I’ve always found traditional nc frustrating when dealing with modern networks. It assumes one side has a reachable IP and a listening port—conditions rarely met when both peers are behind NATs, CGNATs, or firewalls. I built a Go-based netcat-style tool that enables ad-hoc P2P connections using only a shared high-entropy passphrase. No inbound ports, no known IPs, and no manual coordination required. Both peers just run the same command, e.g. nc -p2p <passphrase>
Practical example:
It works like an FRP alternative: no public server doing the reverse proxying, and no exposed ports. For example, if you frequently need to reach 10.0.0.1:22 inside your company network, run this on any host inside the company LAN:
gonc -p2p <passphrase> -linkagent
Later, from home you can initiate a tunnel with the same passphrase:
gonc -p2p <passphrase> -link "3080;3080"
After that, both sides can proxy to any IP:port on the peer LAN using the local SOCKS5 listener.
The "Magic" behind it:
Instead of a central relay or a complex VPN, it uses a three-stage handshake:
1. Rendezvous: The passphrase deterministically derives a unique MQTT topic and a self-signed TLS certificate/key pair.
2. Discovery: Both peers connect to a public MQTT broker (acting as a "bulletin board") to exchange STUN-discovered candidate addresses. The broker never sees the passphrase or the raw traffic.
3. Connectivity: It tries direct TCP first, then falls back to UDP hole punching. If the NAT is particularly "difficult," it uses a "birthday paradox" strategy (spraying 600+ ports) to force a collision.
Security: Once connected, the MQTT channel is dropped. All data flows P2P over mTLS. Since the TLS certs are derived from the secret, impersonation is impossible without the passphrase.
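The rendezvous derivation and the certificate check described above, as an added Go sketch that is not gonc's own code. The HMAC-SHA256 labels, the `p2p/` topic prefix, the Ed25519 key type and the function names are all assumptions made for illustration. Because the broker sees the topic, anyone holding it can test passphrase guesses offline, which is why the passphrase has to be high-entropy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// derive (assumed scheme, stdlib only): HMAC-SHA256(passphrase, label), one secret per label.
func derive(passphrase, label string) []byte {
	m := hmac.New(sha256.New, []byte(passphrase))
	m.Write([]byte(label))
	return m.Sum(nil)
}

// Topic is the only passphrase-derived value the broker gets to see.
func Topic(passphrase string) string {
	return "p2p/" + hex.EncodeToString(derive(passphrase, "topic")[:16])
}

// Identity derives the shared Ed25519 key and a self-signed certificate for it.
func Identity(passphrase string) (ed25519.PrivateKey, []byte, error) {
	key := ed25519.NewKeyFromSeed(derive(passphrase, "tls-key"))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return key, der, err
}

// VerifyPeer pins the peer certificate to the passphrase-derived public key.
func VerifyPeer(passphrase string, peerDER []byte) error {
	want := ed25519.NewKeyFromSeed(derive(passphrase, "tls-key")).Public().(ed25519.PublicKey)
	cert, err := x509.ParseCertificate(peerDER)
	if err == nil && !want.Equal(cert.PublicKey) {
		err = fmt.Errorf("peer certificate key was not derived from the passphrase")
	}
	return err
}

func main() {
	_, der, err := Identity("constructed-demo-passphrase") // constructed sample value
	fmt.Println(Topic("constructed-demo-passphrase"), err, VerifyPeer("wrong-guess", der))
}
```

In a mutual-TLS setup, a check like `VerifyPeer` would run from `tls.Config.VerifyPeerCertificate` on both sides, since a self-signed certificate cannot be validated against a CA chain.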
Key Features:
- No "Client" or "Server": Both sides run the exact same command.
- Zero Infrastructure: Uses public MQTT/STUN servers; no need to host your own signaling server.
- Familiar Interface: Supports stdin/stdout piping and -e for executing programs (like a p2p reverse shell or service portal).
- SOCKS5 Built-in: Can act as a persistent tunnel/agent to access internal LANs (FRP/NGROK alternative without the central proxy).
Why not just use Tailscale/Wireguard?
Tailscale is great for a permanent mesh, but sometimes you just want to pipe a 500MB tarball or a quick shell to a friend's laptop right now without managing nodes, ACLs, or login providers. This is meant to be a "throwaway" secure pipe.
Looking forward to your thoughts!