derptun 0.1.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/README.md +27 -13
  2. package/package.json +1 -1
  3. package/vendor/aarch64-apple-darwin/derptun/derptun +0 -0
  4. package/vendor/aarch64-unknown-linux-musl/derptun/derptun +0 -0
  5. package/vendor/x86_64-apple-darwin/derptun/derptun +0 -0
  6. package/vendor/x86_64-unknown-linux-musl/derptun/derptun +0 -0
package/README.md CHANGED
@@ -8,6 +8,7 @@ It supports:
8
8
  - text, file, and directory transfer with `send` and `receive`
9
9
  - local TCP service sharing with `share` and `open`
10
10
  - SSH access exchange with `ssh invite` and `ssh accept`
11
+ - durable TCP tunnels with the companion `derptun` package
11
12
 
12
13
  `derphole` uses the public Tailscale [DERP](#what-is-derp) relay network for rendezvous and relay fallback. It is **not** affiliated with Tailscale, does **not** require a Tailscale account or tailnet, and does **not** use `tailscaled` for transport.
13
14
 
@@ -34,7 +35,7 @@ Session tokens carry authorization, and receive-code flows resolve into the same
34
35
 
35
36
  ## Quick Start
36
37
 
37
- `listen` receives bytes and prints a token. `pipe` sends stdin into that token. `share` and `open` use the same token shape for local TCP services.
38
+ `listen` receives bytes and prints a token. `pipe` sends stdin into that token. `share` and `open` use the same token shape for local TCP services. Use `derptun` when the service needs a reusable token and longer-lived tunnel.
38
39
 
39
40
  ### Stream a Raw File
40
41
 
@@ -151,32 +152,42 @@ npx -y derphole@latest open <token> 127.0.0.1:8080
151
152
 
152
153
  ### Durable SSH Tunnels with `derptun`
153
154
 
154
- `derptun` is the durable TCP tunnel companion to `derphole`. Use it when a host is behind NAT and you want a stable token you can reuse for days instead of a one-hour, session-scoped share token.
155
+ `derptun` is the durable TCP tunnel companion to `derphole`. Use it when `serverhost` is behind NAT and you want a stable server credential that can survive process restarts.
155
156
 
156
- On the target host:
157
+ On `serverhost`:
157
158
 
158
159
  ```bash
159
- npx -y derptun@latest token --days 7 > alpha.token
160
- npx -y derptun@latest serve --token "$(cat alpha.token)" --tcp 127.0.0.1:22
160
+ npx -y derptun@latest token server > server.dts
161
+ npx -y derptun@latest token client --token "$(cat server.dts)" > client.dtc
162
+ npx -y derptun@latest serve --token "$(cat server.dts)" --tcp 127.0.0.1:22
161
163
  ```
162
164
 
163
- On the client:
165
+ Copy only `client.dtc` to `clienthost`.
166
+
167
+ On `clienthost`:
164
168
 
165
169
  ```bash
166
- npx -y derptun@latest open --token "$(cat alpha.token)" --listen 127.0.0.1:2222
167
- ssh -p 2222 foo@127.0.0.1
170
+ npx -y derptun@latest open --token "$(cat client.dtc)" --listen 127.0.0.1:2222
171
+ ssh -p 2222 user@127.0.0.1
168
172
  ```
169
173
 
170
174
  For SSH without a separate local listener, use `ProxyCommand`:
171
175
 
172
176
  ```sshconfig
173
- Host alpha-derptun
174
- HostName alpha
177
+ Host serverhost-derptun
178
+ HostName serverhost
175
179
  User foo
176
- ProxyCommand derptun connect --token ~/.config/derptun/alpha.token --stdio
180
+ ProxyCommand derptun connect --token ~/.config/derptun/client.dtc --stdio
177
181
  ```
178
182
 
179
- `derptun` keeps trying when the network path drops, and it can reconnect while both `derptun` processes stay alive. If either process exits, the token can bring the tunnel back, but an already-open TCP session is gone. Use `tmux` or `screen` on the remote host when shell continuity matters.
183
+ The server token is secret serving authority. Keep it on the serving machine or in its secret manager. The client token can connect until it expires, but it cannot serve or mint more tokens.
184
+
185
+ Server tokens default to 180 days. Client tokens default to 90 days and cannot outlive their server token. Set a relative lifetime with `--days`, or use an absolute expiry:
186
+
187
+ ```bash
188
+ npx -y derptun@latest token server --expires 2026-05-01T00:00:00Z > server.dts
189
+ npx -y derptun@latest token client --token "$(cat server.dts)" --expires 2026-04-25T00:00:00Z > client.dtc
190
+ ```
180
191
 
181
192
  The first `derptun` release is TCP-only. UDP forwarding is planned for use cases like Minecraft Bedrock servers, but it is not part of this release.
182
193
 
@@ -186,6 +197,7 @@ Use the development channel for the latest commit from `main`:
186
197
 
187
198
  ```bash
188
199
  npx -y derphole@dev version
200
+ npx -y derptun@dev version
189
201
  ```
190
202
 
191
203
  By default, `listen`, `pipe`, `send`, `receive`, `share`, and `open` keep transport status quiet. `listen` and `share` print tokens, `open` prints the local listening address, and `send` / `receive` print the receiver command or code needed to complete the transfer. Known-size transfers show wormhole-shaped progress on stderr. Use `--hide-progress` to suppress the progress bar. Use `--verbose` to see state transitions like `connected-relay` and `connected-direct`:
@@ -219,6 +231,7 @@ DERP provides **rendezvous** and **relay fallback**. If the term is new, see [Wh
219
231
  The data plane is selected per session:
220
232
 
221
233
  - `share/open` uses multiplexed QUIC streams over `derphole`'s relay/direct UDP transport, so one claimed session can carry many independent TCP connections to the shared service.
234
+ - `derptun` uses a stable tunnel token and the same relay/direct UDP transport to carry reconnectable TCP streams. It is built for longer-lived access, such as SSH to a host behind NAT.
222
235
  - `listen/pipe` uses a one-shot byte stream. By default, `derphole` coordinates through DERP, promotes to rate-adaptive direct UDP when traversal succeeds, and stays on encrypted relay fallback when no direct path is available.
223
236
  - `send/receive` wraps the same one-shot stream with text, file, directory, and progress metadata.
224
237
 
@@ -259,12 +272,13 @@ In practice: move bytes early, keep them moving through relay if needed, then sh
259
272
 
260
273
  ## Security Model
261
274
 
262
- The session token is a **bearer capability**. Anyone with the token can claim the session until it expires, so share it over a trusted channel. Tokens expire after one hour.
275
+ Tokens are **bearer capabilities**. Anyone with a token can claim the matching session or tunnel until it expires, so share tokens over a trusted channel. `derphole` session tokens expire after one hour. `derptun` server tokens default to 180 days and can mint shorter-lived client tokens; client tokens default to 90 days and cannot serve.
263
276
 
264
277
  DERP relays do **not** get the secret material needed to read or impersonate the session:
265
278
 
266
279
  - On the default `listen/pipe` and `send/receive` direct UDP path, payload packets are encrypted and authenticated with session AEAD derived from the token bearer secret.
267
280
  - On `share/open`, stream traffic uses authenticated QUIC streams for the claimed session.
281
+ - On `derptun`, stream traffic uses authenticated QUIC streams pinned to the stable tunnel identity in the token.
268
282
  - If packets are relayed through DERP, DERP only forwards encrypted session bytes.
269
283
 
270
284
  Important security property: `derphole` does not trade speed for plaintext shortcuts:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "derptun",
3
- "version": "0.1.0",
3
+ "version": "0.9.0",
4
4
  "license": "BSD-3-Clause",
5
5
  "bin": {
6
6
  "derptun": "bin/derptun.js"