
Opentunnel - encrypted tunnels to localhost


Opentunnel is a reverse proxy that creates an encrypted tunnel from a public endpoint to a locally running server. Opentunnel supports any TCP server and all modern browsers and devices (those that support TLS v3). Opentunnel is tuned for low-latency, low-volume (signaling) traffic, like that generated by end-user devices or apps.

Why Opentunnel?

Opentunnel is a scalable, open source tunneling solution for the Web or IoT that is not tied to a specific vendor. Possible alternatives are ngrok and PageKite. ngrok is closed source, which might not work for everyone; PageKite does not support clustering and allows unencrypted traffic; frp only works for exposing something on a local network when you have a server connected directly to the internet. Opentunnel tries to solve this by being open source, resilient and end-to-end encrypted.

Getting Started

Opentunnel is a Node.js command-line utility that has the client and the server in a single binary. When starting a tunnel it registers itself on the registration server to get a domain name, starts a tunnel, issues a certificate (via Let's Encrypt) and then enables traffic flow to your server that is completely end-to-end encrypted between your user and your server.

To install it on your system, execute:

yarn global add opentunnel

Now you can start a tunnel for your local server that listens on port 8080:

opentunnel -p 8080

Opentunnel creates a config file with certificates in the .opentunnel directory inside the current working directory. If you want to keep your domain name, you have to preserve this directory.

Self Hosting

The backend is completely stateless. There are three servers: the registration server (issues authentication tokens), the frontend server (accepts incoming connections) and the backend server (accepts tunnel connections). Authentication tokens are like JWT, but use fast and proven crypto via NaCl/TweetNaCl.

Requirements

Domain Name

The domain name that is used for the public endpoints.

NATS event bus

Opentunnel uses NATS for messaging between servers; it scales well and is able to route traffic via the shortest network path. Before deploying Opentunnel you have to deploy a NATS cluster.

Frontend

Frontend servers are the ones that accept connections from the public network.

opentunnel frontend -p <listening_port> -ph <listening_http_port> -s <nats_servers>
  • <listening_port> is the TLS port, usually 443. Default is 9000.
  • <listening_http_port> is the HTTP port, usually 80. Default is 9005.
  • <nats_servers> are the NATS server endpoints to connect to. Default is localhost.

Backend

Backend servers are the ones that accept incoming tunnel connections from servers.

opentunnel backend <key> -p <listening_port> -s <nats_servers>
  • <key> is the public part of the authentication key.
  • <listening_port> is the port to listen on. Default is 9001.
  • <nats_servers> are the NATS server endpoints to connect to. Default is localhost.

Registrator

The default registration server issues random domains. This operation requires the REG_KEY environment variable to be set to the secret part of the authentication key.

opentunnel registrator <domain> -p <listening_port>
  • <domain> is the base domain that is used to issue tokens for random subdomains.
  • <listening_port> is the port to listen on. Default is 9001.

Licence

MIT