alkdev/wraith
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4052c4f19e0e7a671acf63cc565dd42d8eb5463f
wraith/docs/architecture/decisions/006-no-logging-of-tunnel-destinations.md
glm-5.1 13b0991fb8 Resolve all architecture open questions, add 13 ADRs, update specs 
Resolved all 11 open questions based on project guidance:

Transport:
- OQ-01/OQ-07: ACME/Let's Encrypt with domain + IP paths (ADR-008)
- OQ-02: Default to n0 relay, --iroh-relay override (ADR-009)
- OQ-05: Transport chaining supported natively (ADR-010)

Client:
- OQ-06: Programmatic-first API, no ~/.ssh/config (ADR-011)

Server:
- OQ-04: Ed25519 + OpenSSH cert-authority, no password auth (ADR-012)
- OQ-08: fail2ban-friendly logging + built-in rate limiting (ADR-013)

TUN:
- OQ-03/OQ-09: Deferred entirely, recommend tun2proxy (ADR-014)
- tun-shim.md marked deprecated

NAPI:
- OQ-10: Expose both connect() and serve() (ADR-016)
- OQ-11: Use napi-rs for FFI bridge (ADR-015)

Additional ADRs created during review:
- ADR-006: No logging of tunnel destinations (was phantom reference)
- ADR-017: Stealth mode protocol multiplexing
- ADR-018: Control channel for pubsub over SSH

Fixed: ADR-002 status → Superseded, ADR-007 title typo,
WRAUTH_SERVER typo, ADR-005 stale wraith-tun refs,
undefined ACL feature removed from server.md,
--proxy semantic difference documented.
2026-06-01 17:31:28 +00:00

2.1 KiB
Raw Blame History

ADR-006: No Logging of Tunnel Destinations

Status

Accepted

Context

An SSH tunnel server sees every destination that clients connect to — hostnames, IP addresses, port numbers. This is extremely sensitive information. Logging it creates:

  • Privacy risks: Tunnel destinations reveal what services users access (internal databases, APIs, etc.)
  • Legal concerns: Server operators may be pressured to produce logs showing what clients accessed
  • Data retention liability: Stored destination logs are an attack surface (data breaches, subpoenas)

However, the server does need to log some information for operational purposes — particularly for fail2ban integration to detect and block abusive connections.

Decision

The server does NOT log:

  • channel_open_direct_tcpip destinations (host, port)
  • DNS resolutions performed by the server on behalf of clients
  • Bytes transferred through tunnel channels
  • Connection duration or throughput

The server DOES log (ADR-013):

  • Auth attempts (remote_addr, user, key_fingerprint, accept/reject)
  • Connection opened (remote_addr, transport kind)
  • Connection closed (remote_addr, duration)

This separation ensures fail2ban has enough data to detect abusive IPs while destination privacy is maintained.

Consequences

  • Positive: Tunnel destinations are never written to disk or any observable log. This is the same guarantee OpenSSH makes with LogLevel VERBOSE or below.
  • Positive: Reduces legal and privacy exposure for server operators.
  • Positive: fail2ban can still work — it needs source IPs and auth failures, not destinations.
  • Negative: Server operators cannot audit what destinations clients are accessing. If an operator needs this for compliance, they must implement it outside wraith (e.g., network-level logging at the target host).
  • Negative: Debugging connectivity issues is harder without destination logs. Mitigated by client-side logging (the client knows what it's connecting to).

References

Reference in New Issue View Git Blame Copy Permalink