RPort Technology Explained

What happens behind the scenes

How does RPort work?

Client-Server that overcomes NAT

RPort is based on a client-server principle. There is a central server. The clients connect to this server. This ensures that the server can always reach its clients, even if they change their IP address or are behind a NAT.

SSH through HTTP

Clients establish their connection via HTTP. The use of HTTP proxies is supported. Within the HTTP connection, an SSH connection is established from the client to the server. Thus, the entire communication is encrypted. Proxies must allow HTTP CONNECT. Consequently, encryption happens at the application level and not at the transport level.

The client must know the fingerprint of the server before the connection is established. If the fingerprint does not match the server, the client refuses the connection. This prevents a possible man-in-the-middle attack.

The statically compiled client has all SSH libraries on board. It does not access SSH program files in the operating system.

Control Channel

Once the SSH connection tunneled through HTTP is established, the client and server establish a so-called control channel based on web sockets. Through this channel, the server can send commands to the client. Whether and how the client passes commands to the operating system or a shell can be specified in great detail in the client configuration. For example, the user can . only allow a service to be restarted or updates to be applied. Under Unix, this requires additional Sudo rules. The client has its own unprivileged user and does not run with root privileges.

Tunneling for remote access from anywhere

If the user wants to access a TCP port this client, for example port 22 for SSH or 3389 for the remote desktop, the server instructs the client to establish a reverse tunnel. This also happens via SSH through HTTP. This makes local ports of the clients available on the server. The ports forwarded in this way are protected by default with an access control list. Only the user who initiated the tunnel can use it. ACLs can be adjusted or disabled per tunnel. This allows services such as a web server to be shared on the Internet when systems are located behind NAT routers.

Tunnels are not limited to localhost. Any client can forward a remote TCP port to the server. This gives access to browser-based configurations of printers, NAS devices, routers or switches.

RESTful API and a user interface based on modern vue.js

The RPort server is controlled via REST API. Since each client gets its own REST endpoint, the clients also become controllable via REST. This makes numerous automation use cases possible.

RPort also comes with a modern web interface. This allows the customer to conveniently manage their entire infrastructure.

RPort client and server are developed in Golang and are licensed under MIT. Ready-to-use binaries are available for download for all major operating systems.