flexaccess.dev / flextunnel
flextunnel
The rootless split tunnel for private TCP services.
- Access level
- TCP via local SOCKS5 / HTTP proxy listeners
- Privileges
- None — no root or admin on either end
- DNS
- Resolved on the server's side of the network
- Coexistence
- Runs alongside another VPN, including on iOS
flextunnel gives you proxy-level access to hosts behind a server — without a VPN. The client runs local SOCKS5 and HTTP proxy listeners; targets on the server-pushed tunnel list are carried over an encrypted QUIC connection to the server, which resolves DNS and makes the outbound TCP connection from its own network. Everything else connects directly from your device.
Because it uses ordinary userspace sockets — no TUN device — neither the client nor the server needs root or admin rights. And because it isn't a VPN, it sidesteps iOS's one-active-VPN-at-a-time restriction and runs happily alongside one.
How it works
local app ──SOCKS5/HTTP──▶ flextunnel client (127.0.0.1 · no root)
│ one encrypted QUIC connection
▼
flextunnel server (no root · no open port)
│ resolves DNS, connects from its own network
▼
target host:portFeatures
Zero privileges
Ordinary userspace sockets on both ends — no TUN device, so no root, no admin, no elevation prompts.
Server-side DNS
Reach names that only resolve on the server's network — or the server's own localhost.
Split by default
Only targets on the server-pushed tunnel list go through the tunnel; everything else connects directly.
No inbound ports
The same dial-by-identity transport: the server needs no public IP and no port forwarding.
Coexists with VPNs
It isn't a VPN, so it runs alongside one — sidestepping iOS's one-active-VPN-at-a-time limit.
Per-client tokens
Every client authenticates with its own token; whoever runs the server decides who gets in.
Apps & repos
- CLI · Linux / macOS / Windowsflextunnel
The core — command-line client and server.
- iOSflextunnel-ios
Browse private networks in a built-in browser, or forward local ports so other apps can reach them.
Good for
- Web UIs, SSH, RDP, and databases that are only reachable from the server's network
- Shared or locked-down machines where you can't get admin rights
- Running next to a corporate or personal VPN — including on iOS