Portal uses a browser-based WASM ServiceWorker to perform end-to-end encryption directly in the client.
The relay only forwards encrypted frames and can't terminate or inspect traffic.
A few technical details:
- Every published service is addressed through subdomain routing (<id>.relay.domain.com)
- The relay maintains a multiplexed connection with the publisher using yamux
- The browser fetch path attaches to the ServiceWorker which decrypts and forwards bytes to the local service
- Anyone can run a relay; the protocol is designed to avoid central coordination
- No configuration is required on the publisher side except running portal-tunnel
GitHub:
Relay server — https://github.com/gosuda/portal
Client-side apps — https://github.com/gosuda/portal-toys
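
As an added illustration of the subdomain routing listed above (not code from the Portal repository): a relay has to map the Host header to a service id before choosing a tunnel, and strict parsing keeps nested or look-alike hostnames from resolving to a service. The function names, the `relay.domain.com` base and the single-DNS-label id alphabet are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Assumed base domain, taken from the <id>.relay.domain.com pattern on the page.
const relayDomain = "relay.domain.com"

var errBadHost = errors.New("host does not name a published service")

// serviceID extracts <id> from a Host value of the form <id>.relay.domain.com[:port].
// Anything that is not exactly one label in front of the base domain is rejected.
func serviceID(host string) (string, error) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // a port was present; keep only the hostname
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	suffix := "." + relayDomain // leading dot stops "evilrelay.domain.com" from matching
	id := strings.TrimSuffix(host, suffix)
	if !strings.HasSuffix(host, suffix) || !validLabel(id) {
		return "", errBadHost
	}
	return id, nil
}

// validLabel accepts one DNS label (assumed id alphabet): 1-63 chars of [a-z0-9-],
// with no leading or trailing hyphen. Dots are refused, so "a.b" is not an id.
func validLabel(s string) bool {
	if len(s) == 0 || len(s) > 63 || s[0] == '-' || s[len(s)-1] == '-' {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		if !((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-') {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample Host values.
	for _, h := range []string{"abc123.relay.domain.com:443", "a.b.relay.domain.com"} {
		id, err := serviceID(h)
		fmt.Printf("%q -> id=%q err=%v\n", h, id, err)
	}
}
```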