# Rathole — Lightweight High-Performance Reverse Proxy for NAT Traversal in Rust

> A fast and resource-efficient reverse proxy written in Rust for exposing local services behind NATs and firewalls, serving as a lightweight alternative to frp and ngrok.

## Quick Use

```bash
# Download the latest release binary
curl -LO https://github.com/rapiz1/rathole/releases/latest/download/rathole-x86_64-unknown-linux-gnu.zip
unzip rathole-x86_64-unknown-linux-gnu.zip

# Run as server (on public VPS)
./rathole server.toml

# Run as client (behind NAT)
./rathole client.toml
```

## Introduction

Rathole is a reverse proxy for NAT traversal that tunnels traffic from a public server to services running behind firewalls or NATs. Written in Rust with async I/O via Tokio, it achieves high throughput with minimal memory usage. The binary is small enough to run on embedded devices like routers.

## What Rathole Does

- Tunnels TCP and UDP traffic from a public server to services behind NAT or firewalls
- Achieves higher throughput and lower latency than frp with significantly less memory
- Ships as a single static binary under 500 KiB for constrained environments
- Supports optional Noise Protocol encryption for secure tunnels without TLS certificates
- Allows hot-reloading of service configurations without restarting the process

## Architecture Overview

Rathole uses a client-server model over multiplexed connections. The server listens on public ports and the client connects outbound to the server, establishing a control channel. When traffic arrives on a server-side service port, the server signals the client to open a data channel for that connection. Data flows through the tunnel with zero-copy forwarding where possible. The Noise Protocol (Noise_NK) provides authenticated encryption when configured, using a simple keypair exchange instead of certificate authorities.
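
An added example, not taken from the original page or the rathole repository: a matching server and client configuration for the client-server model and Noise_NK encryption described above, with a per-service token. The service name `ssh_home`, the host `vps.example.com`, the ports, and the bracketed key and token values are placeholders chosen for illustration.

```toml
# ---- server.toml (on the public VPS) ----
[server]
bind_addr = "0.0.0.0:2333"      # control channel the client dials out to (example port)

[server.transport]
type = "noise"                  # without this the transport is plain TCP (unencrypted)

[server.transport.noise]
# Noise_NK: only the server has a static keypair. The private half stays on the VPS.
# Generate the pair with `rathole --genkey`.
local_private_key = "<SERVER_PRIVATE_KEY_BASE64>"   # placeholder

[server.services.ssh_home]      # hypothetical service name, must match the client side
token = "<LONG_RANDOM_TOKEN>"   # placeholder; use a distinct random token per service
bind_addr = "0.0.0.0:5202"      # public port that forwards into the tunnel

# ---- client.toml (on the host behind NAT) ----
[client]
remote_addr = "vps.example.com:2333"   # placeholder server address

[client.transport]
type = "noise"                  # must match the server's transport type

[client.transport.noise]
# The client pins the server's public key; no CA or certificate is involved.
remote_public_key = "<SERVER_PUBLIC_KEY_BASE64>"    # placeholder

[client.services.ssh_home]
token = "<LONG_RANDOM_TOKEN>"   # same value as on the server for this service
local_addr = "127.0.0.1:22"     # local service reached over loopback only
```

The token authenticates the tunnel client to the server, not the users who connect to the public service port, so the exposed service still needs its own authentication. Restrict both files to the account that runs rathole, since they hold the token and, on the server, the private key.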

## Self-Hosting & Configuration

- Deploy the server binary on a VPS with public IP and open the required ports
- Configure `server.toml` with bind address and service definitions including tokens
- Configure `client.toml` with server address, tokens, and local service endpoints
- Each service has a mandatory token for authentication to prevent unauthorized tunnel use
- Enable Noise Protocol encryption by generating a keypair and adding it to both configs

## Key Features

- Sub-500 KiB binary suitable for routers and embedded Linux devices
- Higher throughput than frp and more stable under heavy connection loads
- Per-service token authentication prevents unauthorized tunnel access
- Noise Protocol encryption without needing TLS certificates or a CA
- Hot-reloadable configuration for adding or removing services at runtime

## Comparison with Similar Tools

- **frp** — Go-based reverse proxy with more features (dashboard, plugins); rathole is leaner and faster
- **ngrok** — SaaS tunnel service with free tier; rathole is fully self-hosted with no external dependency
- **bore** — simple Rust tunnel for TCP; rathole adds UDP support, encryption, and per-service auth
- **Cloudflare Tunnel** — managed service requiring a Cloudflare account; rathole has no vendor lock-in
- **chisel** — Go HTTP tunnel over WebSocket; rathole uses raw TCP multiplexing for lower overhead

## FAQ

**Q: Can rathole tunnel UDP traffic?**
A: Yes. UDP tunneling is supported alongside TCP, useful for DNS, game servers, and VoIP.

**Q: How does it compare to frp in benchmarks?**
A: Rathole consistently shows 2-5x higher throughput and uses a fraction of the memory in the project's published benchmarks.

**Q: Do I need TLS certificates?**
A: No. The optional Noise Protocol provides encryption using a simple keypair without certificate management. You can also terminate TLS externally if preferred.

**Q: Can I run it as a systemd service?**
A: Yes.
The repository includes example systemd unit files for both server and client modes.

## Sources

- https://github.com/rapiz1/rathole
- https://github.com/rapiz1/rathole/blob/main/docs/benchmark.md

---

Source: https://tokrepo.com/en/workflows/asset-d22ddd44
Author: AI Open Source