OpenTunnels Protocol

OpenTunnels runs over QUIC with TLS 1.3. The connector dials the edge, but the edge opens a stream back over that connection for each public request.

Registration carries the identity token or key-mode credential, the service manifest, and a signed proof bound to the current TLS session’s channel binding. This prevents a stolen managed token from being enough to register a different connector when holder-of-key claims are present.

For protocol details, see documentation/opentunnels-whitepaper.md and documentation/transport.md.