derptun 0.1.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -8,6 +8,7 @@ It supports:
8
8
  - text, file, and directory transfer with `send` and `receive`
9
9
  - local TCP service sharing with `share` and `open`
10
10
  - SSH access exchange with `ssh invite` and `ssh accept`
11
+ - durable TCP tunnels with the companion `derptun` package
11
12
 
12
13
  `derphole` uses the public Tailscale [DERP](#what-is-derp) relay network for rendezvous and relay fallback. It is **not** affiliated with Tailscale, does **not** require a Tailscale account or tailnet, and does **not** use `tailscaled` for transport.
13
14
 
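Review bot: the added bullet calls `derptun` "the companion `derptun` package", but this README ships inside the package whose `package.json` name is `derptun`, so a reader who installed `derptun` lands on an introduction that is entirely about `derphole`. Consider a short derptun-first note at the top of this package's README, or word the bullet so it reads correctly from both packages.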
@@ -34,7 +35,7 @@ Session tokens carry authorization, and receive-code flows resolve into the same
34
35
 
35
36
  ## Quick Start
36
37
 
37
- `listen` receives bytes and prints a token. `pipe` sends stdin into that token. `share` and `open` use the same token shape for local TCP services.
38
+ `listen` receives bytes and prints a token. `pipe` sends stdin into that token. `share` and `open` use the same token shape for local TCP services. Use `derptun` when the service needs a reusable token and longer-lived tunnel.
38
39
 
39
40
  ### Stream a Raw File
40
41
 
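Review bot: the new sentence in Quick Start recommends `derptun` for "a reusable token" without saying that the reusable token is a longer-lived bearer credential, which is the main thing a reader should weigh before choosing it. Suggest adding a pointer to the Security Model section here, and fixing the missing article: "a reusable token and a longer-lived tunnel".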
@@ -178,6 +179,12 @@ Host alpha-derptun
178
179
 
179
180
  `derptun` keeps trying when the network path drops, and it can reconnect while both `derptun` processes stay alive. If either process exits, the token can bring the tunnel back, but an already-open TCP session is gone. Use `tmux` or `screen` on the remote host when shell continuity matters.
180
181
 
182
+ Tokens default to seven days. Set a relative lifetime with `--days`, or use an absolute expiry:
183
+
184
+ ```bash
185
+ npx -y derptun@latest token --expires 2026-05-01T00:00:00Z
186
+ ```
187
+
181
188
  The first `derptun` release is TCP-only. UDP forwarding is planned for use cases like Minecraft Bedrock servers, but it is not part of this release.
182
189
 
183
190
  ### Useful Extras
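Review bot: the added paragraph names two options, `--days` and `--expires`, but only `--expires` gets an example, and the text does not say which timestamp formats `--expires` accepts or whether either option has an upper bound. Add a `--days` example next to the `--expires` one, state the accepted format (the example uses a UTC timestamp ending in `Z`), and document the maximum lifetime if there is one. The hard-coded date `2026-05-01T00:00:00Z` will also go stale; a placeholder or a note that it must be in the future would age better.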
@@ -186,6 +193,7 @@ Use the development channel for the latest commit from `main`:
186
193
 
187
194
  ```bash
188
195
  npx -y derphole@dev version
196
+ npx -y derptun@dev version
189
197
  ```
190
198
 
191
199
  By default, `listen`, `pipe`, `send`, `receive`, `share`, and `open` keep transport status quiet. `listen` and `share` print tokens, `open` prints the local listening address, and `send` / `receive` print the receiver command or code needed to complete the transfer. Known-size transfers show wormhole-shaped progress on stderr. Use `--hide-progress` to suppress the progress bar. Use `--verbose` to see state transitions like `connected-relay` and `connected-direct`:
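Review bot: the added `npx -y derptun@dev version` line runs an unpinned `dev` tag with `-y` suppressing the install prompt, and the section text says this channel tracks the latest commit from `main`. Because `derptun` is meant for long-lived tunnels, it is worth stating beside this block that the dev channel is for testing and that persistent tunnels should run a pinned release version.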
@@ -219,6 +227,7 @@ DERP provides **rendezvous** and **relay fallback**. If the term is new, see [Wh
219
227
  The data plane is selected per session:
220
228
 
221
229
  - `share/open` uses multiplexed QUIC streams over `derphole`'s relay/direct UDP transport, so one claimed session can carry many independent TCP connections to the shared service.
230
+ - `derptun` uses a stable tunnel token and the same relay/direct UDP transport to carry reconnectable TCP streams. It is built for longer-lived access, such as SSH to a host behind NAT.
222
231
  - `listen/pipe` uses a one-shot byte stream. By default, `derphole` coordinates through DERP, promotes to rate-adaptive direct UDP when traversal succeeds, and stays on encrypted relay fallback when no direct path is available.
223
232
  - `send/receive` wraps the same one-shot stream with text, file, directory, and progress metadata.
224
233
 
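Review bot: the new `derptun` bullet says only "the same relay/direct UDP transport" and "reconnectable TCP streams", while the `share/open` bullet above it names QUIC and the Security Model hunk later says `derptun` uses "authenticated QUIC streams". State QUIC in this bullet as well so the data-plane description and the security description agree, and say briefly what "reconnectable" covers, since the earlier paragraph notes that an already-open TCP session is lost when either process exits.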
@@ -259,12 +268,13 @@ In practice: move bytes early, keep them moving through relay if needed, then sh
259
268
 
260
269
  ## Security Model
261
270
 
262
- The session token is a **bearer capability**. Anyone with the token can claim the session until it expires, so share it over a trusted channel. Tokens expire after one hour.
271
+ Tokens are **bearer capabilities**. Anyone with a token can claim the matching session or tunnel until it expires, so share tokens over a trusted channel. `derphole` session tokens expire after one hour. `derptun` tokens default to seven days and can be shortened or extended with `--days` or `--expires`.
263
272
 
264
273
  DERP relays do **not** get the secret material needed to read or impersonate the session:
265
274
 
266
275
  - On the default `listen/pipe` and `send/receive` direct UDP path, payload packets are encrypted and authenticated with session AEAD derived from the token bearer secret.
267
276
  - On `share/open`, stream traffic uses authenticated QUIC streams for the claimed session.
277
+ - On `derptun`, stream traffic uses authenticated QUIC streams pinned to the stable tunnel identity in the token.
268
278
  - If packets are relayed through DERP, DERP only forwards encrypted session bytes.
269
279
 
270
280
  Important security property: `derphole` does not trade speed for plaintext shortcuts:
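Review bot: the rewritten first paragraph raises the default bearer-token lifetime from one hour to seven days for `derptun` and says it can be "extended", but the section gives no way to retire a token before it expires and no cap on the extension. Since "anyone with a token can claim the matching session or tunnel", the section should say how to invalidate a leaked `derptun` token (or state plainly that it cannot be revoked) and recommend the shortest lifetime that fits the use. The new bullet's phrase "stable tunnel identity in the token" is also not defined anywhere in the visible text; one sentence on what that identity is and what pinning to it prevents would make the claim checkable.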
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "derptun",
3
- "version": "0.1.0",
3
+ "version": "0.8.1",
4
4
  "license": "BSD-3-Clause",
5
5
  "bin": {
6
6
  "derptun": "bin/derptun.js"
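Review bot: `"version": "0.8.1"` jumps from `0.1.0`, yet the README shipped in this same package still says "The first `derptun` release is TCP-only". Update that sentence to refer to the current release, or confirm that UDP forwarding is still absent in 0.8.1, and link a changelog so the jump across minor versions is explained.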