quicssh-rs-robust
| Crates.io | quicssh-rs-robust |
| lib.rs | quicssh-rs-robust |
| version | 0.1.6-dev |
| created_at | 2026-01-07 06:28:54.900224+00 |
| updated_at | 2026-01-07 06:28:54.900224+00 |
| description | A stabilized fork of quicssh-rs - QUIC proxy for SSH with enhanced network compatibility. WARNING: By default, QUIC certificate verification is disabled for ease of use; use at your own risk or enable verification with proper certificates. |
| homepage | https://github.com/hkatsuma/quicssh-rs-robust |
| repository | https://github.com/hkatsuma/quicssh-rs-robust |
| max_upload_size | |
| id | 2027615 |
| size | 109,081 |
Hidetoshi Katsumata (hkatsuma)
documentation
README
quicssh-rs-robust
This is a fork of oowl/quicssh-rs focused on stabilization and robustness for production use.
Fork Purpose
This fork aims to stabilize quicssh-rs for reliable SSH-over-QUIC connections in diverse network environments.
Key Modifications
- Configurable MTU Upper Bound: Control MTU discovery via
--mtu-upper-boundoption- Default: Uses Quinn's default (1452 bytes) for standard networks
--mtu-upper-bound safety: Conservative 1200 bytes per RFC 9000 §14.1 and RFC 8899 §5.1.2- Ensures compatibility with VPN tunnels (Tailscale, WireGuard) and IPv6 minimum MTU (RFC 8200)
- Prevents UDP packet rejection on constrained network interfaces
- Custom values: Specify any numeric MTU (e.g.,
--mtu-upper-bound 1300)
- Fixed Linux MTU Discovery: Corrected
cfgcondition to properly enable MTU discovery on Linux
About quicssh-rs
:smile: quicssh-rs is a QUIC proxy that allows to use QUIC to connect to an SSH server without needing to patch the client or the server.
quicssh-rs is quicssh rust implementation. It is based on quinn and tokio
Why use QUIC? Because SSH is vulnerable in TCP connection environments, and most SSH packets are actually small, so it is only necessary to maintain the SSH connection to use it in any network environment. QUIC is a good choice because it has good weak network optimization and an important feature called connection migration. This means that I can switch Wi-Fi networks freely when remote, ensuring a stable SSH connection.
Demo
Why not mosh?
Because the architecture of mosh requires the opening of many ports to support control and data connections, which is not very user-friendly in many environments. In addition, vscode remote development does not support mosh.
⚠️ Security Notice
IMPORTANT: By default, this tool disables QUIC certificate verification for ease of use with self-signed certificates. This is acceptable for most SSH use cases because:
- SSH itself provides end-to-end encryption and host key verification
- The QUIC layer acts as a transport tunnel, similar to TCP
- The primary risk is DNS/IP spoofing leading to potential traffic analysis (not plaintext exposure)
However, you should be aware that:
-
Without QUIC certificate verification, an attacker who can spoof DNS or hijack IP routing could:
- Intercept encrypted traffic for future decryption attempts
- Perform traffic analysis (timing, packet sizes)
- Set up a man-in-the-middle position (though SSH host key verification would still protect the session)
-
To eliminate this risk, you can:
- Plan: use a future
--verify-certflag with proper TLS certificates (not implemented yet; not available in current releases) - Deploy in trusted network environments only
- Rely on SSH's host key verification as the primary security layer
- Plan: use a future
Recommendation: For sensitive environments, consider implementing certificate verification or using SSH's built-in security features (host key pinning, certificate authentication) as your primary defense.
Architecture
Standard SSH connection
┌───────────────────────────────────────┐ ┌───────────────────────┐
│ bob │ │ wopr │
│ ┌───────────────────────────────────┐ │ │ ┌───────────────────┐ │
│ │ ssh user@wopr │─┼────tcp──────┼▶│ sshd │ │
│ └───────────────────────────────────┘ │ │ └───────────────────┘ │
└───────────────────────────────────────┘ └───────────────────────┘
SSH Connection proxified with QUIC
┌─────────────────────────────────────┐ ┌───────────────────────┐
│ bob │ │ wopr │
│ ┌─────────────────────────────────┐ │ │ ┌───────────────────┐ │
│ │ssh -o ProxyCommand= │ │ │ │ sshd │ │
│ │ "quicssh-rs-robust client │ │ │ └───────────────────┘ │
│ │ quic://%h:4433" user@wopr │ │ │ ▲ │
│ └─────────────────────────────────┘ │ │ │ │
│ │ │ │ │ │
│ process │ │ tcp to localhost:22 │
│ │ │ │ │ │
│ ▼ │ │ │ │
│ ┌─────────────────────────────────┐ │ │ ┌───────────────────┐ │
│ │quicssh-rs-robust client │─┼─quic (udp)─▶│ │quicssh-rs-robust │ │
│ │ wopr:4433 │ │ │ │ server │ │
│ └─────────────────────────────────┘ │ │ └───────────────────┘ │
└─────────────────────────────────────┘ └───────────────────────┘
Usage
$ quicssh-rs-robust -h
A simple ssh server based on quic protocol
Usage: quicssh-rs-robust <COMMAND>
Commands:
server Server
client Client
help Print this message or the help of the given subcommand(s)
Options:
--log <LOG_FILE> Location of log, Default if
--log-level <LOG_LEVEL> Log level, Default Error
-h, --help Print help
-V, --version Print version
Client
$ quicssh-rs-robust client -h
Client
Usage: quicssh-rs-robust client [OPTIONS] <URL>
Arguments:
<URL> Server address
Options:
-b, --bind <BIND_ADDR> Client address
--mtu-upper-bound <MTU_UPPER_BOUND>
MTU upper bound: numeric value (e.g., 1200) or "safety" for RFC-compliant 1200 bytes
-h, --help Print help
-V, --version Print version
Client SSH Config
╰─$ cat ~/.ssh/config
Host test
HostName test.test
User root
Port 22333
ProxyCommand /path/to/quicssh-rs-robust client quic://%h:%p
╰─$ ssh test
Last login: Mon May 1 13:32:15 2023 from 127.0.0.1
Server
$ quicssh-rs-robust server -h
Server
Usage: quicssh-rs-robust server [OPTIONS]
Options:
-l, --listen <LISTEN> Address to listen on [default: 0.0.0.0:4433]
-p, --proxy-to <PROXY_TO> Address of the ssh server
-F, --conf <CONF_PATH>
--mtu-upper-bound <MTU_UPPER_BOUND>
MTU upper bound: numeric value (e.g., 1200) or "safety" for RFC-compliant 1200 bytes
-h, --help Print help
-V, --version Print version
