Stowaway
Stowaway is a multi-hop proxy tool written in Go, designed for penetration testers to route external traffic through multiple internal network nodes, bypassing access restrictions and building tree-structured proxy networks. It supports encrypted tunneling, SOCKS5/HTTP proxying, SSH tunneling, and file transfer across chained nodes.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ph4ntonn/Stowaway |
| Owner | ph4ntonn |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 3.4k |
| Forks | 441 |
| Open issues | 6 |
| Latest release | v2.2 (2024-03-29) |
| Last updated | 2026-03-03 |
| Source | https://github.com/ph4ntonn/Stowaway |
What Stowaway is
Go-based proxy framework enabling multi-stage network traversal via TCP/HTTP/WebSocket transports with TLS and AES-256-GCM encryption, node authentication, SSH tunneling, remote shell access, and dynamic port forwarding/reuse. Supports Linux, macOS, Windows, MIPS, and ARM platforms.
Get the Stowaway source
Clone the repository and explore it locally.
git clone https://github.com/ph4ntonn/Stowaway.gitcd Stowaway# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- All nodes (admin and agents) must share the same encryption key (-s parameter); key derivation, rotation, or multi-key scenarios are not documented.
- Port reuse on Linux (iptables mode) requires root privileges and manual iptables cleanup if agent is killed with -9; SO_REUSEPORT mode is less reliable on Linux than Windows/macOS.
- Upstream and downstream protocol (TCP/HTTP/WS) must match between connected nodes; protocol mismatch breaks communication. HTTP mode is half-duplex and not compatible with nginx reverse proxies.
- Agent reconnection is enabled per-node via --reconnect flag; no global reconnection policy or circuit breaker. Network instability may cause cascade reconnection storms.
- TLS and AES-256-GCM encryption are mutually exclusive; enabling TLS disables AES. Verify your transport choice aligns with threat model and firewall inspection requirements.
When to avoid it — and what to weigh
- Production systems without explicit written authorization — README explicitly disclaims liability for any non-authorized or illegal use. Tool is designed for offensive testing; deployment without signed rules of engagement creates legal and operational risk.
- Defensive/monitoring-focused security operations — Stowaway is offensive-oriented (red team, pentest). If you need network monitoring, IDS/IPS, or defensive proxy management, choose defensive-centric platforms instead.
- Environments requiring formal audit trails and compliance logging — No clear documentation of built-in audit logging, compliance reporting, or integration with SIEM/centralized logging. Manual logging configuration required; not designed for regulated (HIPAA, PCI, SOC2) contexts.
- Teams unfamiliar with Go, network protocols, or proxy concepts — Requires hands-on expertise in TCP/UDP, SOCKS5, TLS, SSH tunneling, and potentially iptables/SO_REUSEPORT mechanics. Steep learning curve; best suited for experienced security engineers.
License & commercial use
MIT License (MIT). Permissive open-source license permitting commercial use, modification, and distribution with attribution and no warranty.
MIT License permits commercial use. However, the README includes a liability disclaimer stating the tool is for 'network security research and teaching only' and explicitly forbids 'any illegal use.' Distributors and users are responsible for ensuring all use is authorized and compliant with applicable law. Requires review of internal legal/compliance policy before commercial deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Possible |
| Assessment confidence | High |
Stowaway supports TLS (with configurable SNI/domain for certificate validation) and AES-256-GCM encryption for inter-node traffic. Node authentication is implicit (shared symmetric key). No documented key rotation, forward secrecy, or resistance to replay attacks beyond TLS. AES-256-GCM is industry-standard, but absence of perfect forward secrecy, certificate pinning options, or public-key infrastructure suggests threat model is lighter adversaries. Shared symmetric key across all nodes is a single point of failure. No documented hardening against timing attacks, side-channel leaks, or cryptanalysis. For high-assurance operations, conduct independent security review.
Alternatives to consider
Metasploit Framework (Meterpreter multi-stage pivoting)
Integrated payload generation, agent staging, and multi-hop proxying; mature forensics and logging; but proprietary, heavier footprint, less flexible for custom network topologies.
Chisel (lightweight Go tunneler)
Simpler binary, single-hop focus, easy SOCKS5 setup; good for quick proxying but lacks multi-hop tree management, node authentication, and admin console that Stowaway provides.
Ligolo-ng (modern multi-hop tunneler)
Designed for multi-hop pivoting with web UI, automatic routing, and cleaner UX; newer project, less battle-tested, smaller community than Stowaway.
Build on Stowaway with DEV.co software developers
Stowaway provides encrypted node chaining, dynamic proxying, and admin console management. Evaluate licensing, security requirements, and network complexity with your team before deployment. Contact us to discuss integration with your security framework.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
Stowaway FAQ
Can I use Stowaway without explicitly shared encryption keys (-s parameter)?
How do I prevent Stowaway agents from auto-reconnecting, for stealth?
Is Stowaway detectable by intrusion detection systems?
Can I use Stowaway in a Docker container or Kubernetes cluster?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like Stowaway. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Need secure multi-hop tunneling for authorized penetration tests?
Stowaway provides encrypted node chaining, dynamic proxying, and admin console management. Evaluate licensing, security requirements, and network complexity with your team before deployment. Contact us to discuss integration with your security framework.