Not allowed
- Spam. Outbound SMTP (25 / 465 / 587 / 2525) is rejected at the node by an iptables chain installed at first boot. You cannot relay mail through the tunnel.
- DDoS or other denial-of-service attacks.
- Credential stuffing (high-volume authenticated requests against third-party login endpoints).
- CSAM or any content prohibited by EU / German law.
- Anything illegal in the user’s jurisdiction or the exit-node’s jurisdiction.
How to report
Email abuse@tunnelbyte.dev with:
- The exit IP (verify it’s ours at tunnelbyte.dev/ip/<addr>).
- The destination (your URL / IP / mailserver).
- A UTC timestamp window (we can’t act on “sometime last week”).
- A short description of the abuse.
What we log (and what we don’t)
- ✅ Flow metadata: session id, exit IP, peer pubkey, bytes-in, bytes-out, session start / end timestamps.
- ❌ Packet contents: never. We don’t run DPI. We can’t tell anyone what URLs you visited because we don’t have that data.
- Enough to:
  - Act on a specific abuse report (timestamp + destination → identify session → terminate + warn).
  - Compute your invoice.
- Not enough to:
  - Tell anyone what you were doing through the tunnel.
  - Respond to a “give us all traffic from this IP” subpoena with anything but session metadata.
Anti-abuse layered design
We make abuse expensive enough to dissuade casual misuse, not impossible. Layered:
- Anonymous tier is small. 1 GiB per rolling 7 days, 30 min per rolling 24 h, device-bound install token, PoW on token issuance, per-ASN caps. Datacenter ASNs (where bot farms live) get a much smaller cap than residential. Mobile-residential proxy ASNs (a known abuse vector) get the lowest cap.
- Free tier needs an email. Disposable-domain check, MX-record sanity check, two-step magic-link confirm so link-preview crawlers can’t burn the one-shot token. No SMS, no KYC docs.
- Paid tier requires a card. Stripe Radar scores cards; suspicious cards never charge.
- At the data plane. Every exit node runs an iptables egress chain: SMTP and IRC ports rejected, DNS pinned to a single resolver (no open-resolver amplification, no DNS tunnelling to attacker-controlled authoritatives), anti-spoof DROP on wg0 for any source outside the assigned peer subnet.
- Cross-tier: trust scoring, destination ASN blocklist, per-IP rate limiter, public IP-attribution page (tunnelbyte.dev/ip), per-provider abuse circuit breaker. We run on multiple independent VPS providers; if any single provider location starts getting more abuse complaints than we can handle, we can rotate that node out within hours and keep capacity in the region via the others.
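The data-plane controls in the list above (mail and IRC ports rejected, DNS pinned to one resolver, anti-spoof DROP on wg0) can be written as an iptables-restore ruleset. This is an added example, not tunnelbyte's own chain: the chain name EXAMPLE-EGRESS, the peer subnet 10.8.0.0/24, the resolver 10.8.0.1, the IRC ports 6667/6697 and the allow-one-then-reject approach to DNS pinning are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a WireGuard exit node.
# Assumed values (not from the page): chain name, subnet, resolver, IRC ports.

# Usage: emit_egress_rules IFACE PEER_SUBNET RESOLVER
emit_egress_rules() {
    [ "$#" -eq 3 ] || { echo "usage: emit_egress_rules IFACE SUBNET RESOLVER" >&2; return 2; }
    iface=$1 subnet=$2 resolver=$3
    cat <<EOF
*filter
:EXAMPLE-EGRESS - [0:0]
# Everything forwarded out of the tunnel interface goes through the chain.
-A FORWARD -i $iface -j EXAMPLE-EGRESS
# Anti-spoof first: a peer may only source from its assigned subnet.
-A EXAMPLE-EGRESS ! -s $subnet -j DROP
# No outbound mail relay (SMTP, SMTPS, submission, alternate submission).
-A EXAMPLE-EGRESS -p tcp -m multiport --dports 25,465,587,2525 -j REJECT --reject-with tcp-reset
# IRC (assumed ports).
-A EXAMPLE-EGRESS -p tcp -m multiport --dports 6667,6697 -j REJECT --reject-with tcp-reset
# DNS pinning: the single resolver is allowed before the catch-all rejects.
-A EXAMPLE-EGRESS -d $resolver -p udp --dport 53 -j ACCEPT
-A EXAMPLE-EGRESS -d $resolver -p tcp --dport 53 -j ACCEPT
-A EXAMPLE-EGRESS -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A EXAMPLE-EGRESS -p tcp --dport 53 -j REJECT --reject-with tcp-reset
# Anything else falls back to the FORWARD chain's remaining rules.
-A EXAMPLE-EGRESS -j RETURN
COMMIT
EOF
}

# Preview with constructed values. To load once at boot (as root), pipe the
# output into: iptables-restore --noflush
emit_egress_rules wg0 10.8.0.0/24 10.8.0.1
```

Rule order is the point to check in review: the source check runs before any port logic, and the resolver ACCEPT lines must sit above the port-53 REJECT lines or all DNS is blocked.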
Privacy commitments
We do not:
- Inspect packet contents.
- Sell flow metadata to anyone, including for “anonymized analytics.”
- Run our own ASN reputation reseller.
- Have a “law enforcement portal.”
hello@tunnelbyte.dev. We comply with valid orders from German courts; we have very little to comply with on most other orders because the data doesn’t exist.
Trade-offs of not logging destinations
For privacy reasons we do not log destination IPs / hostnames. If a specific abuse complaint can’t be tied to a session in our logs (because the only identifier is the destination we never recorded), the response is necessarily coarse - typically a temporary tightening on the offending tier’s quota or a node rotation. We accept that occasional failure mode rather than build a logging system that exposes paying customers’ destination metadata.
See also
- Tiers - quota caps per tier are the primary abuse-defense lever.
- Logging posture - exactly what’s in the database.
- GET /v1/ip/{addr} - the public attribution endpoint complaints land on first.