CHAN.RUN

Restunnel

Route your server's traffic through your own devices

Your server runs on Hetzner, AWS, or DigitalOcean — but websites see a datacenter IP and block it. Captchas, rate limits, geo-restrictions. Meanwhile your phone on LTE and your laptop on home WiFi have IPs that websites trust completely.

Restunnel connects the two. Your server's requests exit through your own personal devices. The website on the other end sees a normal residential IP.

How it works

A hub runs on your server as a local SOCKS5/HTTP proxy. Your personal devices run exit node apps that connect to the hub over encrypted tunnels. When your software makes a request through the proxy, the hub routes it through one of your connected devices.

Your Server (Hetzner)
┌──────────────────────────┐
│  Your Software           │
│       │                  │
│       ▼                  │
│  restunnel-hub           │
│  socks5://localhost:1080 │
└───────┬──────────────────┘
        │ encrypted tunnels
        │
   ┌────┴──────────────┐
   │                    │
   ▼                    ▼
📱 Phone (LTE)    💻 Laptop (WiFi)

No port forwarding on your devices. Exit nodes connect outbound to the hub — if the device can browse the web, it can be an exit node.

Quick start

1. Install the hub on your server

curl -fsSL https://raw.githubusercontent.com/zerocity/tunnel.chan.run/main/install-hub.sh | sh

2. Start it

restunnel-hub --listen 0.0.0.0:9000 --host <your-public-ip>:9000

On first startup the hub prints a QR code for pairing your first device.

3. Connect a device

Phone (Android) — scan the QR code with the Restunnel app. Your phone is now an exit node.

Mac — paste the noise:// enrollment URL in the menu bar app.

Linux/CLI — run restunnel-node --hub "noise://...".

4. Use it

# Direct from server — datacenter IP
curl https://httpbin.org/ip
# → {"origin": "95.217.x.x"}

# Through Restunnel — your phone's residential IP
curl --proxy socks5://localhost:1080 https://httpbin.org/ip
# → {"origin": "178.115.x.x"}

Works with any tool that supports SOCKS5 or HTTP CONNECT: curl, Playwright, Puppeteer, Python requests, scrapy, and more.

Features

Invisible to scanners — Noise protocol handshake silently drops unauthorized connections. Port scanners see nothing.
Zero config on devices — No port forwarding, no firewall rules. Exit nodes connect outbound.
Install and forget — Apps auto-reconnect, run in the background, start on boot. QR code pairing.
No external dependencies — No third-party accounts, no cloud services. Each hub is self-contained.
Multi-hub — One phone can connect to multiple hubs on different servers simultaneously.
Standard proxy — SOCKS5 (:1080) and HTTP CONNECT (:1081) on localhost.
Hardware-backed keys — Device keys stored in Android Keystore, macOS Keychain, or Secure Enclave.

Platforms

Platform	Type	Status
Linux	Hub + CLI exit node	Available
Android	Exit node app	Available
macOS	Menu bar exit node	Available
iOS	Exit node app	Planned
Windows	System tray exit node	Planned

Next steps

Server setup — full hub installation and configuration
Architecture — topology, protocol, security
Proxy configuration — tool-specific proxy examples