Adds a way to make the outer-TLS SNI rotate among popular Russian-language
domains so that Russian carriers — who may start metering "foreign traffic"
separately — see the user's first hop as a domestic CDN/site request, not
as an exotic foreign destination.
- aura-crypto::masks:
- SNI_PALETTE_RUSSIAN (15 real domains: mail.yandex.ru, vk.com, www.ozon.ru,
dzen.ru, ya.ru, www.gosuslugi.ru, www.wildberries.ru, rutube.ru,
news.rambler.ru, hh.ru, www.tinkoff.ru, lenta.ru, www.kinopoisk.ru,
afisha.yandex.ru, music.yandex.ru).
- enum SniPalette { Default, Russian, Mixed } (Default = v2 behavior).
- derive_mask_for_msk_date_with_palette(...): pick from chosen palette,
Mixed flips ~50/50 by HKDF okm[8]&1. Old derive_mask_for_msk_date kept
as a thin wrapper -> byte-for-byte unchanged Default.
- aura-cli::masks::MaskRotator gains new_with_palette(...); the spawn loop
uses the stored palette. Old new() preserves Default.
- aura-cli config: [transport.masks] palette = "default"|"russian"|"mixed"
(serde rename_all = "lowercase", default Default).
- server.rs/client.rs read cfg.transport.masks.palette and pass it to the
rotator at startup; logged at INFO so the operator sees the choice.
- docs/deployment.md: new §7 "Сервер в РФ против тарификации иностранного
трафика" — context, ASCII topology, recommended RF providers, full
server.toml + client.toml examples wiring [server.relay] + russian
palette + LE outer cert + multi-hop, plus an honest list of what this
does and does not give.
- config/{server,client}.toml.example updated with palette = "default".
Workspace: 284 tests passed (+8 new = 4 crypto + 2 cli masks + 2 config),
clippy -D warnings clean, fmt clean. 276 baseline tests untouched.
Backward-compatible: configs without palette default to Default, identical
to v2 wire behavior.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
deployment.md §6 updated:
- Moved CRL from "remaining" to "resolved" (now in-band via signed
control-envelope with magic prefix).
- Added bullets for the new v2 features: port-knocking + cover traffic
(anti-surveillance), `aura server-init` / `aura provision-client`
(automation), `no_logs` field redaction, `bridges` list.
- Remaining honest limits trimmed to genuine v3 work: native Go phone
client (sing-box, explicitly excluded by user) and multi-hop routing.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
§5: TCP/443 fallback now described as real outer TLS-443 (was the lighter
HTTP/1.1 masquerade in v1).
§6 rewritten "Честные ограничения v1" -> "v2 — что устранено и что остаётся":
- Resolved: UDP multi-client demux, server IP pool + per-client routing,
OS-level split-tunnel (no more send_direct stub), real TLS-443, auto-NAT,
privilege drop, Windows admin named pipe, daily protocol-mask rotation
at 05:00 MSK.
- Remaining honest limits: TUN creation still needs root (privilege drop
shrinks the window), IPv6 in OS routes / iptables not yet, Windows OS
routes stubbed, CRL still out-of-band (in-band push deferred), native
phone client via sing-box still a plan, no auto-detect of egress iface.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
xah30