English | 简体中文
Lightweight HTTP-over-SSH proxy written in Go, designed to be cross-platform and easy to deploy.
gotun is a command-line HTTP-over-SSH proxy. It establishes an SSH connection to a remote host and uses that host as the egress point for HTTP(S) traffic. Local HTTP requests are forwarded through the SSH tunnel and executed from the remote host.
Typical use cases:
- Accessing routers, servers, APIs and other resources in a private network
- Reaching networks that are only visible from a specific host (bastion/jump host, corporate network, isolated segments, etc.)
- Using the remote host as an outbound HTTP proxy
Your machine Firewall/NAT Internal network
┌─────────┐ ┌─────────┐ ┌─────────────┐
│ │ ❌ direct │ │ │ Router │
│ PC │ ─────────────▶ │ FW/NAT │ │ NAS │
│ │ blocked │ │ │ Servers │
└─────────┘ └─────────┘ └─────────────┘
Your machine SSH (tcp/22) Bastion Internal network
┌─────────┐ ┌─────────────┐ ┌─────────┐ ┌─────────────┐
│ │ HTTP │ gotun HTTP │ SSH tunnel │ │ internal │ Router │
│ PC │ ◀──────▶ │ proxy │◀──────────────▶│ Bastion │◀────────────▶│ NAS │
│ │ └─────────────┘ │ │ │ Servers │
└─────────┘ └─────────┘ └─────────────┘
↑
└─ HTTP proxy set to 127.0.0.1:8080
| Traditional approach | With gotun |
|---|---|
| Manual port forwards per service | One SSH tunnel for all HTTP(S) traffic |
| Multiple ports exposed on the bastion | No extra open ports; uses existing SSH only |
| Hard to manage multiple mappings | Single proxy endpoint |
| Easy to accidentally expose internal hosts | All traffic stays inside an encrypted SSH tunnel |
- No additional software required on the remote host (only SSH)
- All traffic is carried over an SSH tunnel
- Can reach any address that the remote host can reach (including internal addresses)
- Supports single and multi-hop SSH jump hosts
- Cross-platform: Windows, Linux, macOS
- Can be used as a system HTTP proxy (optional)
- Rule-based traffic splitting via configuration file
- Shell completion support for Bash, Zsh, Fish, PowerShell
- Structured logging and verbose mode for debugging
curl -fsSL https://raw.githubusercontent.com/Sesame2/gotun/main/scripts/install.sh | shThe script installs gotun into ~/.local/bin or /usr/local/bin.
Make sure that directory is included in your PATH.
brew install gotunDownload the appropriate binary for your platform from the
Releases page.
git clone https://github.com/Sesame2/gotun.git
cd gotun
make buildThe binary will be placed under build/.
With Go 1.17+:
go install github.com/Sesame2/gotun/cmd/gotun@latestNote: when installing via
go install, the--versionoutput may not include an exact version number, as it depends on build-time metadata. For reproducible version information, prefer the install script, Homebrew, or release binaries.
Ensure $GOBIN or $GOPATH/bin is on your PATH.
# Basic: connect to an SSH server and start an HTTP proxy
gotun user@example.com
# Use a non-default SSH port
gotun -p 2222 user@example.com
# Use a specific private key
gotun -i ~/.ssh/id_rsa user@example.com
# Change local proxy listen address/port
gotun --listen :8888 user@example.com
# Disable automatic system proxy configuration
gotun --sys-proxy=false user@example.comBy default, gotun listens on 127.0.0.1:8080 (unless changed by --listen).
In your browser’s proxy settings:
- HTTP proxy host:
127.0.0.1 - HTTP proxy port:
8080(or the port you configured)
If system proxy support is enabled, some platforms can be configured automatically.
| Flag | Short | Description | Default |
|---|---|---|---|
--listen |
-l |
Local HTTP proxy bind address | :8080 |
--port |
-p |
SSH server port | 22 |
--pass |
SSH password (not recommended; use interactively) | ||
--identity_file |
-i |
Private key file path | |
--jump |
-J |
Comma-separated jump hosts (user@host:port) |
|
--target |
Optional target network scope/coverage | ||
--timeout |
SSH connection timeout | 10s |
|
--verbose |
-v |
Enable verbose logging | false |
--log |
Log file path | stdout | |
--sys-proxy |
Enable automatic system proxy configuration | true |
|
--rules |
Path to routing rules configuration file |
Run gotun --help for the full list of options.
Assume jumpserver.company.com can reach 192.168.1.100 inside a private network:
gotun admin@jumpserver.company.comOnce running and proxy is configured, you can browse:
http://192.168.1.100:8080- Other HTTP(S) endpoints reachable from the jumpserver
You need to reach a remote dev environment (APIs, DB, etc.) from your local machine:
# Verbose logging and custom listen port
gotun --listen :8888 -v developer@dev-server.comIf you do not want gotun to modify system proxy settings:
gotun --sys-proxy=false --listen :8888 -v developer@dev-server.comThen configure your IDE or tooling to use 127.0.0.1:8888 as HTTP proxy.
gotun user@proxy-server.comAll (or selected) HTTP(S) traffic will exit from the remote server’s network.
When the final target is only reachable via one or more intermediate hosts, you can configure jump hosts.
Your machine SSH Tunnel Jump Host SSH Tunnel Target Host
┌─────────┐ ┌───────────┐ ┌──────────┐ ┌───────────┐ ┌──────────┐
│ │ 🔐 │ │ 🔐 │ │ 🔐 │ │ 🌐 │ │
│ PC │◀───────▶│ gotun tun │◀───────▶│ Bastion │◀───────▶│ gotun tun │◀───────▶│ Target │
│ │ HTTP │ (encrypt) │ │ │ │ (encrypt) │ │ │
└─────────┘ └───────────┘ └──────────┘ └───────────┘ └──────────┘
gotun -J user1@jump.host.com user2@target.server.comTraffic flow:
PC → SSH to jump.host.com → SSH to target.server.com → HTTP request
gotun -J user1@jump1.com,user2@jump2.com user3@target.comgotun will establish nested SSH tunnels through each hop in order.
# Explicit key
gotun -i ~/.ssh/id_rsa user@example.com
# Rely on default keys in ~/.ssh
gotun user@example.com# Interactive (recommended over CLI flags)
gotun user@example.com
# gotun will prompt for the password
# Non-interactive (not recommended)
gotun --pass 'yourpassword' user@example.comAvoid passing passwords directly on the command line when possible.
By default (--sys-proxy=true), gotun attempts to:
- Capture the current system proxy settings
- Set the system HTTP proxy to its local listening address (e.g.
127.0.0.1:8080) - Restore the original settings on exit
If you prefer to manage proxy settings yourself, run:
gotun --sys-proxy=false user@example.comPlatform notes:
- macOS: uses
networksetup - Windows: uses registry-based proxy configuration
- Linux: attempts to use desktop settings (e.g. GNOME) and/or environment variables where applicable
gotun can read a Clash-style YAML rules file to decide which traffic is sent via the SSH proxy and which goes directly.
This is useful when you need:
- Direct access to local or corporate networks
- Proxy only for selected destinations (e.g. external services)
rules.yaml:
mode: rule
rules:
# Direct access for internal domains and networks
- DOMAIN-SUFFIX,internal.company.com,DIRECT
- IP-CIDR,10.0.0.0/8,DIRECT
- IP-CIDR,192.168.0.0/16,DIRECT
- DOMAIN-SUFFIX,cn,DIRECT
- DOMAIN-SUFFIX,qq.com,DIRECT
# Specific domains via proxy
- DOMAIN-SUFFIX,google.com,PROXY
- DOMAIN-SUFFIX,github.com,PROXY
# Everything else via proxy
- MATCH,PROXYStart gotun with the rules file:
gotun --rules ./rules.yaml user@your_ssh_server.comRequests will be matched from top to bottom; the first matching rule applies.
# Enable verbose logs
gotun -v user@example.com
# Log to a file
gotun -v --log ./gotun.log user@example.comCheck:
- SSH connectivity (
ssh user@example.com) - Firewall or security groups
- Correct key/port/jump configuration
On some systems, changing system proxy settings requires elevated privileges:
# macOS / Linux
sudo gotun user@example.com
# Windows: run cmd/PowerShell as Administrator
gotun.exe user@example.comIf this is not acceptable, disable system proxy management and configure proxy settings manually:
gotun --sys-proxy=false user@example.comImplemented:
- HTTP proxy
- HTTPS tunneling via
CONNECT - SSH key-based authentication
- Interactive password authentication
- Optional automatic system proxy configuration
- Cross-platform support (Windows/Linux/macOS)
- Verbose logging and log file output
- CLI flags and subcommands
- Single and multi-hop jump host support
- Rule-based routing
- Shell completion for common shells
Planned:
- RDP gateway support
- Tray/GUI frontend
- Export/import of configuration profiles
- SOCKS5 proxy support
- Connection pooling and performance tuning
- Traffic statistics and basic monitoring
This project is licensed under the MIT License.