ■ local-host defaults to 0.0.0.0 (all interfaces).
    ■ local-port defaults to remote-port.
    ■ remote-port is required*.
    ■ remote-host defaults to 0.0.0.0 (server localhost).
    ■ protocol defaults to tcp.

  which shares <remote-host>:<remote-port> from the server to the client
  as <local-host>:<local-port>, or:

    R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>

  which does reverse port forwarding, sharing <remote-host>:<remote-port>
  from the client to the server's <local-interface>:<local-port>.

    example remotes

      3000
      example.com:3000
      3000:google.com:80
      192.168.0.5:3000:google.com:80
      socks
      5000:socks
      R:2222:localhost:22
      R:socks
      R:5000:socks
      stdio:example.com:22
      1.1.1.1:53/udp

    When the chisel server has --socks5 enabled, remotes can
    specify "socks" in place of remote-host and remote-port.
    The default local host and port for a "socks" remote is
    127.0.0.1:1080. Connections to this remote will terminate
    at the server's internal SOCKS5 proxy.

    When the chisel server has --reverse enabled, remotes can
    be prefixed with R to denote that they are reversed. That
    is, the server will listen and accept connections, and they
    will be proxied through the client which specified the remote.
    Reverse remotes specifying "R:socks" will listen on the server's
    default socks port (1080) and terminate the connection at the
    client's internal SOCKS5 proxy.

    When stdio is used as local-host, the tunnel will connect standard
    input/output of this program with the remote. This is useful when 
    combined with ssh ProxyCommand. You can use
      ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \
          [email protected]
    to connect to an SSH server through the tunnel.

  Options:

    --fingerprint, A *strongly recommended* fingerprint string
    to perform host-key validation against the server's public key.
	Fingerprint mismatches will close the connection.
	Fingerprints are generated by hashing the ECDSA public key using
	SHA256 and encoding the result in base64.
	Fingerprints must be 44 characters containing a trailing equals (=).

    --auth, An optional username and password (client authentication)
    in the form: "<user>:<pass>". These credentials are compared to
    the credentials inside the server's --authfile. defaults to the
    AUTH environment variable.

    --keepalive, An optional keepalive interval. Since the underlying
    transport is HTTP, in many instances we'll be traversing through
    proxies, often these proxies will close idle connections. You must
    specify a time with a unit, for example '5s' or '2m'. Defaults
    to '25s' (set to 0s to disable).

    --max-retry-count, Maximum number of times to retry before exiting.
    Defaults to unlimited.

    --max-retry-interval, Maximum wait time before retrying after a
    disconnection. Defaults to 5 minutes.

    --proxy, An optional HTTP CONNECT or SOCKS5 proxy which will be
    used to reach the chisel server. Authentication can be specified
    inside the URL.
    For example, http://admin:[email protected]:8081
            or: socks://admin:[email protected]:1080

    --header, Set a custom header in the form "HeaderName: HeaderContent".
    Can be used multiple times. (e.g --header "Foo: Bar" --header "Hello: World")

    --hostname, Optionally set the 'Host' header (defaults to the host
    found in the server url).

    --sni, Override the ServerName when using TLS (defaults to the 
    hostname).

    --tls-ca, An optional root certificate bundle used to verify the
    chisel server. Only valid when connecting to the server with
    "https" or "wss". By default, the operating system CAs will be used.

    --tls-skip-verify, Skip server TLS certificate verification of
    chain and host name (if TLS is used for transport connections to
    server). If set, client accepts any TLS certificate presented by
    the server and any host name in that certificate. This only affects
    transport https (wss) connection. Chisel server's public key
    may be still verified (see --fingerprint) after inner connection
    is established.

    --tls-key, a path to a PEM encoded private key used for client 
    authentication (mutual-TLS).

    --tls-cert, a path to a PEM encoded certificate matching the provided 
    private key. The certificate must have client authentication 
    enabled (mutual-TLS).

    --pid Generate pid file in current working directory

    -v, Enable verbose logging

    --help, This help text

  Signals:
    The chisel process is listening for:
      a SIGUSR2 to print process stats, and
      a SIGHUP to short-circuit the client reconnect timer

  Version:
    X.Y.Z

  Read more:
    https://github.com/jpillora/chisel

Security

Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key file, using the --keyfile option. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the --fingerprint option. See the --help above for more information.

Authentication

Using the --authfile option, the server may optionally provide a user.json configuration file to create a list of accepted users. The client then authenticates using the --auth option. See users.json for an example authentication configuration file. See the --help above for more information.

Internally, this is done using the Password authentication method provided by SSH. Learn more about crypto/ssh here http://blog.gopheracademy.com/go-and-ssh/.

SOCKS5 Guide with Docker

  1. Print a new private key to the terminal

    chisel server --keygen -
    # or save it to disk --keygen /path/to/mykey
  2. Start your chisel server

    jpillora/chisel server --keyfile '<ck-base64 string or file path>' -p 9312 --socks5
  3. Connect your chisel client (using server's fingerprint)

    chisel client --fingerprint '<see server output>' <server-address>:9312 socks
  4. Point your SOCKS5 clients (e.g. OS/Browser) to:

    <client-address>:1080
    
  5. Now you have an encrypted, authenticated SOCKS5 connection over HTTP

Caveats

Since WebSockets support is required:

  • IaaS providers all will support WebSockets (unless an unsupporting HTTP proxy has been forced in front of you, in which case I'd argue that you've been downgraded to PaaS)
  • PaaS providers vary in their support for WebSockets
    • Heroku has full support
    • Openshift has full support though connections are only accepted on ports 8443 and 8080
    • Google App Engine has no support (Track this on their repo)

Contributing

Changelog

  • 1.0 - Initial release
  • 1.1 - Replaced simple symmetric encryption for ECDSA SSH
  • 1.2 - Added SOCKS5 (server) and HTTP CONNECT (client) support
  • 1.3 - Added reverse tunnelling support
  • 1.4 - Added arbitrary HTTP header support
  • 1.5 - Added reverse SOCKS support (by @aus)
  • 1.6 - Added client stdio support (by @BoleynSu)
  • 1.7 - Added UDP support
  • 1.8 - Move to a scratchDocker image
  • 1.9 - Switch from --key seed to P256 key strings with --key{gen,file} + bump to Go 1.21 (by @cmenginnz)

License

MIT © Jaime Pillora

More Repositories

1

cloud-torrent

☁️ Cloud Torrent: a self-hosted remote torrent client
Go
5,744
star
2

xdomain

A pure JavaScript CORS alternative
JavaScript
3,072
star
3

overseer

Monitorable, gracefully restarting, self-upgrading binaries in Go (golang)
Go
2,276
star
4

notifyjs

Notify.js - A simple, versatile notification library
1,903
star
5

xhook

Easily intercept and modify XHR request and response
HTML
983
star
6

webproc

Wrap any program in a simple web-based user-interface
Go
725
star
7

docker-dnsmasq

dnsmasq in a docker container, configurable via a simple web UI
Dockerfile
723
star
8

go-tcp-proxy

A small TCP proxy written in Go
Go
694
star
9

backoff

Simple backoff algorithm in Go (golang)
Go
627
star
10

jquery.rest

A jQuery plugin for easy consumption of RESTful APIs
CoffeeScript
614
star
11

ipfilter

A package for IP Filtering in Go (golang)
Go
386
star
12

node-edit-google-spreadsheet

A simple API for editing Google Spreadsheets
JavaScript
304
star
13

base64-encoder

Base64 Encoder
HTML
260
star
14

installer

One-liner for installing binaries from Github releases
Go
200
star
15

node-torrent-cloud

Torrent Cloud – A self-hosted Bittorrent client in the Cloud
JavaScript
183
star
16

velox

Real-time Go struct to JS object synchronisation over SSE and WebSockets
Go
180
star
17

grunt-aws

A Grunt interface into the Amazon Node.JS SDK
JavaScript
174
star
18

opts

A Go (golang) package for building frictionless command-line interfaces
Go
162
star
19

verifyjs

Verify.js - A powerful, customizable asynchronous validation library
JavaScript
159
star
20

ssh-tron

Multiplayer Tron over SSH, written in Go
Go
143
star
21

go-ogle-analytics

Monitor your Go (golang) servers with Google Analytics
HTML
133
star
22

cloud-gox

A Go (golang) Cross-Compiler in the cloud
Go
132
star
23

media-sort

Automatically organise your movies and tv series
Go
118
star
24

go-tld

TLD Parser in Go
Go
114
star
25

node-load-tester

Simple load testing with Node.js
JavaScript
88
star
26

sshd-lite

A feature-light sshd(8) for Windows, Mac, and Linux written in Go
Go
85
star
27

csv-to-influxdb

Import CSV files into InfluxDB
Go
81
star
28

node-logbook

A simple, unobtrusive logger for Node
JavaScript
61
star
29

spy

Spy - Watches for file changes, restarts stuff
Go
61
star
30

go-and-ssh

Go and the Secure Shell protocol
Go
58
star
31

node-glob-all

Provide multiple patterns to node-glob
JavaScript
57
star
32

serve

Your personal HTTP file server in Go
Go
53
star
33

go-sandbox

An alternate frontend to the Go Playground
JavaScript
52
star
34

scraper

A dual interface Go module for building simple web scrapers
Go
50
star
35

node-google-sheets

Google Sheets v4 API using Node.js
JavaScript
44
star
36

dedup

A cross platform command-line tool to deduplicate files, fast
Go
42
star
37

archive

Archiver is a high-level API over Go's archive/tar,zip
Go
33
star
38

icmpscan

ICMP scan all hosts across a given subnet in Go (golang)
Go
29
star
39

hashedpassword

A small Go (Golang) package for hashed passwords
Go
26
star
40

gswg-examples

Getting Started with Grunt - Code Examples
JavaScript
25
star
41

webfont-downloader

A small web service which converts webfonts into zip archives
Go
24
star
42

aoc-in-go

A template repository for rapidly writing Advent of Code solutions in Go
Go
21
star
43

conncrypt

Symmetrically encrypt your Go net.Conns
Go
19
star
44

s3hook

Transparent Client-side S3 Request Signing
JavaScript
19
star
45

grunt-source

Reuse a Grunt environment across multiple projects
JavaScript
18
star
46

docker-cloud-torrent-openvpn

cloud-torrent and OpenVPN in a docker container
Shell
17
star
47

longestcommon

Longest common prefix/suffix across of list of strings in Go (Golang)
Go
16
star
48

mega-stream

Stream media content from Mega
JavaScript
14
star
49

node-gitlab-deploy

Deploy a Node server via a Gitlab Webhook
JavaScript
13
star
50

go-template

An automatic cross-compiling Go (golang) repository template using goreleaser and Github actions
Shell
13
star
51

ansi

Easy to use ANSI control codes
Go
12
star
52

subfwd

URL shortening via sub-domains, written in Go
HTML
12
star
53

js-play

A JavaScript playground/sandbox for learning, testing and prototyping
CSS
12
star
54

upnpctl

A small UPnP client
Go
11
star
55

go-echo-server

View your requests in JSON format
Go
10
star
56

node-echo-server

Responds with the JSONified Request
JavaScript
10
star
57

ddns-daemon

A Simple Dynamic DNS Daemon using Node.js and Route53
JavaScript
10
star
58

whos-home

ARP scan your subnet and POST findings
Go
10
star
59

uploader

A small server to receive files over HTTP
JavaScript
9
star
60

dynflare

DynamicDNS using Cloudflare
Go
9
star
61

pnode

peer-to-peer dnode over anything!
JavaScript
9
star
62

go433

Send and receive 433 MHz using a RaspberryPi and Go
Go
9
star
63

sockfwd

Forward a unix socket to a tcp socket
Go
9
star
64

vip

An IPv4 addressing Go (golang) module, based on uint32 instead of []byte
Go
8
star
65

ipflare

Find your public IP address according to Cloudflare
Go
8
star
66

node-ssh-http-agent

An HTTP agent for tunnelling through SSH connections
JavaScript
7
star
67

eventsource

An eventsource event encoder in Go (golang)
Go
7
star
68

sizestr

Pretty print byte counts in Go
Go
7
star
69

docker-caddy

Caddy in a docker container, configurable via a simple web UI
Dockerfile
7
star
70

sleep-on-lan

Send your computer to sleep via HTTP
JavaScript
7
star
71

requestlog

Simple request logging in Go (golang)
Go
6
star
72

pnode-store

A synchronized data store between connected Node.js applications
JavaScript
6
star
73

castlebot

🏰 A bot for your castle
Go
5
star
74

docker-vpn

Dockerized SoftEther VPN with a Web GUI
Shell
5
star
75

node-imdb-sort

Sort files based on IMDB data
CoffeeScript
5
star
76

jquery.prompt

Styled text prompts any element
CoffeeScript
5
star
77

gswg-io

Getting Started with Grunt - Homepage
HTML
5
star
78

compilejs

A mini Grunt.js for the browser
CoffeeScript
5
star
79

go-realtime

Keep your Go structs in sync with your JS objects
JavaScript
4
star
80

md-tmpl

Simple markdown templating using shell commands
Go
4
star
81

cookieauth

Cookie-based Basic-Authentication HTTP middleware for Go (golang)
Go
4
star
82

maplock

A map of locks in Go
Go
4
star
83

opts-examples

A Go (golang) package for building frictionless command-line interfaces
Go
4
star
84

go-mime

Extends pkg/mime with embedded mime types
Go
4
star
85

tranquil

Generate powerful RESTful JSON APIs
CoffeeScript
3
star
86

ipmath

IP Address Math in Go (golang)
Go
3
star
87

xtls

TLS utils
Go
3
star
88

puzzler

A programming puzzle framework in Go
Go
3
star
89

goff

Concatenate audio files, built with Go and FFmpeg
Go
3
star
90

prettyprinter

Simple Pretty Printer using Google's Prettify
HTML
3
star
91

github-badge-maker

Github Badge Maker
JavaScript
3
star
92

opts-talk

A talk on opts, for the Sydney Go Meetup
Go
3
star
93

grunt-source-web

A Grunt Source project to build optimized static websites
CoffeeScript
3
star
94

playground

Next version of https://js.jpillora.com
2
star
95

node-king

The king of your nodes - A powerful command and control center for your server infrastructure
JavaScript
2
star
96

bookshelf

Your personal bookshelf
HTML
2
star
97

debator-lander

Interactive and transparent debates online
2
star
98

webscan

Scans the entire Web for particular server types and devices
2
star
99

xmlfmt

A pure Go streaming XML formatter
Go
2
star
100

vigilant

Simple CLI tool for running multiple CLI tools in the same process
JavaScript
2
star