Chisel is a fast TCP tunnel, transported over HTTP. Single executable including both client and server. Written in Go (Golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Chisel is very similar to crowbar though achieves much higher performance.
Features
- Easy to use
- Performant *
- Encrypted connections using
crypto/ssh - Authenticated connections ; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
- Client auto-reconnects with exponential backoff
- Client can create multiple tunnel endpoints over one TCP connection
- Server optionally doubles as a reverse proxy
Download & Install
Enter the following command to download chisel
git clone https://github.com/jpillora/chisel.git
Note: Download and install it withc curl https://i.jpillora.com/chisel! | bash
Now to run chisel type
Docker
docker run --rm -it jpillora/chisel --help
Source
go get -v github.com/jpillora/chisel
Security
Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key seed, using the –key option, which will be used to seed the key generation. When clients connect, they will also display the server’s public key fingerprint. The client can force a particular fingerprint using the –fingerprint option. See the –help above for more information.
Authentication
Using the –authfile option, the server may optionally provide a user.json configuration file to create a list of accepted users. The client then authenticates using the –auth option. See users.json for an example authentication configuration file. See the –help above for more information.
Internally, this is done using the Password authentication method provided by SSH.
Performance
With crowbar , a connection is tunnelled by repeatedly querying the server with updates. This results in a large amount of HTTP and TCP connection overhead. Chisel overcomes this using WebSockets combined with crypto/ssh to create hundreds of logical connections, resulting in one TCP connection per client.
Known Issues
- WebSockets support is required
- IaaS providers all will support WebSockets
- Unless an unsupporting HTTP proxy has been forced in front of you, in which case I’d argue that you’ve been downgraded to PaaS.
- PaaS providers vary in their support for WebSockets
- Heroku has full support
- Openshift has full support though connections are only accepted on ports 8443 and 8080
- Google App Engine has no support
- IaaS providers all will support WebSockets
