Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


When a corkscrew just isn't enough...


Crowbar overview

Crowbar is an EXPERIMENTAL tool that allows you to establish a secure circuit with your existing encrypting TCP endpoints (an OpenVPN setup, an SSH server for forwarding...) when your network connection is limited by a Web proxy that only allows basic port 80 HTTP connectivity.

Crowbar will tunnel TCP connections over an HTTP session using only GET and POST requests. This is in contrast to most tunneling systems that reuse the CONNECT verb. It also provides basic authentication to make sure nobody who stumbles upon the server steals your proxy to order drugs from Silkroad.


  • Establishes TCP connections via a proxy server using only HTTP GET and POST requests
  • Authenticates users from an authentication file
  • Will probably get you fired if you use this in an office setting

Security & Confidentiality

Crowbar DOES NOT PROVIDE ANY DATA CONFIDENTIALITY. While the user authentication mechanism protects from replay attacks to establish connectivity, it will not prevent someone from MITMing the later connection transfer itself, or from MITMing whole sessions. So, yeah, make sure to use it only tunnel an SSH or OpenVPN server, and firewall off most outgoing connections on your proxy server (ie. only allow access to an already publicly-available SSH server)

The authentication code and crypto have not been reviewed by cryptographers. I am not a cryptographer. You should consider this when deploying Crowbar.

Known bugs

The crypto can be improved vastly to enable server authentication and make MITMing more difficult. It could also use a better authentication setup to allow the server to keep password hashes instead of plaintext.

The server should include some filtering functionality for allowed remote connections.

The server lacks any cleanup functions and rate limiting, so it will leak both descriptors and memory - this should be fixed soon.

Is it any good?

Eh, it works. I'm not an experienced Golang programmer though, so the codebase is probably butt-ugly.


BSD 2-clause, 'nuff said.


Binary releases

Release and snapshot binaries can be downloaded from this project's Github Releases page.

Server setup

This assumes you're using Linux. If not, you're on your own.

Set up an user for the service

useradd -rm crowbar
mkdir /etc/crowbar/
chown crowbar:crowbar /etc/crowbar

Create an authentication file - a new-line delimited file containing username:password pairs.

touch /etc/crowbar/userfile
chown crowbar:crowbar /etc/crowbar/userfile
chmod 600 /etc/crowbar/userfile
echo -ne "q3k:supersecurepassword\n1337h4xx0r:canttouchthis" >> /etc/crowbar/userfile

Set up an iptables rule to forward traffic from the :80 port to :8080, where the server will be running. Replace eth0 with your public network interface.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-port 8080

Run the daemon in screen/tmux or write some unit files for your distribution:

crowbard -userfile=/etc/crowbar/userfile

Client setup

This assumes you're running Linux on your personal computer. If not, you're on your own.

Crowbar will honor the de-facto standard HTTP_PROXY env var on Linux:


For netcat-like functionality:

crowbar-forward -local=- -username q3k -password secret -server -remote

For port-forwarding:

crowbar-forward -local= -username q3k -password secret -server -remote &
nc 1337

For SSH ProxyCommand integration, place this in your .ssh/config, and then SSH into as usual:

    ProxyCommand crowbar-forward -local=- -username q3k -password secret -server -remote %h:%p

Building from source

I assume you have a working $GOPATH.

go get

crowbar-forward and crowbard will be in $GOPATH/bin.


Tunnel TCP over a plain HTTP session (warning: mediocre Go code)







No packages published