Client v0.16.0

Published at September 8, 2025 ·  12 min read

We’re excited to release v0.16.0 of the Packetriot client. This version is a significant update to our client and introduces new features that we’ve been developing for some time.

After many months of effort, the Packetriot client now has a web UI for configuring tunnels, managing traffic for HTTPS and TCP, and also managing your custom domains, reserved subdomains, and their assignments. All the details are below.

We also want to thank those users who reported issues and sent feature requests!

Daemon Mode

This release introduces a new mode of operation called daemon mode. As the name suggests, for those familiar with Unix/Linux, a daemon is a process that runs in the background all the time. For the Packetriot client to function in this manner and remain uninterrupted, we needed to add a web-based dashboard or API to manage it.

Currently, the Packetriot client needs to be restarted between making traffic rule changes or allocating TCP ports. daemon mode enables users to use their web browser or API to configure a tunnel from scratch and then set up traffic rules.

Running the pktriot as a daemon is simple, we added a new sub-command called daemon

[user@host ] pktriot daemon

We updated the systemd service unit for Linux to use daemon by default. If you want to revert it so that the start command is used, you can run this command: sudo systemctl edit pktriot and then make these changes:

[Service]
ExecStart=/usr/bin/pktriot --config /etc/pktriot/config.json start

This will customize the service unit and persist between upgrades to the pktriot client.

For those using Docker to run the pktriot client, we’ve updated our Dockerfile to set the ENTRYPOINT as /usr/bin/pktriot --config /data/config.json and the default CMD to daemon --dashboard-address 0.0.0.0. Here’s an example command and compose file.

[user@host ] docker run -d --restart unless-stopped -v ./pktriot-data:/data --name pktriotd

And an example compose file.

services:
  pktriotd:
    image: packetriot/pktriot:0.16.0
    container_name: pktriotd
    restart: unless-stopped
    volumes:
      - ./pktriot-data:/data
    ports:
      - 4100:4100

daemon mode provides a web-based UI for managing the entire life-cycle of the client and tunnel. The web dashboard is available at https://127.0.0.1:4100. By default, the listening address is 127.0.0.1, but you may want to use a specific address or listen on all addresses, e.g. 0.0.0.0.

Using 0.0.0.0 is recommended for running the pktriot daemon in a container since it’s behind a privately NAT’d virtual network. If you’re running the container using host networking, then you can use the default 127.0.0.1 or specify a non-local IP address that the host uses.

daemon mode also provides API endpoints as well. The base endpoint is `https://127.0.0.1:4100/api/client/v1.0/. The docs for the client API are available here.

The dashboard and API are both served over HTTPS and use a self-signed certificate. In the future, we’re to add the ability to use a customized certificate. With the dashboard, you can:

• Configure a tunnel
• Toggle the tunnel on and off
• Manage traffic rules and port allocations
• Manage your custom domains and reserved subdomains
• Change settings such as the tunnel name, reconnect intervals, networking, and uptime monitoring
• Download the tunnel configuration for easy backups
• Change security settings such as dashboard password and API token.
• Terminate the tunnel

We’re really excited about this release and hope you enjoy all these features. The sections below will review the web dashboard and all its major areas and the tunnel configuration workflow.

Dashboard

The web dashboard streamlines the creation and management of tunnels. It also enables the management of custom domains and reserved subdomains within the client. You can now manage all features available in Packetriot, as well as a specific tunnel, in one place.

The dashboard supports configuring tunnels with your Packetriot account, with self-hosting instances of the Spokes server, or importing a configuration from a previously created tunnel.

We’ll do a quick review and walkthrough of how the dashboard works.

Configure

When you visit the web dashboard for the first time, https://127.0.0.1:4100, for the first time, you will find options to use:

• Packetriot login credentials
• Single-sign on using your Google Account (if that is how you created your Packetriot account)
• Configure a tunnel on a self-hosted Spokes instance (or fully managed)
• Importing a tunnel configuration from a backup

When you configure a tunnel with the Packetriot network, you will be asked to choose a region, similar to the command-line interface pktriot configure.

After configuring a tunnel, you’ll be presented with a page to set up a password to log in and use the web dashboard. We recommend you set up a password.

You can also set up an API token. This API token is used to authenticate all calls to the client API. The API token is used by adding the header field X-API-Key: <token value> to your HTTPS requests.

You can clear or reset these values in the Security settings page of the web dashboard in the future. You can skip this step, but we recommend you protect your Packetriot client, especially if you’re hosting it using the 0.0.0.0 address.

Login

After configuring a tunnel, or importing a past configuration, you’ll be prompted for a passphrase if you set one up.

We’ll repeat it… we really recommend setting up a password for the dashboard.

Main Dashboard

Once authenticated, you’ll be presented with the main dashboard for the Packetriot client. In the top-right-hand side, you’ll find a toggle button to connect or disconnect the tunnel to the assigned server. In this page, you’ll discover sub-areas to manage HTTP and TCP traffic rules.

Click on HTTP or TCP to manage rules and allocate ports. We’ve designed forms for both traffic types to simplify how to set up traffic rules.

Custom Domains

Managing custom domains is possible with the web dashboard in the Packetriot client. Click on the Verify Domain button to specify a domain you own. It will communicate with the Packetriot to create a DNS challenge.

Follow the exact instructions documented here. You don’t need to log into the main Packetriot dashboard to set up custom domains.

Once you follow the instructions to create the DNS TXT records to verify ownership of domains, it will show up as verified on this page.

Custom domains can be used on the free tier and by subscribers.

Subdomains

Subscribers can reserve subdomains with a customized name and assign them to tunnels. This feature allows users to reserve a tunnel hostname that persists beyond the lifespan of a tunnel and is very useful if you want to host a long-running service.

Earlier, all management for reserved subdomains had to be performed in the portal on Packetriot.com, which would mean more windows/tabs and steps to reserve and then assign a subdomain to a tunnel. Now you can do it all using the web dashboard.

The screenshot below provides an example of all the subdomains reserved and their tunnel assignments.

You can reserve new subdomains from the web dashboard as well/

You can assign a reserved subdomain to a tunnel in this page as well, and delete assignments or release the subdomain.

Managing reserved subdomains in the web dashboard makes them a more useful feature, and we hope more subscribers make use of them.

Inspector

We added the inspector back in 2020 and haven’t made many updates to it since. It’s not a feature requested by many of our users. It made sense to make some minor updates and integrate them into the new web dashboard.

You can enable the inspector by checking off the Inspect box for an HTTP traffic rule.

Settings

You can now configure all settings for the tunnel in the web dashboard. This includes:

• Changing the tunnel name
• Setting reconnection parameters for the time between attempts to reconnect and the maximum number of attempts to make
• Uptime monitor settings, which enable an uptime monitor that can be used to check if any of the services hosted behind the tunnel can be reached successfully
• Network monitoring checks that determine if the network you’re on has changed, and restarts the tunnel when that happens

You can also change the log level too if you want to get more information on what’s happening inside the client. We are planning improvements to our logging to make this feature more helpful and less noisy.

Finally, you can download the tunnel configuration so that you can make backups. You can terminate the tunnel as well, which will reset the client. You don’t have to restart pktriot to configure a new tunnel; you’ll be returned to the configuration screen right away.

Note, users on the free tier will have to log into Packetriot.com to terminate tunnels. This is a limitation to reduce abuse of our free tier.

Security Settings

The addition of the web dashboard and expanded API required new features from a security perspective. The first is that the web dashboard and API are always served using HTTPS:

• Dashboard https://127.0.0.1:4100
• Client API https://127.0.0.1:4100/api/client/v1.0

These endpoints are always printed when the client is run in daemon mode. The next feature was to protect the dashboard with the passphrase and the API with a token (secret). These parameters can be set during the tunnel configuration workflow or later in the Security Settings area of the web dashboard.

We highly recommend setting up a passphrase for the dashboard and a token for the API if your client is listening on 0.0.0.0 or can be accessed by other hosts, via Docker port mapping or listening on a non-local IP address.

New API Endpoints

The introduction of daemon mode for the Packetriot client required new API endpoints to be implemented so that a tunnel could be managed end-to-end programmatically by another application. These new endpoints need to configure new tunnels and eventually terminate them.

We also need a mechanism to secure the client API when a tunnel is not yet configured.

Our client documentation has been updated to include these new endpoints as well. You can now manage a Packetriot client programmatically, making it simpler to integrate with devices that use Packetriot for accessing local services.

Request Structure

Below is an example of an HTTP request including the API token in the headers with the X-API-Key header field.

GET /api/client/v1.0/<endpoint path HTTP/1.1
X-API-Key: <api token secret>
Content-Type: application/json

The Content-Type is almost universally application/json, but there are some exceptions, one of them is documented below with a new endpoint we added to import existing tunnel configurations.

Authentication Tokens

We added support for a new environment variable called PKTRIOT_API_TOKEN, which is used to authenticate the API. It will work alongside an API token set up during the configuration process, which means that two tokens will be valid for authentication API calls.

Here is an example of setting it for a Docker container using a compose file:

services:
  pktriotd:
    image: packetriot/pktriot:0.16.0
    container_name: pktriotd
    restart: unless-stopped
    environment:
      - PKTRIOT_APK_TOKEN=ajhdfq7eqhdajh1198
    volumes:
      - ./pktriot-data:/data
    ports:
      - 4100:4100

This adds a layer of authentication when external applications want to configure a new tunnel.

Configure

Two new endpoints have been added to enable tunnel configuration via the API:

• /api/client/v1.0/config/server
• /api/client/v1.0/config/import

The ../config/server endpoint is used to configure a new tunnel using the same inputs and options when configuring a tunnel with a self-hosted instance of Spokes. Below is an example of a JSON request:

{
  "token": "92838qyhfaf...",
  "id": "",
  "hostname": "spokes.example.com",
  "name": ""
}

The id field in the request can be any string value, but typically we use email addresses, or strings that conform to the format of a email address. Here is an example customer-name@deployment-name.

The name field is used to provide a humanly readable name for the tunnel that is also searchable using the search field in the tunnels page in Spokes.

The ../config/import endpoint is used to upload an existing tunnel configuration to the client and utilize that as the baseline. The content type for this HTTP request must be Content-Type: multipart/form-data, and the request body must be multipart form encoded.

API Roadmap

We plan on adding another API endpoint for configuring a tunnel on the Packetriot network using a token, similar to the endpoint for configuring a new tunnel with a self-hosted Spokes instance. We plan to provide token authentication support to Packetriot in Q4 of 2025.

Terminate

The /api/client/v1.0/terminate API endpoint terminates the tunnel on the server side and renames the configuration to config.json.backup. The client will go back to an initial state and can be configured once again.

The process for the client will not be interrupted or cease. Callers can configure a tunnel immediately afterwards.

Bug Fixes & Improvements

We fixed several bugs reported by our users and implemented slight improvements.

When you install the Windows service using pktriot windows install, we added a new flag --tls-insecure in case you’re deploying the Packetriot client in Windows and on a network that performs TLS inspection for DLP (data leakage protection). The Packetriot client does not accept unverified TLS certificates, and these types of network inspection systems for DLP, and security in general, cause these kinds of issues.

We fixed domain name normalization in the client API.

We have added support for HTTPS to the client API, and it is now used by default. This is the case when you start the Packetriot client using pktriot start or pktriot daemon.

Roadmap

Since the Packetriot client can run as a daemon in the background, we are planning on making updates to the client so that sub-commands for managing traffic and allocating ports will use the client API. This would allow us to maintain a CLI that works with the daingemon. We are planning for this feature to drop in our next release.

Thanks

This release marks a significant milestone for our client and paves the way for the v1.0.0 release. We expect some bug fixes and minor iterations following this release, and once we believe the dust has settled, we intend to release version 1.0.0 of our client.

This release makes significant improvements for ease-of-use via the web dashboard, and we think it’ll open the door for more casual and non-technical users. The potential in automation and integration that daemon mode and the updated client API provide should significantly improve the quality of life for many of our business and enterprise customers who ship our client with their devices or software.

We appreciate all the inputs and bug reports you’ve sent us! Let us know if we can focus on new features or improvements for our client.

Cheers!