Network tunnels allow you to securely connect your local infrastructure to the platform. This guide walks you through downloading the tunnel client, configuring target subnets, and generating the gateway connection tokens required to establish a secure link.
flowchart LR
A["Platform Gateway"] <-->|Secure Token Connection| B("Tunnel Client")
B <-->|Routes Traffic| C["Target Subnet (Local Network)"]Setting up your tunnel
To get started, navigate to the Network Configuration panel in your dashboard.
- 1
Download the Tunnel Client
Locate the Step 1: Download Tunnel Client section. You will see a list of available binaries tailored for different operating systems and architectures (e.g., Linux, Windows, macOS). Click the button corresponding to your system to download the client.
- 2
Configure the Target Subnet
Under Step 2: Run Tunnel Client, locate the Target Subnet (CIDR) input field. Enter the network range you want the tunnel to access using standard CIDR notation (for example,
192.168.1.0/24). - 3
Generate the Connection Token
As you type, the system validates your subnet. Once a valid CIDR block is detected, the system will display a cyan "Valid subnet, generating command..." message and automatically generate your secure gateway token.
- 4
Run the Client
Copy the generated command provided in the UI and run it in your terminal to start the tunnel client and establish the connection.
# Example generated command ./tunnel-client --token <YOUR_GENERATED_TOKEN>
Subnet Validation Rules
The platform strictly validates your target subnet to ensure routing works correctly. You must provide a valid IPv4 address range in CIDR format.
| Requirement | Description | Example |
|---|---|---|
| Format | Must use CIDR notation (IP address followed by a slash and routing prefix). | 10.0.0.0/16 |
| Valid IPs | Each octet in the IP address must be between 0 and 255. | 192.168.1.0 |
| Prefix | The routing prefix must be between 0 and 32. | /24 |
If you enter an invalid format or an IP address with numbers exceeding 255, the input field will display a red error message ("Invalid CIDR format" or "Invalid IP address"), and the token generation will be paused.
Token Lifecycle and Security
To keep your infrastructure secure, gateway connection tokens are generated with strict scopes and short-lived expiration windows.
How long are connection tokens valid?
Every generated token has a strict expiration time of 36 minutes (36m). You must start your tunnel client within this window. Once the client connects, the session is established, but unused tokens will quickly expire to prevent unauthorized access.
How are tunnels identified?
When a token is generated, the system automatically assigns it a unique label (e.g., threatexploit-tunnel-482910). This helps you identify and audit active tunnel connections in your infrastructure logs.
Can I route multiple subnets?
Currently, the UI token generator scopes the connection strictly to the single allowed_subnet you provide in the input field.
