explaingit

jpillora/chisel

16,002GoAudience · ops devopsComplexity · 2/5Setup · easy

TLDR

Chisel is a single-file networking tool that punches a secure encrypted tunnel through firewalls and corporate proxies by disguising traffic as ordinary web requests.

Mindmap

mindmap
  root((chisel))
    How it works
      HTTP transport
      SSH encryption
      Single binary
    Tunnel modes
      Forward ports
      Reverse tunnels
      SOCKS5 proxy
    Features
      Auth users file
      Auto reconnect
      Let Encrypt TLS
    Use cases
      Bypass firewalls
      Remote access
      Network bridging
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Expose a local development server to a remote colleague when both are behind separate corporate firewalls.

USE CASE 2

Give a remote helper temporary SSH-secured access to a service running on a private home or office network.

USE CASE 3

Bridge two isolated networks quickly for testing without setting up a full VPN.

USE CASE 4

Use SOCKS5 proxying through Chisel to route browser traffic securely over an untrusted network.

Tech stack

GoSSHHTTPDocker

Getting it running

Difficulty · easy Time to first run · 5min

In plain English

Chisel is a small networking tool that creates a tunnel between two machines, letting traffic that would normally be blocked travel between them by disguising it as ordinary web traffic. The README describes it as a fast TCP/UDP tunnel transported over HTTP and secured via SSH. It ships as a single executable that acts as either the server or the client depending on the subcommand you run. The idea is to deal with a common annoyance: you have a service running somewhere, but a firewall or a corporate proxy stands between you and it. Chisel works around that by carrying the real connection inside an HTTP session, which most networks allow. To stop anyone in the middle from listening in, the inner channel is encrypted using the SSH protocol. The server listens on a normal HTTP port and the client connects to it, after which the client can forward local ports to remote ones or, in reverse mode, forward server-side ports out through the client. Multiple tunnel endpoints can share one TCP connection. Optional extras include authentication via a users config file, fingerprint matching, SOCKS5 proxying in either direction, the ability for the server to double as a plain reverse proxy so Chisel hides in plain sight, automatic reconnect with exponential backoff, and TLS with auto-issued certificates via Let's Encrypt. Someone would reach for Chisel to expose a development server behind a corporate firewall, give a remote helper access to a machine on a private network, or bridge two networks for a quick test. It is written in Go and distributed as prebuilt binaries, a Docker image, a Fedora RPM package, and via go install. The full README is longer than what was provided.

Copy-paste prompts

Prompt 1
I want to expose my local port 3000 dev server through a Chisel server running on a public VPS so a remote colleague can review it. Give me the exact server and client commands.
Prompt 2
Set up Chisel in reverse tunnel mode so a machine on my private network can be reached from the Chisel server side. Show me the commands for both ends.
Prompt 3
Configure Chisel server with a users auth file so only specific clients with the right credentials can connect.
Prompt 4
I want Chisel to also act as a reverse proxy so it hides behind a normal-looking website. How do I enable that and what does the config look like?
Prompt 5
Help me run Chisel in a Docker container as a persistent background tunnel server with auto-restart and TLS via Let's Encrypt.
Open on GitHub → Explain another repo

← jpillora on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.