Published TCP tunnels
rstream can now publish TCP services on a public hostname and port. This provides a direct path for SSH and other protocols that handle their own encryption and authentication, without mapping them into HTTP or terminating TLS at the edge.
Running rstream forward 22 --tcp allocates an ephemeral address for the lifetime of the tunnel. For a stable port, reserve an address from the dashboard or with rstream project tcp-address reserve, then select its port with --tcp-port. Reservations remain attached to the project while agents reconnect, and the dashboard shows which live tunnel currently uses each address.
Published TCP is available on Pro and Enterprise projects and can be disabled in project security settings. rstream forwards the downstream byte stream without adding encryption or authentication, so the application protocol remains responsible for both. Applications that expect rstream to terminate TLS should use a TLS tunnel instead.
The dashboard, API, and CLI can manage reserved addresses and show the live tunnel using each one. Published TCP tunnels can also be declared in YAML, Docker labels, and Kubernetes resources, or opened through the Go, JavaScript, Python, Java, and C++ SDKs.
See TCP Tunnels for commands, project policy, reserved addresses, and declarative configuration.