TCP Tunnelling

TCP tunnelling allows clients to tunnel TCP traffic over a Nabto connection to the device. The TCP Tunnel module uses the Authorization API to determine if actions are allowed on a given connection. An Authorization Request listener must therefore be configured when using TCP tunnelling. It is recommended to use the Nabto IAM module to handle Authorization Requests.

A TCP tunnel client first makes a CoAP request: GET /tcptunnels/connect/:serviceId. The device checks that the given connection is authorized to create a connection to the specific TCP Service and returns the StreamPort the client needs to use for that connection.

Later, when a TCP connection is made through the client, a new stream is created to the StreamPort obtained in the previous step. When this happens, the device makes another authorization request which again checks that the given connection is allowed to connect to the specific TCP Service.

The TCP tunnelling module has the following authorization actions:

TcpTunnel:ListServices  CoAP request to list services
TcpTunnel:GetService    CoAP request to get information for a specific service
TcpTunnel:Connect       See note below

Note on the TcpTunnel:Connect action: When used in CoAP context, it is used to test permissions for establishing a stream connection and to get information about the connection. When used in Streaming context, it is used to authorize an actual stream connection.

The TCP Tunnelling module has the following authorization attributes:

TcpTunnel:ServiceId   The id of the service.
TcpTunnel:ServiceType The type of the service.
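
The two-step check described above, as an added example that is not Nabto SDK code: a small deny-by-default model showing why the stream-time TcpTunnel:Connect check matters when a permission is removed after the CoAP request has succeeded. The struct, function names, policies and the service ids "ssh" and "rtsp" are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policy statement: one action, optionally limited to one
   TcpTunnel:ServiceId (NULL means any service). */
struct statement { const char *action; const char *service_id; };

/* Constructed sample policies: a role before and after Connect is revoked. */
static const struct statement policy_full[] = {
    { "TcpTunnel:ListServices", NULL  },
    { "TcpTunnel:GetService",   "ssh" },
    { "TcpTunnel:Connect",      "ssh" },
};
static const struct statement policy_revoked[] = {
    { "TcpTunnel:ListServices", NULL  },
    { "TcpTunnel:GetService",   "ssh" },
};
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Deny by default: allow only when a statement matches the action and,
   if it names a service, the request's TcpTunnel:ServiceId attribute. */
bool authorize(const struct statement *p, size_t n,
               const char *action, const char *service_id)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(p[i].action, action) != 0) continue;
        if (p[i].service_id == NULL) return true;
        if (service_id && strcmp(p[i].service_id, service_id) == 0) return true;
    }
    return false;
}

enum outcome { DENIED_AT_COAP, DENIED_AT_STREAM, TUNNEL_OPEN };

/* Step 1 models the CoAP GET /tcptunnels/connect/:serviceId check; step 2
   models the check made when the stream to the StreamPort is created. */
enum outcome open_tunnel(const struct statement *c, size_t nc,
                         const struct statement *s, size_t ns, const char *id)
{
    if (!authorize(c, nc, "TcpTunnel:Connect", id)) return DENIED_AT_COAP;
    if (!authorize(s, ns, "TcpTunnel:Connect", id)) return DENIED_AT_STREAM;
    return TUNNEL_OPEN;
}

int main(void)
{   /* Connect is revoked between the CoAP request and the stream. */
    return open_tunnel(policy_full, LEN(policy_full), policy_revoked,
                       LEN(policy_revoked), "ssh") == DENIED_AT_STREAM ? 0 : 1;
}
```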