GNOME tray applet to manage multiple SSH SOCKS5 tunnels and toggle the system proxy
Project description
Tunly
Quick SSH tunnels, tidy tray.
GNOME tray applet to manage multiple named SSH dynamic (SOCKS5) tunnels and toggle the system proxy in one click. Exclusive model: at most one tunnel active at a time — it drives the system proxy and is reverted on stop, drop, or quit.
- One click — pick a tunnel in the tray, ssh comes up, system proxy follows.
- Always reverted — stop, crash, drop, or quit: your proxy never stays pointed at a dead port.
- Multiple tunnels — named profiles, each with its own host, port, and auth.
- Any auth — ssh-agent, a specific key file, or password (GNOME keyring / prompt; never written to disk).
- Self-healing — health-checks the tunnel and cleans up if ssh dies underneath.
- No daemons, no root — a single Python/GTK process running as you.
📖 Full user guide — first run, auth setup, troubleshooting.
Quick install (Debian/Ubuntu)
wget https://github.com/thelinuxer/tunly/releases/latest/download/tunly_0.1.1_all.deb
sudo apt install ./tunly_0.1.1_all.deb
Requirements
System packages (all preinstalled on a standard GNOME desktop; no pip):
python3+python3-gi(GTK 3 introspection)gir1.2-appindicator3-0.1orgir1.2-ayatanaappindicator3-0.1gir1.2-notify-0.7(optional — desktop notifications)ssh,curl
Optional, per auth method:
- Password auth works out of the box via an
SSH_ASKPASShelper (no extra deps). Ifsshpassis installed it is used instead. - Remember password in keyring needs
secret-tool(libsecret-tools). Without it, password-auth tunnels prompt on each connect.
Install
The GTK/AppIndicator bindings are system packages (GObject-Introspection typelibs), not PyPI wheels — so sandboxed formats (Flatpak/Snap) can't drive the host proxy and are not used. Pick one:
A. Debian / Ubuntu (.deb) — recommended for clean system integration
make deb # produces tunly_<ver>_all.deb (needs dpkg-deb)
sudo apt install ./tunly_*.deb # pulls gir1.2-* deps automatically
B. pipx (any distro)
Because AppIndicator has no PyPI package, the venv must see the system bindings:
sudo apt install python3-gi gir1.2-gtk-3.0 \
gir1.2-ayatanaappindicator3-0.1 openssh-client
pipx install --system-site-packages . # from a checkout
# then, for the app menu + icon:
tunly --install-desktop --autostart
C. Arch Linux
A PKGBUILD ships in packaging/aur/:
cd packaging/aur && makepkg -si
D. From source (make install)
sudo make install PREFIX=/usr/local # installs launcher + .desktop + icon
Run
After install, launch tunly (from the app menu or the shell). An icon appears
in the top-bar tray (green = a tunnel is active, grey = none). Click it → per-tunnel
start/stop, Manage tunnels…, Quit.
Run in place without installing:
PYTHONPATH=src python3 -m tunly &
Menu/autostart integration for a pipx or in-place run:
tunly --install-desktop # add --autostart to launch on login
tunly --uninstall-desktop # remove it
Managing tunnels
Manage tunnels… opens a window listing every tunnel with a status dot and
Start/Stop, Edit, Delete buttons, plus + Add tunnel. Each tunnel has a
unique name and its own SOCKS port.
SSH auth methods (per tunnel)
| auth | behaviour |
|---|---|
agent |
ssh-agent + default keys (default) |
key |
private key file (-i <path> -o IdentitiesOnly=yes) |
password |
GTK prompt at connect (or keyring); fed to ssh with no plaintext on disk |
Config
~/.config/tunly/tunnels.json — created on first run. A legacy
config.ini (single-tunnel format) is auto-migrated to tunnel default.
Passwords are never written here (keyring or prompt-only).
Self-test
Real end-to-end check (spawns ssh, sets + reverts proxy, prints exit IP). Point it at your own reachable SSH server via env vars — nothing is hardcoded:
SSTRAY_TEST_HOST=vps.example.com SSTRAY_TEST_USER=alice \
PYTHONPATH=src python3 -m tunly --selftest # or: tunly --selftest
Security notes
- Passwords are never written to
tunnels.json. They come from the GNOME keyring (secret-tool) or a prompt, and reachsshviasshpass -eor anSSH_ASKPASShelper — no plaintext on disk. The password does transit the ssh child's environment (as withsshpass), readable only by the same user via/proc/<pid>/environ. - Host-key policy is
StrictHostKeyChecking=accept-new: unknown host keys are trusted on first connect (TOFU) so the non-interactive tunnel can come up; a changed key is still refused. If you need strict first-connect verification, pre-populate~/.ssh/known_hosts. - Runs entirely as your user; it changes only your GNOME proxy settings and spawns
ssh. No privileged operations, no shell interpolation of user input.
Releasing
Versions are tag-driven; pyproject.toml is the single source of truth
(the .deb version derives from it at build time). To cut a release:
# 1. bump `version` in pyproject.toml (and the Quick install URL above), commit
# 2. tag and push — CI builds wheel/sdist + .deb and attaches them to a GitHub Release
git tag v0.2.0 && git push origin v0.2.0
CI fails the release if the tag and pyproject.toml version disagree.
Unit tests run on every push (.github/workflows/ci.yml); live SSH integration
tests run locally with SSTRAY_TEST_HOST=<server> pytest tests/.
Enabling PyPI publishing (one-time): on pypi.org → Publishing → add a trusted
publisher with repository thelinuxer/tunly, workflow release.yml, environment
pypi; create a matching pypi environment in the GitHub repo settings; then
uncomment the pypi job in .github/workflows/release.yml. After that every tagged
release also lands on PyPI (pipx install tunly).
Design
See docs/2026-07-05-tunly-design.md.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tunly-0.1.1.tar.gz.
File metadata
- Download URL: tunly-0.1.1.tar.gz
- Upload date:
- Size: 29.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ac5e5fcb17ed5a5a9af547376636884bf2116acbbd3776c278c07593b16058ec
|
|
| MD5 |
00d4fd92dd2846ede22b5d15e75a3f7d
|
|
| BLAKE2b-256 |
4a18a48969a62fb9f5cea2d8bd2b273a7e4e16f17f99c2b25d46c2f36c3006b0
|
File details
Details for the file tunly-0.1.1-py3-none-any.whl.
File metadata
- Download URL: tunly-0.1.1-py3-none-any.whl
- Upload date:
- Size: 19.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6f7970e42c4d77fae9d625b701eca7a8d0670ea32c4207b394f49f7b05912e3e
|
|
| MD5 |
42d0038e868725f1a1c807f4772584a7
|
|
| BLAKE2b-256 |
b95ea6818ff8ac79caba9989f3ab7af19dd84e452e25ead5bf1b36e77de49f5e
|