How AppTunnel Works

Three steps from setup to users launching apps — on infrastructure you own and control.

01

Deploy the Server

Install the AppTunnel server binary on your own infrastructure — a Windows Server, Linux VM, or cloud instance. You own and operate it entirely. AppTunnel never has access to your environment or your data.

The server exposes a web admin UI where you configure tenants, applications, tunnels, and users. Once running, it contacts the AppTunnel.io license server once every 24 hours to validate your license — that's the only outbound connection we require.

  • · Single binary, no dependencies
  • · SQLite database — no external DB to manage
  • · TLS on all ports, self-signed or your own cert

Server Architecture

flowchart TD
    Admin("🖥️ Admin Browser") -->|"HTTPS :8443"| Server

    subgraph Your["  Your Infrastructure  "]
        Server["AppTunnel\nServer"]
        DB[("SQLite")]
        Server --- DB
    end

    Server -.->|"License check\nonce per 24h"| License("AppTunnel.io")
    Server <-->|"WebSocket :8765\nTunnels + Control"| Trays("Tray Clients")

    classDef at fill:#064e3b,stroke:#34d399,color:#d1fae5
    classDef ext fill:#27272a,stroke:#52525b,color:#a1a1aa
    classDef db fill:#1c1917,stroke:#52525b,color:#a1a1aa
    class Server at
    class Admin,License,Trays ext
    class DB db
02

Users Run the Tray Client

From the admin panel, generate a single pre-configured .exe for your tenant. It has your server address and tenant config already embedded. Send it to users however you want — email, shared drive, intranet.

Users run it, sign in once, and immediately see their assigned applications. All permitted tunnels connect automatically in the background. No setup wizard, no config files, no IT involvement.

  • · Single executable — no installer or ZIP
  • · Tray self-updates silently when new versions release
  • · Ed25519-signed — verified before any update applies

User Onboarding Flow

flowchart LR
    EXE("Single .exe\npre-configured") --> Login("Sign In")
    Login --> Catalog("App catalog\nloads")
    Login --> Tunnels("Tunnels\nauto-connect")
    Catalog --> Ready("Apps ready\nto launch ✓")
    Tunnels --> Ready

    classDef at fill:#064e3b,stroke:#34d399,color:#d1fae5
    classDef step fill:#27272a,stroke:#52525b,color:#d4d4d8
    class Ready at
    class EXE,Login,Catalog,Tunnels step
03

One Click — App Launches, Tunnel Active

The user clicks their app in the tray. AppTunnel checks whether it's installed and current, downloads only changed files if an update is needed, runs any required install actions (COM registration, MSI execution, INI configuration), then launches the executable.

Meanwhile, the always-on tunnel is already running. The application connects to localhost:1433 (or whichever port you configured) exactly as it always has — completely unaware it's talking through an encrypted tunnel to a database on the other side of the internet.

  • · Zero application changes required
  • · Any TCP/UDP protocol — not just SQL Server
  • · Real sessions — transactions, long queries, stateful protocols all work

Tunnel Connection Flow

flowchart LR
    App("Legacy App\nVB6 · Delphi\n(unmodified)") -->|"localhost:PORT\nno changes"| Tray("AppTunnel\nTray")
    Tray -->|"Encrypted\nWebSocket"| Server("AppTunnel\nServer\nyour infra")
    Server -->|"TCP/UDP\ndirect"| Backend("SQL Server\nor any backend")

    classDef at fill:#064e3b,stroke:#34d399,color:#d1fae5
    classDef ext fill:#27272a,stroke:#52525b,color:#d4d4d8
    class Tray,Server at
    class App,Backend ext

The app connects to localhost. AppTunnel handles the rest.

Ready to see it in action?

Self-hosted, on your infrastructure. Up and running in under an hour.

See Pricing → Explore Features