Skip to main content

Sharing TCP and UDP Servers

zrok includes support for sharing low-level TCP and UDP network resources using the tcpTunnel and udpTunnel backend modes.

As of version v0.4, zrok supports sharing TCP and UDP network resources using private sharing.

To share a raw network resource using zrok, you'll want to use the zrok share private command from your enable-d environment, like this:

$ zrok share private --backend-mode tcpTunnel 192.168.9.1:22

This will result in a share client starting, which looks like this:

╭───────────────────────────────────────────────────────────╮╭────────────────────╮
│ access your share with: zrok access private 5adagwfl888k ││[PRIVATE][TCPTUNNEL]│
╰───────────────────────────────────────────────────────────╯╰────────────────────╯
╭─────────────────────────────────────────────────────────────────────────────────╮
│ │
│ │
│ │
│ │
╰─────────────────────────────────────────────────────────────────────────────────╯

Then on the system where you want to access your shared resource (an SSH endpoint in this case), you'll need an enable-d zrok environment. Run the following command (shown in the banner at the top of the zrok share client above):

$ zrok access private 5adagwfl888k

This will start an access client on this system:

╭─────────────────────────────────────────────────────────────────────────────────╮
│ tcp://127.0.0.1:9191 -> 5adagwfl888k │
╰─────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────────────────────────────────────────────────────────╮
│ │
│ │
│ │
│ │
╰─────────────────────────────────────────────────────────────────────────────────╯

The access client shows the endpoint at the top where the service can be accessed. In this case, you'll want to connect your SSH client to 127.0.0.1:9191. We'll just use nc (netcat) to access the shared TCP port:

$ nc 127.0.0.1 9191
SSH-2.0-OpenSSH_9.2 FreeBSD-openssh-portable-9.2.p1,1

And both the share client and the access client show the traffic:

╭──────────────────────────────────────────────────────────╮╭─────────────────────╮
│ access your share with: zrok access private 5adagwfl888k ││[PRIVATE] [TCPTUNNEL]│
╰──────────────────────────────────────────────────────────╯╰─────────────────────╯
╭─────────────────────────────────────────────────────────────────────────────────╮
│Friday, 23-Jun-23 15:33:10 EDT ziti-edge-router │
│connId=2147483648, logical=ziti- │
│sdk[router=tls:ziti-lx:3022] -> ACCEPT 192.168.9.1:22 │
│ │
│ │
╰─────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────────────────────────────────────────────────────────╮
│ tcp://127.0.0.1:9191 -> 5adagwfl888k │
╰─────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────────────────────────────────────────────────────────╮
│Friday, 23-Jun-23 15:33:10 EDT 127.0.0.1:42312 -> ACCEPT 5adagwfl888k │
│ │
│ │
│ │
╰─────────────────────────────────────────────────────────────────────────────────╯

Exit the access client to remove the local access to the shared TCP port. Exit the share client to disable further accesses to the shared resource.

For UDP network resources just use the zrok share private --backend-mode udpTunnel instead of tcpTunnel.