Ghostunnel is a TLS proxy with mutual authentication support for securing non-TLS services. It sits in front of (or alongside) a backend service and handles the TLS layer, so the service itself never has to.
Accepts TLS connections and forwards them as plaintext to a backend. Terminate mutual TLS in front of services that don't speak it.
Accepts plaintext connections on a TCP or UNIX socket and forwards them over TLS to a remote service. Add client certificates to anything.
Enforces mutual TLS by requiring valid client certificates on every connection, with hostname verification and modern TLS defaults.
Restrict access based on certificate fields (e.g. SPIFFE ID), or write declarative authorization policies with Open Policy Agent.
Reload certificates without restarting via SIGHUP or timed reload intervals, enabling the use of short-lived certificates.
Load keys from PEM/PKCS#12 files, ACME (Let's Encrypt), hardware modules (PKCS#11), macOS Keychain, Windows Certificate Store, or SPIFFE Workload API.
Listeners and targets are restricted to localhost and UNIX sockets unless explicitly overridden, and Landlock sandboxing is enabled on Linux.
Ships as a single static Go binary with no runtime dependencies. Runs on Linux, macOS, Windows, and the BSDs.
Ghostunnel also supports PROXY protocol v2, has a status port with rich metrics, can be tuned with connection limits and timeouts, supports systemd/launchd socket activation, and more. See the docs for details.
See the Quick Start guide for installation, generating test certificates, and running your first tunnel. The full documentation is available under Docs. Pre-built binaries are available on the Releases page and via Docker. See Docker Images for available image variants.