Protocol

Restunnel uses the Noise Protocol Framework for transport encryption and a custom binary message protocol for tunnel operations.

Why Noise, Not TLS

TLS requires the server to respond to any client's handshake — even unauthenticated ones. This creates a fingerprintable surface. Port scanners can identify TLS servers, probe for vulnerabilities, and build target lists.

Noise (specifically Noise_IK) provides:

Identity-first handshake — The client must prove it holds an authorized key in the very first message. No anonymous connections possible.
Silent rejection — The server sends no response to unauthorized clients. The port appears closed to scanners.
Mutual authentication — Both hub and exit node verify each other's identity.
Forward secrecy — Ephemeral keys per session.
No certificate infrastructure — No CAs, no Let's Encrypt, no certificate expiration.

Handshake

The tunnel runs over raw TCP on port 9000. The Noise handshake uses X25519 keys for Diffie-Hellman key exchange.

Enrollment (first connection):

Node knows the hub's public key from the QR code / enrollment URL
Node initiates Noise_IK handshake
Hub accepts the handshake (node's key is unknown but allowed during enrollment)
Node sends ENROLL message with the one-time token
Hub validates the token, stores the node's public key, burns the token
Hub sends ENROLL_OK — enrollment complete

Reconnection (subsequent connections):

Node initiates Noise_IK handshake using stored keys
Hub checks the node's public key against its authorized list
If recognized → tunnel established
If unknown → silent drop, no response

Message Protocol

After the Noise handshake, the encrypted channel carries binary-framed messages:

┌──────────┬──────────┬───────────┬──────────────┐
│ Type (1B)│ ID (4B)  │ Len (4B)  │ Payload      │
└──────────┴──────────┴───────────┴──────────────┘

The ID field is the stream identifier — it multiplexes many TCP streams over a single tunnel per exit node.

Message Types

Type	Name	Direction	Purpose
`0x01`	ENROLL	Node → Hub	One-time enrollment (token + public key)
`0x02`	ENROLL_OK	Hub → Node	Enrollment accepted
`0x03`	PING	Both	Keepalive (every 30s)
`0x04`	PONG	Both	Keepalive response (must reply within 10s)
`0x10`	CONNECT	Hub → Node	Open TCP connection to target host
`0x11`	CONNECT_OK	Node → Hub	TCP connection established
`0x12`	CONNECT_FAIL	Node → Hub	Connection failed (with reason)
`0x20`	DATA	Both	Raw TCP data for a stream
`0x21`	CLOSE	Both	Close a stream
`0x30`	STATUS	Node → Hub	Periodic status (IP, battery, bandwidth)

Enrollment Failure

There is no ENROLL_FAIL message. If the token is invalid or expired, the hub silently drops the connection — consistent with the "invisible to unauthorized" security model.

Stream Multiplexing

A single Noise session between hub and exit node carries many logical TCP streams simultaneously. The ID field in CONNECT, DATA, and CLOSE messages identifies which stream a frame belongs to.

When a SOCKS5 client on the server connects to example.com:443 through the proxy, the hub:

Assigns a new stream ID
Sends CONNECT example.com:443 to the exit node with that ID
The exit node opens a TCP connection to the target
All subsequent DATA and CLOSE frames use the same stream ID

This means one exit node can handle hundreds of concurrent connections over a single tunnel.

Keepalive

Both sides send PING every 30 seconds. The other side must respond with PONG within 10 seconds. If no response arrives, the connection is considered dead and the node begins reconnecting with exponential backoff.