Nabto Edge TCP Tunnelling

The Nabto Edge platform supports TCP tunnelling, allowing TCP client applications to securely connect to remote TCP server applications on IoT devices sitting behind end-users’ firewalls.

This way of integrating Nabto is particularly useful if you want to add secure remote access capabilities to existing TCP client/server applications: Only minimal code changes as the existing TCP client just needs to connect to the local Nabto proxy TCP server started in the client application instead of the actual TCP server.

The concept is very similar to SSH tunnelling - Nabto just makes it much simpler to deploy and provides much finer grained access control.

Use Cases

  • Video: The majority of Nabto devices deployed in the field uses TCP tunnelling injected between an existing video player client and a TCP video streaming service such as an RTSP server on an IP camera or an NVR/DVR.
  • HTTP: Secure remote access to existing HTTP services is popular to provide remote access to especially admin applications. But also remote API access from a client app to a REST service on an IoT device is popular. With Nabto, you don’t need the hassle of browsers complaining about self-signed HTTPS certificates - you can use plain http on top of the secure Nabto layer.
  • SSH/telnet: You can use TCP tunnelling to access ssh or telnet services on deployed devices: Nabto ensures secure access to your devices, you only need to allow ssh/telnet access from localhost and use the Nabto authorization framework to control remote access.
  • Custom TCP protocols: You can tunnel any TCP based protocol, the Nabto tunnels just move encrypted bits between the endpoints.

Get Started

We provide SDK level support for clients and devices to easily integrate Nabto Edge TCP Tunnelling in your own solutions. We also provide production quality standalone applications built on top of the SDKs.

Step 1: Use Nabto Provided Standalone Apps

A typical workflow is to first use the ready-made applications for a proof-of-concept project to evaluate the platform: In both ends (client and embedded device) you just download, configure and run the existing applications. Your existing TCP client can then connect through the Nabto applications on the client and embedded device, respectively, to your existing TCP service. We have described this in the Tunnel Step-by-Step Buide.

Step 2: Client Integration Through SDK

After the quick evaluation, a typical next step is to integrate tighter on the client side: Instead of using a standalone tunnel application, the Nabto Edge Client SDK is integrated with the client application to start the tunnel endpoint.

The integration effort is still minimal; the existing client TCP client still just connects to the TCP endpoint spawned by Nabto Edge Client SDK. In this step, the embedded tunnel endpoint application as described above is typically still used.

Step 3: Embedded Device Integration Through SDK

As an optional final step, some customers prefer to further tailor the integration on the embedded device - in some scenarios this is mandatory, for instance for platforms where the standalone tunnel applications are not supported (this includes all RTOSes).

This means using the Nabto Embedded Edge SDK to start the Nabto TCP tunnel server endpoint - still a very simple exercise. In most production scenarios on higher level systems where the ready-made tunnel applications exist, these are typically used as-is for production purposes - or slightly modified for customer specific requirements.


A simple tunnel example application demonstrates Nabto Edge Tunnels: See the simple_tunnel example and its client counterpart.

The Nabto Embedded SDK also comes with a production ready tunnel application (as described above): The Nabto Edge Tunnel app. The embedded application can be used with the Nabto Edge Tunnel CLI client tool. Also see the thorough tunnel step-by-step guide.

Also see the general embedded examples section.