rtc2tcp
Tunnel any TCP port over an end-to-end encrypted WebRTC DataChannel. No inbound ports, no VPN, no accounts. The broker only introduces peers — it never sees payload bytes.
```
# Pre-built, cosign-signed archives for Linux / macOS / Windows
# → https://github.com/haltman-io/rtc2tcp/releases/latest
# Or from source
go install github.com/haltman-io/rtc2tcp/cmd/rtc2tcp-peer@latest
go install github.com/haltman-io/rtc2tcp/cmd/rtc2tcp-broker@latest
```
Signature verification and platform notes: docs/install.md.
Two peers. Three commands. No config.
Expose the TCP service you want to share:
```
$ rtc2tcp-peer expose --target 127.0.0.1:22
Session credentials
  rendezvous token: jloh_XmGgi1HgUC3LWY7HA
  pairing secret  : N5mtwubpUlru9fyuOkf1Iw
  broker          : https://rtc.haltman.io/
  target          : 127.0.0.1:22
Run this on the connecting machine:
  rtc2tcp-peer connect rtc2tcp://jloh_XmGgi1HgUC3LWY7HA:N5mtwubpUlru9fyuOkf1Iw@rtc.haltman.io
```
Connect from anywhere — paste the printed command, pick a local port:
```
$ rtc2tcp-peer connect rtc2tcp://…@rtc.haltman.io --listen 127.0.0.1:2222
$ ssh -p 2222 root@localhost
```
That's the whole thing. The tunnel is end-to-end encrypted; the broker cannot read it.
| Goal | Expose | Connect |
|---|---|---|
| SSH into a box behind NAT | `rtc2tcp-peer expose -T 127.0.0.1:22` | `rtc2tcp-peer connect <url> -l 127.0.0.1:2222` → `ssh -p 2222 user@localhost` |
| Reach an internal HTTP admin panel | `rtc2tcp-peer expose -T 10.0.0.5:8080` | `rtc2tcp-peer connect <url> -l 127.0.0.1:8080` → `http://localhost:8080` |
| Access a Postgres / MySQL inside a VPC | `rtc2tcp-peer expose -T 10.0.0.12:5432` | `rtc2tcp-peer connect <url> -l 127.0.0.1:5432` → `psql -h localhost` |
| RDP to a Windows host | `rtc2tcp-peer expose -T 127.0.0.1:3389` | `rtc2tcp-peer connect <url> -l 127.0.0.1:3389` |
| Dynamic SOCKS5 proxy | `rtc2tcp-peer expose --socks5` | `rtc2tcp-peer connect <url> --socks5 -l 127.0.0.1:1080` → `curl -x socks5h://127.0.0.1:1080 …` |
Pin credentials instead of generating them each run — docs/pinning-credentials.md.
Both peers pass --socks5 to turn the tunnel into a dynamic proxy. No --target is required on the expose side — each SOCKS5 CONNECT request opens a new multiplexed DataChannel and the expose peer dials the requested host.
```
# expose side
$ rtc2tcp-peer expose --socks5
# connect side
$ rtc2tcp-peer connect rtc2tcp://… --socks5 --listen 127.0.0.1:1080
# any SOCKS5-aware client works
$ curl -x socks5h://127.0.0.1:1080 http://ifconfig.me
$ ssh -o ProxyCommand="nc -X 5 -x 127.0.0.1:1080 %h %p" user@targethost
```
Multiple connections are served concurrently over the same WebRTC session, one DataChannel per stream.
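What a SOCKS5 CONNECT request carries, as an added Go example (not rtc2tcp's own code): it decodes the RFC 1928 request a SOCKS5 listener receives and shows where a destination check could sit before the expose side dials the requested host. `ParseConnect`, `Permit` and the allow-list policy are hypothetical and are not rtc2tcp features; the request bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// ParseConnect decodes a SOCKS5 request (RFC 1928, section 4) and returns the
// destination host and port. Anything other than CMD=CONNECT is rejected.
func ParseConnect(req []byte) (host string, port int, err error) {
	if len(req) < 7 || req[0] != 5 || req[1] != 1 || req[2] != 0 {
		return "", 0, fmt.Errorf("not a SOCKS5 CONNECT request")
	}
	body, n := req[4:], 0
	switch req[3] { // ATYP
	case 1:
		n = net.IPv4len
	case 4:
		n = net.IPv6len
	case 3: // length-prefixed name, as sent by socks5h:// clients
		n, body = int(body[0]), body[1:]
	}
	if n == 0 || len(body) != n+2 {
		return "", 0, fmt.Errorf("malformed destination (ATYP %d)", req[3])
	}
	host = net.IP(body[:n]).String()
	if req[3] == 3 {
		host = string(body[:n]) // name is resolved by whoever dials it
	}
	return host, int(binary.BigEndian.Uint16(body[n:])), nil
}

// Permit is a hypothetical expose-side egress policy (not an rtc2tcp feature):
// IP literals must fall inside an allowed network, names must be listed.
func Permit(host string, nets []*net.IPNet, names map[string]bool) bool {
	ip := net.ParseIP(host)
	for _, n := range nets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return ip == nil && names[host]
}

func main() {
	req := append([]byte{5, 1, 0, 3, 11}, "db.internal\x15\x38"...) // constructed
	host, port, err := ParseConnect(req)
	fmt.Println(host, port, err, Permit(host, nil, map[string]bool{"db.internal": true}))
}
```

In SOCKS5 mode the destination is chosen by the connecting peer, so anyone holding the session credentials can reach whatever the expose host can reach.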
https://rtc.haltman.io/ is a free, public broker operated by haltman.io for community use and testing.
- Blind by design. It sees rendezvous tokens, ICE metadata, and nothing more. Payload is end-to-end encrypted between your peers.
- Best-effort, no SLA. Fine for ad-hoc use, demos, CI, and one-off support calls.
- Rate-limited per IP. If you need guaranteed capacity or you're shipping a product on top, self-host one.
- Defaults in the peer binaries already point at it — nothing to configure.
To opt out, pass --broker <your-url> or build with -ldflags "-X …DefaultBrokerURL=…" (docs/build.md).
This tool exists for research, education, administration, and legitimate remote access. Using it to commit crimes is not clever and not welcome.
The following are prohibited when using rtc.haltman.io:
- Ransomware, wipers, stalkerware, or any malware delivery
- Botnet command-and-control
- DDoS, reflection, amplification, or traffic laundering
- Fraud, phishing infrastructure, credential stuffing
- Unauthorised access to systems you don't own or have explicit written permission to reach
- Harassment, doxxing, or "revenge" operations
We do not host criminal operations. Valid abuse reports are reviewed. Confirmed abuse is terminated without notice.
Abuse reports: [email protected] (PGP key on haltman.io). Security vulnerabilities: see SECURITY.md.
Your responsibility, not ours. The software is offered under the LICENSE as-is.
Run your own in one command:
```
rtc2tcp-broker --listen :8080
```
For a production deploy behind Caddy, nginx, or Cloudflare Tunnel — with TLS, trusted-proxy rate limiting, and a systemd service — see:
- docs/reverse-proxy.md — Caddy, nginx, Cloudflare Tunnel worked examples.
- contrib/systemd/ — hardened unit + install.sh/uninstall.sh.
| Topic | File |
|---|---|
| Install (pre-built, from source, verify signatures) | docs/install.md |
| Build from source (ldflags, reproducible builds) | docs/build.md |
| Architecture (what the broker sees, package layout) | docs/architecture.md |
| Security overview (auth scheme, state machine, limits) | docs/security-overview.md |
| Reverse-proxy setup (Caddy, nginx, Cloudflare Tunnel) | docs/reverse-proxy.md |
| Pinning credentials (long-lived setups, env vars) | docs/pinning-credentials.md |
| All flags (peer + broker cheat sheet) | docs/flags.md |
| TURN relay configuration | docs/turn.md |
| Local development (run everything from source) | docs/development.md |
| Release pipeline (semver automation) | docs/releases.md |
| Wire protocol | PROTOCOL.md |
| Threat model | THREAT-MODEL.md |
| Security posture + vulnerability reporting | SECURITY.md |
| Authenticator design notes | docs/authenticator-design.md |
| Changelog | CHANGELOG.md |
- Telegram: t.me/haltman_group
- Issues / features: github.com/haltman-io/rtc2tcp/issues
- Security: SECURITY.md
- thc.org / @hackerschoice - @ohmymex
Built by haltman.io. Source: github.com/haltman-io/rtc2tcp.