Stop Fighting Firewalls Blind! Chisel Makes Tunneling Effortless
What if I told you that every firewall you've ever cursed at, every corporate proxy that's blocked your SSH connection, every restrictive network that's killed your productivity—they all have a secret backdoor that most developers never discover?
Here's the painful truth: traditional VPNs are bloated, SSH tunneling is painfully manual, and most "modern" solutions require installing half a dozen dependencies just to move a few packets through a restrictive network. You've probably spent hours wrestling with OpenVPN configurations, debugging WireGuard handshakes, or explaining to your security team why you need port 22 opened "just this once."
But what if tunneling didn't have to be a nightmare?
Enter Chisel—a single-binary, zero-dependency TCP/UDP tunnel that rides over standard HTTP and wraps everything in battle-tested SSH encryption. Created by Jaime Pillora and written in Go, this lightweight powerhouse is quietly becoming the secret weapon that elite developers, DevOps engineers, and security professionals reach for when networks get hostile.
Ready to see how one 15MB binary can replace your entire VPN stack? Let's dive in.
What is Chisel?
Chisel is a fast TCP/UDP tunnel transported over HTTP and secured via SSH. It's a single executable that includes both client and server functionality—no separate installs, no dependency hell, no configuration file nightmares. Written in Go, Chisel leverages the crypto/ssh package to provide always-on encryption without the complexity of managing SSH keys or certificates manually.
The project lives at github.com/jpillora/chisel and has gained serious traction in the developer community for one simple reason: it solves real problems with minimal friction.
Why Chisel is Trending Now
In an era of zero-trust networking, cloud-native architectures, and increasingly locked-down enterprise environments, developers need tools that:
- Work anywhere HTTP works (which is basically everywhere)
- Require zero installation privileges (single static binary)
- Auto-reconnect when networks flake (because they always do)
- Support both forward and reverse tunnels (flexibility matters)
Chisel checks every box. Unlike traditional SSH tunneling that requires direct SSH access, Chisel tunnels over HTTP—meaning it glides through corporate proxies, CDN edge networks, and even restrictive cloud platforms that would block raw SSH traffic.
The project's recent updates keep it cutting-edge: Go 1.25.1, updated dependencies, and packaged releases for .rpm, .deb, and .apk formats. Whether you're on Fedora, Debian, or Alpine Linux, Chisel installs in seconds.
Key Features That Make Chisel Insane
Chisel isn't just another tunneling tool. Here's what separates it from the pack:
🔐 Always-Encrypted with SSH Protocol
Every connection uses ECDSA key pairs generated in-memory. No manual certificate management. No CA infrastructure. The server's fingerprint is displayed on startup—clients verify this fingerprint to prevent MITM attacks. It's SSH-grade security without SSH-grade complexity.
🔄 Auto-Reconnect with Exponential Backoff
Networks fail. Proxies reset. Chisel doesn't care. Built-in exponential backoff means your tunnels automatically resurrect after disconnections. No cron jobs. No watchdog scripts. It just works.
🎯 Multiple Tunnel Endpoints Over One Connection
Why open 10 connections when one suffices? Chisel multiplexes multiple tunnel endpoints over a single TCP connection. This is huge for high-latency networks and environments with connection limits.
🧦 SOCKS5 & HTTP CONNECT Proxy Support
Clients can traverse existing proxy infrastructure. Server optionally doubles as a SOCKS5 proxy. Need to chain through your corporate Squid proxy? Done. Want to expose a SOCKS endpoint for your browser? One flag.
↩️ Reverse Port Forwarding
This is where Chisel gets dangerous—in a good way. Traditional port forwarding brings server resources to the client. Reverse forwarding brings client resources to the server. Expose your local development server to the internet through a cloud VM. Debug webhooks on localhost. The possibilities are endless.
🖥️ stdio Support for SSH ProxyCommand
Combine Chisel with ssh -o ProxyCommand to tunnel SSH itself over HTTP. SSH over HTTP over SSH—sounds like inception, but it's incredibly useful for bastion host scenarios.
🐳 Docker-Ready, Scratch-Based Image
The official Docker image uses a scratch base—meaning zero attack surface beyond the binary itself. The image is tiny, secure, and perfect for Kubernetes sidecars.
Real-World Use Cases Where Chisel Dominates
1. Bypassing Corporate Firewalls for Remote Development
You're at a client site. Their firewall blocks everything except 80/443. Your code lives on GitHub, your API on a private server. Chisel tunnels your development traffic through their HTTP proxy—no IT tickets, no exceptions needed.
2. Secure Access to Internal Kubernetes Services
Your cluster's internal services aren't exposed. Instead of fighting with kubectl port-forward (which drops when your laptop sleeps), run a Chisel server inside the cluster. Persistent, encrypted tunnels to any service—even UDP-based DNS or metrics.
3. Exposing Local Development Servers for Webhook Testing
Building Stripe integrations? Testing GitHub webhooks? Your localhost isn't reachable. Run Chisel in reverse mode on a cheap VPS: your local server appears on the internet instantly. No ngrok subscription required.
4. SOCKS5 Proxy for Secure Browsing Through Your Infrastructure
Traveling on untrusted WiFi? Launch Chisel server at home, connect client with SOCKS mode. All browser traffic tunnels through your trusted home network—encrypted, authenticated, and under your control.
Step-by-Step Installation & Setup Guide
Quick Binary Install
The fastest way to get Chisel:
# One-liner install (Linux/macOS)
curl https://i.jpillora.com/chisel! | bash
# Or download manually from releases
# https://github.com/jpillora/chisel/releases/latest
Docker
# Test drive without installing
docker run --rm -it jpillora/chisel --help
# Run server
docker run -d -p 8080:8080 jpillora/chisel server --port 8080
Fedora / RHEL
# Community-maintained package
sudo dnf -y install chisel
From Source (Go 1.21+)
go install github.com/jpillora/chisel@latest
Basic Server Setup
# Generate a persistent key (do this once)
chisel server --keygen /etc/chisel/server.key
# Start server with authentication
chisel server \
--port 8080 \
--keyfile /etc/chisel/server.key \
--authfile /etc/chisel/users.json \
--socks5 \
--reverse
Basic Client Connection
# Forward local port 3000 to server's localhost:3000
chisel client https://chisel.example.com 3000
# With fingerprint verification (STRONGLY recommended)
chisel client \
--fingerprint 'SHA256:xxxxx...' \
--auth 'user:pass' \
https://chisel.example.com \
3000
REAL Code Examples from the Repository
Let's examine actual usage patterns from Chisel's documentation, with detailed breakdowns of what each command accomplishes.
Example 1: Basic Server with Proxy Camouflage
# From the README demo section
$ chisel server --port $PORT --proxy http://example.com
# listens on $PORT, proxy web requests to http://example.com
What's happening here? Chisel starts in server mode on a dynamic port. The --proxy flag is pure genius for stealth—any non-tunnel HTTP request gets transparently forwarded to example.com. Your chisel server looks like a normal reverse proxy to casual inspection. Firewall administrators see standard HTTP traffic to a benign destination. Meanwhile, WebSocket upgrade requests initiate encrypted tunnels.
This pattern is perfect for PaaS deployments where you must share a port with a web application.
Example 2: Client Tunnel to Expose Remote Service Locally
# From the README demo section
$ chisel client https://chisel-demo.herokuapp.com 3000
# connects to chisel server at https://chisel-demo.herokuapp.com,
# tunnels your localhost:3000 to the server's localhost:3000
The remote syntax is local:remote by default. Here, 3000 is shorthand for 0.0.0.0:3000:0.0.0.0:3000/tcp. Your local machine's port 3000 now reaches the server's localhost:3000.
Critical insight: The Heroku demo runs a file server on :3000 that's normally firewalled. Through Chisel, you access it as if local. This demonstrates Chisel's core value proposition: making remote resources feel local, regardless of network topology.
Example 3: SOCKS5 Proxy Setup (Full Docker Workflow)
# Step 1: Generate server key
chisel server --keygen -
# or save it to disk --keygen /path/to/mykey
# Step 2: Start server with SOCKS5 enabled
docker run -d -p 9312:9312 jpillora/chisel server \
--keyfile '<ck-base64 string or file path>' \
-p 9312 \
--socks5
# Step 3: Connect client with fingerprint verification
chisel client \
--fingerprint '<see server output>' \
<server-address>:9312 \
socks
# Step 4: Configure applications to use SOCKS5 proxy
# <client-address>:1080
This is Chisel's most powerful pattern. The socks remote is special syntax—it doesn't forward a specific port but instead terminates at the server's internal SOCKS5 proxy. Your client becomes a local SOCKS5 endpoint (127.0.0.1:1080 by default), and every connection through it gets tunneled, encrypted, and egressed from the server.
Security note: The --fingerprint flag is strongly recommended because it pins the server's identity. Without it, you're vulnerable to MITM attacks on the initial connection.
Example 4: Reverse Tunnel for Exposing Local Services
# Server must be started with --reverse flag
chisel server --port 8080 --reverse
# Client creates reverse tunnel
chisel client https://server.example.com R:2222:localhost:22
Reverse syntax breakdown: R:2222:localhost:22 means "server listens on 2222, forwards to client's localhost:22." The R: prefix flips the direction.
Use case: Your laptop runs a development API on port 8080. You want your teammate to test it. Run chisel client https://your-vps.com R:8080:localhost:8080. Now your-vps.com:8080 reaches your laptop—no NAT traversal, no dynamic DNS.
Example 5: SSH Over Chisel (stdio Mode)
# From README client help documentation
ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \
user@example.com
This is advanced magic. The stdio:%h:%p remote tells Chisel to tunnel stdin/stdout to the remote host and port that SSH would normally connect to directly. %h and %p are SSH substitutions for target host and port.
Why this matters: Some networks block SSH entirely but allow HTTP. This command encapsulates SSH inside Chisel's HTTP tunnel—giving you shell access where it should be impossible. The SSH connection remains end-to-end encrypted (SSH inside Chisel's SSH), so you have double encryption with independent key exchanges.
Advanced Usage & Best Practices
Production Hardening
# Enable mutual TLS for client certificate authentication
chisel server \
--tls-key /etc/chisel/server.key \
--tls-cert /etc/chisel/server.crt \
--tls-ca /etc/chisel/ca.crt
# Client presents certificate
chisel client \
--tls-key /etc/chisel/client.key \
--tls-cert /etc/chisel/client.crt \
https://server.example.com 3000
Authentication File Format
{
"admin:secret123": [""],
"developer:devpass": ["^localhost:", "^10\\.0\\.0\\."],
"readonly:readpass": ["^10\\.0\\.0\\.100:80$"]
}
Regex-based access control per user. The empty string [""] grants full access. Patterns use Go regex syntax—anchor with ^ and $ for precision.
Keepalive Tuning
# Aggressive keepalive for flaky mobile networks
chisel client --keepalive 5s https://server.example.com 3000
# Disable keepalive on reliable LAN (slight latency reduction)
chisel client --keepalive 0s https://server.example.com 3000
Environment Variable Fallbacks
Chisel respects standard environment variables: HOST, PORT, CHISEL_KEY, CHISEL_KEY_FILE, AUTH. Perfect for 12-factor app deployments and secret management systems.
Comparison with Alternatives
| Feature | Chisel | ngrok | SSH Tunnel | WireGuard | frp |
|---|---|---|---|---|---|
| Single Binary | ✅ Yes | ❌ Client+service | ✅ OpenSSH | ❌ Kernel module | ✅ Yes |
| Self-Hosted | ✅ Free | ❌ Paid plans | ✅ Yes | ✅ Yes | ✅ Yes |
| HTTP Traversal | ✅ Native | ✅ Native | ❌ Blocked | ❌ UDP only | ⚠️ TCP only |
| Reverse Tunnels | ✅ Built-in | ✅ Paid feature | ✅ Manual | ❌ Complex | ✅ Yes |
| SOCKS5 Proxy | ✅ Built-in | ❌ No | ❌ Manual config | ✅ With setup | ✅ Limited |
| Auto-Reconnect | ✅ Exponential backoff | ✅ Yes | ❌ Manual | ✅ Yes | ⚠️ Basic |
| UDP Support | ✅ Yes | ❌ No | ❌ No | ✅ Yes | ✅ Yes |
| Memory Footprint | ~15MB | ~50MB+ | ~5MB | Kernel | ~20MB |
| License | MIT | Proprietary | OpenSSH | GPL | Apache |
The verdict? Chisel wins when you need self-hosted, HTTP-traversing tunnels with minimal resource usage. ngrok is simpler for quick public shares but costs money and phones home. WireGuard is faster for permanent infrastructure but fails on HTTP-only networks. SSH tunnels are familiar but lack auto-reconnect and SOCKS flexibility.
FAQ
Is Chisel secure for production use?
Yes. All connections use ECDSA encryption via crypto/ssh. Enable --fingerprint verification and --authfile authentication for defense in depth. For maximum security, add mutual TLS with --tls-ca, --tls-key, and --tls-cert.
Can Chisel tunnel UDP traffic?
Absolutely. Since version 1.7, Chisel supports UDP tunneling. Specify /udp in your remote: 1.1.1.1:53/udp tunnels DNS queries.
Does Chisel work behind corporate HTTP proxies?
Yes—this is Chisel's superpower. Use --proxy http://proxy.corp.com:8080 or --proxy socks://proxy.corp.com:1080 on the client. The HTTP CONNECT method tunnels through standard corporate proxies.
How does Chisel compare to VPN performance?
Chisel adds minimal overhead: HTTP framing plus SSH encryption. Benchmarks show near-native throughput for most applications. The single-connection multiplexing actually reduces overhead versus multiple TCP connections on high-latency links.
Can I run Chisel on Kubernetes?
Perfectly suited. Use the scratch-based Docker image as a sidecar container. Mount your key and auth files as secrets. The tiny footprint and lack of shell make it ideal for security-conscious clusters.
What about WebSocket support requirements?
Chisel requires WebSockets for its HTTP transport. All major IaaS providers support this. PaaS varies: Heroku ✅, OpenShift ✅ (ports 8080/8443), Google App Engine ❌.
Is there a Windows client?
Yes. Download the Windows binary from releases. The same single executable works on Windows, macOS, Linux, and FreeBSD.
Conclusion
Chisel represents a paradigm shift in network tunneling: maximum capability, minimum complexity. One binary. No dependencies. HTTP traversal. SSH security. Auto-reconnect. Reverse forwarding. SOCKS5 proxying.
Whether you're punching through a draconian corporate firewall, exposing local development servers, or building secure infrastructure access, Chisel delivers where alternatives falter.
The best part? It's completely free, open-source, and actively maintained. Jaime Pillora and contributors have built something that belongs in every developer's toolkit.
Stop fighting networks. Start tunneling smarter.
👉 Get Chisel now: github.com/jpillora/chisel
Star the repo, try the Heroku demo, and join the thousands of developers who've already made Chisel their secret networking weapon. Your future self—stuck in that airport lounge with only port 443 open—will thank you.