diff --git a/TransitTunnel.h b/TransitTunnel.h
index 3d3571f7..e71c16e1 100644
--- a/TransitTunnel.h
+++ b/TransitTunnel.h
@@ -67,7 +67,8 @@ namespace tunnel
 			TransitTunnelEndpoint (uint32_t receiveTunnelID,
 			    const uint8_t * nextIdent, uint32_t nextTunnelID, 
 	    		const uint8_t * layerKey,const uint8_t * ivKey):
-				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey) {};
+				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey),
+				m_Endpoint (false) {}; // transit endpoint is always outbound
 
 			void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg);
 			size_t GetNumTransmittedBytes () const { return m_Endpoint.GetNumReceivedBytes (); }
diff --git a/Tunnel.h b/Tunnel.h
index 8ae3e392..63adadc5 100644
--- a/Tunnel.h
+++ b/Tunnel.h
@@ -81,7 +81,7 @@ namespace tunnel
 	{
 		public:
 
-			InboundTunnel (TunnelConfig * config): Tunnel (config) {};
+			InboundTunnel (TunnelConfig * config): Tunnel (config), m_Endpoint (true) {};
 			void HandleTunnelDataMsg (I2NPMessage * msg);
 			size_t GetNumReceivedBytes () const { return m_Endpoint.GetNumReceivedBytes (); };
 
diff --git a/TunnelEndpoint.cpp b/TunnelEndpoint.cpp
index d9189fe8..254c56ab 100644
--- a/TunnelEndpoint.cpp
+++ b/TunnelEndpoint.cpp
@@ -1,8 +1,10 @@
 #include "I2PEndian.h"
 #include <string.h>
 #include "Log.h"
+#include "NetDb.h"
 #include "I2NPProtocol.h"
 #include "Transports.h"
+#include "RouterContext.h"
 #include "TunnelEndpoint.h"
 
 namespace i2p
@@ -194,7 +196,28 @@ namespace tunnel
 				i2p::transports.SendMessage (msg.hash, i2p::CreateTunnelGatewayMsg (msg.tunnelID, msg.data));
 			break;
 			case eDeliveryTypeRouter:
-				i2p::transports.SendMessage (msg.hash, msg.data);
+				if (msg.hash == i2p::context.GetRouterInfo ().GetIdentHash ()) // check if message is sent to us
+					i2p::HandleI2NPMessage (msg.data);
+				else
+				{	
+					// to somebody else
+					if (!m_IsInbound) // outbound transit tunnel
+					{
+						if (msg.data->GetHeader()->typeID == eI2NPDatabaseStore)
+						{
+							// catch RI
+							auto ds = NewI2NPMessage ();
+							*ds = *(msg.data);
+							i2p::data::netdb.PostI2NPMsg (ds);
+						}
+						i2p::transports.SendMessage (msg.hash, msg.data);
+					}
+					else // we shouldn't send this message. possible leakage 
+					{
+						LogPrint ("Message to another router arrived from an inbound tunnel. Dropped");
+						i2p::DeleteI2NPMessage (msg.data);
+					}
+				}
 			break;
 			default:
 				LogPrint ("TunnelMessage: Unknown delivery type ", (int)msg.deliveryType);
diff --git a/TunnelEndpoint.h b/TunnelEndpoint.h
index 749c3e3f..d9fa4bb6 100644
--- a/TunnelEndpoint.h
+++ b/TunnelEndpoint.h
@@ -20,7 +20,7 @@ namespace tunnel
 		
 		public:
 
-			TunnelEndpoint (): m_NumReceivedBytes (0) {};
+			TunnelEndpoint (bool isInbound): m_IsInbound (isInbound), m_NumReceivedBytes (0) {};
 			~TunnelEndpoint ();
 			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
 			
@@ -34,6 +34,7 @@ namespace tunnel
 		private:			
 
 			std::map<uint32_t, TunnelMessageBlockEx> m_IncompleteMessages;
+			bool m_IsInbound;
 			size_t m_NumReceivedBytes;
 	};	
 }