Encrypted Proxy Tunnel

When HTTP is all you've got.

Route SOCKS5 and HTTP(S) proxy traffic through plain HTTP, end-to-end encrypted with ChaCha20-Poly1305. Built for environments that serve HTTP but block direct TCP.

Works behind:

Cloud Shell, Codespaces, Gitpod, Railway, Render, Fly.io

Architecture

[Diagram: CLIENT (SOCKS5 / HTTP, :1080) | SSE STREAM (HTTP/1.1) | REVERSE PROXY | SERVER (tunnix, :8080) | TARGET (TCP). Labels: ChaCha20-Poly1305 encrypted; auto-detect, 0x05 = SOCKS5; multiplexed connections.]

Features

0x05 = SOCKS5

Dual-Protocol Listener

SOCKS5 and HTTP proxy on the same port, auto-detected from the first byte.

256-bit keys

End-to-End Encryption

ChaCha20-Poly1305 AEAD with per-message random nonce, Argon2id key derivation.

AtomicU32 conn_id

Connection Multiplexing

Many local connections share a single SSE stream to the server.

--header

Custom Header Injection

For cookie-authenticated reverse proxies like Cloud Shell and Codespaces.

ArcSwap

Hot Reload

Poll config.toml every 3s and swap password, headers, and routing via ArcSwap — no restart.

Message::Reset

Resilient Reconnect

15s SSE keepalive and 30s client read timeout auto-recover from server restarts and dropped links.

--allow-transfer

Encrypted File Transfer

Push and pull files or directories over the tunnel, streamed as zstd-compressed tar archives.

--allow-exec

Remote Shell

Open an interactive PTY session over the tunnel with full terminal resize and exit-code relay.
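
The first-byte auto-detection described under Dual-Protocol Listener, as an added example that is not tunnix's own code. Only the rule 0x05 = SOCKS5 comes from this page; the SOCKS5 greeting layout follows RFC 1928, and the HTTP method allow-list, the reject cases and all names are assumptions made for illustration.

```rust
// Added illustration, not tunnix source code. All names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Detected {
    Socks5 { methods: Vec<u8> },
    Http { method: String },
    NeedMore,             // caller should read more bytes before deciding
    Reject(&'static str), // caller should close the connection
}

// Assumed allow-list; the page does not say which HTTP methods are accepted.
const HTTP_METHODS: [&str; 9] = [
    "CONNECT", "GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH", "TRACE",
];
/// Classify the bytes peeked so far from a newly accepted connection.
pub fn detect(buf: &[u8]) -> Detected {
    let first = match buf.first() {
        Some(&b) => b,
        None => return Detected::NeedMore,
    };
    if first == 0x05 {
        // RFC 1928 greeting: VER=0x05 | NMETHODS | METHODS[NMETHODS]
        let n = match buf.get(1) {
            Some(&n) => n as usize,
            None => return Detected::NeedMore,
        };
        if n == 0 {
            return Detected::Reject("SOCKS5 greeting offers no methods");
        }
        return match buf.get(2..2 + n) {
            Some(m) => Detected::Socks5 { methods: m.to_vec() },
            None => Detected::NeedMore,
        };
    }
    if !first.is_ascii_uppercase() {
        return Detected::Reject("neither SOCKS5 nor an HTTP request line");
    }
    // HTTP request line: the method token ends at the first space.
    match buf.iter().position(|&b| b == b' ') {
        Some(i) => match std::str::from_utf8(&buf[..i]) {
            Ok(tok) if HTTP_METHODS.contains(&tok) => Detected::Http { method: tok.to_string() },
            _ => Detected::Reject("unknown HTTP method"),
        },
        // The longest allowed method is 7 bytes, so 8 bytes with no space cannot match.
        None if buf.len() > 7 => Detected::Reject("method token too long"),
        None => Detected::NeedMore,
    }
}

fn main() { println!("{:?}", detect(b"\x05\x01\x00")); } // constructed sample greeting
```

Returning NeedMore instead of guessing on a short read keeps a slow or fragmented client from being misclassified, and anything that is neither protocol (a TLS ClientHello starting with 0x16, for example) is rejected rather than passed to a parser.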

Installation

Homebrew

brew install aeroxy/tap/tunnix

From Source

cargo install --git https://github.com/aeroxy/tunnix

Quick Start

1. Start the server

tunnix server \
  --listen 0.0.0.0:8080 \
  --password "your-secret"
2. Connect the client

tunnix client \
  --server https://your-host \
  --password "your-secret" \
  --local-addr 127.0.0.1:7890
3. Use it

Configure your application to use the proxy.

curl --socks5 127.0.0.1:7890 https://ifconfig.me

Transfer files

requires --allow-transfer

Push and pull over the encrypted tunnel (v0.4.0+).

tunnix push ./build --server https://your-host --password "your-secret"
tunnix pull /var/log/app.log --server https://your-host --password "your-secret"

Changelog

Recent releases

v0.4.0 (Jun 6, 2026)
  • push / pull file transfer over the tunnel
  • Streaming zstd-compressed tar archives
  • Global config discovery via XDG path
v0.3.0 (Jun 4, 2026)
  • tunnix remote-exec interactive PTY sessions
  • Exec / Resize / ExitStatus protocol messages
  • SSE init race condition hardened
v0.2.3 (May 18, 2026)
  • Message::Reset for graceful restart recovery
  • 15s SSE keepalive + 30s client read timeout
  • Concurrency fix: no mutex across async sends

Stack

Language: Rust
Transport: HTTP/1.1 + SSE
Crypto: ChaCha20-Poly1305
KDF: Argon2id