LinuxCommandLibrary

chisel

TCP/UDP port forwarding over SSH

TLDR

Run a Chisel server

$ chisel server

Run a Chisel server listening to a specific port
$ chisel server [[-p|--port]] [server_port]

Run a Chisel server that accepts authenticated connections using a username and password
$ chisel server --auth [username]:[password]

Connect to a Chisel server and tunnel a specific port to a remote server and port
$ chisel client [server_ip]:[server_port] [local_port]:[remote_server]:[remote_port]

Connect to a Chisel server and tunnel a specific host and port to a remote server and port
$ chisel client [server_ip]:[server_port] [local_host]:[local_port]:[remote_server]:[remote_port]

Connect to a Chisel server using username and password authentication
$ chisel client --auth [username]:[password] [server_ip]:[server_port] [local_port]:[remote_server]:[remote_port]

Initialize a Chisel server in reverse mode on a specific port, also enabling SOCKS5 proxy (on port 1080) functionality
$ chisel server [[-p|--port]] [server_port] --reverse --socks5

Connect to a Chisel server at specific IP and port, creating a reverse tunnel mapped to a local SOCKS proxy
$ chisel client [server_ip]:[server_port] R:socks

SYNOPSIS

chisel server [-p port] [--auth user:pass] ...
chisel client remotehost:remoteport [[R:]local:remote] [--socks5] ...

PARAMETERS

-h, --help
    Show help

-v, --version
    Print version

--auth user:pass
    Basic auth (visible in process list)

--authfile file
    File with username:password pairs

--debug
    Enable verbose logging

--fingerprint hex
    Expected server fingerprint

--headerdown key=value
    Custom header from client to server

--headerup key=value
    Custom header from server to client

--host addr
    Listen host (default 0.0.0.0)

--keepalive secs
    Keepalive period (default 10s)

--key base64
    Private key (auto-generates if unset)

--max num
    Max parallel tunnels (default 1024)

--port, -p uint16
    Listen port (default 8080)

--proxy url
    HTTP proxy URL

--socks5
    Client: expose SOCKS5 on stdout

--timeout secs
    Connect timeout (default 5s)

--useragent string
    Custom User-Agent header

DESCRIPTION

Chisel is a lightweight, fast tool for creating TCP and UDP tunnels using HTTP as the transport protocol. It excels at bypassing firewalls, NAT traversal, and exposing local services securely.

In operation, run chisel server on a public host to listen for connections. Then use chisel client from behind a firewall to forward ports or create reverse tunnels. Chisel supports normal tunnels (local to remote) and reverse tunnels (remote to local) via the R: prefix.

Key features include HTTP/2 multiplexing for high performance, optional authentication (--auth or --authfile), keepalive pings, SOCKS5 proxy support, and customizable headers. Tunnels are encrypted with Noise protocol using a generated or provided key.

Ideal for development, remote access, CI/CD pipelines, and pentesting. Binaries are statically linked, portable across Linux distros, and require no root privileges. Performance rivals SSH tunnels, with a simpler setup.

CAVEATS

Not installed by default; download the binary from GitHub. Avoid --auth in production, because the credentials are visible in the process list; use --authfile instead. Exposed servers without authentication risk abuse. UDP tunnels are limited to client-side initiation.
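
The two risks named above, inline --auth credentials and servers running without authentication, can be checked from a process listing. The script below is an added example, not part of chisel or of the original page; the function name audit_chisel and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the chisel project): flag risky chisel command lines.
# Input: one command line per line on stdin, e.g. from `ps -eo args`.

audit_chisel() {
    while IFS= read -r cmdline; do
        mode="" inline_auth=0 has_auth=0 reverse=0 prev=""
        set -f                               # split on whitespace, no globbing
        for word in $cmdline; do
            if [ -z "$mode" ]; then
                case "$prev" in
                    chisel|*/chisel) mode=$word ;;   # word after the binary: server|client
                esac
            fi
            case "$word" in
                --auth|--auth=*)         inline_auth=1; has_auth=1 ;;
                --authfile|--authfile=*) has_auth=1 ;;
                --reverse)               reverse=1 ;;
            esac
            prev=$word
        done
        set +f
        if [ -z "$mode" ]; then continue; fi  # not a chisel process
        if [ "$inline_auth" -eq 1 ]; then
            echo "INLINE_CREDENTIALS: $mode passes --auth on the command line"
        fi
        if [ "$mode" = server ] && [ "$has_auth" -eq 0 ]; then
            echo "NO_AUTH: server accepts unauthenticated clients"
            if [ "$reverse" -eq 1 ]; then
                echo "OPEN_REVERSE: unauthenticated server also allows reverse tunnels"
            fi
        fi
    done
    return 0
}

# Constructed sample process list (not real output).
sample_lines() {
    cat <<'EOF'
/usr/local/bin/chisel server -p 8080 --reverse --socks5
chisel client --auth alice:example-pass 203.0.113.10:8080 8081:localhost:3000
./chisel server -p 8080 --authfile auth.txt
/usr/sbin/sshd -D
EOF
}

sample_lines | audit_chisel
```

On a live host, feed it with ps -eo args | audit_chisel; the findings deliberately omit the credential values themselves.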

TUNNEL SYNTAX

Normal: localport:remotehost:remoteport (forwards local to remote).
Reverse: R:localport:remotehost:remoteport (forwards remote to local).

BASIC EXAMPLE

Server: ./chisel server -p 8080 --authfile auth.txt --socks5
Client forward: ./chisel client server.com:8080 8081:localhost:3000
Client SOCKS5: ./chisel client server.com:8080 socks

HISTORY

Developed by John Pillora in 2015 as an open-source HTTP tunneling tool. Inspired by ngrok; uses the Noise protocol for crypto. Actively maintained on GitHub/jpillora/chisel with releases up to v1.10+.

SEE ALSO

ssh(1), socat(1), nc(1), autossh(1)
