gitmyhub

rathole

Rust ★ 14k updated 2mo ago

A lightweight and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.

A fast, lightweight tunnel tool that makes a device or service hidden behind a home router reachable from the internet by routing traffic through a server with a public address, similar to ngrok but self-hosted.

Rust, TOML, TLS, Docker; setup: moderate; complexity: 3/5

rathole is a tool that helps you reach a computer or service that sits behind a home or office router. Many devices, like a home NAS or a small server, do not have their own public address on the Internet, so people on the outside cannot connect to them directly. This situation is called being behind NAT. rathole solves it by routing traffic through a second machine that does have a public address, so the hidden service becomes reachable. It works in the same spirit as two other known tools, frp and ngrok, and is written in the Rust programming language.

The setup has two parts. You run rathole in server mode on a machine with a public address, and you run it in client mode on the device you want to expose. Both sides read a small configuration file written in TOML format. The server file lists which public port should forward to which service, and the client file points at the server and at the local service to forward. A shared secret token must match on both sides, which keeps strangers from using your tunnel.

The README walks through a concrete example: exposing the SSH service of a home NAS so you can log into it from anywhere. After both sides are running, traffic sent to a chosen port on the public server is passed through to the chosen port on the device at home.
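The two configuration files for that NAS SSH case could look like the following. This is an added example, not text from this page; the key names follow rathole's documented TOML layout, while the service name `nas_ssh`, the hostname, both port numbers and the token are constructed placeholders.

```toml
# ---- server.toml: runs on the machine with the public address ----
[server]
# Control channel that the client dials in to (example port).
bind_addr = "0.0.0.0:2333"

# The service name (nas_ssh, constructed) must be identical on both sides.
[server.services.nas_ssh]
# Placeholder: use a long random value, and a different one per service.
token = "REPLACE_WITH_LONG_RANDOM_SECRET"
# Public port whose traffic is forwarded into the tunnel (example port).
bind_addr = "0.0.0.0:5202"

# ---- client.toml: runs on the NAS behind the router ----
[client]
# Address of the server's control channel (placeholder hostname).
remote_addr = "server.example.com:2333"

[client.services.nas_ssh]
# Must match the server's token for this service, or the tunnel is refused.
token = "REPLACE_WITH_LONG_RANDOM_SECRET"
# Local service to expose: the NAS's own SSH daemon on loopback.
local_addr = "127.0.0.1:22"
```

The token only controls which client may register the service; anyone who can reach the public port still lands on the SSH daemon, so the NAS's own SSH authentication remains the control that matters there. Both files hold the secret in clear text, so restrict their file permissions to the account that runs rathole.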

The project lists several features it focuses on. It aims for high throughput and stable behavior under many connections, low memory use, and a very small program file that can fit on constrained hardware such as routers. Tokens are required for every service, and traffic can be encrypted using either TLS or the Noise Protocol; the Noise option does not require you to create your own certificate. Services can also be added or removed while rathole runs by reloading the configuration file. You can get a prebuilt release, a Docker image, or build it from source yourself.

Where it fits