Lib.rs

Asynchronous | Network programming
#websocket #certificate #web #cli #server #protocols #client #penguin

bin+lib rusty-penguin

A fast TCP/UDP tunnel, transported over HTTP WebSocket

by Zhang Maiyun

17 unstable releases (6 breaking)

Uses new Rust 2024

0.7.0 May 2, 2025
0.5.6 Apr 4, 2025
0.5.5 Jun 4, 2024
0.5.3 Oct 1, 2023
0.3.2 Dec 29, 2022

#97 in Asynchronous

Download history 2/week @ 2025-03-18 232/week @ 2025-04-01 47/week @ 2025-04-08 9/week @ 2025-04-15 1/week @ 2025-04-22 115/week @ 2025-04-29 37/week @ 2025-05-06 38/week @ 2025-05-13

191 downloads per month

Apache-2.0 OR GPL-3.0-or-later

1.5MB
9K SLoC

Rusty Penguin

Logo

Rust Build and Test Crates.io Dependency Status OpenSSF Best Practices Codecov wakatime License

About

A fast TCP/UDP tunnel, transported over HTTP WebSocket. You are right. This project is inspired by jpillora/chisel (and subsequently my fork myzhang1029/penguin), but completely rewritten in Rust without any linkage to chisel. The logo is generated by DALL-E with the prompt "a penguin standing behind a gear wheel, digital art, logo."

Basic Usage

Server

$ penguin server --host ::1 --port 443 --tls-cert cert.pem --tls-key key.pem --ws-psk some-secret

See penguin server --help for more options.

Client

$ penguin client --ws-psk some-secret wss://server 1080:socks 80:example.com:80

See penguin client --help for more options.

Comparison

Compared to the original penguin or chisel, this project stripped away some functionalities:

  • There is no internal SSH tunnels because it results in double encapsulation when used with HTTPS/WSS.

  • There is no user/password authentication because we do not have SSH. Instead, use PSK authentication.

  • There is no server keep-alive because client keep-alive is enough.

  • There is no support to acquire an ACME certificate on-the-fly. (Implemented)

  • There is no reverse port forwarding because I am too lazy. (Implemented)

Other than that, this project offers these functionalities compared to chisel:

  • Plausible deniability with WebSocket PSK and working backend.

  • TLS certificate hot-reload with SIGUSR1.

  • Higher performance: my crude testing on my machine reveals that penguin is approximately 2x faster than chisel on my machine (penguin commit 73a0045ff vs chisel commit ab8f06a8).

$ iperf3 -c 127.0.0.1 # chisel without TLS
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  5.41 GBytes  4.65 Gbits/sec                  sender
[  5]   0.00-10.00  sec  5.40 GBytes  4.64 Gbits/sec                  receiver

$ iperf3 -c 127.0.0.1 # penguin without TLS
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  16.5 GBytes  14.2 Gbits/sec                  sender
[  5]   0.00-10.00  sec  16.5 GBytes  14.2 Gbits/sec                  receiver

$ iperf3 -c 127.0.0.1 # chisel with TLS
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  4.79 GBytes  4.12 Gbits/sec                  sender
[  5]   0.00-10.01  sec  4.79 GBytes  4.11 Gbits/sec                  receiver

$ iperf3 -c 127.0.0.1 # penguin with TLS
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec  11.0 GBytes  9.48 Gbits/sec                  sender
[  5]   0.00-10.01  sec  11.0 GBytes  9.48 Gbits/sec                  receiver
  • All the safety Rust offers.

Protocol

Servers and clients with the same protocol version are compatible with each other. However, for the best performance, it is recommended to use the same version of penguin on both sides.

The current protocol version is penguin-v7. See PROTOCOL.md for details.

Contribution

All contributions are welcome. Please make sure you

  1. Write test cases for the bugfix/feature
  2. Check that the patch passes all tests by running
cargo test
  1. Send a Pull Request.

License

GPL v3.0 or later or Apache License 2.0.

Dependencies

~4–22MB
~329K SLoC