Upgrades and rollback
The edge upgrade path is intentionally more cautious than the client path. It can back up the current binary, DB, and env file, install a new daemon, restart, verify health, and roll back on failure.
Upgrade the edge with local Go
Run on the edge:

    cd ~/tunneled
    sudo ./scripts/upgrade-edge.sh --build

Upgrade the edge with Docker
Run on the edge:

    cd ~/tunneled
    sudo ./scripts/upgrade-edge.sh --docker-build --goos linux --goarch amd64

Useful flags:

| Flag | Meaning |
|---|---|
| --binary <path> | Install a prebuilt mytunneld binary. |
| --service <name> | systemd service name, default mytunneld. |
| --build | Build with local Go before install. |
| --docker-build | Build with Docker before install. |
| --docker-image <image> | Docker image for build, default golang:1.25. |
| --goos <os> | Target GOOS, default linux for edge. |
| --goarch <arch> | Target GOARCH, default inferred from host. |
| --upgrade-backup-dir <dir> | Backup root, default /var/backups/mytunneld. |
| --no-backup | Skip backup, advanced only. |
| --skip-restart | Install binary but skip restart and verification. |

What edge upgrade verifies
After installing the new binary, upgrade-edge.sh verifies:
- systemctl restart <service> succeeds.
- The service is active.
- Caddy Admin API responds at the configured URL.
- mytunneld ctl health --json returns status: ok.
If verification fails and backup is enabled, the script restores the previous binary and DB snapshot, then restarts the service.
Find backups
Default backup root:

    /var/backups/mytunneld

Each upgrade creates a timestamped directory:

    /var/backups/mytunneld/upgrade-YYYYMMDDTHHMMSSZ/

It can contain:
- mytunneld.prev
- leases.db.prev
- mytunneld.env.prev
Upgrade the client
Local Go:

    cd ~/tunneled
    ./scripts/upgrade-local.sh --build

Docker:

    cd ~/tunneled
    ./scripts/upgrade-local.sh --docker-build --goos darwin --goarch arm64

Prebuilt binary:

    ./scripts/upgrade-local.sh --binary ./bin/mytunnel

Roll back manually
If the automatic rollback could not run, restore from the backup directory.

    sudo install -m 0755 /var/backups/mytunneld/upgrade-YYYYMMDDTHHMMSSZ/mytunneld.prev /usr/local/bin/mytunneld
    sudo cp -f /var/backups/mytunneld/upgrade-YYYYMMDDTHHMMSSZ/leases.db.prev /var/lib/mytunneld/leases.db
    sudo systemctl restart mytunneld
    mytunneld ctl health --json

Only restore the DB snapshot if you accept losing lease changes made after that backup.
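
Before running the restore commands above as root, it is worth confirming which backup is the newest and that the saved binary could not have been modified by a non-root account. The following is an added example, not part of the project's scripts: the function names and the ownership/permission policy are assumptions, while the directory layout and file names are the ones documented on this page.

```sh
#!/bin/sh
# Added example (not part of the tunneled scripts). The backup layout and file
# names are the ones documented on this page; the function names and the
# ownership/permission policy are assumptions of this example.

# Print the newest <root>/upgrade-YYYYMMDDTHHMMSSZ directory that holds a
# mytunneld.prev binary. Names are fixed-width UTC timestamps, so the shell's
# sorted glob expansion is already chronological and the last match wins.
latest_backup() (
  best=""
  for d in "$1"/upgrade-*; do
    name=${d##*/}
    case ${name#upgrade-} in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
      *) continue ;;                      # not a timestamped upgrade directory
    esac
    if [ -d "$d" ] && [ ! -L "$d" ] && [ -f "$d/mytunneld.prev" ]; then
      best=$d
    fi
  done
  [ -n "$best" ] && printf '%s\n' "$best"
)

# Succeed only if $1 is a regular file (not a symlink), owned by uid $2
# (default 0, root), with the group and other write bits clear. Anything
# looser means a non-root account could have altered the file since the
# backup was taken.
safe_to_restore() (
  f=$1
  want_uid=${2:-0}
  [ -f "$f" ] && [ ! -L "$f" ] || exit 1
  set -f                                  # no globbing on the ls output
  set -- $(ls -ldn -- "$f")               # $1 = mode string, $3 = numeric uid
  [ "$3" = "$want_uid" ] || exit 1
  case $1 in
    -????-??-?*) exit 0 ;;                # e.g. -rwxr-xr-x
    *) exit 1 ;;                          # group- or world-writable
  esac
)

# Usage before the manual restore:
#   dir=$(latest_backup /var/backups/mytunneld) &&
#     safe_to_restore "$dir/mytunneld.prev" && echo "restore from $dir"
```

The same check applies to leases.db.prev and mytunneld.env.prev if you restore them.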
Uninstall and recovery
Dry-run edge uninstall:

    sudo ./scripts/uninstall-edge.sh --dry-run

Remove edge service, binary, and config while preserving data:

    sudo ./scripts/uninstall-edge.sh

Remove data too:

    sudo ./scripts/uninstall-edge.sh --purge-data

Client uninstall dry-run:

    ./scripts/uninstall-local.sh --dry-run

Client uninstall:

    ./scripts/uninstall-local.sh

Release-quality verification
Before cutting a public release:

    go test -race ./...
    go test ./... -count=1
    go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...
    make build
    make release-client
    make checksums

If local Go or shellcheck is unavailable:

    make verify-docker