DEV.co
Open-Source Security · ph4ntonn

Stowaway

Stowaway is a multi-hop proxy tool written in Go, designed for penetration testers to route external traffic through multiple internal network nodes, bypassing access restrictions and building tree-structured proxy networks. It supports encrypted tunneling, SOCKS5/HTTP proxying, SSH tunneling, and file transfer across chained nodes.

Source: GitHub — github.com/ph4ntonn/Stowaway
3.4k
GitHub stars
441
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryph4ntonn/Stowaway
Ownerph4ntonn
Primary languageGo
LicenseMIT — OSI-approved
Stars3.4k
Forks441
Open issues6
Latest releasev2.2 (2024-03-29)
Last updated2026-03-03
Sourcehttps://github.com/ph4ntonn/Stowaway

What Stowaway is

Go-based proxy framework enabling multi-stage network traversal via TCP/HTTP/WebSocket transports with TLS and AES-256-GCM encryption, node authentication, SSH tunneling, remote shell access, and dynamic port forwarding/reuse. Supports Linux, macOS, Windows, MIPS, and ARM platforms.

Quickstart

Get the Stowaway source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ph4ntonn/Stowaway.gitcd Stowaway# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Authorized penetration testing with network segmentation

Tunneling through multiple firewalled segments to reach isolated internal services during authorized security assessments, with encrypted node-to-node communication and command history.

Red team infrastructure and simulation

Building resilient multi-hop command-and-control topologies with automatic reconnection, heartbeat keep-alives, and socks5 proxying for team-wide traffic routing through compromised nodes.

CTF competitions requiring network pivoting

Quick deployment of chained proxy nodes on CTF platforms to pivot through staged challenges, with minimal binary size (25% reduction vs v1.0) and support for port reuse to blend into existing services.

Implementation considerations

  • All nodes (admin and agents) must share the same encryption key (-s parameter); key derivation, rotation, or multi-key scenarios are not documented.
  • Port reuse on Linux (iptables mode) requires root privileges and manual iptables cleanup if agent is killed with -9; SO_REUSEPORT mode is less reliable on Linux than Windows/macOS.
  • Upstream and downstream protocol (TCP/HTTP/WS) must match between connected nodes; protocol mismatch breaks communication. HTTP mode is half-duplex and not compatible with nginx reverse proxies.
  • Agent reconnection is enabled per-node via --reconnect flag; no global reconnection policy or circuit breaker. Network instability may cause cascade reconnection storms.
  • TLS and AES-256-GCM encryption are mutually exclusive; enabling TLS disables AES. Verify your transport choice aligns with threat model and firewall inspection requirements.

When to avoid it — and what to weigh

  • Production systems without explicit written authorization — README explicitly disclaims liability for any non-authorized or illegal use. Tool is designed for offensive testing; deployment without signed rules of engagement creates legal and operational risk.
  • Defensive/monitoring-focused security operations — Stowaway is offensive-oriented (red team, pentest). If you need network monitoring, IDS/IPS, or defensive proxy management, choose defensive-centric platforms instead.
  • Environments requiring formal audit trails and compliance logging — No clear documentation of built-in audit logging, compliance reporting, or integration with SIEM/centralized logging. Manual logging configuration required; not designed for regulated (HIPAA, PCI, SOC2) contexts.
  • Teams unfamiliar with Go, network protocols, or proxy concepts — Requires hands-on expertise in TCP/UDP, SOCKS5, TLS, SSH tunneling, and potentially iptables/SO_REUSEPORT mechanics. Steep learning curve; best suited for experienced security engineers.

License & commercial use

MIT License (MIT). Permissive open-source license permitting commercial use, modification, and distribution with attribution and no warranty.

MIT License permits commercial use. However, the README includes a liability disclaimer stating the tool is for 'network security research and teaching only' and explicitly forbids 'any illegal use.' Distributors and users are responsible for ensuring all use is authorized and compliant with applicable law. Requires review of internal legal/compliance policy before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

Stowaway supports TLS (with configurable SNI/domain for certificate validation) and AES-256-GCM encryption for inter-node traffic. Node authentication is implicit (shared symmetric key). No documented key rotation, forward secrecy, or resistance to replay attacks beyond TLS. AES-256-GCM is industry-standard, but absence of perfect forward secrecy, certificate pinning options, or public-key infrastructure suggests threat model is lighter adversaries. Shared symmetric key across all nodes is a single point of failure. No documented hardening against timing attacks, side-channel leaks, or cryptanalysis. For high-assurance operations, conduct independent security review.

Alternatives to consider

Metasploit Framework (Meterpreter multi-stage pivoting)

Integrated payload generation, agent staging, and multi-hop proxying; mature forensics and logging; but proprietary, heavier footprint, less flexible for custom network topologies.

Chisel (lightweight Go tunneler)

Simpler binary, single-hop focus, easy SOCKS5 setup; good for quick proxying but lacks multi-hop tree management, node authentication, and admin console that Stowaway provides.

Ligolo-ng (modern multi-hop tunneler)

Designed for multi-hop pivoting with web UI, automatic routing, and cleaner UX; newer project, less battle-tested, smaller community than Stowaway.

Software development agency

Build on Stowaway with DEV.co software developers

Stowaway provides encrypted node chaining, dynamic proxying, and admin console management. Evaluate licensing, security requirements, and network complexity with your team before deployment. Contact us to discuss integration with your security framework.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

Stowaway FAQ

Can I use Stowaway without explicitly shared encryption keys (-s parameter)?
Yes, communication defaults to unencrypted if -s is omitted. However, this is not recommended in any adversarial context; always set a strong -s value for all nodes.
How do I prevent Stowaway agents from auto-reconnecting, for stealth?
Do not set the --reconnect flag on agents. Agents without --reconnect will exit if the parent node drops; those without it persist and re-listen on the original port.
Is Stowaway detectable by intrusion detection systems?
No detailed documentation on IDS/WAF evasion. TLS and WebSocket modes may bypass some signatures; raw TCP is identifiable. Conduct network behavior analysis and log monitoring in your threat model.
Can I use Stowaway in a Docker container or Kubernetes cluster?
Unknown. No documented examples or guidance for containerization. Port reuse (iptables mode) may not work in container namespaces; networking must be reviewed per environment.

Custom software development services

From first prototype to production, DEV.co delivers software development services around tools like Stowaway. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Need secure multi-hop tunneling for authorized penetration tests?

Stowaway provides encrypted node chaining, dynamic proxying, and admin console management. Evaluate licensing, security requirements, and network complexity with your team before deployment. Contact us to discuss integration with your security framework.