Exit Nodes

Exit nodes are apps running on your personal devices. They connect outbound to your hub and relay traffic using the device's internet connection. No port forwarding needed — if the device can browse the web, it can be an exit node.

Android

Your phone on LTE is the most valuable exit node — it provides a mobile carrier IP that websites trust completely.

Install: Download the latest APK from GitHub Releases.

If you have a locally-built APK installed, uninstall it first — Android rejects signature mismatches on the same package.

Pair: Open the Restunnel app, tap Scan QR to Enroll, and scan the QR code from your hub's dashboard. To add more hubs, scan again.

Background behavior:

  • Foreground service with persistent notification (prevents Android from killing it)
  • Auto-reconnects on network changes (WiFi ↔ mobile, airplane mode)
  • Auto-starts on boot if any hubs are enrolled
  • Prompts to disable battery optimization

macOS

The desktop app runs as a menu bar app. It connects to your hubs and relays traffic using your Mac's internet connection.

Install: Download the .dmg from GitHub Releases, open it, and drag Restunnel to Applications.

If macOS says the app is "damaged", run:

xattr -cr /Applications/Restunnel.app

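This is a Gatekeeper issue with unsigned apps. The command recursively clears the app bundle's extended attributes, including the com.apple.quarantine flag that macOS sets on downloaded files. Code signing is planned for a future release.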

Pair: Click the Restunnel icon in the menu bar → Add Hub → paste the noise:// enrollment URL from your hub.

Background behavior:

  • Runs at login via LaunchAgent
  • Auto-reconnects on network changes
  • Menu bar icon shows connection status
  • Keypair stored in macOS Keychain (hardware-backed on Apple Silicon and T2)

CLI (Linux / macOS)

A single binary that runs on any Linux or macOS machine — a Raspberry Pi, a home server, a laptop.

Install:

curl -fsSL https://raw.githubusercontent.com/zerocity/tunnel.chan.run/main/install-node.sh | sh

Tip: Private repo? Set a token first: export GITHUB_TOKEN=ghp_..., then run the install command.

Enroll using the URL from your hub's token generation:

restunnel-node \
  --hub "noise://<your-public-ip>:9000?token=<token>&pubkey=<pubkey>" \
  --label vienna-home

  • --hub — Enrollment URL (required on first run, stored for reconnection)
  • --label — Human-readable name for this node
  • --data-dir — Persistent state directory (default node-data/)

After enrollment, just run restunnel-node to reconnect — no token needed.

Run as a service for always-on exit nodes:

# /etc/systemd/system/restunnel-node.service
[Unit]
Description=Restunnel Exit Node
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/restunnel-node --data-dir /var/lib/restunnel-node
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Then enable and start the service:

sudo systemctl enable --now restunnel-node
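
The unit above has no User= line, so the node runs as root. A drop-in that sandboxes it, as an added example that is not from the Restunnel project; it assumes the node needs only network access and its data directory, which has not been checked against the binary:

```ini
# /etc/systemd/system/restunnel-node.service.d/hardening.conf
# Added example: drop-in that layers sandboxing on the unit above.
# Assumption: restunnel-node needs only network access and write access to
# its --data-dir; loosen a directive if the node fails to start with it.
[Service]
# Run as a transient unprivileged user instead of root.
DynamicUser=yes
# Managed state directory at /var/lib/restunnel-node (matches --data-dir in
# ExecStart). It holds the persistent state, including the stored hub
# enrollment, so keep it readable by the service user only.
StateDirectory=restunnel-node
StateDirectoryMode=0700
UMask=0077

# No privilege gain through setuid binaries or capabilities.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes

# Filesystem: read-only OS, no home directories, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel surface a traffic relay has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Sockets: IP for the tunnel, AF_UNIX for local name resolution,
# AF_NETLINK for interface change notifications.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
```

After adding the file, run sudo systemctl daemon-reload and restart the service. systemd-analyze security restunnel-node then reports which exposures remain.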

Multiple Hubs

A single device can connect to multiple hubs simultaneously. Each connection is independent — separate encryption, separate authentication.

  • Android / macOS — enroll with each hub separately. The app manages all connections.
  • CLI — run separate instances with different --data-dir paths:

restunnel-node --data-dir /var/lib/restunnel-node-a  # Hub A
restunnel-node --data-dir /var/lib/restunnel-node-b  # Hub B