Rathole, like frp and ngrok, can help to expose the service on the device behind the NAT to the Internet, via a server with a public IP.
A full-powered rathole
can be obtained from the release page. Or build from source for other platforms and minimizing the binary. A Docker image is also available.
The usage of rathole
is very similar to frp. If you have experience with the latter, then the configuration is very easy for you. The only difference is that configuration of a service is split into the client side and the server side, and a token is mandatory.
To use rathole
, you need a server with a public IP, and a device behind the NAT, where some services that need to be exposed to the Internet.
Assuming you have a NAS at home behind the NAT, and want to expose its ssh service to the Internet:
Create server.toml
with the following content and accommodate it to your needs.
server.toml
[server]
bind_addr = “0.0.0.0:2333” # 2333
specifies the port that rathole listens for clients
[server.services.my_nas_ssh]
token = “use_a_secret_that_only_you_know” # Token that is used to authenticate the client for the service. Change to a arbitrary value.
bind_addr = “0.0.0.0:5202” # 5202
specifies the port that exposes my_nas_ssh
to the Internet
Then run:
./rathole server.toml
Create client.toml
with the following content and accommodate it to your needs.
[client]
remote_addr = “myserver.com:2333” # The address of the server. The port must be the same with the port in server.bind_addr
[client.services.my_nas_ssh]
token = “use_a_secret_that_only_you_know” # Must be the same with the server to pass the validation
local_addr = “127.0.0.1:22” # The address of the service that needs to be forwarded
myserver.com
on port 2333
, and any traffic to myserver.com:5202
will be forwarded to the client’s port 22
.So you can ssh myserver.com:5202
to ssh to your NAS.
To run rathole
run as a background service on Linux, checkout the systemd examples.
rathole
can automatically determine to run in the server mode or the client mode, according to the content of the configuration file, if only one of [server]
and [client]
block is present, like the example in Quickstart.
But the [client]
and [server]
block can also be put in one file. Then on the server side, run rathole --server config.toml
and on the client side, run rathole --client config.toml
to explicitly tell rathole
the running mode.
Before heading to the full configuration specification, it’s recommend to skim the configuration examples to get a feeling of the configuration format.
See Transport for more details about encryption and the transport
block.
Here is the full configuration specification
[client]
remote_addr = “example.com:2333” # Necessary. The address of the server
default_token = “default_token_if_not_specify” # Optional. The default token of services, if they don’t define their own ones
heartbeat_timeout = 40 # Optional. Set to 0 to disable the application-layer heartbeat test. The value must be greater than server.heartbeat_interval
. Default: 40 seconds
[client.transport] # The whole block is optional. Specify which transport to use
type = “tcp” # Optional. Possible values: [“tcp”, “tls”, “noise”]. Default: “tcp”
[client.transport.tcp] # Optional. Also affects noise
and tls
proxy = “socks5://user:passwd@127.0.0.1:1080” # Optional. The proxy used to connect to the server. http
and socks5
is supported.
nodelay = false # Optional. Determine whether to enable TCP_NODELAY, if applicable, to improve the latency but decrease the bandwidth. Default: false
keepalive_secs = 20 # Optional. Specify tcp_keepalive_time
in tcp(7)
, if applicable. Default: 20 seconds
keepalive_interval = 8 # Optional. Specify tcp_keepalive_intvl
in tcp(7)
, if applicable. Default: 8 seconds
[client.transport.tls] # Necessary if type
is “tls”
trusted_root = “ca.pem” # Necessary. The certificate of CA that signed the server’s certificate
hostname = “example.com” # Optional. The hostname that the client uses to validate the certificate. If not set, fallback to client.remote_addr
[client.transport.noise] # Noise protocol. See docs/transport.md
for further explanation
pattern = “Noise_NK_25519_ChaChaPoly_BLAKE2s” # Optional. Default value as shown
local_private_key = “key_encoded_in_base64” # Optional
remote_public_key = “key_encoded_in_base64” # Optional
[client.services.service1] # A service that needs forwarding. The name service1
can change arbitrarily, as long as identical to the name in the server’s configuration
type = “tcp” # Optional. The protocol that needs forwarding. Possible values: [“tcp”, “udp”]. Default: “tcp”
token = “whatever” # Necessary if client.default_token
not set
local_addr = “127.0.0.1:1081” # Necessary. The address of the service that needs to be forwarded
nodelay = false # Optional. Determine whether to enable TCP_NODELAY for data transmission, if applicable, to improve the latency but decrease the bandwidth. Default: false
[client.services.service2] # Multiple services can be defined
local_addr = “127.0.0.1:1082”
[server]
bind_addr = “0.0.0.0:2333” # Necessary. The address that the server listens for clients. Generally only the port needs to be change.
default_token = “default_token_if_not_specify” # Optional
heartbeat_interval = 30 # Optional. The interval between two application-layer heartbeat. Set to 0 to disable sending heartbeat. Default: 30 seconds
[server.transport] # Same as [client.transport]
type = “tcp”
[server.transport.tcp] # Same as the client
nodelay = false
keepalive_secs = 20
keepalive_interval = 8
[server.transport.tls] # Necessary if type
is “tls”
pkcs12 = “identify.pfx” # Necessary. pkcs12 file of server’s certificate and private key
pkcs12_password = “password” # Necessary. Password of the pkcs12 file
[server.transport.noise] # Same as [client.transport.noise]
pattern = “Noise_NK_25519_ChaChaPoly_BLAKE2s”
local_private_key = “key_encoded_in_base64”
remote_public_key = “key_encoded_in_base64”
[server.services.service1] # The service name must be identical to the client side
type = “tcp” # Optional. Same as the client [client.services.X.type] token = "whatever" # Necessary if
server.default_token` not set
bind_addr = “0.0.0.0:8081” # Necessary. The address of the service is exposed at. Generally only the port needs to be change.
nodelay = false # Optional. Same as the client
[server.services.service2]
bind_addr = “0.0.0.1:8082”
rathole
, like many other Rust programs, use environment variables to control the logging level. info
, warn
, error
, debug
, trace
are available.
RUST_LOG=error ./rathole config.toml
rathole has similar latency to frp, but can handle a more connections, provide larger bandwidth, with less memory usage.
For more details, see the separate page Benchmark.
However, don’t take it from here that rathole
can magically make your forwarded service faster several times than before. The benchmark is done on local loopback, indicating the performance when the task is cpu-bounded. One can gain quite a improvement if the network is not the bottleneck. Unfortunately, that’s not true for many users. In that case, the main benefit is lower resource consumption, while the bandwidth and the latency may not improved significantly.
rathole
is under active development. A load of features is on the way:
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…