A fast, resilient tunneling layer for bridging entry and exit servers across hostile networks.

GitHub · Channel · Contact · 🇮🇷 فارسی

Phormal connects an entry node (restricted uplink, e.g. Iran) to an exit node (clean foreign uplink), then publishes your service ports on the entry public IP — users never connect to the exit directly.

Every path breaks differently: some drop UDP, some pass only TCP, some barely let anything through but ICMP. Instead of betting on one method, Phormal ships six independent tunnel products, tests each one against your real path, and tells you which to use.

Every product is multi-tunnel: many named instances per server, each with its own config, ports, and service unit.

flowchart LR
  subgraph users [End users]
    C[Client]
  end
  subgraph entry [Entry — Iran]
    E[Published ports]
  end
  subgraph link [Phormal link]
    T[Bridge / Relay / Reverse / GRE / Echo / Raw]
  end
  subgraph exit [Exit — Kharej]
    X[Your service]
  end
  C --> E --> T --> X

Run on both servers (entry and exit):

curl -fsSL https://raw.githubusercontent.com/Schmi7zz/Phormal/main/phormal.sh -o phormal.sh && sed -i 's/\r$//' phormal.sh && chmod +x phormal.sh && sudo ./phormal.sh

After the first run, Phormal installs a global command:

sudo phormal
# or simply
phormal

Always run this first when pairing a new Iran ↔ Kharej set.

• Tests every product with real bidirectional traffic across your actual path.
• Needs SSH access to the peer (key preferred; password also works — prompted once).
• One direction only: this host → peer. Phormal never opens SSH back from the peer.
• Prints a PASS / FAIL table with a confidence rating, maps each passing product to its menu block, and recommends a BEST CHOICE.

Peer SSH host / port / user are remembered in /etc/phormal/phormal.conf.

Re-run it whenever you add a new peer or the network behavior changes — then just follow the BEST CHOICE.

Roles: add the exit on the Kharej server first, then the entry on the Iran server.

Each Manage submenu lists instances and offers restart, stop, logs, edit ports, delete, etc.

Exit (Kharej) — menu 6

1. Name the tunnel, pick a link port (UDP, e.g. 8531).
2. Note the auth + obfuscation passwords.
3. Open the firewall: ufw allow 8531/udp
4. Run your service on the user port (e.g. 5151).

Entry (Iran) — menu 7

1. Enter the exit IP, the same link port, the same passwords.
2. Enter the user ports to publish.

Users connect to Iran IP : user port.

A Phormal Bridge link is point-to-point: one exit link per Iran peer.

• Exit — menu 2: name, IPs, note the bridge key.
• Entry — menu 3: matching key, transport, user ports.

Path test SSH fails

• Use key auth, or be ready to type the peer root password when prompted.
• Test manually: ssh root@PEER_IP echo OK

Relay clients time out

• Users must use the entry IP + user port, not the exit IP or link port.
• Restart the exit first, then the entry.

View logs

# everything Phormal, live
journalctl -u 'phormal-*' -f

# a single product
journalctl -u 'phormal-relay@*' -f
journalctl -u 'phormal-core@*' -f

curl -fsSL https://raw.githubusercontent.com/Schmi7zz/Phormal/main/phormal.sh -o /usr/local/bin/phormal && sed -i 's/\r$//' /usr/local/bin/phormal && chmod +x /usr/local/bin/phormal && sudo phormal

• Author: Schmi7z
• Channel: @SchmitzWS
• Contact: @Schmi7zz

GPL-3.0 — see LICENSE.