TCP Tunnelling

TCP tunneling through Nabto enables clients to tunnel TCP traffic through a Nabto connection to and from the embedded device. This approach leverages the inherent peer-to-peer (P2P) security and efficiency of the Nabto connection, allowing for low-latency and firewall-bypassing data streaming, particularly beneficial for smart devices like video cameras.

The TCP Tunnel module uses the Authorization API to determine if actions are allowed on a given connection. An Authorization Request listener must therefore be configured when using TCP tunnelling. It is recomended to use the Nabto IAM module to handle Authorization Requests.

A TCP tunnel client first makes a CoAP request: GET /tcptunnels/connect/:serviceId - this will check that the given connection is authorized to create a connection to the specific TCP Service and return the StreamPort the client needs to use for that connection.

Later, when a TCP connection is made through the client, a new stream is created to the StreamPort obtained in the previous step. When this happens, the device makes another authorization request which again checks that the given connection is allowed to connect to the specific TCP Service.

The TCP tunnelling module has the following authorization actions:

TcpTunnel:ListServices  CoAP request to list services
TcpTunnel:GetService    CoAP request to get information for a specific service
TcpTunnel:Connect       See note below

Note on the TcpTunnel:Connect action: When used in the context of CoAP, it is used to test permissions for establishing a stream connection and to get information about the connection. When used in the context of Streaming, it is used to authorize an actual stream connection.

The TCP Tunnelling module has the following authorization attributes:

TcpTunnel:ServiceId   The id of the service.
TcpTunnel:ServiceType The type of the service.