A cryptographically secure TCP tunnel

How do I install saltunnel?

To install from source: $ sudo apt install libsodium-dev libsodium23 # Debian/Ubuntu
$ sudo dnf install libsodium-devel libsodium-static # RedHat/Fedora
$ git clone
$ cd saltunnel
$ sh
$ ./configure
$ make
$ sudo make install

How do I use it?

First, you'll need to generate a long-term key. This key must be 32 uniform random bytes, and you must copy it to both the client and server machines. You may generate the key any way you like, and place it anywhere you like. But in this example, we'll place our key at ~/.saltunnel/k, and we'll generate it and transfer it (which involves manually re-typing the key) using the following commands:

# ---- First machine ----
$ mkdir ~/.saltunnel/k
$ saltunnel key generate ~/.saltunnel/k
$ saltunnel key export ~/.saltunnel/k
# ---- Second machine ----
$ mkdir ~/.saltunnel/k
$ saltunnel key import ~/.saltunnel/k

Next, you can establish a tunnel. Continuing the "Clyde and Steve" example from the Introduction page, we want to end up with the following:

To get there, Clyde will need to run:

saltunnel client -k ~/.saltunnel/k

...and Steve will need to run:

saltunnel server -k ~/.saltunnel/k

Finally, Steve will need to configure his network to forward port 1025 to his computer.

That's it. Now, when Clyde establishes a TCP connection on his local port 80, all of the data within that connection will be securely authenticated, encrypted, and forwarded as a new connection to Steve's port 1025, which will in turn be verified, decrypted, and forwarded to Steve's local port 80.