This document tracks the features that have already shipped and ideas planned for future releases. It is a living reference — items may be re-prioritised or added as the project evolves.
- HTTP tunnel proxying with automatic subdomain routing (
<id>.yourdomain.com) - Custom subdomain support (
--subdomain myapp) - TCP tunnel proxying with dynamic port allocation from a configurable range
- yamux stream multiplexing over a single WebSocket connection
- Automatic client reconnection with configurable retry logic
- Independent data WebSocket reconnect — data plane failures no longer tear down the control session; tunnels keep their subdomain/port (v0.4.10+)
- Graceful shutdown — drains active sessions with a 30-second timeout on SIGINT/SIGTERM
- TLS termination on the HTTPS edge using rustls
- Static PEM certificate support (BYO cert from Let's Encrypt, Certbot, etc.)
- Built-in ACME client for automatic certificate provisioning and renewal (Cloudflare DNS-01 challenge)
- Per-tunnel request rate limiting (requests/second)
- Per-source-IP rate limiting
- Request body size cap
- Maximum tunnels per session limit
- Maximum concurrent connections per tunnel limit (semaphore)
- Admin token authentication (static secret in server config)
- Database-backed API tokens (create, list, delete)
- Token scope field for future RBAC use
- Token last-used timestamp tracking
- Per-token tunnel count tracking
- Tunnel history page in the dashboard (paginated table with protocol filter, duration, token attribution)
- Token management via CLI (
rustunnel token create / list / delete) - Token management via Dashboard UI
- Live dashboard built with Next.js (static export embedded in server binary)
- Active sessions panel with real-time polling
- Active tunnels panel (HTTP and TCP)
- Live request inspector (captures HTTP requests proxied through tunnels)
- API token management panel (create / view / delete tokens with one-time raw token display)
- Per-token tunnel usage counter
- Structured JSON logging (via
tracing+tracing-subscriber) - Append-only audit log (JSON-lines) for auth, tunnel, and token events
- Prometheus metrics endpoint (
/metricson:9090)rustunnel_active_sessionsrustunnel_active_tunnels_httprustunnel_active_tunnels_tcp
- SQLite-backed tunnel activity log (
tunnel_logtable with token attribution)
- Multi-stage Dockerfile for minimal production images
- Docker Compose stack (server + optional Prometheus + Grafana)
- systemd service unit with dedicated system user
-
make deploy/make update-serverhelpers for bare-metal deployments - Pre-built Grafana dashboard for tunnel metrics
- Cargo workspace with separate
rustunnel-server,rustunnel-client, andrustunnel-protocolcrates - Integration test suite (spins up a real server on random ports, tests auth, HTTP/TCP tunnels, reconnection)
- GitHub Actions CI (format check + Clippy + full test suite)
- Pre-push git hook mirroring CI checks (
make install-hooks) - Local development config (
deploy/local/server.toml) and self-signed cert setup instructions - Pre-built release binaries for Linux (x86_64, aarch64) and macOS via GitHub Releases
-
rustunnel setup— interactive wizard that creates~/.rustunnel/config.ymlwith prompted server, auth token, and region values
- Public website at rustunnel.com with marketing page, pricing, and documentation
- Self-service user registration and email verification — no manual token issuance
- User dashboard — API key management (create, label, revoke), usage stats, tunnel history
- Free tier — up to 3 tunnels, TLS/HTTPS termination included
- Pay-as-you-go plan — unlimited tunnels, custom subdomains, TLS/HTTPS termination
- Stripe billing integration — $3/month minimum + $0.10/GB overage above 30 GB
- Spend cap setting — users can cap their monthly PAYG spend from the dashboard
- Payment method management via Stripe Customer Portal
- Invoice history in the user dashboard
- Custom subdomains gated by plan (PAYG and self-hosted only)
- PostgreSQL-backed
regionstable with region metadata (id, name, location, host, control_port, active) -
region_idcolumn ontunnel_logfor per-region tunnel attribution -
[region]section inserver.toml— each instance declares its own region identity -
GET /api/regionsendpoint — returns active region list for client discovery -
--region <id>CLI flag forrustunnel http/rustunnel tcp(eu,us,ap,auto) -
region:field in~/.rustunnel/config.yml - Parallel TCP latency probing across all regions — auto-selects nearest on
region: auto - Three-tier region list resolution: local cache → API fetch → hardcoded fallback compiled into binary
- 24-hour region list cache at
~/.rustunnel/regions.json - Global edge fleet: EU (Helsinki), US (Hillsboro, OR), AP (Singapore)
- Sentry integration for error tracking and distributed tracing
- Accurate bytes-proxied tracking per tunnel session
- Per-request body size capture via RAII
CaptureGuard -
GET /api/admin/metrics/users-over-time— user growth metrics for admin dashboard
- Google OAuth sign-in for the managed service
-
rustunnel-mcpbinary — MCP server with stdio transport -
create_tunneltool — spawnsrustunnelCLI subprocess and polls API for the public URL -
list_tunnelstool — REST wrapper forGET /api/tunnels -
close_tunneltool — REST wrapper forDELETE /api/tunnels/:id+ kills spawned process -
get_connection_infotool — returns CLI command for cloud/sandbox agents -
get_tunnel_historytool — REST wrapper forGET /api/history -
GET /api/openapi.json— machine-readable API spec for agent discovery - Claude Code plugin —
/plugin install rustunnelwith secure token storage, skill definition, and zero-config MCP setup -
list_regionsMCP tool — callsGET /api/regions, returns region list to the agent -
regionparameter oncreate_tunnelandget_connection_infoMCP tools
Items below are not committed to any release timeline. They represent directions the project may grow in.
- Shell completions for the CLI (bash, zsh, fish)
-
rustunnel statuscommand to inspect the active connection and registered tunnels - Extended Prometheus metrics (bytes proxied, request latency histograms, error rates)
-
rustunnel setup --updateflag to edit an existing config file non-destructively - Token-scoped tunnel isolation —
list_tunnelsandclose_tunnelrestricted to tunnels owned by the calling token
- x402 middleware on
POST /api/tokens— gate token creation behind USDC micropayment - Token TTL + tier metadata (
expires_at,tier,tunnel_limitcolumns) - Token expiry enforcement at tunnel registration time
-
purchase_tunnel_passMCP tool — drives x402 payment flow using agent's wallet - Coinbase facilitator integration for on-chain payment verification
- Streamable HTTP transport — deploy MCP server as
mcp.tunnel.example.com - OAuth 2.1 on the remote MCP endpoint
-
GET /api/usage— tunnel-hours, bytes, request counts per token
- Token RBAC — enforce scope restrictions (e.g.
http-only,tcp-only, read-only dashboard) - Bandwidth limiting per tunnel
- Webhook notifications on tunnel connect / disconnect events
- Dashboard dark mode
- Windows support for the client binary
- Config file hot-reload (SIGHUP) without restarting the server
- Health check / heartbeat endpoint for load balancer probing
- Dashboard fan-out queries — active tunnels aggregated across all regions via parallel API calls
- Per-region health indicators in the dashboard header (one dot per region)
- Region column in active tunnels table and tunnel history table
- Region-aware request inspector — routes to the correct regional server via
region_id - Cross-region token validation (tokens issued on one region accepted by all — already works via shared PostgreSQL)
-
list_regionsMCP tool — callsGET /api/regions, returns region list to the agent -
regionparameter oncreate_tunnelMCP tool — passes--region <id>to CLI subprocess -
regionparameter onget_connection_info— included in the CLI command string and JSON response
- SSH tunnel support (
rustunnel ssh) - Custom domain per tunnel (BYOD — bring your own domain with DNS verification)
- Multi-user / team management with role-based access control
- Traffic inspector with request replay in the dashboard
- Tunnel persistence across server restarts (reconnect to the same subdomain/port)
- mTLS client authentication
- Plugin / middleware system for request transformation and filtering
- Distributed server mode (multiple instances sharing state via a database)
| Version | Highlights |
|---|---|
| 0.1.0 | Initial release — HTTP/TCP tunnels, TLS, admin token auth, dashboard, Prometheus metrics |
| 0.2.0 | API token management (create/list/delete), tunnel activity log, per-token tunnel counts |
| 0.3.0 | Tunnel history dashboard page, stale tunnel cleanup on restart, MCP server (Phase 1), OpenAPI spec |
| 0.3.1 | Multi-region server infrastructure — regions table, region_id on tunnel log, GET /api/regions, [region] server config |
| 0.3.2 | Multi-region client — --region flag, region: config field, parallel latency probing, auto-select, 3-tier region discovery |
| 0.3.6 | Unified dashboard — per-region health dots, region column in tunnels + history, region-aware request inspector; MCP list_regions tool + region param on create_tunnel |
| 0.4.0 | Public platform launch — rustunnel.com with self-service registration, user dashboard, API key management, free tier |
| 0.4.2 | Stripe billing — PAYG plan with metered bandwidth ($0.10/GB), spend cap, Stripe Customer Portal integration |
| 0.4.6 | PAYG minimum fee — $3/month floor covering first 30 GB; overage charged via invoice webhook; TLS/HTTPS termination listed on all plans; custom subdomains gated by plan |
| 0.4.10 | Zero-downtime data WebSocket reconnect — when the data plane drops (NAT timeout, network blip), the client reconnects only the data WebSocket without re-authenticating or re-registering tunnels; same subdomain/port preserved. Server-side change is backwards compatible with older clients. |
| 0.4.12 | Sentry integration for error tracking and distributed tracing |
| 0.4.13 | Fix bytes-proxied tracking — tunnels now report actual transfer instead of 0 |
| 0.4.14 | Accurate per-request body size capture via RAII CaptureGuard |
| 0.4.16 | Admin metrics — GET /api/admin/metrics/users-over-time for user growth charts |
| 0.4.18 | Claude Code plugin (/plugin install rustunnel), Google OAuth sign-in, plugin configuration docs |