The documentation is split by job. Read the quick start first if you are running the reference server. Read the protocol specification first if you are building a compatible client.
The net parameter selects which ingress transports listen on the configured
port. It does not restrict the Portal to one proxy payload type.
net value |
Listener | TCP proxy path | UDP proxy path |
|---|---|---|---|
tcp |
TLS/TCP | Dedicated authenticated connection | UoT on a dedicated authenticated connection |
udp |
QUIC/UDP | Bidirectional QUIC stream | QUIC DATAGRAM |
mix |
Both | Both paths | Both paths |
UoT uses the reserved request target uot.nowhere.invalid:0, followed by one
target setup frame and length-prefixed UDP packets. It is part of the v1 wire
protocol and requires no separate server option.
| Document | Scope |
|---|---|
| Quick start | Build, run, and smoke-check a local Portal. |
| Configuration reference | URL shape, query parameters, listener rules, TLS inputs, and examples. |
| Operations guide | Logging, event records, rate limits, runtime controls, shutdown, and deployment habits. |
| Security notes | Shared-key handling, TLS trust, authentication failure behavior, and exposure guidance. |
| Protocol specification | Normative v1 wire format, derivation, TCP, QUIC DATAGRAM, UoT, limits, and conformance checks. |
For operators:
For client authors:
For release maintainers:
- Quick start
- Operations guide
- The GitHub release workflow in
.github/workflows/release.yml
The docs use the same naming throughout:
Portalmeans this Rust server.clientmeans a peer that dials the Portal and opens target flows.shared keymeans the URL username after percent decoding.effective_specmeans the resolvedspecvalue after defaults.effective_alpnmeans the resolvedalpnvalue after defaults.UoTmeans the UDP-over-TCP packet path carried by one authenticated TLS/TCP connection.rateis client-to-target traffic.etaris target-to-client traffic.