Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Cheat Sheet

From attacker/server start listening on 9090:
./chisel server -p 9090 --reverse
From client/target:
# listen on 80, forward to localhost:80
./chisel client {server ip}:9090 R:80:
# listen on 3000, forward to
./chisel client {server ip}:9090 R:3000:
# listen on 4242, forward to
./chisel client {server ip}:9090 R:4242:
# create SOCKS5 listener on default port (1080), proxy through client
./chisel client {server ip}:9090 R:socks
0xdf's guide is pretty good for a deep understanding of chisel:


--help flag:
# ./chisel --help
Usage: chisel [command] [--help]
Version: 1.7.7 (go1.17.6)
server - runs chisel in server mode
client - runs chisel in client mode
Read more:


--help flag:
# ./chisel server --help
Usage: chisel server [options]


--help flag:
# ./chisel client --help
Usage: chisel client [options] <server> <remote> [remote] [remote] ...
<server> is the URL to the chisel server.
<remote>s are remote connections tunneled through the server, each of
which come in the form:
■ local-host defaults to (all interfaces).
■ local-port defaults to remote-port.
■ remote-port is required*.
■ remote-host defaults to (server localhost).
■ protocol defaults to tcp.
which shares <remote-host>:<remote-port> from the server to the client
as <local-host>:<local-port>, or:
which does reverse port forwarding, sharing <remote-host>:<remote-port>
from the client to the server's <local-interface>:<local-port>.
example remotes
When the chisel server has --socks5 enabled, remotes can
specify "socks" in place of remote-host and remote-port.
The default local host and port for a "socks" remote is Connections to this remote will terminate
at the server's internal SOCKS5 proxy.
When the chisel server has --reverse enabled, remotes can
be prefixed with R to denote that they are reversed. That
is, the server will listen and accept connections, and they
will be proxied through the client which specified the remote.
Reverse remotes specifying "R:socks" will listen on the server's
default socks port (1080) and terminate the connection at the
client's internal SOCKS5 proxy.
When stdio is used as local-host, the tunnel will connect standard
input/output of this program with the remote. This is useful when
combined with ssh ProxyCommand. You can use
ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \
to connect to an SSH server through the tunnel.