LinuxCommandLibrary

chisel

TCP/UDP port forwarding over SSH

TLDR

Run a Chisel server

$ chisel server

Run a Chisel server listening to a specific port
$ chisel server [[-p|--port]] [server_port]

Run a chisel server that accepts authenticated connections using username and password
$ chisel server --auth [username]:[password]

Connect to a Chisel server and tunnel a specific port to a remote server and port
$ chisel client [server_ip]:[server_port] [local_port]:[remote_server]:[remote_port]

Connect to a Chisel server and tunnel a specific host and port to a remote server and port
$ chisel client [server_ip]:[server_port] [local_host]:[local_port]:[remote_server]:[remote_port]

Connect to a Chisel server using username and password authentication
$ chisel client --auth [username]:[password] [server_ip]:[server_port] [local_port]:[remote_server]:[remote_port]

Initialize a Chisel server in reverse mode on a specific port, also enabling SOCKS5 proxy (on port 1080) functionality
$ chisel server [[-p|--port]] [server_port] --reverse --socks5

Connect to a Chisel server at specific IP and port, creating a reverse tunnel mapped to a local SOCKS proxy
$ chisel client [server_ip]:[server_port] R:socks

SYNOPSIS

chisel server [OPTIONS]
chisel client [OPTIONS] <SERVER_ADDRESS> [REMOTES...]

<SERVER_ADDRESS>: The address of the chisel server (e.g., localhost:8080, example.com:80).
[REMOTES...]: One or more remote forwarding rules, similar to SSH's -L, -R, or -D options. Format examples: L:local_port:remote_host:remote_port, R:remote_port:local_host:local_port, SOCKS, http-proxy:local_port.

PARAMETERS

-p, --port <port>
    Specifies the listening port for the server or the server port for the client.

--reverse
    Enables reverse tunneling, allowing remote clients to connect to services on the client's network.

--socks5
    Activates a SOCKS5 proxy on the specified local port (client) or on the server side to be used by clients (server).

--http
    Activates an HTTP proxy on the specified local port (client) or on the server side to be used by clients (server).

--auth <user:pass>
    Sets basic authentication credentials for client connections or server-side authentication.

--proxy <proxy_addr>
    Specifies an upstream HTTP or SOCKS proxy for the client to connect through.

--log-level <level>
    Sets the logging verbosity (e.g., debug, info, warn, error).

--keep-alive <duration>
    Sets the interval for sending keep-alive packets to prevent connection timeouts (e.g., 30s).

--bind <addr>
    Specifies the network interface address for the server to listen on.

--max-sess <count>
    Limits the maximum number of concurrent client sessions the server will accept.

DESCRIPTION

chisel is a high-performance, cross-platform TCP/UDP tunnel, often referred to as a "fast SSH-like tunnel". It operates in two primary modes: server and client. Its main purpose is to establish secure and efficient network connections, typically used for bypassing firewalls, exposing internal services to the outside world, or creating secure back-channels through restrictive networks.

Unlike traditional SSH tunnels, chisel is designed for speed and simplicity, making it ideal for situations where a full SSH daemon is not available or desired, or when higher throughput is required. It can tunnel a variety of protocols, including HTTP proxies, SOCKS5 proxies, and raw TCP/UDP connections. chisel supports both local forwarding (connecting a local port to a remote service) and reverse forwarding (connecting a remote port to a local service), similar to SSH's -L and -R options. It uses a custom protocol over HTTP or raw TCP for data transmission, with optional basic authentication for security. Its small binary size and single-file distribution make it highly portable.

CAVEATS

chisel is not a full-fledged VPN solution and does not encrypt all network traffic by default; it only encrypts the tunnel itself. While it provides basic authentication, it lacks advanced security features like public-key authentication or granular access controls found in SSH. Performance can be influenced by network latency and bandwidth, though it's optimized for speed. Misuse can lead to security vulnerabilities if not properly configured, especially when exposing internal services to the public internet without proper access restrictions.

CLIENT MODE EXAMPLES

To create a local SOCKS5 proxy on port 1080 connected to a chisel server at example.com:8080:
`chisel client example.com:8080 socks`

To forward local port 8000 to remote host internal-db:5432 via the server:
`chisel client example.com:8080 8000:internal-db:5432`

SERVER MODE EXAMPLES

To start a chisel server listening on port 8080:
`chisel server --port 8080`

To start a server with authentication and enable reverse tunneling:
`chisel server --port 8080 --auth user:pass --reverse`

REVERSE TUNNELING

Reverse tunneling with chisel allows services on the client's network to be exposed to the server's network. The server must be started with the --reverse flag. Clients can then establish reverse tunnels using the R:remote_port:local_host:local_port syntax. For example, to expose the client's local web server on port 80 to the server's port 8080:
`chisel client example.com:8080 R:8080:localhost:80`
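As an added example (not chisel's own code and not from this page) covering both the remote syntax in the SYNOPSIS and the reverse tunnels described here: a parser for client remote specs that fills in chisel's defaults and warns when a spec would open a listener on every interface of the client or server host, which is the exposure the CAVEATS warn about. The default-filling rules (local host 0.0.0.0, or 127.0.0.1 for socks; local port equal to the remote port, 1080 for socks; remote host 0.0.0.0, meaning the server's localhost) are taken from chisel's README as I know it, not from this page.

```python
# Added example, not chisel's code: parse client remote specs such as
# "8000:internal-db:5432", "socks", "R:socks", "R:8080:localhost:80" and
# flag listeners bound to all interfaces. Defaults follow chisel's README
# as I recall it (an assumption): local host 0.0.0.0 (127.0.0.1 for socks),
# local port = remote port (1080 for socks), remote host 0.0.0.0.
from dataclasses import dataclass


@dataclass
class Remote:
    reverse: bool      # "R:" prefix: the listener opens on the server side
    local_host: str    # address the listener binds to
    local_port: int
    remote_host: str   # "socks" marks a dynamic SOCKS5 remote (no fixed target)
    remote_port: int   # 0 for socks


def parse_remote(spec: str) -> Remote:
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split(":")
    if not all(parts):
        raise ValueError(f"malformed remote: {spec!r}")
    if parts[-1] == "socks":          # socks | port:socks | host:port:socks
        head = parts[:-1]
        if len(head) > 2:
            raise ValueError(f"malformed socks remote: {spec!r}")
        host = head[0] if len(head) == 2 else "127.0.0.1"
        port = int(head[-1]) if head else 1080
        return Remote(reverse, host, port, "socks", 0)
    if len(parts) > 4:
        raise ValueError(f"too many fields in remote: {spec!r}")
    remote_port = int(parts[-1])                      # always required
    remote_host = parts[-2] if len(parts) >= 2 else "0.0.0.0"
    local_port = int(parts[-3]) if len(parts) >= 3 else remote_port
    local_host = parts[0] if len(parts) == 4 else "0.0.0.0"
    return Remote(reverse, local_host, local_port, remote_host, remote_port)


def audit_remote(spec: str) -> list[str]:
    """Return warnings for a remote spec; an empty list means nothing to flag."""
    r = parse_remote(spec)
    listener_side = "server" if r.reverse else "client"
    exit_side = "client" if r.reverse else "server"
    warnings = []
    if r.local_host in ("0.0.0.0", "::", "[::]"):
        warnings.append(f"{spec}: listener {r.local_host}:{r.local_port} binds every "
                        f"interface of the {listener_side} host; prefix 127.0.0.1: to keep it local")
    if r.remote_host == "socks":
        warnings.append(f"{spec}: dynamic SOCKS5 egress through the {exit_side}'s network; "
                        "require --auth so only intended clients can open it")
    return warnings
```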

HISTORY

chisel was created by jpillora and first released around 2014-2015. Its development aimed to address the need for a faster and simpler alternative to SSH for TCP/UDP tunneling, especially in environments where SSH might be blocked or overkill. It gained popularity for its ease of use, cross-platform compatibility (being written in Go), and its ability to quickly set up proxies and bypass firewalls. It continues to be actively maintained and used for its specific niche in network utility.

SEE ALSO

ssh(1), socat(1), netcat(1), proxychains(1)
