AdminDroid Endpoint Bridge — Secure Tunneling

Comprehensive Tunneling Solution

Everything you need to securely expose local services with enterprise-grade features

Tunnel Types & Transport

🌐

HTTP Tunneling

Subdomain-based routing for web applications, APIs, and webhooks.

Custom subdomain support
WebSocket pass-through
Session cookie continuity
X-Forwarded-* headers

🔌

TCP Tunneling

Port-based routing for any TCP protocol - databases, SSH, custom services.

Dynamic port allocation
Binary-safe forwarding
Full duplex communication
End-of-stream detection

🎮

UDP Tunneling

Session-based UDP forwarding for gaming, VoIP, and DNS servers.

Virtual session tracking
60-second session timeout
Bidirectional data flow
SignalR transport only

📡

SignalR Transport

WebSocket-based transport - firewall-friendly, no SSH required.

Works through firewalls
MessagePack binary protocol
Automatic reconnection
30-second heartbeat

🔐

SSH Transport

Traditional SSH reverse tunneling for maximum compatibility.

SSH key authentication
Reverse tunnel support
Port forwarding
OpenSSH compatible

Security & Access Control

🛡️

Path Filtering

Whitelist or blacklist URL paths to expose only specific endpoints.

Glob pattern support (**, *)
URL decoding protection
Path traversal prevention
404 response for blocked paths

🔑

Tunnel Access Key

Protect HTTP tunnels with end-user authentication.

Browser login page
Session cookie support
Header-based API access
Per-tunnel unique keys

🌍

IP-Based Access Control

Three-level IP restriction system for granular control.

Organization-level rules
Per-key restrictions
Per-tunnel filtering
CIDR notation support

🔒

TLS Encryption

End-to-end encrypted communication for all tunnels.

TLS 1.2/1.3 support
X.509 certificates
HTTPS enforcement
Secure WebSocket (WSS)

Additional Features

🏷️

Custom Subdomains

Choose your own subdomain name for memorable URLs.

User-specified names
Instant activation
Collision detection

⏰

Tunnel Expiration

Time-limited access with automatic cleanup.

Configurable lifetime
Expiry warnings
Auto-closure

🖥️

Cross-Platform

Works on Windows and Linux without modifications.

Native executables
Docker support
Service mode

🔁

Retry Policies

Resilient connections with configurable retry logic.

Unlimited retries
Limited attempts
Custom intervals

🌙

Silent/Background Mode

Run tunnels as background services for production deployments.

Silent log level
File logging support
Endpoint file output

📝

Comprehensive Logging

4 log levels with multiple output destinations.

Silent, Normal, Detailed, Verbose
Console, File, or Both
Web debug mode

🌐

Manager Integration

Centralized orchestration for multi-bridge deployments.

Automatic bridge assignment
Health monitoring
Remote key validation

🔗

WebSocket Support

Full bidirectional WebSocket tunneling for real-time apps.

Native WebSocket pass-through
Session cookie continuity
Real-time communication

Quick Start

Get your local service online in seconds. Download the client and run a single command.

🪟

Windows

Download .exe

🐧

Linux

Download x64

Basic HTTP Tunnel

# Expose local port 8080
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key

# With custom subdomain
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -Subdomain myapp

TCP Tunnel

# Expose a database or any TCP service
EndpointBridgeClient -LocalPort 5432 -ApiKey your_api_key -Tcp

# Expose multiple ports in one command (range, list, or mix - TCP/UDP only)
EndpointBridgeClient -LocalPort 5000-5005,5008 -ApiKey your_api_key -Tcp

UDP Tunnel

# Expose a game server, DNS, or VoIP service
EndpointBridgeClient -LocalPort 27015 -ApiKey your_api_key -Udp

SignalR Transport (Firewall-Friendly)

# Use WebSocket transport instead of SSH
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -Transport signalr

Path Filtering

# Expose only a single path (exact match)
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -AllowedPaths "/api/webhook"

# Expose multiple paths with wildcards
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -AllowedPaths "/api/webhook/**,/callback"

# Block sensitive paths
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -DeniedPaths "/admin/**,/internal/**"

Tunnel Access Key Protection

# Require end-user authentication
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -EnableTunnelAccessKey

# Output includes the tunnel access key:
Tunnel Access Key: tak_live_a1b2c3d4e5f6...
(Share this key with authorized users)

IP Restrictions

# Allow only specific IPs
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -AllowedIps "192.168.1.0/24,10.0.0.5" -IpRestriction

# Block specific IPs
EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key -DeniedIps "1.2.3.4" -IpRestriction

Full Featured Example

EndpointBridgeClient -LocalPort 8080 -ApiKey your_api_key \
  -Transport signalr \
  -Subdomain myapp \
  -ExpiresIn 8 \
  -WarnBeforeExpiry \
  -AllowedPaths "/api/**" \
  -DeniedPaths "/api/internal/**" \
  -EnableTunnelAccessKey \
  -AllowedIps "10.0.0.0/8" \
  -IpRestriction \
  -LogLevel detailed \
  -RetryPolicy Unlimited

Config File Support

Create an endpoint-bridge.config JSON file for persistent settings. The client auto-discovers config files in the current directory, executable directory, or ~/.endpoint-bridge/.

CLI Reference

Complete command-line options for the EndpointBridge client.

Option	Description
`-LocalPort`	Local port(s) to expose (required). Accepts a single port (`5000`), a range (`5000-5005`), a list (`5000,5001,5002`), or a mix. Ranges and lists are TCP/UDP only, capped at 64 ports.
`-ApiKey`	API key for authentication
`-Server`	Manager URL for Bridge assignment (if not default)
`-Transport`	Transport mode: `ssh` or `signalr`
`-LocalScheme`	Force local protocol: `auto` (default), `http`, or `https`
`-Tcp`	Enable TCP tunnel mode (default: HTTP)
`-Udp`	Enable UDP tunnel mode (requires SignalR transport)
`-FailFast`	With a multi-port `-LocalPort`: abort all tunnels and exit on the first failed startup registration
`-Subdomain`	Custom subdomain name
`-ExpiresIn`	Tunnel lifetime in hours
`-WarnBeforeExpiry`	Warn 5 minutes before expiry
`-AllowedIps`	IP whitelist (comma-separated, CIDR supported)
`-DeniedIps`	IP blacklist (comma-separated, CIDR supported)
`-IpRestriction`	Enable IP restriction checking
`-AllowedPaths`	URL path whitelist (HTTP only, glob patterns)
`-DeniedPaths`	URL path blacklist (HTTP only, glob patterns)
`-PathFiltering`	Enable path filtering
`-EnableTunnelAccessKey`	Require end-user authentication (HTTP only)
`-SshKeyPath`	Custom SSH key directory (SSH mode, service/system deployment)
`-WebDebug`	Enable HTTP request logging
`-ShowTimestamps`	Show timestamps in console output (useful for debugging)
`-Debug`	Debug mode — shortcut for verbose logging + timestamps
`-LogLevel`	`silent`, `normal`, `detailed`, `verbose`
`-Output`	`console`, `log`, `both`
`-LogLocation`	Log file path
`-RetryPolicy`	`NoRetry`, `Limited`, `Unlimited`
`-RetryCount`	Max retry attempts (for Limited policy)
`-RetryInterval`	Seconds between retries
`-EndpointFile`	Write tunnel URL to file
`-Config`	Path to config file
`-Help`	Show help information

Troubleshooting

Ensure outbound traffic to the tunnel server is allowed on your network.
Use -Transport signalr if SSH is blocked by your firewall.
Make sure no firewall or antivirus software terminates long-lived socket connections.
Mobile networks may drop persistent connections due to carrier restrictions.
If path filtering returns unexpected 404s, check your pattern syntax (/api/** for recursive, /api/* for single segment).
Verify your API key is valid and has the required scopes.
Enable -LogLevel verbose and -WebDebug for detailed diagnostics.