Fair usage enforcement is critical for any SaaS platform. Here's a transparent look at how Tunels enforces plan limits — from tunnel counts to bandwidth and request rates.

The Challenge

When a user starts a tunnel, we need to answer several questions in real time:

  • How many tunnels does this user currently have open?
  • Is this user within their bandwidth allowance?
  • Is the request rate within their plan's RPS limit?
  • Does their plan support the requested protocol (HTTP, TCP, UDP)?

These checks must be fast (under 100ms) and correct (no bypasses).

Centralized Enforcement

Our tunnel server communicates with the Tunels API for enforcement decisions. When a client requests a new tunnel:

  1. The tunnel server sends a check request to POST /api/v1/enforcement/check-tunnel-limit
  2. The API queries the active_tunnels table with a PostgreSQL advisory lock to prevent race conditions
  3. If allowed, the tunnel is registered in the database
  4. If denied, the client receives an error with the reason and a suggestion to upgrade

Fail-Closed Design

If the enforcement API is unreachable, the tunnel server denies the request. We chose fail-closed over fail-open because security and fairness are more important than availability during an API outage. Existing tunnels continue to work — only new tunnel creation is affected.

Rate Limiting

Each plan has a requests-per-second (RPS) limit enforced using a token bucket algorithm. The bucket refills at the plan's RPS rate with a burst multiplier (typically 3x-10x depending on plan) to handle traffic spikes gracefully.
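
A sketch of the token bucket described above, added here as an illustration and not Tunels' own code. The class and function names, the injectable clock, and the sample plan values (10 RPS, 3x burst) are assumptions made for the example.

```python
import time

class TokenBucket:
    """Refills at `rps` tokens/second; holds at most rps * burst_multiplier tokens."""
    def __init__(self, rps, burst_multiplier, clock=time.monotonic):
        if rps <= 0 or burst_multiplier < 1:
            raise ValueError("rps must be > 0 and burst_multiplier >= 1")
        self.rps = float(rps)
        self.capacity = self.rps * burst_multiplier
        self.tokens = self.capacity  # start full so an idle user can burst
        self.clock = clock
        self.last = clock()

    def _refill(self):
        now = self.clock()
        elapsed = max(0.0, now - self.last)  # ignore a backwards clock step
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rps)

    def allow(self, cost=1.0):
        """Spend `cost` tokens and return True if available, else return False."""
        self._refill()
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, cost=1.0):
        """Seconds until `cost` tokens are available (0.0 if available now)."""
        self._refill()
        return max(0.0, (cost - self.tokens) / self.rps)

class FakeClock:
    """Manually advanced clock, constructed so the demo is deterministic."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds

def simulate_spike(rps=10, burst_multiplier=3, spike=50):
    """Fire `spike` requests at once, wait 1 s, fire `spike` more."""
    clock = FakeClock()
    bucket = TokenBucket(rps, burst_multiplier, clock)
    first = sum(bucket.allow() for _ in range(spike))
    wait = bucket.retry_after()
    clock.advance(1.0)
    second = sum(bucket.allow() for _ in range(spike))
    return first, wait, second  # assumed plan values: 10 RPS, 3x burst

if __name__ == "__main__":
    print(simulate_spike())
```

With these sample values the burst capacity absorbs the first 30 requests of the spike; after that, throughput settles to the sustained RPS rate.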

Bandwidth Tracking

Bandwidth is tracked per-tunnel and aggregated per-user monthly. We record bytes in and bytes out after each proxied connection closes. When a user approaches their limit (95%), we send a warning. At 100%, new connections receive an HTTP 509 Bandwidth Limit Exceeded response. A 5% grace period prevents hard cutoffs during active transfers.

Why Transparency Matters

We publish our plan limits clearly on the pricing page. There are no hidden caps or throttling. If you're on the Pro plan with 5 tunnels and 75 GB bandwidth, that's exactly what you get.