Nabto Edge TCP Tunnelling

The Nabto Edge platform supports TCP tunnelling, allowing TCP client applications to securely connect to remote TCP server applications on IoT devices sitting behind end-users’ firewalls.

This way of integrating Nabto is particularly useful if you want to add secure remote access capabilities to existing TCP client/server applications: Only minimal code changes as the existing TCP client just needs to connect to the local Nabto proxy TCP server started in the client application instead of the actual TCP server.

The concept is very similar to SSH tunnelling - Nabto just makes it much simpler to deploy and provides much finer grained access control.

Note: The Nabto TCP server running locally on the client cannot distinguish TCP connections from your existing application and any other applications running on the localhost. If the host running the client cannot be trusted, application level authentication on top of your TCP connection is needed (e.g., RTSP or HTTP basic auth). Or integration through low level Nabto Edge Streams can be used instead (much more complex integration).

Nabto Edge TCP Tunnelling is implemented on top of Nabto Edge Streams: Instead of integrating at the Stream API level, application integration takes place by connecting an existing TCP client to the tunnel - much simpler but less tight integration.

Explainer Video

Use Cases

  • Video: The majority of Nabto devices deployed in the field uses TCP tunnelling injected between an existing video player client and a TCP video streaming service such as an RTSP server on an IP camera or an NVR/DVR.
  • HTTP: Secure remote access to existing HTTP services is popular to provide remote access to especially admin applications. But also remote API access from a client app to a REST service on an IoT device is popular. With Nabto, you don’t need the hassle of browsers complaining about self-signed HTTPS certificates - you can use plain http on top of the secure Nabto layer.
  • SSH/telnet: You can use TCP tunnelling to access ssh or telnet services on deployed devices: Nabto ensures secure access to your devices, you only need to allow ssh/telnet access from localhost and use the Nabto authorization framework to control remote access.
  • Custom TCP protocols: You can tunnel any TCP based protocol, the Nabto tunnels just move encrypted bits between the endpoints.

Get Started

We provide SDK level support for clients and devices to easily integrate Nabto Edge TCP Tunnelling in your own solutions. We also provide production quality standalone applications built on top of the SDKs.

Step 1: Use Nabto Provided Standalone Apps

A typical workflow is to first use the ready-made applications for a proof-of-concept project to evaluate the platform: In both ends (client and embedded device) you just download, configure and run the existing applications. Your existing TCP client can then connect through the Nabto applications on the client and embedded device, respectively, to your existing TCP service. We have described this in the Tunnel Step-by-Step Guide.

For video streaming scenarios to a mobile phone, we have specific quick-start guides for iOS and Android with ready-to-use apps.

Step 2: Client Integration Through SDK

After the quick evaluation, a typical next step is to integrate tighter on the client side: Instead of using a standalone tunnel application, the Nabto Edge Client SDK is integrated with the client application to start the tunnel endpoint.

The integration effort is still minimal; the existing client TCP client still just connects to the TCP endpoint spawned by Nabto Edge Client SDK. In this step, the embedded tunnel endpoint application as described above is typically still used.

Step 3: Embedded Device Integration Through SDK

As an optional final step, some customers prefer to further tailor the integration on the embedded device - in some scenarios this is mandatory, for instance for platforms where the standalone tunnel applications are not supported (this includes all RTOSes).

This means using the Nabto Embedded Edge SDK to start the Nabto TCP tunnel server endpoint - still a very simple exercise. In most production scenarios on higher level systems where the ready-made tunnel applications exist, these are typically used as-is for production purposes - or slightly modified for customer specific requirements.

Also see the client side tunnel integration guide with code examples. It describes tunnelling to an RTSP server, but all code samples and instructions apply for any TCP service (ie, just configure a different TCP service than RTSP, e.g. HTTP or SSH).


In addition to the full commandline tunnel app and the video demo apps for iOS and Android, we provide a simple tunnel example application demonstrates Nabto Edge Tunnels: See the simple_tunnel example and its client counterpart.

Also see the general embedded examples section.