Architecture
HashRelay is a relay proxy that tunnels Stratum mining traffic over an encrypted channel between your miners and the upstream mining pool.
Overview
┌─────────────────────────────────────────────────────────┐
│ Mining Farm (LAN) │
│ │
│ Miner ──┐ │
│ Miner ──┼──► HashRelay Client ──── Encrypted ──────► │
│ Miner ──┘ (local IP) Tunnel │ │
└──────────────────────────────────────────────────── │ ──┘
│
HashRelay Server
(public cloud VPS)
│
▼
Pool F2Pool / AntPool / …Key Components
Relay Server
The server runs on a cloud VPS with a stable public IP. It handles client authentication, port mapping, traffic routing, the admin REST API, and the web dashboard.
Relay Client
The client runs on a machine in the same LAN as the miners. It connects to the server over TLS/QUIC, opens local TCP listeners for miners based on mappings pushed by the server, and handles automatic reconnection.
Transport Layer
The tunnel uses TLS for transport security and can layer an additional application-level frame encryption on top. The transport protocol is notset on the client — it is determined by each port mapping's protocol field, pushed from the server via ConfigSync.
| Setting | Description | Best For |
|---|---|---|
| TCP (TLS) | TCP tunnel secured with TLS | Stable internet with firewall restrictions |
| QUIC | UDP/QUIC tunnel | Lossy or high-latency networks |
| Frame encryption | Optional app-layer cipher: AES-GCM or ChaCha20 | Defense in depth on top of TLS |
pin_sha256.Security Model
- Token auth — Each client authenticates with a per-node access token (anti-replay timestamp checks)
- TLS — All tunnel traffic encrypted in transit (self-signed, ACME, or file-based certs)
- Optional frame encryption — AES-GCM or ChaCha20 layered over TLS
- Cert pinning — Pin self-signed server certs with
pin_sha256 - No credential exposure — Pool wallet addresses never leave the tunnel