Completes v3.1 multi-hop / onion routing (2 hops: client → entry-relay →
exit-server). Combined with the scaffold commit (6c14c0d), the property
holds: entry-relay knows the client IP + client_id but cannot decrypt the
data; exit knows the destination but sees the relay's IP as source.
- aura-cli::circuit: dial_circuit(&[entry, exit], proto_cfg, udp_opts) →
CircuitConnection. Connects to entry as a normal UdpClient, sends an
ExtendBridge control envelope, awaits CircuitReady, then runs a SECOND
Aura handshake to the exit through a local loopback UDP proxy — the
forwarder ferries datagrams between that proxy socket and the outer
relay PacketConnection. The inner handshake therefore authenticates the
EXIT cert (verified by the integration test asserting
circuit.peer_id() == "localhost-exit"); the relay never sees the inner
session keys.
- aura-cli::relay: rendezvous(conn, whitelist) -> Bridged{bridge} |
Fallback{first_pkt} | Refused. 2-second window after handshake to receive
ExtendBridge. Whitelist enforced; CircuitFailed on miss. Empty whitelist
logs a warning and runs open. Timeout / non-control → Fallback so the
same server can be both relay (for circuit clients) and exit (for direct
clients) simultaneously.
- aura-cli::client: when [client.circuit] enabled → dial_circuit; falls
back to normal aura_transport::dial when disabled.
- aura-cli::server: relay rendezvous wired before pool/CRL/router path.
run_bridge spawns two forwarder tasks (conn↔bridge UDP socket).
- 3 integration tests: end-to-end (with peer_id assertion), whitelist
rejection, back-compat (relay disabled → Err). 3 unit tests in relay.rs.
Workspace: 253 tests passed (247 baseline + 6 new), clippy -D warnings clean,
fmt clean. No new workspace deps. All 28 tracked tasks (v1 + v2 + v3.1) now
complete.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Reduces manual setup steps and trims user-identifying data exposed by the
server/client, in the spirit of the deployment story: an operator on the
wire sees less, and the admin types fewer commands.
New CLI subcommands:
- `aura server-init`: one shot — pki init + issue-server + writes a ready
server.toml with auto-detected egress iface; flags --enable-knock,
--enable-cover-traffic, --no-nat, --run-as toggle the new transport
defenses and privilege drop.
- `aura provision-client`: issues a client cert and assembles the full
bundle (ca.crt + client.crt + client.key + client.toml in one directory)
ready to hand over to the client device. --id is optional (defaults to
a fresh UUIDv4, so client identities don't have to encode anything real).
Identity / log minimization:
- `aura pki issue-client --id` is now optional — UUIDv4 by default.
- `[server]/[client] no_logs = true` filters peer_id, client_ip,
source_addr, client_id, local_ip, user, id, assigned_ip, peer field
values through a custom tracing FormatFields layer (events still fire
but the identifying fields are redacted before being written).
- `[client] bridges = [...]`: secondary server addresses; build_dial_targets
shuffles them after the primary, so blocking one IP doesn't kill the
client.
- Auto-detect egress iface in [server.nat] (via detect_default_egress_iface);
egress_iface in config becomes optional with graceful fallback.
Config examples updated; backward-compatible (all new sections optional with
serde defaults). Workspace: 207 tests passed (+22), clippy -D warnings clean,
fmt clean. No new workspace deps.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
DIRECT-destination traffic now bypasses the TUN entirely via OS routing
table edits, instead of going through user-space and hitting the v1
send_direct stub. The user-space router only sees VPN-bound packets,
making the split-tunnel real.
- aura_cli::os_routes::OsRouteGuard: RAII install + rollback of OS routes.
Linux: `ip route show default` parser -> DIRECT CIDRs via original gw,
VPN default via TUN with metric 50. macOS: `route -n get default`
parser -> `route add -net/-host ... <gw>` for DIRECT, `route add -net
... -interface <tun>` for VPN. Windows: stub + warning (v3).
- dry_run works on every platform (logs `would run: ...`); useful for
tests and operator confidence-checks.
- SplitRoutes::from_config folds [[tunnel.split.direct]]/[[...vpn]] +
resolved domains (via AuraDns) into one declarative plan.
- New [tunnel.os_routes] {enabled (default true), dry_run, gateway,
egress_iface}; absent section = old user-space behavior (back-compat).
- client::run installs routes after AuraTun::create, before privdrop;
guard's Drop reverts everything on shutdown.
- aura-tunnel::router unchanged; AuraRouter::send_direct kept as a
defensive fallback (in v2 it should never fire — OS routes prevent
DIRECT packets from reaching the TUN at all).
20 new tests (linux/macos parser unit tests, install dry-run, config
back-compat). Workspace: 174 tests passed (+19), clippy -D warnings
clean, fmt clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three v2-hardening features in aura-cli, one pass:
- nat::NatGuard: RAII auto-config of IP forwarding + MASQUERADE on server
startup. Linux (sysctl ip_forward + iptables -t nat MASQUERADE) and
macOS (sysctl ip.forwarding + pfctl with /tmp/aura-nat.conf). dry_run
works on every platform (logs "would run: ..."). Reverts everything in
Drop. New [server.nat] {auto, egress_iface, dry_run}; absent section =
back-compat no-op. Removes v1's "manual NAT/forwarding" step.
- privdrop::drop_to_user: drop euid/gid after binding TUN + privileged
ports. Linux setresuid/setresgid, macOS setgid+setuid (permanent drop),
Windows no-op with warning. New [server] / [client] run_as = "..."
(optional). Skipped with info-log if already non-root.
- admin: split transport into cfg(unix) Unix-socket and cfg(windows) Tokio
named-pipe modules sharing one JSON-line serve/request flow over
AsyncRead/AsyncWrite. DEFAULT_SOCKET = "/tmp/aura-admin.sock" on Unix,
r"\\.\pipe\aura-admin" on Windows. Removes v1's "admin Unix-only".
Deps: nix 0.29 user feature under [target.'cfg(unix)'.dependencies] (cli-
local, not workspace). Workspace: 155 tests passed (+13), clippy -D warnings
clean, fmt clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Both server and client deterministically rotate the on-wire obfuscation mask
(SNI, HTTP Host/User-Agent/Server headers, UDP padding profile) at 05:00 Moscow
time (02:00 UTC) every day, derived from the CA fingerprint + UTC date — no
network coordination needed.
- aura-crypto::masks: MaskSet + 4 palettes (16 SNI, 10 UA, 5 Server, 4 padding
profiles); derive_mask_for_msk_date via HKDF-SHA256(salt="aura-mask-v1-salt",
ikm=ca_fp||"YYYY-MM-DD", info="aura-mask-v1"); ca_fingerprint with built-in
base64 PEM decode (no new deps).
- aura-cli::masks: MaskRotator (Arc<RwLock<MaskSet>>) + Hinnant's civil_from_days
for manual UTC date math; scheduler picks next 02:00 UTC strictly (avoids
busy-loop at boundary); spawned at startup in server::run/client::run.
- aura-transport: PADDING_PROFILES + next_bucket_for_profile (profile 0 byte-for-
byte equals legacy pad_to_https_size); TcpOpts gains user_agent/server_header;
UdpOpts gains padding_profile; MultiServer holds Arc<UdpServer>/Arc<TcpServer>
with set_udp_opts/set_tcp_opts so rotation propagates without restart.
- Backward-compatible: defaults preserve previous behavior; existing 97 tests
unchanged. 17 new tests (derive determinism + date variation, civil-from-days
known points incl. 1970-01-01/2000-02-29/2024->2025, next-rotation boundary,
msk_today offset, profile equivalence, base64 round-trip, full mask-driven
UDP loopback). Total: 114 passed, clippy/fmt clean. No new workspace deps.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
aura-cli: clap command tree (pki init/issue-server/issue-client/revoke/list,
server, client, route add/list/remove, status, bench-crypto); TOML config with
~ expansion and split-tunnel rules -> RouteTable; JSON-over-Unix-socket admin
IPC; server/client data paths wiring transport + tunnel (TUN run needs root).
config/{server,client}.toml.example. 15 tests (pki roundtrip, config parse,
admin-socket roundtrip, loopback connection). Verified the real binary: --help,
bench-crypto, and a full CA->server->client cert workflow.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
xah30