Single executable including both client and server. Written in Go (Golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Chisel is very similar to crowbar though achieves much higher performance.

Features

• Easy to use
• Performant*
• Encrypted connections using the SSH protocol (via crypto/ssh)
• Authenticated connections; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
• Client auto-reconnects with exponential backoff
• Client can create multiple tunnel endpoints over one TCP connection
• Client can optionally pass through HTTP CONNECT proxies
• Server optionally doubles as a reverse proxy
• Server optionally allows SOCKS5 connections (See guide below)

Usage

$ chisel --help

   Usage: chisel [command] [--help]

   Version: X.Y.Z

   Commands:
     server - runs chisel in server mode
     client - runs chisel in client mode

   Read more:
     https://github.com/jpillora/chisel

Security

Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key seed, using the --key option, which will be used to seed the key generation. When clients connect, they will also display the server’s public key fingerprint. The client can force a particular fingerprint using the --fingerprint option. See the --help above for more information.

Authentication

Using the --authfile option, the server may optionally provide a user.json configuration file to create a list of accepted users. The client then authenticates using the --auth option. See users.json for an example authentication configuration file. See the --help above for more information.

Known Issues

• WebSockets support is required
  • IaaS providers all will support WebSockets
    • Unless an unsupporting HTTP proxy has been forced in front of you, in which case I’d argue that you’ve been downgraded to PaaS.
  • PaaS providers vary in their support for WebSockets
    • Heroku has full support
    • Openshift has full support though connections are only accepted on ports 8443 and 8080
    • Google App Engine has no support (Track this on their repo)