
chisel

TCP/UDP tunnel over HTTP secured via SSH

TLDR

Start server
$ chisel server --port [8080]
Start server with authentication
$ chisel server --authfile [users.json]
copy
Connect client with port forward
$ chisel client [server:8080] [local:3000:remote:80]
Reverse tunnel
$ chisel client [server:8080] R:[remote:8001:local:80]
SOCKS5 proxy
$ chisel client [server:8080] socks
Connect via HTTPS
$ chisel client https://[server] [8080:localhost:80]

SYNOPSIS

chisel server [options]
chisel client [options] server remote...

DESCRIPTION

chisel is a fast TCP/UDP tunnel transported over HTTP and secured via SSH. A single executable contains both client and server functionality. It uses WebSockets to multiplex connections, allowing multiple tunnels through a single HTTP connection.

The tool is useful for traversing firewalls, accessing services behind NAT, and creating reverse tunnels. It supports forward and reverse port forwarding as well as SOCKS5 proxy mode. Authentication can be configured with username/password pairs or an authentication file. Written in Go.

SERVER OPTIONS

-p, --port PORT
Listening port (default 8080).
--host HOST
Listening interface (default all).
--authfile FILE
Path to a JSON file mapping user:pass credentials to allowed remotes.
--auth USER:PASS
Single inline credential pair.
--reverse
Allow clients to request reverse tunnels (R:).
--socks5
Allow clients to request a SOCKS5 endpoint via the special socks remote.
--backend URL
Forward non-chisel HTTP requests hitting the server to this backend URL (useful to co-host chisel with a web server).
--keepalive DURATION
WebSocket keepalive interval (default 25s).
--key, --keygen, --keyfile
Manage the server's persistent SSH host key.
--tls-key, --tls-cert, --tls-ca, --tls-domain
Enable native TLS termination and client-cert verification.
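
An added example, not part of the original page or the chisel project: a small audit of an --authfile for over-broad grants. It assumes the upstream authfile layout (each key is user:pass, each value a list of regular expressions matched unanchored against host:port, or R:host:port for reverse tunnels, with "" or "*" meaning allow all); the sample file and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample authfile, not taken from the page. Assumed layout (upstream
# chisel): {"user:pass": ["<address regex>", ...]}, where "" or "*" allows all.
SAMPLE_AUTHFILE = r"""
{
  "admin:changeme": [""],
  "web:Xk9fq2LmP0rVd": ["^10\\.0\\.0\\.5:80$"],
  "ops:T7uwq84ZbnAe3": ["10.0.0.5:80", "^R:0\\.0\\.0\\.0:7000$"]
}
"""

ALLOW_ALL = ("", "*")


def audit_authfile(text):
    """Return sorted (user, finding) pairs for over-broad remote patterns."""
    findings = set()
    for cred, patterns in json.loads(text).items():
        user = cred.partition(":")[0]
        for pat in patterns:
            if pat in ALLOW_ALL:
                findings.add((user, "allow-all"))
            elif not (pat.startswith("^") and pat.endswith("$")):
                findings.add((user, "unanchored"))
            if "R:" in pat:  # user may open listeners on the server (--reverse)
                findings.add((user, "reverse-tunnel"))
    return sorted(findings)


def is_allowed(text, user, addr):
    """True if any of the user's patterns matches addr (unanchored search)."""
    for cred, patterns in json.loads(text).items():
        if cred.partition(":")[0] != user:
            continue
        for pat in patterns:
            if pat in ALLOW_ALL or re.search(pat, addr):
                return True
    return False


if __name__ == "__main__":
    for user, finding in audit_authfile(SAMPLE_AUTHFILE):
        print(f"{user}: {finding}")
    # The unanchored rule also admits a host and port the operator never listed.
    print(is_allowed(SAMPLE_AUTHFILE, "ops", "110.0.0.5:8080"))
```
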

CLIENT OPTIONS

--auth USER:PASS
Authenticate to the server.
--fingerprint HASH
Pin the expected server SSH key fingerprint.
--proxy URL
Dial through an upstream HTTP CONNECT or SOCKS5 proxy.
--header NAME: VAL
Extra HTTP header to add to the WebSocket handshake (repeatable).
--hostname HOST
Override the HTTP Host header.
--sni NAME
Override the TLS ServerName used during the handshake.
--keepalive DURATION
WebSocket keepalive interval.
--max-retry-count N, --max-retry-interval DURATION
Cap reconnection attempts and backoff.
--tls-ca FILE, --tls-skip-verify, --tls-key FILE, --tls-cert FILE
Control TLS verification and client-certificate authentication.

REMOTE SYNTAX

$ [<local-host>:]<local-port>[:<remote-host>:<remote-port>][/udp]
Defaults: local-host = 0.0.0.0, remote-host = 0.0.0.0, protocol = tcp. Prefix with R: for a reverse tunnel. Special values: socks (SOCKS5 endpoint, requires --socks5 on the server) and stdio:host:port (stdio-attached tunnel).

CAVEATS

Useful for bypassing firewalls. WebSocket support varies by PaaS provider.

Install:
$ curl https://i.jpillora.com/chisel! | bash

SEE ALSO

ssh(1), socat(1), ngrok(1)
