← Back to Docs

Tunnel Groups

What It Does

A tunnel group is a set of VPN tunnels with automatic failover. TLSOps runs periodic health checks and throughput measurements against each member, then promotes the top-scoring challenger for new connections after repeated evaluations. If the active tunnel becomes unhealthy, TLSOps can switch immediately to the strongest-scoring alternative.

A tunnel group counts as one routing target — you can assign it to a device or a domain route exactly like a single tunnel. Tunnel groups are available on Starter and higher plans.

Prerequisites

  • At least two VPN tunnels already added under VPN Tunnels
  • An active Starter, Pro, or Ultimate plan license

Creating a Tunnel Group

  1. Go to the Tunnel Groups tab in the dashboard
  2. Click Add Group
  3. Give the group a name — for example Fast EU Tunnels
  4. Select two or more VPN tunnels to include in the group
  5. (Optional) Set a probe interval if this group should be checked more or less often than the default background cadence
  6. Click Save — TLSOps immediately begins background health checks and periodic throughput sampling

How Failover Works

  • Health checks run on the configured cadence, and throughput sampling runs less frequently on top of that cadence
  • New connections stay on the current selector until another member builds a clear score lead across repeated evaluations
  • If the active tunnel becomes unhealthy, TLSOps switches immediately to the top-scoring challenger
  • Existing sessions only move immediately when interruption is enabled; otherwise they drain naturally and only new connections use the newly selected member

Assigning a Group to a Device or Route

Once a tunnel group is created it appears as a routing option everywhere a tunnel can be used. Go to Devices or Routing Rules and select the tunnel group as the outbound.