Captures the empirical evidence that the AuraVPN PQ-tunnel itself is
functional end-to-end in the safe-mode configuration that doesn't touch
the host's default route. This is the deliberate "small win" baseline we
lock in before tackling the harder coexist-with-Clash routing question.
Includes: factual ping output (5/5, RTT 58ms), client+server admin
status snapshots (rx/tx counter parity confirms #42 fix wired correctly,
rx=4969 confirms cover-traffic generation, peer name from cert CN
confirms mutual auth), the exact one-paste config recipe, and a section
on why the "what's my IP" external test cannot be conclusive in safe
mode (only tunnel-internal /24 goes through Aura — public IPs still
egress via Clash, which happens to also egress from 187.77.67.17 so the
two look identical).
The §9 follow-up section sketches the hybrid coexist-routing problem the
user wants tackled next (track via new tasks #53 / #54): when Clash Verge
stays alive but turns Tun mode off, Aura should snapshot which CIDRs the
other VPN is still holding via its daemon-installed routes, compute the
complement, and install Aura's routes only in the holes.
Includes a deliberate screenshot checklist for the user to capture
(connected UI state, terminal verification, ping output, both-sides
admin counters, untouched LAN default, Clash tray still alive, browser
showing pre-existing Frankfurt egress).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
xah30