What Is a TCP Tunnel and How Does It Work

A TCP tunnel is a connection within a connection. You take a TCP stream — SSH, database traffic, HTTP, anything — and wrap it inside another TCP connection that carries it across a network boundary the original stream could not cross on its own.

The Basic Concept

In the simplest form, a tunnel works like this: your client wants to talk to a server behind a firewall. It cannot reach the server directly because there is no open port. But there is a tunnel endpoint — a machine that can reach both the client's network and the server's network. The client sends its traffic to the tunnel endpoint, the endpoint forwards it to the server, and the response comes back the same way.

How ProxyPass Builds on This

ProxyPass builds on this concept with one important variation: the tunnel is initiated from the inside. The ProxyPass node — sitting inside the remote network, next to the devices you want to reach — makes an outbound TCP connection to the ProxyPass cloud. This connection is encrypted with TLS and stays open as a persistent tunnel.

When your client sends a request, it goes to the ProxyPass cloud, which routes it through the existing tunnel to the node. The node handles the request locally — connecting to a target, reading a file, forwarding an API call — and sends the response back through the same tunnel.
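
The flow described above, reduced to a loopback sketch. This is an added example, not ProxyPass code: the function names (target, cloud, node, demo) are hypothetical, and the uppercase-echo target stands in for a device in the remote network. It assumes plain TCP with no TLS and one client stream per tunnel, so that the direction of each connection is the only thing on show.

```python
import socket
import threading

def pipe(src, dst):
    """Copy bytes one way; on EOF, half-close dst so the far side sees it."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone

def splice(a, b):
    t = threading.Thread(target=pipe, args=(a, b), daemon=True)
    t.start()            # a -> b in the background
    pipe(b, a)           # b -> a in this thread
    t.join()
    a.close(); b.close()

def listener():
    srv = socket.create_server(("127.0.0.1", 0))  # loopback, ephemeral port
    return srv, srv.getsockname()[1]

def target(srv):
    """Device inside the remote network: upper-cases one request."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(conn.recv(4096).upper())

def cloud(node_srv, client_srv):
    tunnel, _ = node_srv.accept()    # the node dialled in; tunnel stays open
    client, _ = client_srv.accept()  # later, a client request arrives
    splice(client, tunnel)           # route it through the existing tunnel

def node(cloud_port, target_port):
    tunnel = socket.create_connection(("127.0.0.1", cloud_port))  # outbound only
    local = socket.create_connection(("127.0.0.1", target_port))  # local target
    splice(tunnel, local)

def demo(payload=b"hello through the tunnel"):
    (tsrv, tport), (nsrv, nport), (csrv, cport) = listener(), listener(), listener()
    jobs = ((target, (tsrv,)), (cloud, (nsrv, csrv)), (node, (nport, tport)))
    for fn, args in jobs:
        threading.Thread(target=fn, args=args, daemon=True).start()
    with socket.create_connection(("127.0.0.1", cport)) as client:
        client.sendall(payload)
        return client.recv(4096)

if __name__ == "__main__":
    print(demo())
```

The only listening sockets reachable by the client and the node belong to the cloud side; the node never accepts a connection, which is why the remote network needs no inbound port.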

Key Properties

The key properties of this approach are:

  • No inbound ports required — the tunnel is outbound from the remote network
  • Encryption in transit — TLS on the tunnel protects all data
  • Persistence — the tunnel stays open and reconnects automatically if interrupted
  • Double encryption for CONNECT — your client negotiates its own TLS session with the target, inside the already-encrypted tunnel

Scenario: Explaining It to a Non-Technical Stakeholder

"Think of it like a phone call. Normally, to call someone in a locked building, you need them to open a window and shout. With ProxyPass, the person inside the building calls you first — on a secure line. Once the call is connected, you can have any conversation you want through it. The building's doors stay locked. Nobody from outside can even tell there is a phone line — it looks like any normal outbound call."

TCP tunneling is not new technology. What ProxyPass adds is the operational layer: fleet management, access control, monitoring, and automation on top of a proven networking concept.
