jpillora / chisel Goto Github PK

Hi, its hard to understand what chisel does and does not do.
Is it possible to add some user scenario examples on the readme please?

If I understand correctly you can use chisel to:

• set up a proxy on the internet that allows you to connect to ports your firewall blocks
• set up your own socks proxy on the internet somewhere so you can make connections to internet sites that you are not allowed to go to by a firewall

You cannot use chisel to:

• remotely login into a desktop say on your work behind corporate firewall, like you can with logmein hamachi or other remote login services

Hi, this is a really neat project you've hacked together. Just out of curiosity, if you're controlling clients and servers on both ends why don't you just tunnel tcp via a tls channel and be done with it? Why do you need HTTP in there at all?

Client get crashed after running about 3 minutes while the download speed is about 25MB/s, I'm testing locally with wget.

System: ubuntu 16.04 64 bit (Linux desktop 4.4.0-59-generic #80-Ubuntu SMP Fri Jan 6 17:47:47 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux)

Desktop lan ip is 192.168.9.162, port 80 is served by nginx for file download.

Server command: chisel server -v --port 3000 --proxy http://example.com

Client command: chisel client -v --keepalive=10s http://192.168.9.162:3000 8001:80

Download test command: wget http://192.168.9.162:8001/dl/00002.m2ts

chisel client crash log:

2017/02/03 20:50:39 client: Disconnected
2017/02/03 20:50:39 client: Fingerprint a4:59:fb:8a:fd:93:b5:0a:2e:08:9c:15:38:b3:1d:44
2017/02/03 20:50:39 client: Sending configurating
2017/02/03 20:50:39 client: Connected (Latency 333.839µs)
2017/02/03 20:50:42 client: 0.0.0.0:80#1: conn#4: Open
2017/02/03 20:51:24 client: Fingerprint a4:59:fb:8a:fd:93:b5:0a:2e:08:9c:15:38:b3:1d:44
2017/02/03 20:52:06 client: Fingerprint a4:59:fb:8a:fd:93:b5:0a:2e:08:9c:15:38:b3:1d:44
panic: ssh: no key material for msgNewKeys

goroutine 71 [running]:
panic(0x74ec60, 0xc820084bb0)
	/usr/lib/go-1.6/src/runtime/panic.go:481 +0x3e6
golang.org/x/crypto/ssh.(*connectionState).writePacket(0xc820128168, 0xc82011ad80, 0x7fc143dba330, 0xc8200126f0, 0xc8200e0440, 0x9, 0x9, 0x0, 0x0)
	/root/gocode/src/golang.org/x/crypto/ssh/transport.go:163 +0x2c5
golang.org/x/crypto/ssh.(*transport).writePacket(0xc820128100, 0xc8200e0440, 0x9, 0x9, 0x0, 0x0)
	/root/gocode/src/golang.org/x/crypto/ssh/transport.go:144 +0x81
golang.org/x/crypto/ssh.(*handshakeTransport).pushPacket(0xc820106140, 0xc8200e0440, 0x9, 0x9, 0x0, 0x0)
	/root/gocode/src/golang.org/x/crypto/ssh/handshake.go:206 +0x63
golang.org/x/crypto/ssh.(*handshakeTransport).kexLoop(0xc820106140)
	/root/gocode/src/golang.org/x/crypto/ssh/handshake.go:286 +0x40f
created by golang.org/x/crypto/ssh.newClientTransport
	/root/gocode/src/golang.org/x/crypto/ssh/handshake.go:113 +0x352

Hello, I am having a difficult time understanding how to use chisel for my use case.

I have a sever, running "chisel server --port 8080".

I have a client (client A) that is running a webserver on port 80.
I have another client behind a firewall (client B).
I would like client B to be able to view the website hosted on client A's machine.

What types of settings would I use in "chisel client" for each client to allow this to work?

Thank you!!

This feature assumes connections will be broken if server is restarted.

This would come in handy for building the auth file programmatically from a separate data source to avoid.

There's three ways we could do it in increasing levels of complexity:

1. Reload every x second regardless
2. Catch SIGUSR1 to trigger a reload
3. Use inotify to trigger a reload when the file changes

Not sure which will be best.

Following archive from https://github.com/jpillora/chisel/releases/tag/1.2.2 are corrupted...

chisel_darwin_amd64.gz
chisel_linux_386.gz
chisel_linux_amd64.gz
chisel_linux_arm.gz
chisel_windows_amd64.exe.gz

wrong CRC during extraction

Is there an option to use the tun/tap devices with ssh to have a vpn implemented over chisel instead of doing port forwarding?

Is possible to add X-Forwarded-For header option to server, so the destination server could get real IP, or even add support for Proxy Protocol v1?

Hi,

I can't seem to find the option to specify an upstream proxy on the client side. The objective would be to support a chisel client that has to connect through an authenticated (NTLM) proxy in order to connect to the chisel server.

Any options ?
Thanks.
Arno

is there a possibility to drop ssh an use plain web sockets over https? in other words, why is this using http, websocket and ssh instead of just https and websocket?

Thanks for all your work !
I use Chisel Client in Windows 7. Internet connection of our company runs through a proxy.
Chisel Client does not seem to support a http proxy (I tried to set HTTP_PROXY in ENV).
Did I miss a point ? Do you see a possibility to get it working ?

Client was automatic add duration when connect fail.
But some times server is down at a long time, client can't retry in a few seconds.
Restart client is only i can do.

Currently, with 1.2, multiple clients instances are needed to connect to multiple servers.
Although #9 would aid in this in the sense that instead of running multiple server you would run a router and multiple clients proxying endpoints so maybe multiple servers per client is not a necessary feature.

(Sorry for my poor English)
Chisel is an amazing tool! I want to use chisel behind Nginx.
Becasuse the firewall of my company only allow port 443 use HTTP CONNECT command.
I want to use port 443 for my home server for HTTPS website, and chisel too.
So I tried to config Nginx to redirect HTTPS request by different domain.

[Client Command]
chisel_windows_amd64.exe client --proxy http://company-proxy:port https://home-server:443 0.0.0.0:33389:192.168.1.102:3389

2017/05/26 11:34:54 client: Retrying in 100ms...

@jpillora I need to tunnel https/http over an http connection specifically to GAE. Using this project would be ideal, however GAE doesn't yet support web sockets. Is there a way to fall back to HTTP when web sockets aren't available?

I know this isn't nearly as natural, but at least in our firewall environment I can only hit an http endpoint without ws support.

If one tries to run multiple chisel clients, possibly talking to different hosts, but mistakenly uses the same local port, the second invocation should fail and complain loudly.

./chisel client -v --keepalive 10s https://first-host 5022::2022 &
./chisel client -v --keepalive 10s https://second-host 5022::2022

The second invocation continues to run despite encountering the error (silent error!). This leads to false sense of success, and subsequent attempts to communicate to second-host via local port 5022 will actually forward traffic to first-host.

Below is slightly modified output from an actual run:

$ ./chisel client -v --keepalive 10s https://second-host 5022::2022
2017/04/13 12:38:32 client: Connecting to wss://second-host:443
2017/04/13 12:38:32 client: 0.0.0.0:202#1: listen tcp4 0.0.0.0:5022: bind: address already in use
2017/04/13 12:38:33 client: Fingerprint 6e:37:2b:d4:76:28:35:12:36:a3:ae:b1:59:10:77:3e
2017/04/13 12:38:33 client: Sending configurating
2017/04/13 12:38:33 client: Connected (Latency 30.839892ms)

Hi.
Add please option custom HTTP header in client.These settings help many bypass the firewall.
User-Agent:CustomAgent
Host:CustomHost
X-Forwarded-Host:CustomHost

The current settings for bypassing the firewall are very bad -
User-Agent:Go-http-client/1.1

Please add this option.
I think to you many will say thank you.
And your program will be the best.

Please add a TLS capable listener to bypass 'smart' firewalls.

After a while not using the chisel connections(30minutes).
The connections dead and seems not accessable.

2016/03/25 05:36:14 client: ghp:8123#1: conn#104: Close (sent 47380 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#507: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#512: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#517: Close (sent 233 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#514: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#509: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#510: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#515: Close (sent 215 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#516: Close (sent 223 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#504: Close (sent 207 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#505: Close (sent 233 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#518: Close (sent 207 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#513: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#519: Close (sent 207 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#506: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#511: Close (sent 0 received 0)

The connection was dead. and can not read any data.

I forced kill the progress. and run again . the connection working well.

so please add dead connection detect, when the connection is dead, can not read any data for a limit time(3-30s). please disconnect and reconnect it .

Thanks.

I'm using nginx to proxy requests to chisel, there are several benefits if users can change the hostname of server address

• proxy by any hostname you want, without register a domain or change DNS records. Useful when you have lots of chisel backends with one entry server.
• no DNS query (which is clear text) was sent, man-in-the-middle could not get the hostname, it's more secure.

Probable usage:

$ chisel client --hostname mydomain.com https://1.2.3.4 3000

the --hostname parameter will override the default server hostname.

I'm trying to get started with chisel by running the demo but I can't get client to connect.

~> docker run --rm -it jpillora/chisel client https://chisel-demo.herokuapp.com 3000
2016/06/28 10:15:58 client: Connecting to wss://chisel-demo.herokuapp.com:443
2016/06/28 10:15:59 client: Retrying in 100ms...
2016/06/28 10:16:00 client: Retrying in 200ms...
2016/06/28 10:16:01 client: Retrying in 400ms...
2016/06/28 10:16:02 client: Retrying in 800ms...
2016/06/28 10:16:04 client: Retrying in 1.6s...
2016/06/28 10:16:06 client: Retrying in 3.2s...

I can browse to the webpage in browser and get example.com output however.

Hello.
I trying:

~/bin $ ./chisel_linux_amd64 server --port 9312 --socks5
2017/08/27 18:08:00 server: SOCKS5 Enabled
2017/08/27 18:08:00 server: Fingerprint 2b:01:b4:8b:26:a5:24:5a:e2:b8:02:fa:58:96:ee:35
2017/08/27 18:08:00 server: Listening on 9312

but got

./chisel_linux_amd64 client --fingerprint 2b:01:b4:8b:26:a5:24:5a:e2:b8:02:fa:58:96:ee:35  https://pacific-refuge-52999.herokuapp.com:9312 1080:socks
2017/08/27 21:10:49 client: Connecting to wss://pacific-refuge-52999.herokuapp.com:9312
2017/08/27 21:10:49 client: tunnel#1 127.0.0.1:1080=>socks: Listening
2017/08/27 21:10:50 client: Retrying in 100ms...
2017/08/27 21:10:52 client: Retrying in 200ms...
2017/08/27 21:10:53 client: Retrying in 400ms...
2017/08/27 21:10:55 client: Retrying in 800ms...
2017/08/27 21:10:57 client: Retrying in 1.6s...

What am I doing wrong?

telnet pacific-refuge-52999.herokuapp.com 9312
Trying 23.23.116.0...
Trying 23.21.155.56...
Trying 23.23.120.204...
Trying 23.23.117.76...
Trying 23.21.142.10...
Trying 23.21.45.51...
Trying 23.21.181.176...
Trying 23.23.126.158...
telnet: Unable to connect to remote host: Connection refused

ssh -L defaults to exposing the tunnel locally on localhost. If a chisel server is providing access to a port on its localhost, it seems like having the client keep its end of the tunnel on localhost is a safe default. As a user coming from ssh tunnelling, this not being the case was an unexpected difference.

I want to support manual TLS with certs and automatic with Let's Encrypt (see acmewrapper. However, this would require a tls.json file (or a set of files) to store TLS state, and with Let's Encrypt you'd also need to specify a hostname and you'd be restricted to port 80/443. All of this adds complexity so, I ended up leaving TLS support out for now. Since the SSH protocol is already performing full authentication and encryption, I see TLS as an optional nice to have.

Encrypting the keys using the server key then storing them encrypted out in the open, in a public database somewhere might work... First I'd need to use a proper PBKDF for the server key.

Please mention any comments/ideas you have below

autossh allows using pkill -HUP autossh to make autossh attempt to reconnect immediately.

See https://linux.die.net/man/1/autossh "Controlling SSH".

Use case: When you have a 5 min timeout from the backoff, but you want it to connect immediately without having to restart the process.

I'm trying to run chisel server on an OpenShift application but it fails. I think this is because Apache is listening on port 8080 by default (not sure).

Command:

./chisel server --host $OPENSHIFT_GO_IP --port $OPENSHIFT_GO_PORT --proxy http://example.com

Error:

bind: address already in use

how?

I have OpenVPN server running on TCP/443. Is it possible to run it over chisel?

If yes, what commands should be issued on server and what on client?

Any help would be much appreciated.

On Ubuntu 16.04 there appears to be a conflict when installing via dpkg -i . The binary tries to install a file named test under /usr/bin but /usr/bin/test already exists as part of coreutils. Perhaps renaming to something more descriptive (and unique) would be better.

Hi, it's cool to have tun device, so we can use chisel as a simple VPN solution :)

Would seem web sockets are now on the agenda for GAE. Thought I would just leave this here https://code.google.com/p/googleappengine/issues/detail?id=2535. Feel free to close. Might be nice to add to readme.

plase add the release for windows 32-bit.

Hello , currently chisel has built in socks server. i guess we can easy add http proxy server inside chisel server.

I am made a very tiny http proxy server

https://github.com/netroby/gohttpproxy

We can put chisel into docker image.
Here is my docker image

https://github.com/netroby/alpine-chisel
https://hub.docker.com/r/netroby/alpine-chisel/

and these guide how to using docker image

Both server and client need docker installed.

Server side

There be a proxy server listen on 127.0.0.1:8123 on server. (squid or polipo)
create a file /etc/chisel.json, with content

{
    "USER:AVERYSTRONGPASSWORD": [
        ""
    ]
}

run command

docker run -d --restart=always --name chisel-server  -v /etc/chisel.json:/etc/chisel.json -p 0.0.0.0:8719:8719  netroby/alpine-chisel /bin/chisel server -v --port 8719 --authfile /etc/chisel.json

Client side

$SERVER_IP will be your chisel server ip address
run command

docker run -d --restart=always --name chisel  -p 0.0.0.0:8123:8123  netroby/alpine-chisel /bin/chisel client -v --keepalive 300s --auth USER:AVERYSTRONGPASSWORD $SERVER_IP:8719 8123

After it success connected to chisel server, the localhost:8123 will forward tcp connection to remote server proxy server port. you will be access to the free network

Hi,
It would be useful to be able to run the client in 'stdio' mode - that way it can be used as a ProxyCommand for SSH, eg

ssh -o ProxyCommand='chisel client mychiselserver stdio:%h:%p' myuser@somehost

To gain better connect performance, can we add conn pool for client?

The current client, will dial remote when need.
It's ok, but not very fast.
If there be conn pool. it will gain better performance.

First off, let me begin by saying that Chisel is a brilliant little project for accomplishing a lot of useful tasks. I personally use Chisel to tunnel SSH traffic to containers and VMs.

However, this got me thinking- how do you propose to achieve zero-downtime maintenance and deployment of the chisel server? If there are existing tunnels already created and active, would it be possible to switch the connections over to the new chisel server instance?

Issue #8 mentions problems with reaching clients behind HTTP-only NAT/firewalls. Allowing a client to be a proxy endpoint would provide access to the client via the chisel server. For example, client A connects to client B via server:

[client A] <-> [server] <-> [client B] <-> ...

Possible API:

chisel server <server options>

#client B
chisel client --proxy B <client options> <server address>

#client A
chisel client <client options> <server address> B@3000

Where B@3000 is in the format <proxy name>@<chisel remote>

My use case is being able to SSH into 1000's of embedded devices that are behind a firewall. I've been looking at creating a supervisor app for your server that would listen on a std port for connection requests from devices, and then create new instances respectively. The supervisor app would also need to provide some sort of directory service to clients wishing to connect to devices.

Some firewalls will check the Host header in the request and see if it's in the white list. I wish there could be a command-line option to customize this field (and possibly, arbitrary header fields).

Hi, Thanks for all your good work. @jpillora and @morikat

Since ssh channels are used, is it possible to add remote port forwarding in the future?
Something like ssh clients do.

 -R [bind_address:]port:host:hostport
         Specifies that the given port on the remote (server) host is to
         be forwarded to the given host and port on the local side.

During chisel's normal operation, I had this error:

ssh: handshake failed: websocket: close 1006 (abnormal closure): unexpected EOF

The client is on a bad network so that's probably what caused the error. The problem is that the tunnel went down for good and chisel didn't stop ether.

If this kind of fatal error occurs, can you either:

• try / catch and retry to open the tunnel
• exit the process with a non-null exit code so that it may be restarted

Can it be related to this code ?
https://github.com/jpillora/chisel/blob/master/client/client.go#L160

It would be nice to have a client option to limit the retries to a specified amount of time, so it does not retry indefinitely.
This is useful to monitor the connection of "daemonized" tunnels; one can set-up a bash script which opens the tunnel, and if chisel exists (because it fails to re-establish the connection in x amount of time) e.g. an alert email could be sent.
Currently chisel does not exit and tries to reconnect forever, which is hard to monitor from bash scripts.

tks for your reply!

I have chisel set up successfully and I've established an SSH tunnel between a remote host and my developer machine. I'm connected to the host using a webterm (https://github.com/chjj/tty.js).

I'm wondering if it's possible to use chisel to transfer files to and from my dev machine to the remote host?

Is it possible to set my machine up so that I can scp files to and from these machines, transferring the files using the tunnel that gets set up?

It would be awesome to see this offer reverse port forwards as well as local port forwards.

Dose chisel client support --authfile ?
I would prefer chisel read configure file from disk. and do not want other user view the password .

The current -auth put username and password on command line argument. when using ps -aux | grep chisel , you will see the password.
It might be not safe

i have a situation where i have some embedded devices out in the field and they are all in NAT environment. They can only call upstream on 80 and 443.

So i am hoping i could use this to connect to them via a public static in between server, using Chisel.

But i am not sure.. Can you let me know what you think..