May 6, 2026 · 3 min read

Rathole — Lightweight High-Performance Reverse Proxy for NAT Traversal in Rust

A fast and resource-efficient reverse proxy written in Rust for exposing local services behind NATs and firewalls, serving as a lightweight alternative to frp and ngrok.

Introduction

Rathole is a reverse proxy for NAT traversal that tunnels traffic from a public server to services running behind firewalls or NATs. Written in Rust with async I/O via Tokio, it achieves high throughput with minimal memory usage. The binary is small enough to run on embedded devices like routers.

What Rathole Does

  • Tunnels TCP and UDP traffic from a public server to services behind NAT or firewalls
  • Achieves higher throughput and lower latency than frp with significantly less memory
  • Ships as a single static binary under 500 KiB for constrained environments
  • Supports optional Noise Protocol encryption for secure tunnels without TLS certificates
  • Allows hot-reloading of service configurations without restarting the process

Architecture Overview

Rathole uses a client-server model built from a long-lived control channel per service plus a separate data channel for each forwarded connection. The server listens on public ports; the client connects outbound to the server, authenticates with the service token, and keeps the control channel open. When traffic arrives on a server-side service port, the server signals the client over the control channel to open a new data channel for that connection, and traffic is then forwarded between the public-side socket and the local service. The Noise Protocol (Noise_NK pattern) provides authenticated encryption when configured: the client is given the server's static public key in advance, so it can authenticate the server and encrypt the channel with no certificate authority involved. Note that Noise_NK authenticates only the server; the client is identified solely by its per-service token, so the token is the credential that gates tunnel access and must be treated as a secret.

Self-Hosting & Configuration

  • Deploy the server binary on a VPS with a public IP and open the control port (the server bind_addr) plus each service's bind port
  • Configure server.toml with the bind address and service definitions, each with its token and public bind address
  • Configure client.toml with the server address, the matching tokens, and the local address of each service
  • Each service is authenticated by a token (its own, or the default_token fallback); a client presenting a non-matching token is refused, so tokens are the access control for the tunnel
  • Enable Noise Protocol encryption with rathole --genkey: the private key goes into the server's transport section and the public key into the client's, with transport type set to "noise" on both sides
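
The steps above written out end to end, as an added example rather than rathole's own tooling or documentation: a shell script that emits a hardened server.toml and client.toml (Noise transport, a token on every service), a deliberately weak server.toml (plaintext transport, a service with no token), and a small awk lint that accepts the hardened pair and rejects the weak file. Table and key names follow rathole's documented config format; the hostname, tokens and key placeholders are invented, and the 16-character token minimum is the lint's own rule, not something rathole enforces.

```shell
#!/bin/sh
# Added example (not rathole's own tooling): writes a hardened server.toml /
# client.toml pair and a deliberately weak server.toml, then lints each for
# an encrypted transport (noise or tls), a present noise key and a token on
# every service. Hostnames, keys and tokens are placeholders; the 16-char
# minimum is this lint's own rule, not something rathole enforces.

write_hardened_configs() {
  cat > "$1/server.toml" <<'EOF'
[server]
bind_addr = "0.0.0.0:2333"
[server.transport]
type = "noise"
[server.transport.noise]
local_private_key = "PASTE_PRIVATE_KEY_FROM_rathole_--genkey"
[server.services.nas_ssh]
token = "tok_nas_ssh_1f3a9c7e2b4d6081"   # placeholder; use a long random secret
bind_addr = "0.0.0.0:5202"
[server.services.home_dns]
type = "udp"
token = "tok_home_dns_7e2b4d60811f3a9c"
bind_addr = "0.0.0.0:5353"
EOF
  cat > "$1/client.toml" <<'EOF'
[client]
remote_addr = "vps.example.com:2333"
[client.transport]
type = "noise"
[client.transport.noise]
remote_public_key = "PASTE_PUBLIC_KEY_FROM_rathole_--genkey"
[client.services.nas_ssh]
token = "tok_nas_ssh_1f3a9c7e2b4d6081"
local_addr = "127.0.0.1:22"
[client.services.home_dns]
type = "udp"
token = "tok_home_dns_7e2b4d60811f3a9c"
local_addr = "127.0.0.1:53"
EOF
}

# Weak variant: plaintext transport and a service with no token at all.
write_weak_server_config() {
  cat > "$1" <<'EOF'
[server]
bind_addr = "0.0.0.0:2333"
[server.transport]
type = "tcp"
[server.services.nas_ssh]
bind_addr = "0.0.0.0:5202"
EOF
}

# lint_rathole_config FILE ROLE   (ROLE = server | client)
# Prints one line per finding; exit 0 only when there are none.
lint_rathole_config() {
  awk -v role="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function end_section() {   # a service table ended without a token line
      if (sect ~ ("^" role "\\.services\\.") && !svc_token) missing = missing " [" sect "]"
    }
    BEGIN { sect = ""; missing = ""; transport = "tcp"; have_key = 0; default_token = 0; nsvc = 0; bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {                                   # [table] header
      end_section(); svc_token = 0
      sect = $0; sub(/^[ \t]*\[/, "", sect); sect = substr(sect, 1, index(sect, "]") - 1)
      if (sect ~ ("^" role "\\.services\\.")) nsvc++
      next
    }
    index($0, "=") {                                # key = "value"  # comment
      n = index($0, "="); key = trim(substr($0, 1, n - 1)); val = substr($0, n + 1)
      sub(/[ \t]*#.*/, "", val); gsub(/"/, "", val); val = trim(val)
      if (key == "token" || key == "default_token") {
        if (length(val) < 16) { print "weak " key " (<16 chars) in [" sect "]"; bad = 1 }
        if (sect == role && key == "default_token" && val != "") default_token = 1
        if (key == "token") svc_token = 1
      }
      if (sect == role ".transport" && key == "type") transport = val
      if (sect == role ".transport.noise" && val != "" &&
          (key == "local_private_key" || key == "remote_public_key")) have_key = 1
    }
    END {
      end_section()
      if (missing != "" && !default_token) { print "no token and no default_token for:" missing; bad = 1 }
      if (transport != "noise" && transport != "tls") { print "plaintext transport: type = \"" transport "\""; bad = 1 }
      if (transport == "noise" && !have_key) { print "noise enabled but no key in [" role ".transport.noise]"; bad = 1 }
      if (nsvc == 0) { print "no [" role ".services.*] tables"; bad = 1 }
      exit bad
    }' "$1"
}

# Usage: sh rathole_lint.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); write_hardened_configs "$d"; write_weak_server_config "$d/weak.toml"
  lint_rathole_config "$d/server.toml" server && echo "server.toml: ok"
  lint_rathole_config "$d/client.toml" client && echo "client.toml: ok"
  lint_rathole_config "$d/weak.toml" server || echo "weak.toml: rejected"
  rm -rf "$d"
fi
```

Running sh rathole_lint.sh demo shows the hardened pair passing and the weak file rejected with two findings (plaintext transport, untokened service). The lint is a pre-deploy sanity check, not a full TOML parser: it reads only the [role.transport], [role.transport.noise] and [role.services.*] tables, which are the settings that decide who can attach to the tunnel and whether the tokens cross the network in the clear.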

Key Features

  • Sub-500 KiB binary suitable for routers and embedded Linux devices
  • Higher throughput than frp and more stable under heavy connection loads
  • Per-service token authentication prevents unauthorized tunnel access
  • Noise Protocol encryption without needing TLS certificates or a CA
  • Hot-reloadable configuration for adding or removing services at runtime

Comparison with Similar Tools

  • frp — Go-based reverse proxy with more features (dashboard, plugins); rathole is leaner and faster
  • ngrok — SaaS tunnel service with free tier; rathole is fully self-hosted with no external dependency
  • bore — simple Rust tunnel for TCP; rathole adds UDP support, encryption, and per-service auth
  • Cloudflare Tunnel — managed service requiring a Cloudflare account; rathole has no vendor lock-in
  • chisel — Go HTTP tunnel over WebSocket; rathole uses plain TCP control and data channels (with optional noise, tls or websocket transports) for lower overhead

FAQ

Q: Can rathole tunnel UDP traffic? A: Yes. UDP tunneling is supported alongside TCP, useful for DNS, game servers, and VoIP.

Q: How does it compare to frp in benchmarks? A: Rathole consistently shows 2-5x higher throughput and uses a fraction of the memory in the project's published benchmarks.

Q: Do I need TLS certificates? A: No. The optional Noise Protocol provides encryption using a keypair generated with rathole --genkey, with no certificate management. Rathole also offers a native TLS transport if you already manage certificates, and you can terminate TLS externally if preferred. Whichever you pick, avoid the plaintext tcp transport on untrusted networks, since the service token is the only client credential.

Q: Can I run it as a systemd service? A: Yes. The repository includes example systemd unit files for both server and client modes.
