What Is cuocuo?
cuocuo is a Go-based encrypted tunnel relay tool built by Nyarime / Naixi Networks; it forwards traffic across TCP, TLS, and WebSocket while encrypting payloads with XChaCha20-Poly1305 and maintaining a 20-connection relay pool. cuocuo is one of the best Encrypted Tunnel Relay tools for DevOps Engineers, self-hosters, and network operators who need a self-hosted forwarding path with no license gate and backward-compatible v4.x JSON configs. The v5.0.0 rewrite is also presented as a tribute to the original ryzen.moe project.
Quick Overview
| Attribute | Details |
|---|---|
| Type | Encrypted Tunnel Relay |
| Best For | DevOps Engineers, self-hosters, and network operators |
| Language/Stack | Go, XChaCha20-Poly1305, TCP/TLS/WebSocket, Proxy Protocol v1/v2 |
| License | AGPL-3.0 |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | v5.0.0 (release date not listed) |
Who Should Use cuocuo?
- Self-hosted infrastructure teams that need to expose internal services through an encrypted relay they control end to end.
- Operators migrating from v4.x who want the same JSON shape without rewriting their config pipeline or templating logic.
- Security-conscious builders who need authenticated encryption plus Proxy Protocol headers for logging and ACLs.
- Teams running mixed traffic across TCP, TLS, and WebSocket that want a relay with pooling and simple round-robin upstream selection.
Not ideal for:
- One-off usage where a plain `ssh -R` reverse tunnel already solves the problem.
- Commercial products that cannot accept AGPL-3.0 obligations.
- Teams expecting a hosted dashboard or GUI instead of file-driven config and CLI operations.
Key Features of cuocuo
- XChaCha20-Poly1305 AEAD — cuocuo uses authenticated encryption for relay traffic, so the tunnel protects payloads with an AEAD primitive rather than relying on transport secrecy alone. That matters when you want the relay layer itself to be both encrypted and integrity-checked.
- Three transport modes — TCP, TLS, and WebSocket give cuocuo enough flexibility to fit clean networks, TLS-only egress, and HTTP-shaped environments. WebSocket is the escape hatch when a plain TCP socket gets filtered.
- 20-connection pool — the relay architecture prebuilds 20 persistent upstream connections and reconnects automatically. That reduces cold-start jitter and keeps the tunnel warm under intermittent loss.
- Round-robin upstream groups — the client-side `fucks` group can fan traffic across multiple `nexts` entries in `default` mode. This gives cuocuo a simple load-balancing layer without introducing a separate scheduler.
- Proxy Protocol v1/v2 — cuocuo can pass the original client IP and port to downstream services that understand Proxy Protocol. That is the right choice when your logs, rate limits, or firewall rules depend on the real source address.
- TLS offload and camouflage headers — entry nodes can terminate TLS with custom certs and set `User-Agent`, `Referer`, and `Server` headers. That lets cuocuo blend into existing traffic patterns without pretending to be something it is not.
- Auto restart window — the process can restart randomly every 24-48 hours to reduce memory leak risk in long-running deployments. It is a blunt mechanism, but it is operationally useful for a relay that stays up for weeks.
cuocuo vs Alternatives
If you are wiring cuocuo into a larger deployment workflow, it pairs well with djevops for repeatable service rollout and with MachineAuth when you want host identity checks before a node is allowed into the path.
| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| cuocuo | Self-hosted encrypted relay with v4.x-compatible JSON | XChaCha20-Poly1305 plus TCP/TLS/WebSocket and a 20-connection pool | Open-Source |
| frp | General reverse proxying and intranet exposure | Larger community baseline and familiar reverse-proxy patterns | Open-Source |
| gost | Multi-protocol proxy chaining and transport gymnastics | Wider protocol surface for composing unusual paths | Open-Source |
| SSH reverse tunnels | One-off port forwarding on machines you already trust | Built into OpenSSH, zero extra daemon to operate | Free |
Pick cuocuo over frp when you want the Go rewrite, the encryption model, and direct control over relay transports. Pick frp when you care more about ecosystem familiarity than about cuocuo's relay-specific design.
Pick gost when your topology needs exotic proxy chaining or you want a broader protocol matrix. Pick SSH reverse tunnels when the job is temporary, the risk surface is small, and you do not need pooling, load balancing, or Proxy Protocol propagation.
How cuocuo Works
cuocuo is built around a three-part path: client, relay node, and target. The client opens upstream connections to a relay, the relay decrypts and forwards traffic, and the target receives a normal inbound connection on the far side. That model keeps the implementation simple enough to fit in a Go binary while still giving operators multiple transport choices and JSON-defined routing rules.
The data plane is centered on XChaCha20-Poly1305 and a small set of transport adapters. The control plane lives in config files, where the server declares listeners and the client declares `nexts`, `fucks`, and `rules`. The client-side group named `fucks` is an odd schema choice, but the behavior is clear: it acts as a load-balancing set that can rotate across multiple upstream nodes.
```bash
# Fetch the source and build both binaries
git clone https://github.com/Nyarime/cuocuo.git
cd cuocuo
make all
# Start the relay node, then the client, each with its own JSON config
./cuocuo-server -c server.json
./cuocuo-client -c client.json
```
The commands above build both binaries from source and start them with their JSON configs. Expect the server to listen on the declared ports, the client to establish upstream links, and traffic to start flowing only after both sides share the same token and nonce.
Pros and Cons of cuocuo
Pros:
- Single-binary deployment — cuocuo is written in Go, so it fits static-binary workflows and simple systemd units.
- Config compatibility — v4.x JSON files are still accepted, which lowers the migration cost for existing operators.
- Multiple transports — TCP, TLS, and WebSocket let you choose the least-bad path for the network you actually have.
- Authenticated encryption — XChaCha20-Poly1305 protects relay payloads with modern AEAD semantics.
- Operational features — connection pooling, auto reconnect, load balancing, and Proxy Protocol support cover the boring parts that usually need wrapper scripts.
- Backward-compatible rewrite — the codebase is a clean Go reimplementation instead of a patchwork of legacy baggage.
Cons:
- AGPL-3.0 can be a non-starter for teams that need permissive licensing.
- No hosted control plane means you manage configs, secrets, and process supervision yourself.
- Schema naming is rough — fields like `fucks` are memorable but not exactly self-documenting.
- Secret handling is on you — the token and nonce must match on both sides, and operational mistakes here break the tunnel immediately.
- Limited UX — there is no web UI, no policy engine, and no opinionated orchestration layer described in the repository's documentation.
Getting Started with cuocuo
The fastest path is to build from source or install the two binaries with `go install`, then generate a shared token and nonce before you start the server and client. cuocuo expects both ends to use the same encryption material, and the server-side listener ports must match the remote ports the client points at.
```bash
# Build from source
git clone https://github.com/Nyarime/cuocuo.git
cd cuocuo
make all
# Generate the shared encryption material; both server and client must see the same values
export CUOCUO_ENCRYPTION_TOKEN=$(openssl rand -base64 48)
export CUOCUO_ENCRYPTION_NONCE=$(openssl rand -base64 48)
# Start the relay node and the client with their JSON configs
./cuocuo-server -c server.json
./cuocuo-client -c client.json
```
After those commands run, the only remaining work is to fill in the JSON configs with your transport type, listen address, upstream host, and routing rules. If you want to validate the path, cuocuo's own quick-start shows a `curl --connect-to` test against the local listener, which is the fastest way to confirm the relay is forwarding correctly.
Verdict
cuocuo is the strongest option for self-hosted encrypted relays when you need TCP/TLS/WebSocket transport choices, XChaCha20-Poly1305 encryption, and a config path that still accepts v4.x JSON. Its biggest strength is the low-friction Go deployment model, but AGPL-3.0 and hand-managed config files are real constraints. Recommended for operators who control both ends and want a direct, auditable tunnel relay.