Crate zlayer_tunnel

ZLayer Tunnel - Secure tunneling for ZLayer services

Provides secure tunnel functionality for accessing ZLayer services through authenticated tunnels, including:

  • SSH to containers - Tunnel SSH access to specific containers without exposing the overlay network
  • Database access - Securely expose PostgreSQL/MySQL through the tunnel with authentication
  • Game server tunneling - TCP/UDP tunneling for game servers
  • Node-to-node bridging - Connect ZLayer nodes across different networks/datacenters
  • On-demand access - Like Cloudflare Access, users request temporary access to hidden services via CLI

§Architecture

The tunnel system consists of:

  • Control Channel: WebSocket over TLS for authentication and coordination
  • Data Channels: Direct TCP/UDP connections for actual traffic
  • Registry: Tracks active tunnels and their services

§Protocol

Uses a compact binary message format:

+----------+----------+----------------------------------+
| Type(1)  | Len(4)   | Payload (variable)               |
+----------+----------+----------------------------------+
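
The framing above, as an added example (not code from zlayer_tunnel): a decoder that bounds the peer-declared length before buffering a payload and distinguishes a short read from an oversized frame. Assumptions not stated on this page: Len is big-endian and counts payload bytes only, the 64 KiB cap is a constructed value, and the names `decode_frame`, `encode_frame`, `FrameError`, `HDR` and `MAX_PAYLOAD` are hypothetical.

```rust
// Added example, not zlayer_tunnel code. Assumptions: Len is big-endian and
// counts payload bytes only; the 64 KiB cap is a constructed value.
const HDR: usize = 5; // Type(1) + Len(4), from the layout above
const MAX_PAYLOAD: usize = 64 * 1024; // assumed limit for this sketch

#[derive(Debug, PartialEq)]
pub enum FrameError {
    Incomplete { needed: usize }, // wait for more bytes, nothing consumed
    TooLarge { declared: usize }, // declared length over the cap: drop the peer
}

#[derive(Debug, PartialEq)]
pub struct Frame<'a> {
    pub msg_type: u8,
    pub payload: &'a [u8],
}

/// Decode one frame from the front of `buf`; returns it and the bytes consumed.
pub fn decode_frame(buf: &[u8]) -> Result<(Frame<'_>, usize), FrameError> {
    if buf.len() < HDR {
        return Err(FrameError::Incomplete { needed: HDR - buf.len() });
    }
    let declared = u32::from_be_bytes([buf[1], buf[2], buf[3], buf[4]]) as usize;
    // Check the untrusted length before buffering or allocating for it.
    if declared > MAX_PAYLOAD {
        return Err(FrameError::TooLarge { declared });
    }
    let total = HDR + declared;
    if buf.len() < total {
        return Err(FrameError::Incomplete { needed: total - buf.len() });
    }
    Ok((Frame { msg_type: buf[0], payload: &buf[HDR..total] }, total))
}

/// Encode a frame; refuses payloads over the same cap.
pub fn encode_frame(msg_type: u8, payload: &[u8]) -> Option<Vec<u8>> {
    if payload.len() > MAX_PAYLOAD {
        return None;
    }
    let mut out = Vec::with_capacity(HDR + payload.len());
    out.push(msg_type);
    out.extend_from_slice(&(payload.len() as u32).to_be_bytes());
    out.extend_from_slice(payload);
    Some(out)
}

fn main() {
    // Constructed input: one frame of type 0x01 followed by a trailing byte.
    let mut wire = encode_frame(0x01, b"hello").unwrap();
    wire.push(0xFF);
    println!("{:?}", decode_frame(&wire));
}
```

The returned byte count lets a caller advance its read buffer and keep any trailing bytes for the next frame.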

§Example

use zlayer_tunnel::{TunnelClientConfig, ServiceConfig};

// Create a client configuration
let config = TunnelClientConfig::new(
    "wss://tunnel.example.com/tunnel/v1",
    "tun_abc123"
)
.with_service(ServiceConfig::tcp("ssh", 22).with_remote_port(2222))
.with_service(ServiceConfig::tcp("postgres", 5432));

// Validate the configuration
config.validate().expect("invalid config");

Re-exports§

pub use access::AccessManager;
pub use access::AccessSession;
pub use access::SessionInfo;
pub use client::AgentState;
pub use client::ConnectionCallback;
pub use client::ControlCommand;
pub use client::ControlEvent;
pub use client::LocalProxy;
pub use client::RegisteredService;
pub use client::ServiceStatus;
pub use client::TunnelAgent;
pub use config::ServiceConfig;
pub use config::TunnelClientConfig;
pub use config::TunnelServerConfig;
pub use error::Result;
pub use error::TunnelError;
pub use node::NodeTunnel;
pub use node::NodeTunnelManager;
pub use node::TunnelState;
pub use node::TunnelStatus;
pub use overlay::DynOverlayResolver;
pub use overlay::DynTunnelDnsRegistrar;
pub use overlay::OverlayReachability;
pub use overlay::OverlayResolver;
pub use overlay::RoutingMode;
pub use overlay::TunnelDnsRegistrar;
pub use protocol::Message;
pub use protocol::MessageType;
pub use protocol::ServiceProtocol;
pub use protocol::HEADER_SIZE;
pub use protocol::MAX_MESSAGE_SIZE;
pub use protocol::PROTOCOL_VERSION;
pub use server::accept_all_tokens;
pub use server::hash_token;
pub use server::ControlHandler;
pub use server::ControlMessage;
pub use server::ListenerManager;
pub use server::TokenValidator;
pub use server::Tunnel;
pub use server::TunnelInfo;
pub use server::TunnelRegistry;
pub use server::TunnelService;

Modules§

access
On-demand access tunneling
client
Tunnel client components
config
Configuration types for tunnel server and client
error
Error types for tunnel operations
node
Node-to-node tunneling infrastructure
overlay
Overlay network integration for tunnel routing
protocol
Binary message protocol for tunnel communication
server
Tunnel server components

Enums§

ExposeType
Exposure type