RPort - remote access and remote management
Toggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Tunnels Restricted


The tunnels_restricted permission property allows you to define restrictions for tunnel creation. To set up tunnel restrictions, follow the steps below:

  1. Create or update a user group with the tunnels: true permission.
  2. Add the tunnels_restricted property to the user group’s permissions object, defining the restrictions.

Two layers of command restrictions

RPort comes with two layers of tunnel restrictions

  1. Client side restrictions, Included in the open-source version
    After a tunnel is requested, the client validates the request it against a list of allowed tunnel targets.
    The server cannot leverage this validation. Client side restrictions are per client. They cannot be changed from the server. You cannot create user or user group specific restrictions.
  2. Server side restrictions, requires an rport-plus license
    These restrictions are implemented on the API. They prevent dispatching tunnel requests to the client based on user groups. If server side restrictions allow the request for a specific tunnel, client side restrictions may still deny it.
    Server side restrictions are per user group. They are combined with client access permissions.
    To request a tunnel on a client the user group first needs client access permissions. Furthermore, tunnel creation
    must be allowed and the tunnel request must pass the extended tunnel permission check.


The following JSON structure provides an exhaustive example of the tunnels_restricted property and its available options (each option should be considered separately):

    "tunnels_restricted": {
        "local": ["20000", "20001"],
        "remote": ["22", "3389"],
        "scheme": ["ssh", "rdp"],
        "acl": [""],
        "idle_timeout_minutes": { "min" : 5 },
        "auto_close": { "max" : "60m", "min" : "1m" },
        "protocol": ["tcp", "udp", "tcp-udp"],
        "skip_idle_timeout": false,
        "http_proxy": true,
        "host_header": ".*",
        "auth_allowed": true,
        "terminate_foreign_tunnels": false

Extended permissions are submitted via a PUT request to the /api/v1/user-groups/{group-name} endpoint.

Example payload:

   "permissions": {
      "auditlog": false,
      "commands": false,
      "monitoring": false,
      "scheduler": false,
      "scripts": false,
      "tunnels": true,
      "uploads": false,
      "vault": false
   "tunnels_restricted": {
      "local": [
      "remote": [
      "scheme": [
      "acl": [
      "idle_timeout_minutes": {
         "min": 5
      "auto_close": {
         "max": "60m",
         "min": "1m"
      "protocol": [
      "skip_idle_timeout": false,
      "http_proxy": true,
      "host_header": ".*",
      "auth_allowed": true,
      "terminate_foreign_tunnels": false

Breakdown of each property in the example above

local: Specifies the allowed local ports for tunnels. If omitted or an empty list, any local port can be used. In the example above, only tunnels using the local ports 20000 or 20001 are allowed. Omit, if you want to use a random free port.

remote: Specifies the allowed remote ports for tunnels. In the example above, only tunnels using the remote ports 22 or 3389 are allowed.

scheme: Defines the allowed tunnel schemes, such as SSH or RDP in this case.

acl: Specifies the allowed CIDR or IP addresses for tunnel ACL. With the above example all tunnel requests must have the given ACL value.

idle_timeout_minutes: Sets the minimum idle timeout (in minutes) for tunnel creation, 5 minutes in this case.

auto_close: Specifies the permitted values for auto_close. In this case the user will not be able to create a tunnel declaring an auto_close that is more than 60 minutes and that is less than 1 minute.

protocol: Defines the allowed tunnel protocols. In this case, any tunnel protocol is allowed.

skip_idle_timeout: Specifies whether the user can enable the “skip_idle_timeout” feature. In this case, the user is not allowed to enable this feature.

http_proxy: Specifies whether the user can enable the HTTP proxy feature. In this case, the user is allowed to enable it.

host_header: Defines the allowed host header for tunnels with a regular expression.

auth_allowed: Specifies whether the user can enable HTTP basic authentication for a tunnel. In this case, the user is allowed to enable it.

terminate_foreign_tunnels: Specified whether the user is allowed to terminate tunnels created by any user (true) or only own tunnels.

Omitting or using an empty list for any list property will remove the corresponding restriction.