Can LRO see my traffic?
No. When a tunnel carries your data, that data is end-to-end encrypted between the two agents. The LRO core in the middle moves bytes it cannot read — it never holds a key that would let it decrypt your SSH session, your database connection or anything else inside the tunnel.
End-to-end encryption between agents
The two agents at the ends of a tunnel establish their own encryption, independently of the server. They exchange ephemeral X25519 public keys and derive a per-tunnel session key with HKDF-SHA256. Every chunk of your traffic is then sealed with ChaCha20-Poly1305, an authenticated cipher: if a single byte were altered in transit, decryption would fail rather than hand over tampered data.
Because the key exchange happens between the agents, the relay only ever sees ciphertext. It routes the encrypted records to the right peer and forgets them. There is no key escrow and no server-side decryption step in the path.
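The key agreement and sealing described in the two paragraphs above, as an added Node.js example that is not LRO's code: two agents derive the same session key from ephemeral X25519 keys with HKDF-SHA256, and a record altered on the relay path fails ChaCha20-Poly1305 authentication. The HKDF label, the counter-based nonce and the record layout (ciphertext followed by a 16-byte tag) are assumptions; the page does not describe how agents authenticate each other's public keys, so that step is omitted.

```javascript
// Added illustration, not LRO's code. The HKDF label, nonce scheme and
// record layout are assumptions; the page does not specify them.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// Each agent generates a fresh (ephemeral) X25519 key pair for the tunnel.
function newAgent() {
  return nodeCrypto.generateKeyPairSync('x25519');
}

// X25519 with the peer's public key, then HKDF-SHA256 to a 32-byte session key.
function deriveSessionKey(myPrivateKey, peerPublicKey, tunnelId) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  const info = Buffer.from('example tunnel key ' + tunnelId); // hypothetical label
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 32));
}

// 96-bit nonce built from a chunk counter (assumed scheme); a nonce must
// never repeat under the same key.
function nonceFor(counter) {
  const n = Buffer.alloc(12);
  n.writeBigUInt64BE(BigInt(counter), 4);
  return n;
}

function seal(key, counter, plaintext) {
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonceFor(counter), { authTagLength: 16 });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([body, c.getAuthTag()]); // record = ciphertext || tag
}

function unseal(key, counter, record) {
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, nonceFor(counter), { authTagLength: 16 });
  d.setAuthTag(record.subarray(record.length - 16));
  // final() throws when the Poly1305 tag does not verify.
  return Buffer.concat([d.update(record.subarray(0, record.length - 16)), d.final()]);
}

// The relay holds no key: it can forward a record or alter it, nothing else.
function demo() {
  const a = newAgent(), b = newAgent();
  const keyA = deriveSessionKey(a.privateKey, b.publicKey, 't1');
  const keyB = deriveSessionKey(b.privateKey, a.publicKey, 't1');
  const record = seal(keyA, 0, Buffer.from('constructed sample chunk'));
  const delivered = unseal(keyB, 0, record).toString();
  const tampered = Buffer.from(record); tampered[3] ^= 0x01; // one bit flipped in transit
  let rejected = false;
  try { unseal(keyB, 0, tampered); } catch (e) { rejected = true; }
  return { keysMatch: keyA.equals(keyB), delivered, rejected, recordLen: record.length };
}
```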
The control channel is encrypted too
Separately from your traffic, the connection an agent keeps open to the core is itself encrypted using the Noise XK handshake pattern (Noise_XK_25519_ChaChaPoly_BLAKE2s). After a three-message handshake the agent and core share a transport key, and every control frame after that is encrypted and authenticated. So both layers — the commands that manage tunnels and the tunnel payload itself — are protected, with different keys.
What the server does and doesn’t know
The core knows the routing facts it needs to do its job: which agents are connected, which tunnel is open to which endpoint, and how many bytes were relayed (that is what billing counts). It does not know the contents of those bytes. Treat the payload as opaque ciphertext from the moment it leaves one agent until it arrives at the other.