AuraVPN

xah30/AuraVPN

Fork 0

Commit Graph

Author	SHA1	Message	Date
xah30	15c7da12fe	fix(server): v3.6 — implicit auto-NAT on Linux (root cause of full-VPN dying) Symptoms: in default = "VPN" full-VPN mode external internet was dead even though tunnel-internal ping (10.7.0.1) worked perfectly. The tunnel itself was assembled and AEAD-encrypted (see TEST_CASES.md), but packets sent through it died on the server side. Root cause: server's `[server.nat]` was opt-in. On the production server (187.77.67.17) deployed before v2, the section is absent in /etc/aura/server.toml, so `aura server` never ran the iptables MASQUERADE plan. Packets egressed to the upstream router with src = 10.7.0.10 (RFC1918), which the provider's reverse-path filter dropped — full-VPN clients saw "internet is dead". Tunnel-internal pool addresses worked because they don't need NAT. Fix: * `server.rs`: when `[server.nat]` is absent in server.toml AND we are on Linux, attempt auto-NAT with an auto-detected egress_iface. If detection or the iptables call fails we DON'T bail — we log a loud error and let the server come up so safe-mode clients keep working. * `config.rs`: `ServerNatSection::default()` now defaults `auto = true`. A bare `[server.nat]` header (no `auto =`) now means "yes, enable it" instead of the silent-noop it used to be. * New tests for both bare-header and explicit `auto = false` opt-out paths. * `docs/server_nat_fix.md`: step-by-step instructions for fixing the existing 187.77.67.17 server (binary upgrade vs. manual server.toml patch vs. fully-manual sysctl + iptables). * `docs/deployment.md`: replaces "manual mandatory step" wording with the new auto-NAT story. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-01 14:11:24 +03:00

Author

SHA1

Message

Date

xah30

15c7da12fe

fix(server): v3.6 — implicit auto-NAT on Linux (root cause of full-VPN dying)

Symptoms: in default = "VPN" full-VPN mode external internet was dead even
though tunnel-internal ping (10.7.0.1) worked perfectly. The tunnel itself
was assembled and AEAD-encrypted (see TEST_CASES.md), but packets sent
through it died on the server side.

Root cause: server's `[server.nat]` was opt-in. On the production server
(187.77.67.17) deployed before v2, the section is absent in
/etc/aura/server.toml, so `aura server` never ran the iptables MASQUERADE
plan. Packets egressed to the upstream router with src = 10.7.0.10 (RFC1918),
which the provider's reverse-path filter dropped — full-VPN clients saw
"internet is dead". Tunnel-internal pool addresses worked because they
don't need NAT.

Fix:
* `server.rs`: when `[server.nat]` is absent in server.toml AND we are on
  Linux, attempt auto-NAT with an auto-detected egress_iface. If detection
  or the iptables call fails we DON'T bail — we log a loud error and let
  the server come up so safe-mode clients keep working.
* `config.rs`: `ServerNatSection::default()` now defaults `auto = true`.
  A bare `[server.nat]` header (no `auto =`) now means "yes, enable it"
  instead of the silent-noop it used to be.
* New tests for both bare-header and explicit `auto = false` opt-out paths.
* `docs/server_nat_fix.md`: step-by-step instructions for fixing the
  existing 187.77.67.17 server (binary upgrade vs. manual server.toml
  patch vs. fully-manual sysctl + iptables).
* `docs/deployment.md`: replaces "manual mandatory step" wording with
  the new auto-NAT story.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-01 14:11:24 +03:00

1 Commits