
Trust boundaries, relay state, invite handling, and execution semantics of OpenTunnel.

OpenTunnel is an ephemeral, relay-routed, end-to-end encrypted remote command tunnel. The relay coordinates active connections but does not decrypt command traffic. This page describes the boundaries precisely, including what OpenTunnel does not protect against.

The host and client establish an end-to-end encrypted channel using invite material generated by the host. The relay forwards the resulting encrypted frames without decrypting them.

The relay sees role and session routing metadata, timing, frame sizes, and network metadata. It should not receive plaintext host-provided application metadata, commands, stdout, stderr, remote exit codes, the full invite code, the client secret, or the host public key.

The relay keeps only in-memory active connection state while sessions are connected. It does not persist sessions, invites, payloads, command logs, audit logs, client metadata, or outputs.

This is why using the hosted relay does not require trusting its operator with command content or history, and why self-hosting needs no database: there is nothing to store. The relay operator can still observe the routing and timing metadata listed above, and can refuse or drop connections.

The invite is bearer-secret material. Anyone with a valid invite can attempt to connect while the host session is active. Do not copy invites into shared logs, tickets, summaries, or long-lived notes.

The host owner revokes access by pressing Ctrl+C or letting the foreground process exit. There is no separate revocation mechanism because none is needed: access is exactly coterminous with the host process.

The /cli bootstrapper downloads the matching OpenTunnel binary and verifies the same-origin checksum before execution. This detects corruption or mismatched artifacts from the trusted relay origin.

Same-origin checksums are not a strong supply-chain boundary. If the relay origin, or the transport serving /cli, is compromised, the attacker can change both the bootstrapper and the checksum, and the check will still pass. Use HTTPS so the transport is not the weak link, and operate the relay origin as trusted infrastructure, because the origin itself remains in the trust base.
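To make that distinction concrete, here is an added example in POSIX shell, not OpenTunnel's own /cli code: a same-origin checksum check placed next to a pinned, out-of-band check, run against a constructed stand-in binary and a simulated origin compromise. The file names, the `<sha256>  <name>` checksum-file layout, and the attacker step are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not OpenTunnel code): same-origin checksum check versus a
# pinned out-of-band check. File names, checksum-file format and the
# "compromised origin" step are constructed for this illustration.

sha256_of() {
    # Portable SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Same-origin check: the expected hash is read from a checksum file fetched
# from the SAME origin as the binary. This catches a corrupted download or a
# mismatched artifact; it cannot catch an origin that serves both files.
verify_same_origin() {
    binary=$1
    checksum_file=$2
    expected=$(awk 'NR==1 {print $1}' "$checksum_file")
    actual=$(sha256_of "$binary")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Pinned check: the expected hash is supplied out of band (recorded from a
# build you trust and kept with your own tooling), so a compromised origin
# cannot rewrite it together with the binary.
verify_pinned() {
    binary=$1
    pinned_hash=$2
    actual=$(sha256_of "$binary")
    [ -n "$pinned_hash" ] && [ "$pinned_hash" = "$actual" ]
}

demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    # Constructed "release": a stand-in binary and its same-origin checksum file.
    printf 'genuine opentunnel binary\n' > "$work/opentunnel"
    printf '%s  opentunnel\n' "$(sha256_of "$work/opentunnel")" > "$work/opentunnel.sha256"
    pinned=$(sha256_of "$work/opentunnel")   # what an operator records out of band

    verify_same_origin "$work/opentunnel" "$work/opentunnel.sha256" && echo "genuine: same-origin check passes"
    verify_pinned      "$work/opentunnel" "$pinned"                 && echo "genuine: pinned check passes"

    # Constructed compromise: the origin now serves a swapped binary AND a matching checksum.
    printf 'trojaned binary\n' > "$work/opentunnel"
    printf '%s  opentunnel\n' "$(sha256_of "$work/opentunnel")" > "$work/opentunnel.sha256"

    verify_same_origin "$work/opentunnel" "$work/opentunnel.sha256" && echo "swapped: same-origin check STILL passes"
    verify_pinned      "$work/opentunnel" "$pinned"                 || echo "swapped: pinned check fails, as it should"
}

demo
```

The same-origin check passes both before and after the swap because the attacker regenerated the checksum file alongside the binary; only the hash recorded out of band notices. A signature over the artifact by a key that does not live on the relay origin serves the same purpose as the pin.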

Commands execute without per-command approval while the foreground host session is running. OpenTunnel v1 intentionally keeps the model simple: one active client and one active command at a time. Granting a tunnel means granting command execution for the lifetime of the session. Scope what the agent can reach accordingly, and end the session when the task is done.
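One way to act on that advice, as an added example rather than part of OpenTunnel: a POSIX shell wrapper that runs whatever host command you pass to it in a fresh scratch directory, with a minimal environment, and under a wall-clock limit enforced with SIGINT, the same signal Ctrl+C sends. The command and the limit are whatever you supply; `timeout` is the GNU/BSD coreutils utility and is skipped when it is not installed.

```shell
#!/bin/sh
# Added example (not OpenTunnel code): run a host session as a bounded, scoped
# process. The host command is passed as arguments and is assumed to be a
# long-running foreground process, as the page describes.
#
# What the wrapper does:
#   - fresh scratch directory as both cwd and HOME, so dotfiles, caches and
#     credentials in the real home directory are out of reach
#   - minimal environment: only PATH and HOME survive, so inherited cloud/CI
#     tokens, agent sockets and similar are not visible to remote commands
#   - hard wall-clock limit via SIGINT, so the session cannot outlive the task
scoped_session() {
    limit_seconds=$1
    shift
    scratch=$(mktemp -d)

    if command -v timeout >/dev/null 2>&1; then
        ( cd "$scratch" && exec env -i PATH="$PATH" HOME="$scratch" \
              timeout -s INT "$limit_seconds" "$@" )
    else
        # No coreutils timeout available: still scope cwd and environment.
        ( cd "$scratch" && exec env -i PATH="$PATH" HOME="$scratch" "$@" )
    fi
    status=$?
    rm -rf "$scratch"
    return "$status"
}

# Stand-alone demonstration with a placeholder command in place of the host.
scoped_session 5 sh -c 'echo "cwd=$(pwd) HOME=$HOME vars=$(env | wc -l)"'
```

The wrapper shrinks what a remote command can reach through inherited state and guarantees the session ends even if the operator forgets Ctrl+C. It is a baseline, not isolation: for a stronger boundary, run the host as a dedicated unprivileged user or inside a container with only the needed paths mounted.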

Host logs are local status messages. They help the host owner understand connection, command, timeout, truncation, and close events. They are not sent to the relay as plaintext.