Advanced Topics

Tunneling

Create secure tunnels and proxy connections for exposing local services through WebSocket bridges

dxflow provides powerful tunneling capabilities through its proxy-bridge architecture, enabling you to expose local services securely over WebSocket connections with automatic subdomain allocation.

Secure Access: dxflow tunneling uses authenticated WebSocket connections to route traffic between proxy hubs and bridge nodes, enabling secure access to local services from anywhere.

How It Works

Proxy and Bridge Architecture

dxflow tunneling uses a hub-and-spoke model with two main components:

Proxy Hub

Central Router

  • Allocates unique subdomains to bridges
  • Routes incoming traffic to connected bridges
  • Manages authentication and traffic limits
  • Maintains connection pools for efficiency

Bridge Node

Local Gateway

  • Connects to proxy hub via WebSocket
  • Receives unique subdomain allocation
  • Routes traffic to local upstream services
  • Handles reconnection automatically

Connection Flow

Internet User → Proxy Hub → WebSocket Tunnel → Bridge Node → Local Service

Each bridge gets a unique subdomain (e.g., ab1234567890.yourhub.com) that routes all traffic through the secure tunnel.

Setting Up Tunnels

Using the Default Hub

dxflow provides dxflow.ai as a ready-to-use public hub:

Zero Setup Required: The default hub is already running and ready to accept bridge connections. No configuration or deployment needed on your part.

Hub Features:

  • Always available at dxflow.ai
  • Unlimited connections and traffic from hub perspective
  • Automatic subdomain allocation for each bridge
  • Managed infrastructure - no maintenance required

Start Your Own Proxy Hub

For private tunneling with your own infrastructure:

Enterprise Feature: Running your own proxy hub requires a specific license. Contact us for enterprise licensing and private hub deployment. Learn more about licensing.

Private Hub Benefits:

  • Full control over authentication and traffic limits
  • Private infrastructure - no shared resources
  • Custom domain and subdomain allocation

Connect Bridge Nodes

Connect bridge nodes to expose local services:

Requires Bridge-Enabled License: Bridge functionality is not included in the general license. You need a bridge-enabled license to connect bridge nodes. See licensing documentation for details.

# Start bridge connecting to default hub (dxflow.ai)
dxflow boot up --bridge --daemon

# Bridge receives subdomain from hub
# Default: 1 connection, 10MB traffic limit

Manual Management

# List active proxies on hub
dxflow proxy list

# Create new proxy allocation
dxflow proxy create

# Remove unused proxies
dxflow proxy prune

Identity System

Unique Identifiers

Every proxy-bridge connection uses a 12-character alphanumeric identity:

Property   | Details
Format     | 12-byte alphanumeric (e.g., ab1234567890)
Usage      | Subdomain allocation and traffic routing
Generation | Automatically created during connection

Authentication

Proxy Credentials

Auto-Generated

  • Username: 6-character random nonce
  • Password: 24-character random nonce
  • Required for WebSocket connections

Gateway Authorization

Optional Security

  • Authorization tokens in query parameters
  • Prevents unauthorized subdomain allocation
  • Additional security layer

Traffic Management

Connection Pooling

dxflow optimizes performance through intelligent connection pooling:

  • 8-second pairing window for matching connections
  • Automatic cleanup of unpaired connections
  • Thread-safe operations with mutex protection
  • Connection reuse to reduce overhead
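
A pairing pool with the properties listed above (8-second window, cleanup of unpaired connections, a mutex around shared state), written as an added example rather than dxflow's own code. Keying by fingerprint, the side labels and the `max_pending` cap are assumptions made for illustration.

```python
import threading
import time

PAIRING_WINDOW = 8.0  # seconds, the pairing window listed above


class PairingPool:
    """Holds a connection until its counterpart arrives or the window ends."""

    def __init__(self, window=PAIRING_WINDOW, max_pending=1024, clock=time.monotonic):
        self._window = window
        self._max_pending = max_pending   # assumed cap so the pool cannot grow unbounded
        self._clock = clock               # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._pending = {}                # fingerprint -> (side, conn, deadline)

    def _expire_locked(self):
        """Close and drop entries past their deadline; caller holds the lock."""
        now = self._clock()
        stale = [fp for fp, (_, _, dl) in self._pending.items() if dl <= now]
        for fp in stale:
            self._pending.pop(fp)[1].close()
        return len(stale)

    def offer(self, fingerprint, side, conn):
        """Return the waiting peer connection, or None if conn must wait."""
        with self._lock:
            self._expire_locked()
            waiting = self._pending.get(fingerprint)
            if waiting is not None:
                if waiting[0] == side:    # same side twice: refuse, do not overwrite
                    raise ValueError("fingerprint already pending on this side")
                del self._pending[fingerprint]
                return waiting[1]
            if len(self._pending) >= self._max_pending:
                raise RuntimeError("pairing pool full")
            self._pending[fingerprint] = (side, conn, self._clock() + self._window)
            return None

    def sweep(self):
        """Periodic cleanup entry point; returns how many entries were closed."""
        with self._lock:
            return self._expire_locked()

    def pending(self):
        with self._lock:
            return len(self._pending)
```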

Default Configuration

dxflow tunneling comes with different defaults for hubs and nodes:

dxflow.ai Hub

  • Default hub: dxflow.ai (public)
  • Connection limit: Unlimited
  • Traffic limit: Unlimited
  • Purpose: Central routing for all users

Security Features

Network Security

dxflow tunneling includes several security measures:

Upstream Validation

Private IP Only

  • Bridge must connect to private IPs
  • Prevents exposing public services
  • Enforces local network boundaries
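
One way to implement a private-only upstream check, as an added example that is not dxflow's code. It assumes "private" means RFC 1918, loopback and IPv6 unique-local ranges, with link-local left out; the function names and the injectable `resolver` parameter are hypothetical.

```python
import ipaddress
import socket

# Assumption: "private" means RFC 1918, loopback and IPv6 unique-local space.
# Link-local (169.254.0.0/16, fe80::/10) is left out on purpose.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7",
)]


def normalize(raw):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop an IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_private(ip):
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)


def resolve_upstream(host, port, resolver=socket.getaddrinfo):
    """Return the validated private addresses for host, or raise ValueError."""
    try:
        addrs = [normalize(host)]            # IP literal, no lookup needed
    except ValueError:
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except OSError as exc:               # socket.gaierror is an OSError
            raise ValueError(f"cannot resolve {host!r}") from exc
        addrs = [normalize(info[4][0]) for info in infos]
    if not addrs:
        raise ValueError(f"{host!r} resolved to no addresses")
    # Every resolved address must pass, not just the first one returned.
    public = sorted({str(a) for a in addrs if not is_private(a)})
    if public:
        raise ValueError(f"{host!r} maps to non-private address(es): {public}")
    return sorted({str(a) for a in addrs})
```

Connect to one of the returned addresses instead of resolving the name again, so the address that was checked is the address that is used.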

TLS Support

Encrypted Connections

  • HTTPS gateway connections
  • Proper SNI handling for subdomains
  • Certificate validation for secure tunnels

Protocol Security

The hijack protocol enables efficient routing:

<identity|fingerprint>

Element     | Description
identity    | 12-byte bridge identifier
fingerprint | UUID for connection tracking
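
A strict parser for the header shown above and for the subdomain-to-identity mapping from the Connection Flow section, as an added example that is not dxflow's code. It assumes the header travels literally as `<identity|fingerprint>` with a canonical hyphenated UUID; `parse_hijack`, `identity_from_host` and the sample values in use are hypothetical.

```python
import re
import uuid

# Assumptions (not from dxflow): the header is sent literally as
# "<identity|fingerprint>" and the UUID is in canonical hyphenated form.
IDENTITY_RE = re.compile(r"[A-Za-z0-9]{12}")
HEADER_RE = re.compile(r"<([^|<>]*)\|([^|<>]*)>")


def parse_hijack(header):
    """Return (identity, uuid.UUID) or raise ValueError on any deviation."""
    m = HEADER_RE.fullmatch(header)
    if m is None:
        raise ValueError("malformed hijack header")
    identity, fingerprint = m.groups()
    if IDENTITY_RE.fullmatch(identity) is None:
        raise ValueError("identity must be 12 alphanumeric characters")
    try:
        parsed = uuid.UUID(fingerprint)
    except ValueError:
        raise ValueError("fingerprint is not a UUID") from None
    # uuid.UUID also accepts braces, a urn:uuid: prefix and bare hex; refuse them
    if str(parsed) != fingerprint.lower():
        raise ValueError("fingerprint is not in canonical UUID form")
    return identity, parsed


def identity_from_host(host_header, hub_domain):
    """Map a Host header to a bridge identity, or None if it is not ours."""
    host = host_header.partition(":")[0].rstrip(".")   # drop port and root dot
    suffix = "." + hub_domain.lower()
    if not host.lower().endswith(suffix):
        return None
    label = host[: -len(suffix)]                        # everything left of the hub
    return label if IDENTITY_RE.fullmatch(label) else None
```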

Performance Characteristics

Latency Comparison

Connection Type | Characteristics
Direct Proxy    | Minimal overhead, production-ready, low latency
Bridge Tunnel   | WebSocket overhead, development/testing scenarios

Traffic Statistics

Hub Metrics

  • User traffic (incoming from internet)
  • Bridge traffic (to/from bridge nodes)
  • Format: (↓ download) (↑ upload)
  • Real-time bandwidth tracking

Troubleshooting

Common Issues

"Proxy not available"

  • Identity doesn't exist on hub
  • Proxy was removed or never created
  • Check proxy list on hub

"Proxy not connected"

  • WebSocket connection dropped
  • Network interruption occurred
  • Verify bridge status and connectivity

Debugging Steps

  1. Enable debug logging: dxflow --log-level=debug boot up --proxy
  2. Monitor connection pools: Check pool sizes and timeout messages
  3. Track traffic stats: Use API for real-time bandwidth monitoring
  4. Test connectivity: Verify upstream services and WebSocket connections

Best Practices

Production Deployment

Security First

  • Use HTTPS for all gateway connections
  • Set appropriate traffic limitations
  • Rotate credentials regularly
  • Monitor traffic patterns

Performance

  • Tune buffer sizes for workload
  • Optimize timeout values
  • Use connection pooling effectively
  • Monitor statistics for bottlenecks

Reliability

  • Implement retry logic for failures
  • Monitor connection pool health
  • Set up automated cleanup tasks
  • Plan for horizontal scaling

API Integration

The tunneling system provides REST APIs for programmatic control:

Proxy Hub APIs

# List active proxies
curl http://hub/api/proxy/

# Create new proxy
curl -X POST http://hub/api/proxy/

# Remove inactive proxies
curl -X DELETE http://hub/api/proxy/prune/

Bridge Node APIs

# List bridge connections
curl http://node/api/bridge/

# Reconnect specific bridge
curl -X POST http://node/api/bridge/{identity}/connect/

# Clean up inactive bridges
curl -X DELETE http://node/api/bridge/prune/

Production Ready: dxflow tunneling has been tested in production environments, providing reliable secure access to local services with automatic reconnection, traffic management, and comprehensive monitoring.

The tunneling architecture enables secure, scalable access to distributed services while maintaining simplicity in configuration and management.