Architecture

HashRelay is a relay proxy that tunnels Stratum mining traffic over an encrypted channel between your miners and the upstream mining pool.

Overview

┌─────────────────────────────────────────────────────────┐
│  Mining Farm (LAN)                                      │
│                                                         │
│  Miner ──┐                                              │
│  Miner ──┼──► HashRelay Client ──── Encrypted ──────►  │
│  Miner ──┘       (local IP)         Tunnel         │    │
└──────────────────────────────────────────────────── │ ──┘
                                                      │
                                              HashRelay Server
                                              (public cloud VPS)
                                                      │
                                                      ▼
                                           Pool  F2Pool / AntPool / …

Key Components

Relay Server

The server runs on a cloud VPS with a stable public IP. It handles client authentication, port mapping, traffic routing, the admin REST API, and the web dashboard.

Relay Client

The client runs on a machine in the same LAN as the miners. It connects to the server over TLS/QUIC, opens local TCP listeners for miners based on mappings pushed by the server, and handles automatic reconnection.

Transport Layer

The tunnel uses TLS for transport security and can layer an additional application-level frame encryption on top. The transport protocol is notset on the client — it is determined by each port mapping's protocol field, pushed from the server via ConfigSync.

SettingDescriptionBest For
TCP (TLS)TCP tunnel secured with TLSStable internet with firewall restrictions
QUICUDP/QUIC tunnelLossy or high-latency networks
Frame encryptionOptional app-layer cipher: AES-GCM or ChaCha20Defense in depth on top of TLS
TLS certificates can be self-signed (default, for LAN/no-domain), ACME-issued (Let's Encrypt), or supplied as files. With a self-signed cert, clients can pin the server via pin_sha256.

Security Model

  • Token auth — Each client authenticates with a per-node access token (anti-replay timestamp checks)
  • TLS — All tunnel traffic encrypted in transit (self-signed, ACME, or file-based certs)
  • Optional frame encryption — AES-GCM or ChaCha20 layered over TLS
  • Cert pinning — Pin self-signed server certs with pin_sha256
  • No credential exposure — Pool wallet addresses never leave the tunnel