Security

Restunnel is designed for users who will install it and forget about it for months. The security model assumes the hub will never be updated after installation. Every default is the safe option.

Threat Model

The hub is invisible

From the perspective of the internet, the hub's tunnel port does not exist. Unauthenticated connections are silently dropped — no error response, no handshake rejection, no banner. Port scanners see nothing. nmap shows the port as closed or filtered.

Even if a vulnerability exists in the hub code, it is only exploitable by someone who already possesses a valid device key — which means only the owner's own paired devices.

No open relay

The system cannot become a relay for arbitrary third parties, even if misconfigured. Every proxy connection requires the hub to route through an authenticated exit node; if no exit node is connected, no proxy traffic flows.

No plaintext visibility

The hub and exit nodes relay encrypted TLS bytes. They never decrypt, inspect, or log the content of proxied HTTPS traffic.

Exit Node Protection

  • Outbound only — Exit nodes never listen on any port. All connections are outbound to the hub. Zero inbound attack surface on the user's network.

  • Hub verification — Each hub connection is authenticated independently. The node verifies the hub's identity cryptographically. If it's not a hub the node is paired with, no traffic flows.

  • Private IP blocking — Exit nodes refuse TCP connections to private and reserved IP ranges before opening any connection. This prevents the hub (or an attacker who compromised the hub) from reaching devices on the exit node's local network.

    Blocked ranges:

    • 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — RFC1918 private
    • 100.64.0.0/10 — RFC6598 carrier-grade NAT
    • 127.0.0.0/8 — Loopback
    • 169.254.0.0/16 — Link-local
    • 0.0.0.0/8, 224.0.0.0/4, 255.255.255.255 — Special/multicast/broadcast
    • IPv6 equivalents: ::1, fc00::/7, fe80::/10, ff00::/8
    • Transition addresses: ::ffff:x.x.x.x, 64:ff9b::/96, 2002::/16 — embedded IPv4 is checked

    DNS resolution happens on the exit node, so the hub cannot trick it by sending a hostname that resolves to a private IP.
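The check described above, as an added example that is not the project's own code: the blocked ranges are taken from the list on this page, the three transition forms (IPv4-mapped, NAT64 well-known prefix, 6to4) are unwrapped to the IPv4 they carry before matching, and name resolution is done locally so a hostname pointing at a private address is refused. The function names, the use of the standard `ipaddress` and `socket` modules, and the refuse-if-any-answer-is-blocked policy are assumptions made for the example.

```python
import ipaddress
import socket

# Ranges the page lists as blocked. The list is constructed here for the
# example; the project's real table is not shown on the page.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918 private
    "100.64.0.0/10",                                    # RFC6598 carrier-grade NAT
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
    "0.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32",   # special / multicast / broadcast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",     # IPv6 equivalents
)]

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(addr):
    """Return the IPv4 address carried inside a transition address, or None.

    Covers the three forms the page names: ::ffff:x.x.x.x (IPv4-mapped),
    64:ff9b::/96 (NAT64 well-known prefix) and 2002::/16 (6to4).
    """
    if addr.version != 6:
        return None
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr in NAT64_PREFIX:
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    if addr.sixtofour is not None:
        return addr.sixtofour
    return None


def is_blocked(ip_str):
    """True if the literal address, or the IPv4 it embeds, is in a blocked range."""
    addr = ipaddress.ip_address(ip_str)
    inner = embedded_ipv4(addr)
    if inner is not None:
        addr = inner  # judge a transition address by the IPv4 it carries
    return any(addr in net for net in BLOCKED_NETWORKS if net.version == addr.version)


def resolve_and_check(host, port):
    """Resolve host on the exit node and return its addresses, or None to refuse.

    Resolution happens here rather than on the hub, so a hostname that points
    at a private address is caught. Every answer must pass: if any resolved
    address is blocked, the whole connection is refused (assumed policy).
    """
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return None
    addrs = sorted({info[4][0] for info in infos})
    if not addrs or any(is_blocked(a) for a in addrs):
        return None
    return addrs
```

When a name passes, the exit node should connect to one of the addresses returned here rather than resolving the hostname a second time, so that a record which changes between the check and the connect cannot slip past the filter.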

Hub Protection

  • Localhost-only services — The SOCKS5 proxy, HTTP CONNECT proxy, and dashboard all bind to 127.0.0.1. They are unreachable from outside the server. They cannot be bound to 0.0.0.0 through ordinary configuration; doing so requires an explicit override.

  • No public-facing services — The tunnel port uses a cryptographic handshake that silently drops unauthorized connections. The dashboard binds to localhost only. From the outside, the hub is invisible.

Authentication

Enrollment tokens

  • 256-bit random, generated by the hub
  • Valid for 15 minutes
  • One-time use — burned after first successful enrollment
  • Encoded in a noise:// URL or QR code
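The three token properties above (256-bit random, 15-minute lifetime, burned on first use), as an added hub-side example that is not the project's own code. The class name, the in-memory dictionary store and the injectable clock are assumptions made so the expiry and single-use behaviour can be exercised without waiting; the page does not describe the hub's real storage.

```python
import hmac
import secrets
import time

TOKEN_BYTES = 32             # 256-bit random value, as the page specifies
TOKEN_TTL_SECONDS = 15 * 60  # valid for 15 minutes


class EnrollmentTokens:
    """Hub-side store of pending enrollment tokens (example, not project code).

    A token is random, expires after TOKEN_TTL_SECONDS and is removed the first
    time it is successfully redeemed. The clock is injectable for testing.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # token string -> expiry time on the injected clock

    def issue(self):
        """Generate a fresh token and record when it stops being valid."""
        token = secrets.token_urlsafe(TOKEN_BYTES)  # 32 random bytes, base64url
        self._pending[token] = self._clock() + TOKEN_TTL_SECONDS
        return token

    def _purge_expired(self):
        now = self._clock()
        self._pending = {t: exp for t, exp in self._pending.items() if exp > now}

    def redeem(self, presented):
        """Return True once for a live token; expired, unknown and reused tokens fail."""
        self._purge_expired()
        for token in list(self._pending):
            # constant-time comparison so timing does not reveal a near-match
            if hmac.compare_digest(token.encode(), presented.encode()):
                del self._pending[token]  # burn on first successful enrollment
                return True
        return False

    def pending_count(self):
        """Number of tokens that could still be redeemed right now."""
        self._purge_expired()
        return len(self._pending)
```

Expired tokens are purged before every lookup, so a token that was valid when issued but presented after the window behaves exactly like one that never existed; a second presentation of a redeemed token fails the same way.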

Post-enrollment

After pairing, all reconnections authenticate via the Noise_IK handshake using the device's X25519 static key. The key is proven during the handshake itself — no bearer tokens on the wire.

Revocation

Delete the node's public key from the hub (via dashboard or config). The node can still try to connect, but the hub silently drops it. Immediate, no propagation delay.

Key Storage

Device private keys are stored using the best available platform mechanism:

Platform   Storage                                                           Hardware-Backed
Android    Keystore-wrapped (AES-256-GCM wrapping key in Android Keystore)   Yes (on supported devices)
macOS      Keychain (generic password item)                                  Yes on Apple Silicon / T2
iOS        Secure Enclave (planned)                                          Yes
Linux      <data-dir>/node_key.bin (file, chmod 600)                         No

Keys are never transmitted over the network.

What Restunnel Is Not

  • Not an anonymity tool. Traffic exits through your own real IPs. Your ISP sees the exit node's connections.
  • Not a way to access the exit node's local network. Private IP blocking is enforced in the relay code, not configurable.
  • Not multi-user. One owner controls all hubs and exit nodes. No sharing, no team features, no accounts.