A high-performance TCP/UDP tunnel over QUIC, written in Rust.
rstun leverages the Quinn library for QUIC transport, providing efficient, low-latency, and secure bidirectional communication. All traffic is protected by QUIC's integrated TLS layer.
This fork includes several performance optimizations and enhancements based on my own needs:
- QUIC encryption overhead is removed for the internal tunnel connections between server and client
- Traffic is still protected by TLS at the outer layer, but internal QUIC payload encryption is disabled
- Results in lower CPU usage and reduced latency for high-throughput scenarios
- Ideal for trusted server-client connections where TLS already provides adequate security
- Automatic Snappy compression applied to all tunnel data on top of QUIC
- Intelligently compresses data only when beneficial (>256 bytes and reduces size)
- Provides 40-70% bandwidth reduction for compressible data (HTTP, JSON, text, etc.)
- Minimal CPU overhead with Snappy's fast compression algorithm
- Transparent compression/decompression - no configuration needed
- Debug logging shows compression statistics for monitoring
- Increased QUIC buffer sizes: 4MB stream receive window, 8MB connection receive/send windows
- Optimized TCP socket settings: TCP_NODELAY, increased socket buffers (512KB), TCP_QUICKACK on Linux
- Optimized UDP socket settings: Increased UDP socket buffers (2MB) for better throughput
- Higher stream limits: Supports up to 4096 concurrent bidirectional streams
These optimizations are designed for scenarios where:
- Server and client have a trusted connection (e.g., your own infrastructure)
- You need maximum performance with minimal latency
- Bandwidth costs are a concern (compression helps significantly)
- You're transferring large amounts of data or handling high connection counts
- Multiple TCP and UDP tunnels: Support for running multiple tunnels (TCP and/or UDP) simultaneously in a single client or server instance.
- Bidirectional tunneling: Both inbound (IN) and outbound (OUT) modes for flexible deployment.
- Modern encryption: Security via QUIC's TLS 1.3 layer, with configurable cipher suites.
- Automatic or custom certificates: Use your own certificate/key or let rstun generate a self-signed certificate for testing.
- Connection migration: Optional periodic migration of QUIC connection to new random local UDP ports to avoid throttling during long data transfers.
- Traffic statistics: Real-time tunnel traffic reporting.
Expose a local service (e.g., web server) to the public internet securely through the QUIC tunnel. Useful for making services behind NAT/firewall accessible externally.
Tunnel local outbound traffic through the server, which then forwards it to the specified destination. Commonly used to encrypt and route traffic from a local network to external servers.
- rstunc (client): Establishes and manages tunnels to the server.
- rstund (server): Accepts incoming connections and forwards TCP/UDP traffic according to configuration.
rstund \
--addr 0.0.0.0:6060 \
--tcp-upstream 8800 \
--udp-upstream 8.8.8.8:53 \
--password 123456 \
--cert path/to/cert.der \
--key path/to/key.der--addr— IP:port to listen on.--tcp-upstream— Default TCP upstream for OUT tunnels (if client does not specify one).--udp-upstream— Default UDP upstream for OUT tunnels (if client does not specify one).--password— Required for client authentication.--cert/--key— Certificate and private key for the server. If omitted, a self-signed certificate forlocalhostis generated (for testing only).
rstunc \
--server-addr 1.2.3.4:6060 \
--password 123456 \
--cert path/to/cert.der \
--tcp-mappings "OUT^0.0.0.0:9900^8800,IN^127.0.0.1:8080^9000" \
--udp-mappings "OUT^0.0.0.0:9900^8.8.8.8:53" \
--hop-interval-ms 30000 \
--loglevel D--tcp-mappingsand--udp-mappingsnow accept comma-separated lists of mappings, each in the formMODE^[ip:]port^[ip:]port(e.g.,OUT^8000^ANY).MODEis eitherOUTorIN.ANYas the destination means the server's default upstream is used.--hop-interval-ms— Optional parameter to enable connection migration by periodically changing local UDP ports at the specified interval(ms).
# Start server with auto-generated self-signed certificate
rstund -a 9000 -p 1234
# Start client with both TCP and UDP tunnels and connection migration every 30 seconds
rstunc \
--server-addr 127.0.0.1:9000 \
--password 1234 \
--tcp-mappings "OUT^0.0.0.0:9900^8800" \
--udp-mappings "IN^127.0.0.1:8080^9000" \
--hop-interval-ms 30000Usage: rstund [OPTIONS] --addr <ADDR> --password <PASSWORD>
Options:
-a, --addr <ADDR> Address ([ip:]port) to listen on
-t, --tcp-upstream <ADDR> Default TCP upstream for OUT tunnels ([ip:]port)
-u, --udp-upstream <ADDR> Default UDP upstream for OUT tunnels ([ip:]port)
-p, --password <PASSWORD> Server password (required)
-c, --cert <CERT> Path to certificate file (optional)
-k, --key <KEY> Path to key file (optional)
-w, --workers <N> Number of async worker threads [default: 0]
--quic-timeout-ms <MS> QUIC idle timeout (ms) [default: 40000]
--tcp-timeout-ms <MS> TCP idle timeout (ms) [default: 30000]
--udp-timeout-ms <MS> UDP idle timeout (ms) [default: 30000]
-l, --loglevel <LEVEL> Log level [default: I] [T, D, I, W, E]
-h, --help Print help
-V, --version Print version
Usage: rstunc [OPTIONS] --server-addr <ADDR> --password <PASSWORD>
Options:
-a, --server-addr <ADDR> Server address (<domain:ip>[:port])
-p, --password <PASSWORD> Password for server authentication
-t, --tcp-mappings <MAPPINGS> Comma-separated list of TCP tunnel mappings (MODE^[ip:]port^[ip:]port)
-u, --udp-mappings <MAPPINGS> Comma-separated list of UDP tunnel mappings (MODE^[ip:]port^[ip:]port)
-c, --cert <CERT> Path to certificate file (optional)
-e, --cipher <CIPHER> Cipher suite [default: chacha20-poly1305] [chacha20-poly1305, aes-256-gcm, aes-128-gcm]
-w, --workers <N> Number of async worker threads [default: 0]
-r, --wait-before-retry-ms <MS> Wait before retry (ms) [default: 5000]
--quic-timeout-ms <MS> QUIC idle timeout (ms) [default: 30000]
--tcp-timeout-ms <MS> TCP idle timeout (ms) [default: 30000]
--udp-timeout-ms <MS> UDP idle timeout (ms) [default: 5000]
--hop-interval-ms <MS> Interval in millseconds for connection migration to new random local UDP port (optional,default:0 means disabled)
--dot <DOT> Comma-separated DoT servers for DNS resolution
--dns <DNS> Comma-separated DNS servers for resolution
-l, --loglevel <LEVEL> Log level [default: I] [T, D, I, W, E]
-h, --help Print help
-V, --version Print version
The client supports optional connection migration via the --hop-interval-ms parameter. When specified, the QUIC connection will periodically migrate to a new random local UDP port at the given interval (in millseconds). This feature helps avoid UDP throttling that may occur during long data transfers while maintaining the upper-layer QUIC connection without interruption.
Benefits:
- Prevents UDP port-based rate limiting during extended data transfers
- Maintains seamless connectivity without breaking existing tunnels
- Helps bypass certain network restrictions that may throttle long-lived UDP flows
Usage:
- If
--hop-interval-msis not specified, connection migration is disabled - Recommended intervals range from 60 to 600 seconds depending on network conditions
- Shorter intervals provide more frequent migration but may cause brief latency spikes
- Multiple tunnels: You can specify multiple TCP and/or UDP tunnels in a single client or server instance using the new
--tcp-mappingsand--udp-mappingsoptions. - Mapping format: Each mapping is
MODE^[ip:]port^[ip:]port, whereMODEisOUTorIN. - Self-signed certificates: If no certificate is provided, a self-signed certificate for
localhostis generated (for testing only). - Security: For production, always use a valid certificate and connect via domain name.
- Connection migration: Use
--hop-interval-msto enable periodic port migration for improved performance in environments with UDP throttling.
This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, you can obtain one at http://mozilla.org/MPL/2.0/.