How It Works
The connector runs on your machine and dials out to the edge. The edge owns a public domain and accepts visitor HTTPS. The control plane issues identity and receives liveness/metering when configured, but it is not in the visitor request path.
The serving path is:
visitor -> edge route -> OpenTunnels stream -> connector -> localhost serviceAt registration, the connector declares services, access policies, and route controls. The edge verifies connector identity or API-key authorization, pins each route host to the declared app/account/device namespace, and evaluates route policy before proxying.