
Security model

mytunnel treats the edge daemon as the security boundary. Client flags are convenient input, not authority.

| Boundary | Rule |
|---|---|
| Client to edge | SSH authenticates the remote OS user. |
| Owner identity | mytunneld derives the owner from the SSH OS user. |
| Control commands | Forced-command keys should allow only mytunneld ctl shapes. |
| Lease DB | Only the daemon/control command path should mutate leases. |
| Caddy Admin API | Must be reachable only from loopback. |
| Public HTTP traffic | Untrusted internet traffic reaches the local app through Caddy and SSH. |
| Scripts | Install and upgrade scripts can write privileged files; run them from a trusted source. |

The server ignores client-supplied owner values. For allocate, the effective owner is the SSH OS user running mytunneld ctl allocate. For list, heartbeat, release, and delete, the same SSH user must own the lease.

This prevents one SSH user from stopping or deleting another user’s leases.

--force can replace an existing active slug only when the caller is privileged. Privileged callers are:

  • root
  • Usernames listed in MYTUNNEL_ADMIN_USERS

Set admin users on the edge:

sudoedit /etc/mytunneld/mytunneld.env
sudo systemctl restart mytunneld

Example value:

MYTUNNEL_ADMIN_USERS=admin,ops

Then:

mytunnel http 3000 --edge admin@edge.example.com --base-domain tunnel.example.com --name portal --force

Use admin users sparingly. Force takeover deletes the existing lease and route for that slug.

Install a dedicated tunnel SSH user and key:

sudo ./scripts/install-edge-ssh-key.sh mytunnel-client ./id_ed25519.pub

The forced-command gate allows only:

  • Empty remote command for long-running reverse tunnel sessions.
  • mytunneld ctl allocate
  • mytunneld ctl heartbeat
  • mytunneld ctl release
  • mytunneld ctl delete
  • mytunneld ctl list
  • mytunneld ctl health
  • mytunneld ctl reconcile
  • mytunneld ctl stats

The gate rejects daemon config override flags, including:

  • --db-path
  • --base-domain
  • --caddy-admin-url
  • --caddy-server
  • --min-port
  • --max-port
  • --lease-ttl
  • --cleanup-interval
  • --reconcile-interval
  • --health-timeout
  • --log-format
  • --max-leases-per-owner
  • --admin-users

Test gate behavior locally:

./scripts/test-ssh-gate.sh
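A forced-command gate with exactly the allow/deny shape described above, added here as an illustration; it is not the project's scripts/install-edge-ssh-key.sh or test-ssh-gate.sh, and the gate's install path, the keep-alive loop for empty commands and the exit code are assumptions.

```shell
#!/bin/sh
# Added example of a mytunnel-style SSH forced-command gate (not the project's own script).
# Assumed authorized_keys entry:
#   command="/usr/local/lib/mytunnel/ssh-gate.sh",restrict,port-forwarding ssh-ed25519 AAAA... mytunnel-client
set -f   # no glob expansion when the remote command is word-split below

# gate_check CMD -> 0 if CMD is an allowed control-command shape, 1 otherwise.
gate_check() {
    cmd=$1
    # Empty remote command: a long-running reverse-tunnel session, allowed.
    [ -z "$cmd" ] && return 0
    # Allowlist characters: anything else (; | & $ ` quotes, redirects) is rejected outright.
    case $cmd in *[![:alnum:][:space:]_=./:@,-]*) return 1 ;; esac
    set -- $cmd
    [ "${1-}" = mytunneld ] && [ "${2-}" = ctl ] || return 1
    case ${3-} in
        allocate|heartbeat|release|delete|list|health|reconcile|stats) ;;
        *) return 1 ;;
    esac
    shift 3
    # Daemon config override flags are rejected in both "--flag value" and "--flag=value" form.
    for arg in "$@"; do
        case $arg in
            --db-path|--db-path=*|--base-domain|--base-domain=*|\
            --caddy-admin-url|--caddy-admin-url=*|--caddy-server|--caddy-server=*|\
            --min-port|--min-port=*|--max-port|--max-port=*|--lease-ttl|--lease-ttl=*|\
            --cleanup-interval|--cleanup-interval=*|--reconcile-interval|--reconcile-interval=*|\
            --health-timeout|--health-timeout=*|--log-format|--log-format=*|\
            --max-leases-per-owner|--max-leases-per-owner=*|--admin-users|--admin-users=*)
                return 1 ;;
        esac
    done
    return 0
}

# Dispatch only when actually running under sshd (sshd sets SSH_CONNECTION for every session).
if [ -n "${SSH_CONNECTION-}" ]; then
    if ! gate_check "${SSH_ORIGINAL_COMMAND-}"; then
        echo "mytunnel gate: command rejected" >&2
        exit 126   # assumed exit code
    fi
    if [ -z "${SSH_ORIGINAL_COMMAND-}" ]; then
        # Assumed keep-alive: hold the session open so the reverse tunnel stays up.
        while :; do sleep 60; done
    fi
    set -- $SSH_ORIGINAL_COMMAND
    shift 2
    exec /usr/local/bin/mytunneld ctl "$@"   # binary path from the expected-defaults table
fi
```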

The Admin API can add, remove, and edit routes. Keep it on loopback:

{
    admin 127.0.0.1:2019
}

mytunneld refuses non-loopback Admin API hosts. check-edge.sh also fails when the configured Admin API URL is not loopback-scoped.

Do not firewall-publish 2019/tcp.

Expected defaults:

| Path | Expected mode | Why |
|---|---|---|
| /etc/mytunneld/mytunneld.env | 0600 or 0640 | May contain sensitive operational config. |
| /var/lib/mytunneld/leases.db | 0600 or 0660 | Contains lease state and owner data. |
| /var/lib/mytunneld | setgid daemon group | Allows the service and forced-command user group to coordinate safely. |
| /usr/local/bin/mytunneld | 0755 | Executable by systemd and ctl users. |

Check permissions:

sudo ./scripts/check-edge.sh

DNS provider tokens should:

  • Be scoped to the smallest feasible DNS zone and permission set.
  • Live in systemd environment drop-ins or another secret manager.
  • Not be committed to the repo.
  • Not be echoed in install logs.

For Infomaniak bootstrap, the installer writes a restricted systemd drop-in for INFOMANIAK_API_TOKEN when --infomaniak-token is passed.

mytunnel publishes your local HTTP service. It does not add:

  • Login screens.
  • Request authorization.
  • CSRF protection.
  • Rate limiting.
  • Data redaction.

Before tunneling a service, decide whether it is safe for any internet client to reach it. For real production traffic, put authentication and authorization in the app or in a reverse-proxy layer in front of the app.

  • Use key-only SSH.
  • Use a dedicated tunnel SSH user where practical.
  • Use the forced-command gate for tunnel users.
  • Keep Caddy Admin API loopback-only.
  • Expose only SSH, 80/tcp, and 443/tcp.
  • Use UFW ALLOW, not LIMIT, on the tunnel SSH port.
  • Keep fail2ban or equivalent enabled.
  • Keep DNS provider tokens scoped and rotated.
  • Test rollback before relying on upgrades.