Push-button DIY tunnel service. Run on your Raspberry Pi or VPS to create your own secure tunnel to access your devices from anywhere or simply to expose your localhost development to the outside world.
Go to file
Maciej Krüger eb36af8269 feat: Initial snapcraft configuration 2018-11-10 17:02:37 +01:00
admin add index.json 2018-06-15 22:53:30 +00:00
bin Show Bad Gateway rather than disconnect when south-end has gone missing. 2018-11-04 01:12:46 +00:00
dist/etc/systemd/system don't assume the use of /etc 2018-06-14 14:40:43 -06:00
examples update example config 2018-06-15 06:09:46 +00:00
installer de-hard-code TELEBIT_RELAY_PATH 2018-06-14 21:13:36 +00:00
lib touch device lastSeen on ws pong 2018-11-04 21:22:44 +00:00
snap feat: Initial snapcraft configuration 2018-11-10 17:02:37 +01:00
snippets fs cleanup 2016-09-30 18:03:41 -04:00
.gitignore feat: Initial snapcraft configuration 2018-11-10 17:02:37 +01:00
.jshintrc treat devices more like devices and less like domains 2018-08-20 19:45:13 +00:00
LICENSE turning into a service, first steps 2018-05-23 11:12:39 +00:00
README.md merge new features 2018-08-21 02:58:04 +00:00
package.json v0.20.0: use proxy-packer v2.x 2018-08-08 09:08:56 +00:00

README.md

Telebit Relay

Friends don't let friends localhost™

A server that works in combination with Telebit Remote to allow you to serve http and https from any computer, anywhere through a secure tunnel.

| Sponsored by ppl | Telebit Relay | Telebit Remote |

Features

  • Expose your bits even in the harshest of network environments
    • NAT, Home Routers
    • College Dorms, HOAs
    • Corporate Firewalls, Public libraries, Airports
    • and even Airplanes, yep
  • Automated HTTPS (Free SSL)

Install

Mac & Linux

Open Terminal and run this install script:

curl -fsSL https://get.telebit.cloud/relay | bash

Of course, feel free to inspect the install script before you run it.

This will install Telebit Relay to /opt/telebit-relay and put a symlink to /opt/telebit-relay/bin/telebit-relay in /usr/local/bin/telebit-relay for convenience.

You can customize the installation:

export NODEJS_VER=v10.2
export TELEBIT_RELAY_PATH=/opt/telebit-relay
curl -fsSL https://get.telebit.cloud/relay

That will change the bundled version of node.js is bundled with Telebit Relay and the path to which Telebit Relay installs.

You can get rid of the tos + email and server domain name prompts by providing them right away:

curl -fsSL https://get.telebit.cloud/relay | bash -- jon@example.com telebit-relay.example.com

Windows & Node.js

  1. Install node.js
  2. Open Node.js
  3. Run the command npm install -g telebit-relay

Note: Use node.js v8.x or v10.x

There is a bug in node v9.x that causes telebit-relay to crash.

Manually Install

git clone https://git.coolaj86.com/coolaj86/telebit-relay.js.git telebit-relay

# we're very picky to due to bugs in various versions of v8, v9, and v10
export NODEJS_VER="v10.2.1"

# We can keep everything self-contained
export NPM_CONFIG_PREFIX=/opt/telebit-relay
export NODE_PATH=/opt/telebit-relay/lib/node_modules

curl -fsSL https://bit.ly/node-installer | bash -s -- --no-dev-deps

pushd /opt/telebit-relay
  bin/node bin/npm install
  rsync -a examples/telebit-relay.yml etc/telebit-relay.yml
  rsync -a dist/etc/systemd/system/telebit-relay.service /etc/systemd/system/telebit-relay.service
popd

# IMPORTANT: Season the config file to taste
# IMPORTANT: change your email address and domain
edit /opt/telebit-relay/etc/telebit-relay.yml

adduser --home /opt/telebit-relay --gecos '' --disabled-password telebit >/dev/null 2>&1
sudo chown -R telebit:telebit /opt/telebit-relay/

systemctl daemon-reload
systemctl restart telebit-relay

systemctl status telebit-relay
journalctl -xefu telebit-relay

Usage

telebit-relay --config /opt/telebit-relay/etc/telebit-relay.yml

Options

/opt/telebit-relay/etc/telebit-relay.yml:

email: 'jon@example.com'       # must be valid (for certificate recovery and security alerts)
agree_tos: true                # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
community_member: true         # receive infrequent relevant but non-critical updates
telemetry: true                # contribute to project telemetric data
secret: ''                     # JWT authorization secret. Generate like so:
                               # node -e "console.log(crypto.randomBytes(16).toString('hex'))"
servernames:                   # hostnames that direct to the Telebit Relay admin console
  - telebit-relay.example.com
  - telebit-relay.example.net
vhost: /srv/www/:hostname      # securely serve local sites from this path (or false)
                               # (uses template string, i.e. /var/www/:hostname/public)
greenlock:
  store: le-store-certbot      # certificate storage plugin
  config_dir: /opt/telebit-relay/etc/acme    # directory for ssl certificates

Security

The bottom line: As with everything in life, there is no such thing as anonymity or absolute security. Only use Telebit Relays that you trust or self-host. :D

Even though the traffic is encrypted end-to-end, you can't just trust any Telebit Relay willy-nilly.

A man-in-the-middle attack is possible using Let's Encrypt since an evil Telebit Relay would be able to complete the http-01 challenges without a problem (since that's where your DNS is pointed when you use the service).

Also, the traffic could still be copied and stored for decryption is some era when quantum computers exist (probably never).

Why?

We created this for anyone to use on their own server or VPS, but those generally cost $5 - $20 / month and so it's probably cheaper to purchase data transfer, which is only $1/month for most people.

In keeping with our no lock-in policy, we release a version of the server for anyone to use independently.

TODO show how to do on

* Node WS Tunnel (zero setup)
* Heroku (zero cost)
* Chunk Host (best deal per TB/month)

Useful Tidbits

As a systemd service

./dist/etc/systemd/system/telebit-relay.service should be copied to /etc/systemd/system/telebit-relay.service.

The user and group telebit should be created.

Use privileged ports without sudo

# Linux
sudo setcap 'cap_net_bind_service=+ep' $(which node)

API

The authentication method is abstract so that it can easily be implemented for various users and use cases.

// bin/telebit-relay.js
state.authenticate()                  // calls either state.extensions.authenticate or state.defaults.authenticate
                                      // which, in turn, calls Server.onAuth()

state.extensions = require('../lib/extensions');
state.extensions.authenticate({
  state: state                        // lib/relay.js in-memory state
, auth: 'xyz.abc.123'                 // arbitrary token, typically a JWT (default handler)
})

// lib/relay.js
Server.onAuth(state, srv, rawAuth, validatedTokenData);