How does all of this work?

The Autotunnel Virtual Appliance advertises its public IP address and port to the Autotunnel Registry server. A technique known as UDP hole punching is used to "punch" a hole through any upstream firewall/NAT device. The Autotunnel Controller enables the node and peer virtual appliance to discover one another's IP address and port information, as well as other parameters required to negotiate the secure tunnel. This way, a node and peer virtual appliance can establish a connection without having to configure edge devices as would be needed in a traditional VPN setup. The virtual appliance takes care of ensuring that secure parameters are used when provisioning the tunnel.

How is data traversing the tunnel protected?

All tunnels are protected using robust and well-established cryptographic algorithms. We use AES-256 in GCM mode for confidentiality (encryption) and integrity. DH Group 20 (384-bit EC) is used for key exchange.

Do you store or have access to the encryption keys used to encrypt data?

No. The node and peer virtual appliances generate a common key based on a randomly generated secret that is combined with an 8–16 character shared secret. This is then fed into a memory-hard key derivation function (Argon2). This is also why we recommend a minimum of 2 GB of memory for the virtual appliance, as the key derivation function requires 1 GB of memory.
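
The key exchange, key derivation and packet protection described in the two answers above, as an added Node.js sketch that is not Autotunnel's code. scrypt from Node's standard library stands in for Argon2, and the way the two secrets are combined, the function names and the packet layout are assumptions.

```javascript
const crypto = require('crypto');

// DH Group 20 is the 384-bit NIST curve, named secp384r1 in Node.
function newEndpoint() {
  const ecdh = crypto.createECDH('secp384r1');
  ecdh.generateKeys();
  return ecdh;
}

// Assumption: the ECDH output salts the operator-entered shared secret.
// scrypt (memory-hard, 16 MiB here) stands in for Argon2.
function deriveTunnelKey(ecdhSecret, sharedSecret) {
  if (sharedSecret.length < 8 || sharedSecret.length > 16) {
    throw new RangeError('shared secret must be 8-16 characters');
  }
  return crypto.scryptSync(sharedSecret, ecdhSecret, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Assumed packet layout: 12-byte nonce | 16-byte GCM tag | ciphertext.
function seal(key, seq, plaintext) {
  const nonce = Buffer.alloc(12);
  nonce.writeBigUInt64BE(BigInt(seq), 4); // counter nonce: never repeats under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Returns the plaintext, or null when the tag does not verify.
function open(key, packet) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, packet.subarray(0, 12));
  decipher.setAuthTag(packet.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(packet.subarray(28)), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed run: two endpoints exchange public keys, then one packet.
function demo(nodeSecret, peerSecret) {
  const node = newEndpoint();
  const peer = newEndpoint();
  const nodeKey = deriveTunnelKey(node.computeSecret(peer.getPublicKey()), nodeSecret);
  const peerKey = deriveTunnelKey(peer.computeSecret(node.getPublicKey()), peerSecret);
  const packet = seal(nodeKey, 1, Buffer.from('constructed sample payload'));
  const tampered = Buffer.from(packet);
  tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit in transit
  return { keysMatch: nodeKey.equals(peerKey), opened: open(peerKey, packet), tampered: open(peerKey, tampered) };
}
```

Calling `demo` with two different shared secrets yields different keys on each side, so the first packet fails GCM authentication instead of decrypting to garbage.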

Is my traffic routed through your servers?

No. All tunnels are established directly between a node and peer virtual appliance. Your tunnel traffic never traverses our servers or infrastructure.