# Aura VPN server configuration (project §9). # Copy to server.toml and adjust. Paths may begin with `~` (expands to your home directory). [server] # Human-readable name (also the server's inner-handshake identity). name = "aura-edge-1" # UDP socket to listen on. ":443" mimics HTTPS; binding it needs privileges. listen = "0.0.0.0:443" # Accept workers (advisory in v1). workers = 4 # Optional: drop privileges to this non-root user AFTER the TUN, low-port sockets and any # [server.nat] commands have been applied. Recommended on production hosts so the long-running # accept loop does not stay as root. Linux uses setresuid/setresgid (full triple-drop); macOS # uses setgid/setuid; Windows is a no-op (use a service account instead). When omitted (or # already running as non-root) no privilege change happens. # run_as = "nobody" # Suppress identifier fields (peer_id, client_ip, source_addr, ...) from log output. The events # still fire (so counters and rates are unaffected); only the offending fields are dropped before # formatting. Default: false. Set to true on production hosts to keep the log file from accumulating # the per-client identifiers Russian telcos may be compelled to forward on request. no_logs = false [pki] # Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM. # Generate with: aura pki init --ca-name "Aura CA" --out ~/.aura # aura pki issue-server --domain vpn.example.com --out ~/.aura --ca ~/.aura ca_cert = "~/.aura/ca.crt" cert = "~/.aura/server.crt" key = "~/.aura/server.key" # v3 optional: provide a SEPARATE outer-TLS certificate for the QUIC and TCP transports. When set, # a passive observer on :443 sees a CA-trusted handshake (e.g. Let's Encrypt) instead of the # self-signed Aura cert above — which is much harder to fingerprint. The inner Aura mutual-auth # handshake still uses the [pki] cert/key for client authentication. # # Both fields MUST be provided together. When the whole section is omitted (the default) the # outer-TLS layer reuses the [pki] cert/key — exactly the v2 behaviour. # # Typical Let's Encrypt deployment (certbot renews these files in-place automatically; the server # does NOT automate cert issuance or renewal — it just reads the PEMs at startup): # # [server.outer_cert] # cert_path = "/etc/letsencrypt/live/vpn.example.com/fullchain.pem" # key_path = "/etc/letsencrypt/live/vpn.example.com/privkey.pem" [tunnel] # Address pool / TUN network. v2 reads the active pool config from [server.pool] below; this value # is kept as the v1-compatible fallback (used when [server.pool] is omitted entirely) and as the # network the server-side TUN brings up. The server's own TUN IP is the network's first usable host # (e.g. 10.7.0.1 for 10.7.0.0/24). pool_cidr = "10.7.0.0/24" # TUN MTU (leave headroom under the path MTU for QUIC + Aura framing). mtu = 1420 # DNS server advertised to clients (informational in v1). dns = "10.7.0.1" # v2 per-client IP pool. Each authenticated client gets its own address from `cidr`; the server's # in-memory `client_ip -> connection` map demultiplexes TUN reads by destination IP. Omit the # whole [server.pool] section to get the v1-compatible fallback: [tunnel] pool_cidr is reused as a # dynamic-only pool with no static reservations. [server.pool] # Pool CIDR. Optional; defaults to [tunnel] pool_cidr when omitted. Must contain the server's own # TUN address (the network's first host) and every entry in [server.pool.static]. cidr = "10.7.0.0/24" # Allocation strategy: # "static_only" — only ids listed in [server.pool.static] are admitted; unknowns refused. # "dynamic_only" — static map is ignored; everyone gets the next free address. # "static_or_dynamic" — static reservation wins; unknown ids get a dynamic address (default). strategy = "static_or_dynamic" # Optional `client_id -> ip` pinnings. The key is the verified Common Name from the client's # certificate (see `aura pki issue-client --id `); the value must lie inside `cidr` above and # must not collide with the server's own address or another reservation. [server.pool.static] # "phone-1" = "10.7.0.20" # "laptop-1" = "10.7.0.21" # v2 auto-NAT: when `auto = true`, the server enables IPv4 forwarding at startup and adds a # MASQUERADE / pf-NAT rule for the address pool on the given egress interface, and rolls every # change back on shutdown (RAII guard inside `aura server`). Supported on Linux (sysctl + # iptables) and macOS (sysctl + pfctl). Omit the whole [server.nat] section to keep the v1 # behaviour where the operator configures forwarding by hand. There is no egress-interface # auto-detection in v1 — `egress_iface` is required when `auto = true`. # # IPv6 forwarding / ip6tables / nftables are NOT configured in v1 (TODO for v3). # # [server.nat] # auto = true # egress_iface = "eth0" # required when auto = true # dry_run = false # set to true to only log the planned commands without executing them [mimicry] # Outer-TLS camouflage hostname the server presents/expects. sni = "cdn.example.com" # Enable traffic padding to blend packet sizes into HTTPS buckets. padding = true [transport] # Aura's own post-quantum transport runs over plain UDP (primary), with TCP/443 and QUIC (HTTP/3 # mimicry) as fallbacks. On the server, `order` selects exactly which transports are bound and # accepted simultaneously. Omitting this whole section enables udp/tcp/quic on 443/443/444. order = ["udp", "tcp", "quic"] # The UDP transport and QUIC both ride UDP, so udp_port and quic_port MUST differ. TCP may reuse the # UDP port number (different protocol). Ports bind on the IP from [server] listen above. udp_port = 443 tcp_port = 443 quic_port = 444 # UDP: pad datagrams up to HTTPS size buckets to blur the on-wire size distribution. obfuscate = true # TCP: prepend a minimal HTTP/1.1 preamble (Host = [mimicry] sni) so the open resembles plain HTTP. masquerade = true [transport.masks] # Daily protocol-mask rotation. When `true`, every day at 05:00 MSK (= 02:00 UTC) the server # derives a new (SNI, User-Agent, Server-header, padding-profile) tuple from # HKDF-SHA256(CA-fingerprint, MSK-date) and applies it to new connections — the client derives the # same tuple independently from the CA fingerprint it already trusts, so no wire coordination is # needed. Existing connections keep the mask they accepted with. Default: true. # When `false`, the static values above ([mimicry] sni, [transport] obfuscate, ...) are used as-is. enabled = true [transport.knock] # UDP port-knocking. When `enabled = true`, the UDP transport demands a 16-byte HMAC prefix on # every HS datagram, derived from `knock_secret_source` (`"ca_fingerprint"` = SHA-256 of the CA # cert DER). To a passive scanner the listening UDP port looks closed. Default: false. enabled = false knock_secret_source = "ca_fingerprint" [transport.cover] # Idle-time cover traffic. When `enabled = true`, an established UDP connection periodically # injects encrypted Ping frames during idle windows so the on-wire byte rate stays roughly # constant. `mean_interval_ms` controls how often the chaffer wakes up; `jitter` is the # uniform-random fraction applied (e.g. 0.5 = ±50%). Default: disabled. enabled = false mean_interval_ms = 500 jitter = 0.5 # v3.1 multi-hop / onion routing: turn THIS server into an **entry-relay** that can splice an # inbound client connection to a downstream **exit-server**. Right after the inner Aura # handshake completes, the relay waits up to 2 seconds for the client to send a single # ExtendBridge control envelope describing the downstream exit's IP:port. When the address is # on `allow_extend_to`, the relay opens a `connect()`ed UDP socket to that exit, replies # CircuitReady, and forwards every byte verbatim — the inner client↔exit handshake travels # through the relay opaquely, so the relay never sees destination IPs or plaintext bytes. # # The connection in that role is NOT registered with the IP pool / [`ServerRouter`]; bridged # peers do not consume a tunnel address. If no ExtendBridge arrives within 2s the connection # falls back to the normal VPN-client path (so one server can serve both roles on one port). # v3.1 only supports the UDP transport for relay hops. # # Omitting the whole [server.relay] section (or `enabled = false`) keeps the v2 behaviour intact. # [server.relay] # enabled = true # Whitelist of allowed downstream destinations. v3.2 accepts three entry formats: # * "IP:port" — exact literal SocketAddr (the v3.1 form). # * "10.0.0.0/24" — bare CIDR; matches ANY port at any IP in the subnet. # * "10.0.0.0/24:443" — CIDR with explicit port; matches that port on any IP in the subnet. # * "[2001:db8::/32]:443" — square-bracket IPv6 CIDR with port. # * "2001:db8::/32" — bare IPv6 CIDR (any port). # Unparseable entries are logged at WARN and skipped. An empty list turns this server into an # OPEN relay accepting any downstream — dangerous; the runtime logs a WARN on each accepted bridge. # allow_extend_to = [ # "198.51.100.5:443", # the exit you operate (exact) # "203.0.113.0/24", # a whole /24 of trusted exits (any port) # "10.0.0.0/16:443", # a /16 of relays on port 443 only # ] # # v3.2 cell padding: opt-in. The relay itself does NOT decode cells — it just forwards bytes. # These knobs are documented here for symmetry; the actual decode happens on the EXIT (see # [server] cell_padding_for_circuit_clients below). # cell_padding = false # cell_size = 1280 # v3.2 EXIT-side cell padding. When an exit-server serves cell-padded circuit clients (i.e. the # clients have `[client.circuit] cell_padding = true`), add the following field to the [server] # block at the top of this file so the inner-handshake session's recv decodes the constant-size # cells and the send re-pads on the way back. Defaults to `false` for v3.1 compatibility. # cell_padding_for_circuit_clients = true