Private Tunnels
Connect to services without publishing a public endpoint.
A private tunnel is a tunnel that is not published as an Internet-reachable endpoint. The engine still maintains tunnel state and forwards traffic, but connections require an rstream client or SDK that can dial the tunnel directly.
Private tunnels are useful when the upstream protocol is not HTTP, when a public hostname must not be exposed, or when the application needs full control over connection behavior such as retries, timeouts, and multiplexing.
Creating a private tunnel
In the CLI, private tunnels are created by disabling publishing:
rstream forward 8080 --no-publish
In the engine model, private tunnels reject public exposure options such as HTTP version configuration and edge authentication settings. The tunnel remains accessible through rstream dialing APIs.
Connecting to a private tunnel
Private tunnels are dialed by tunnel id or name from an SDK client. In the Go SDK:
conn, err := client.Dial(ctx, rstream.Addr{IdOrName: "my-tunnel"})
Datagram tunnels use the packet API:
pc, err := client.PacketDial(ctx, rstream.Addr{IdOrName: "my-dgram-tunnel"})
SSH as a motivating example
SSH is a common example of a protocol that is not exposed as a first-class published tunnel endpoint. A private tunnel allows the SSH client to remain local while the rstream dialer carries traffic to the private environment.
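One way to keep the SSH client local, as an added example that is not rstream's own code: a loopback-only forwarder that hands each local connection to a tunnel dial. `ListenLoopback`, `Serve`, the `dial` callback and port 2222 are assumptions made for illustration; the callback is where the `client.Dial` call shown above would go.

```go
package main

import (
	"fmt"
	"io"
	"net"
)

// ListenLoopback binds the local side and accepts only a literal loopback IP,
// so the forwarder does not re-expose the private tunnel to other hosts.
func ListenLoopback(addr string) (net.Listener, error) {
	host, _, err := net.SplitHostPort(addr)
	if ip := net.ParseIP(host); err != nil || ip == nil || !ip.IsLoopback() {
		return nil, fmt.Errorf("refusing non-loopback bind %q", addr)
	}
	return net.Listen("tcp", addr)
}

// Serve pipes each accepted local connection through a fresh dial and returns
// once ln is closed. dial is a hypothetical callback; with the Go SDK it would
// return client.Dial(ctx, rstream.Addr{IdOrName: "my-tunnel"}).
func Serve(ln net.Listener, dial func() (net.Conn, error)) error {
	for {
		local, err := ln.Accept()
		if err != nil {
			return err // listener closed or failed
		}
		go func() {
			defer local.Close()
			remote, err := dial()
			if err != nil {
				return // closing local tells the client the tunnel is down
			}
			defer remote.Close()
			go func() { io.Copy(remote, local); remote.Close() }()
			io.Copy(local, remote)
		}()
	}
}

func main() {
	ln, err := ListenLoopback("127.0.0.1:2222") // constructed local port
	if err != nil {
		panic(err)
	}
	// Placeholder dial: return the SDK's client.Dial result here instead.
	dial := func() (net.Conn, error) { return nil, fmt.Errorf("no tunnel client") }
	fmt.Println(Serve(ln, dial))
}
```

With a real dial in place and an SSH server as the tunnel's upstream, `ssh -p 2222 user@127.0.0.1` travels through the tunnel while the listener stays bound to loopback.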