feat: add TunnelDomain option to separate API and tunnel URLs

Adds a new `--tunnel-domain` / `TUNNELD_TUNNEL_DOMAIN` option that
allows specifying a different domain for tunnel URLs than the API
base URL. This enables split-horizon deployments where:

- Both internal and external servers respond to the same API URL
  (e.g., sharing.io)
- Internal server returns tunnel URLs on local domain (*.sharing.io)
- External server returns tunnel URLs on external domain
  (*.fly.sharing.io)

If TunnelDomain is not set, BaseURL is used for tunnel URLs
(preserving backwards compatibility).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: Hippie Hacker

cmd/tunneld/main.go

@@ -56,9 +56,14 @@ func main() {
 			&cli.StringFlag{
 				Name:    "base-url",
 				Aliases: []string{"u"},
-				Usage:   "The base URL to use for the tunnel, including scheme. All tunnels will be subdomains of this hostname.",
+				Usage:   "The base URL to use for the API, including scheme. Used for routing API requests.",
 				EnvVars: []string{"TUNNELD_BASE_URL"},
 			},
+			&cli.StringFlag{
+				Name:    "tunnel-domain",
+				Usage:   "The domain to use for tunnel URLs, including scheme. All tunnels will be subdomains of this hostname. If not set, base-url is used.",
+				EnvVars: []string{"TUNNELD_TUNNEL_DOMAIN"},
+			},
 			&cli.StringFlag{
 				Name:    "wireguard-endpoint",
 				Aliases: []string{"wg-endpoint"},
@@ -142,6 +147,7 @@ func runApp(ctx *cli.Context) error {
 		verbose                = ctx.Bool("verbose")
 		listenAddress          = ctx.String("listen-address")
 		baseURL                = ctx.String("base-url")
+		tunnelDomain           = ctx.String("tunnel-domain")
 		wireguardEndpoint      = ctx.String("wireguard-endpoint")
 		wireguardPort          = ctx.Uint("wireguard-port")
 		wireguardKey           = ctx.String("wireguard-key")
@@ -206,6 +212,13 @@ func runApp(ctx *cli.Context) error {
 	if err != nil {
 		return xerrors.Errorf("could not parse base-url %q: %w", baseURL, err)
 	}
+	var tunnelDomainParsed *url.URL
+	if tunnelDomain != "" {
+		tunnelDomainParsed, err = url.Parse(tunnelDomain)
+		if err != nil {
+			return xerrors.Errorf("could not parse tunnel-domain %q: %w", tunnelDomain, err)
+		}
+	}
 	wireguardServerIPParsed, err := netip.ParseAddr(wireguardServerIP)
 	if err != nil {
 		return xerrors.Errorf("could not parse wireguard-server-ip %q: %w", wireguardServerIP, err)
@@ -248,6 +261,7 @@ func runApp(ctx *cli.Context) error {
 
 	options := &tunneld.Options{
 		BaseURL:                baseURLParsed,
+		TunnelDomain:           tunnelDomainParsed,
 		WireguardEndpoint:      wireguardEndpoint,
 		WireguardPort:          uint16(wireguardPort),
 		WireguardKey:           wireguardKeyParsed,

tunneld/options.go

@@ -35,11 +35,17 @@ var newHostnameEncoder = base32.HexEncoding.WithPadding(base32.NoPadding)
 type Options struct {
 	Log slog.Logger
 
-	// BaseURL is the base URL to use for the tunnel, including scheme. All
-	// tunnels will be subdomains of this hostname.
+	// BaseURL is the base URL to use for the API, including scheme. This is
+	// used for routing API requests.
+	// e.g. "https://tunnel.example.com"
+	BaseURL *url.URL
+
+	// TunnelDomain is the domain to use for tunnel URLs, including scheme.
+	// All tunnels will be subdomains of this hostname.
 	// e.g. "https://tunnel.example.com" will place tunnels at
 	//      "https://xyz.tunnel.example.com"
-	BaseURL *url.URL
+	// If not set, BaseURL is used for tunnel URLs.
+	TunnelDomain *url.URL
 
 	// WireguardEndpoint is the UDP address advertised to clients that they will
 	// connect to for wireguard connections. It should be in the form
@@ -181,21 +187,27 @@ func (options *Options) WireguardPublicKeyToIPAndURLs(publicKey device.NoisePubl
 	// the first 64 bits of the hash of the public key.
 	copy(addrBytes[8:], keyHash[:8])
 
+	// Determine which domain to use for tunnel URLs
+	tunnelBase := options.BaseURL
+	if options.TunnelDomain != nil {
+		tunnelBase = options.TunnelDomain
+	}
+
 	// Good format:
 	goodFormatBytes := make([]byte, 8)
 	copy(goodFormatBytes, keyHash[:8])
 	goodFormat := newHostnameEncoder.EncodeToString(goodFormatBytes)
-	goodFormatURL := *options.BaseURL
-	goodFormatURL.Host = strings.ToLower(goodFormat) + "." + goodFormatURL.Host
+	goodFormatURL := *tunnelBase
+	goodFormatURL.Host = strings.ToLower(goodFormat) + "." + tunnelBase.Host
 
 	// Old format:
 	oldFormatBytes := make([]byte, 16)
 	copy(oldFormatBytes, addrBytes[:])
 	prefixLenBytes := options.WireguardNetworkPrefix.Bits() / 8
 	copy(oldFormatBytes[prefixLenBytes:], keyHash[:16-prefixLenBytes])
 	oldFormat := hex.EncodeToString(oldFormatBytes)
-	oldFormatURL := *options.BaseURL
-	oldFormatURL.Host = strings.ToLower(oldFormat) + "." + oldFormatURL.Host
+	oldFormatURL := *tunnelBase
+	oldFormatURL.Host = strings.ToLower(oldFormat) + "." + tunnelBase.Host
 
 	urls := []*url.URL{&goodFormatURL, &oldFormatURL}
 	if version == tunnelsdk.TunnelVersion1 {