Portunus

Remote TCP and UDP forwarding with a Rust data plane, central control plane, RBAC, metrics, and QoS.

Remote TCP and UDP forwarding for teams that need more than a static port map. Run edge clients on remote hosts, push forwarding rules from a central server, and keep L4 traffic as byte passthrough while adding RBAC, metrics, audit logs, and traffic caps.

Just one host? The single-binary standalone forwarder runs the same data plane from a local TOML file — no server, no enrollment, no control plane.

Performance

Starting in v1.3.0, plain TCP rules with no bandwidth cap use a Linux kernel splice(2) fast path. On the same Linux host that produced the v0.11 baseline, single-flow uncapped throughput doubled from 9.9 Gbit/s to 21.9 Gbit/s (2.20×). An offered-load sweep through 20 Gbit/s tracks both direct iperf3 and iptables REDIRECT within iperf3 short-run noise — the v0.11 "Portunus saturates ≥ 12.5 Gbit/s" caveat disappears for uncapped TCP.

| Offered bandwidth | What to expect (v1.3.0) |
|---|---|
| 100 Mbit/s - 10 Gbit/s | Hits the offered rate. Indistinguishable from a direct iperf3 baseline. |
| 12.5 - 20 Gbit/s | With splice on, single-flow throughput stays within iperf3 noise of direct loopback and iptables REDIRECT (95-109 %). |
| Rate-limited rules | Bandwidth-capped rules stay on the canonical userspace path — metrics, counters, and audit byte-identical to v1.2.0. |

What it gives you

| Area | Capabilities |
|---|---|
| Forwarding | TCP and UDP rules, port ranges, DNS-name targets, multi-target failover. |
| L4 routing | TLS SNI routing without TLS termination, optional PROXY protocol headers. |
| Control plane | CLI, operator HTTP API, embedded Web UI, hot rule updates over pinned TLS. |
| Multi-tenancy | RBAC by user, client, protocol, and port range, with server-enforced ownership. |
| QoS | Per-rule and per-owner bandwidth, new-connection, and concurrent-flow caps. |
| Operations | Prometheus metrics, structured logs, audit trail, bundled SQLite, backup and restore. |

Where it fits

Use Portunus when you need centrally managed edge listeners, tenant-aware access control, observability, or per-owner quotas around plain L4 forwarding. For a single static rule on one Linux host where only peak throughput matters, kernel-space forwarding has a simpler, faster execution path. Want the Portunus data plane (port ranges, multi-target failover, PROXY protocol, splice) on a single host but none of the control plane? Reach for the standalone forwarder — the same forwarding code, driven entirely by a TOML file.

License

Licensed under the GNU Affero General Public License v3.0 (AGPL-3.0-only).
