13 unstable releases (3 breaking)

Uses new Rust 2024

new 0.5.0 Mar 24, 2025
0.4.2 Mar 11, 2025
0.3.2 Feb 17, 2025
0.2.6 Feb 8, 2025
0.2.1 Dec 21, 2024

#1892 in Network programming

Download history: weekly download chart, Dec 2024 to Mar 2025

706 downloads per month
Used in 4 crates

Apache-2.0

44KB
947 lines

Ombrac

Ombrac is a high-performance, Rust-based TCP tunneling solution designed for secure communication.

Features

  • High Performance: Leverages QUIC's multiplexing capabilities with bidirectional streams for efficient and low-latency transmission.
  • Secure Communication: Encryption is ensured by the built-in TLS layer of QUIC, providing robust security for your data.
  • Zero-RTT Support: Optional 0-RTT or 0.5-RTT connections for faster handshakes (at the cost of slightly weakened security).


Install

Releases

Download the latest release from the releases page.

Build

cargo build --bin ombrac-client --bin ombrac-server --features binary

NOTE: On Linux systems, aws-lc-rs is used for cryptographic operations. A C compiler and CMake may be required on these systems for installation.

Crates

cargo install ombrac-client ombrac-server --features binary

Homebrew

brew tap ombrac/tap && brew install ombrac

Usage

Server

ombrac-server -l "[::]:443" -k "secret" --tls-cert "./cert.pem" --tls-key "./key.pem"

Starts the Ombrac server listening on port 443, using the provided TLS certificate and key for encrypted communication.

Client

ombrac-client -s "example.com:443" -k "secret"

Sets up a SOCKS5 server on 127.0.0.1:1080, forwarding traffic to example.com:443.

When using a self-signed certificate, the client requires both the --server-name parameter and the --tls-cert path to be explicitly configured.

Alternatively, you can use the --insecure option to skip TLS verification. This is not recommended for production environments as it bypasses certificate validation, potentially exposing your communication to security risks.
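As an added example that is not part of the Ombrac project, the following POSIX shell script wires up the self-signed path described above: it generates a certificate whose SAN matches the assumed name ombrac.internal, has the client pin that file with --server-name and --tls-cert, and emits --insecure only behind an explicit opt-in. The names, paths and OMBRAC_* variables are assumptions, and the ombrac binaries are launched only when OMBRAC_RUN=1.

```shell
#!/bin/sh
# Added example, not part of the Ombrac project: serve behind a self-signed
# certificate and have the client pin that certificate with --server-name and
# --tls-cert, so validation stays on instead of falling back to --insecure.
# Assumes openssl is installed and SERVER_NAME resolves to the server host.
set -eu

SERVER_NAME="${SERVER_NAME:-ombrac.internal}"   # assumed private DNS name
CERT_DIR="${CERT_DIR:-./ombrac-tls}"

# Self-signed leaf whose SAN equals SERVER_NAME. The client pins this exact file
# with --tls-cert and checks the name with --server-name, as the README requires.
gen_self_signed() {
  mkdir -p "$CERT_DIR"
  openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -days 90 -subj "/CN=$SERVER_NAME" -addext "subjectAltName=DNS:$SERVER_NAME" \
    -keyout "$CERT_DIR/key.pem" -out "$CERT_DIR/cert.pem" 2>/dev/null
  chmod 600 "$CERT_DIR/key.pem"
}

# Build the client's TLS arguments. Default is the pinned-certificate form;
# --insecure is emitted only with an explicit OMBRAC_ALLOW_INSECURE=1, so a
# stray flag cannot silently disable certificate validation.
client_tls_args() {
  mode="$1"   # "pinned" or "insecure"
  cert="$2"
  if [ "$mode" = insecure ]; then
    [ "${OMBRAC_ALLOW_INSECURE:-0}" = 1 ] || { echo "refusing --insecure" >&2; return 1; }
    echo "--insecure"
  else
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 1; }
    echo "--server-name $SERVER_NAME --tls-cert $cert"
  fi
}

# Launch only when OMBRAC_RUN=1, so the helpers above can be sourced and checked
# without the ombrac binaries installed. OMBRAC_SECRET must be set by the caller.
if [ "${OMBRAC_RUN:-0}" = 1 ]; then
  gen_self_signed
  ombrac-server -l "[::]:443" -k "$OMBRAC_SECRET" \
    --tls-cert "$CERT_DIR/cert.pem" --tls-key "$CERT_DIR/key.pem" &
  sleep 1
  # word-splitting of the argument list is intended here
  ombrac-client -s "$SERVER_NAME:443" -k "$OMBRAC_SECRET" \
    $(client_tls_args pinned "$CERT_DIR/cert.pem")
fi
```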

Full Options

Server

Usage: ombrac-server [OPTIONS] --secret <STR> --listen <ADDR>

Options:
  -h, --help     Print help
  -V, --version  Print version

Service Secret:
  -k, --secret <STR>  Protocol Secret

Transport QUIC:
  -l, --listen <ADDR>        The address to bind for QUIC transport
      --tls-cert <FILE>      Path to the TLS certificate file
      --tls-key <FILE>       Path to the TLS private key file
      --insecure             When enabled, the server will generate a self-signed TLS certificate
                             and use it for the QUIC connection. This mode is useful for testing
                             but should not be used in production
      --zero-rtt             Enable 0-RTT for faster connection establishment (may reduce security)
      --cwnd-init <NUM>      Initial congestion window size in bytes
      --idle-timeout <TIME>  Maximum idle time (in milliseconds) before closing the connection
                             30 second default recommended by RFC 9308 [default: 30000]
      --keep-alive <TIME>    Keep-alive interval (in milliseconds) [default: 8000]
      --max-streams <NUM>    Maximum number of bidirectional streams that can be open simultaneously [default: 100]

Logging:
      --tracing-level <TRACE>  Logging level e.g., INFO, WARN, ERROR [default: WARN]

Client

Usage: ombrac-client [OPTIONS] --secret <STR> --server <ADDR>

Options:
  -h, --help     Print help
  -V, --version  Print version

Service Secret:
  -k, --secret <STR>  Protocol Secret

Endpoint SOCKS:
      --socks <ADDR>  The address to bind for the SOCKS server [default: 127.0.0.1:1080]

Transport QUIC:
      --bind <ADDR>          The address to bind for QUIC transport
  -s, --server <ADDR>        Address of the server to connect to
      --server-name <STR>    Name of the server to connect (derived from `server` if not provided)
      --tls-cert <FILE>      Path to the TLS certificate file
      --insecure             Skip TLS certificate verification (insecure, for testing only)
      --zero-rtt             Enable 0-RTT for faster connection establishment (may reduce security)
      --no-multiplex         Disable connection multiplexing (each stream uses a separate QUIC connection)
                             This may be useful in special network environments where multiplexing causes issues
      --cwnd-init <NUM>      Initial congestion window size in bytes
      --idle-timeout <TIME>  Maximum idle time (in milliseconds) before closing the connection
                             30 second default recommended by RFC 9308 [default: 30000]
      --keep-alive <TIME>    Keep-alive interval (in milliseconds) [default: 8000]
      --max-streams <NUM>    Maximum number of bidirectional streams that can be open simultaneously [default: 100]

Logging:
      --tracing-level <TRACE>  Logging level (e.g., INFO, WARN, ERROR) [default: WARN]

License

This project is licensed under the Apache-2.0 License.

Dependencies

~3–11MB
~114K SLoC