npipe is a cross-platform (Windows / Linux / macOS) secure tunneling and proxy tool written in Rust. It securely forwards multiplexed TCP/UDP traffic to remote hosts over encrypted tunnels, with rich proxy protocol support and a web management dashboard.
- Multi-protocol Proxy
- TCP / UDP port forwarding (local & remote)
- SOCKS5 proxy server (local & remote)
- HTTP proxy server (local & remote)
- Multiple Transports (compile-time selectable)
tcp— Standard TCPkcp— Low-latency KCPws— WebSocket (firewall traversal)quic— QUIC / HTTP3 (fast handshake)
- Security
- TLS encrypted transport (optional)
- Per-tunnel encryption (Xor, etc.) + LZ4 compression
- Web Dashboard (actix-web + Vue.js)
- User & tunnel management
- Real-time online status monitoring
- Windows Service: Client can be registered as a system service for auto-start
- Non-npipe Traffic Forwarding: Transparently forward non-npipe traffic to other programs (e.g., Nginx)
- Multiple Databases: SQLite (default) / MySQL
npipe/
├── np_base/ # Core library (networking, proxy, encryption)
├── np_proto/ # Protocol definitions (Protobuf)
├── np_server/ # Server
├── np_client/ # Client
└── npipe-admin/ # Web admin frontend (Vue 3)
Ensure the Rust toolchain is installed (stable recommended).
# Build all components (with KCP / WebSocket / QUIC)
cargo build --release
# Build with TCP support only (minimal binary size)
cargo build --release --no-default-features --features tcpCross-compilation: The project includes
Cross.tomlfor use with cross.
The server reads config.json from the current directory by default. Use -c to specify an alternative path.
{
"database_url": "sqlite://data.db?mode=rwc",
"listen_addr": "tcp://0.0.0.0:8118,kcp://0.0.0.0:8118,ws://0.0.0.0:8119,quic://0.0.0.0:8119",
"illegal_traffic_forward": "",
"illegal_traffic_forward_rules": [
{
"name": "http-to-nginx",
"match_expr": "http",
"target": "127.0.0.1:80"
},
{
"name": "tls-to-https",
"match_expr": "tls",
"target": "127.0.0.1:443"
}
],
"enable_tls": false,
"tls_cert": "./cert.pem",
"tls_key": "./server.key.pem",
"web_base_dir": "./dist",
"web_addr": "0.0.0.0:8120",
"web_enable_tls": false,
"web_tls_cert": "./web-cert.pem",
"web_tls_key": "./web-key.pem",
"web_tls_auto_self_signed": false,
"web_cookie_secure": false,
"web_username": "admin",
"web_password": "admin@1234",
"transport_max_connections_per_player": 16,
"transport_idle_timeout_secs": 60,
"quiet": false,
"log_dir": "logs"
}| Option | Description | Example |
|---|---|---|
database_url |
Database connection URL | sqlite://data.db?mode=rwcmysql://user:pass@host:3306/dbname |
listen_addr |
Server listen addresses, comma-separated | tcp://0.0.0.0:8118,kcp://0.0.0.0:8118,ws://0.0.0.0:8119 |
enable_tls |
Enable TLS | true / false |
tls_cert |
TLS certificate file path | ./cert.pem |
tls_key |
TLS private key file path | ./server.key.pem |
web_base_dir |
Web frontend static files directory (empty to disable) | ./dist |
web_addr |
Web dashboard listen address | 0.0.0.0:8120 |
web_enable_tls |
Enable HTTPS for the web dashboard directly | true / false |
web_tls_cert |
Web dashboard HTTPS certificate path | ./web-cert.pem |
web_tls_key |
Web dashboard HTTPS private key path | ./web-key.pem |
web_tls_auto_self_signed |
Auto-generate a temporary self-signed certificate when cert is empty | true / false |
web_cookie_secure |
Force Secure flag on session cookies; recommended when behind HTTPS reverse proxy | true / false |
web_username |
Web admin username (empty to disable web dashboard) | admin |
web_password |
Web admin password (empty to disable web dashboard) | admin@1234 |
transport_max_connections_per_player |
Max forward connections/streams per user; 0 = single-connection mode |
0 / 4 / 8 |
transport_idle_timeout_secs |
Forward connection idle timeout (seconds); 0 = never close |
60 |
illegal_traffic_forward |
Forward non-npipe traffic to this address (empty to discard) | 127.0.0.1:80 |
illegal_traffic_forward_rules |
Traffic forwarding rules array (see detailed explanation below) | See example |
quiet |
Quiet mode, suppress log output | true / false |
log_dir |
Log output directory | logs |
- QUIC requires TLS: QUIC mandates encryption by design. If
listen_addrcontains aquic://address,enable_tlsmust betruewith validtls_certandtls_key, otherwise the QUIC listener will fail to start. - Transport multi-connection: Server
transport_max_connections_per_playerdefaults to16; client--transport-max-connectionsdefaults to16. If either side is0, single-connection mode is used; when both are > 0, the smaller value wins. Client--transport-min-connections(default4) controls the minimum pre-warmed connections after login; idle cleanup will not drop below this value. QUIC uses multiple streams on one QUIC connection; TCP / KCP / WebSocket use multiple forward connections. - Mixed protocols: TCP / KCP / WebSocket can run without TLS, but enabling TLS is recommended in production.
- Web dashboard HTTPS:
web_enable_tlsonly controls the web dashboard and is independent of the tunnel service'senable_tls; bothweb_tls_certandweb_tls_keymust be configured when enabled. - Temporary self-signed certificate: If
web_enable_tlsistruebutweb_tls_cert/web_tls_keyare not configured, setweb_tls_auto_self_signedtotrueto auto-generate a temporary self-signed certificate. Browsers will show an untrusted certificate warning; recommended only for testing. - HTTPS reverse proxy: If the browser accesses the dashboard via an HTTPS proxy (e.g., Nginx) while
np_servercommunicates with the proxy over HTTP, setweb_cookie_securetotrueso session cookies are only sent over HTTPS. - Disabling web dashboard: If any of
web_username,web_password, orweb_addris empty, the web dashboard is automatically disabled.
When the server receives non-npipe protocol traffic, it can forward to a single address via illegal_traffic_forward, or use illegal_traffic_forward_rules to match and dispatch to different targets by traffic type.
Each rule has three fields:
| Field | Description |
|---|---|
name |
Rule name (for identification) |
match_expr |
Match expression (see syntax below) |
target |
Target address to forward to |
match_expr syntax:
| Expression | Description | Example |
|---|---|---|
http |
Detect HTTP method prefix (GET/POST/PUT/DELETE etc) | "http" |
tls |
Detect TLS ClientHello (0x16 0x03 prefix) |
"tls" |
any |
Catch-all, always matches | "any" |
prefix:<hex> |
Hex byte prefix match | "prefix:1603" (i.e. TLS) |
prefix:str:<s> |
String prefix match | "prefix:str:GET " |
regex:<pattern> |
Regular expression match | `"regex:^(GET |
Note: Rules are matched in array order; first match wins. If
illegal_traffic_forwardis also configured, it acts as a catch-all (any) rule appended after allillegal_traffic_forward_rules.
Example configuration:
{
"illegal_traffic_forward_rules": [
{
"name": "http-to-nginx",
"match_expr": "http",
"target": "127.0.0.1:80"
},
{
"name": "tls-to-https",
"match_expr": "tls",
"target": "127.0.0.1:443"
},
{
"name": "rdp",
"match_expr": "prefix:0300",
"target": "192.168.1.100:3389"
}
]
}# Use default config file
np_server
# Specify config file
np_server -c /etc/npipe/config.json
# Show help
np_server --helpUsage: np_server [OPTIONS]
Options:
-b, --backtrace <BACKTRACE> Print backtrace info [default: false]
-c, --config-file <CONFIG_FILE> Config file path [default: config.json]
--log-level <LOG_LEVEL> Log level [default: info]
--base-log-level <BASE_LOG_LEVEL> Base library log level [default: error]
-h, --help Print help
-V, --version Print version
np_client run --server tcp://your-server:8118 --username user1 --password pass123Multiple server addresses can be specified; the client will cycle through them on reconnection:
np_client run \
--server "tcp://server1:8118,kcp://server2:8118" \
--username user1 \
--password pass123 \
--transport-max-connections 4 \
--transport-min-connections 2 \
--transport-idle-timeout-secs 60 \
--enable-tls \
--ca-cert ./root-ca.pemUsage: np_client run [OPTIONS] --server <SERVER> --username <USERNAME> --password <PASSWORD>
Options:
-s, --server <SERVER> Server address (comma-separated, round-robin reconnect)
-u, --username <USERNAME> Username
-p, --password <PASSWORD> Password
--enable-tls Enable TLS
--tls-server-name <NAME> TLS SNI server name (optional)
--insecure Skip server certificate verification (not recommended)
--ca-cert <CA_CERT> CA certificate file path
--transport-max-connections <N> Max forward connections/streams; 0 = single-connection mode [default: 16]
--transport-min-connections <N> Min connections to keep alive (pre-warmed); 0 = no warm-up [default: 4]
--transport-idle-timeout-secs <SECS> Forward connection idle timeout in seconds [default: 60]
--log-level <LOG_LEVEL> Log level [default: info]
--base-log-level <BASE_LOG_LEVEL> Base library log level [default: error]
--log-dir <LOG_DIR> Log directory [default: logs]
--quiet Quiet mode, suppress log output
--backtrace <BACKTRACE> Print backtrace info [default: false]
-h, --help Print help
Run the following commands in an elevated command prompt to register the client as a Windows system service:
:: Install service
np_client.exe install --server tcp://your-server:8118 --username user1 --password pass123
:: Start service
sc.exe start "np_client"
:: Stop service
sc.exe stop "np_client"
:: Uninstall service
np_client.exe uninstallThe project includes a certificate generation script for creating self-signed CA and server certificates:
./generate-certificate.shGenerated files:
| File | Purpose |
|---|---|
root-ca.pem |
Root CA certificate (client trust) |
root-ca.key.pem |
Root CA private key |
cert.pem |
Server certificate |
server.key.pem |
Server private key |
The web dashboard is built with Vue 3 + Vite, source code in npipe-admin/.
# Install dependencies
cd npipe-admin
npm install
# Development mode
npm run dev
# Production build (output to dist/)
npm run buildConfigure the build output directory in the server's web_base_dir, then access http://<server-ip>:<web_port> to open the dashboard.
This project is open-sourced under the LICENSE.
- Project homepage: https://github.com/tkzcfc/npipe