xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
278bcced956e3bda0d4bfa08e63c6b8f37e717d2
AuraVPN/crates/aura-cli/Cargo.toml
T
xah30 c6f0d7af9b feat(cli): auto-NAT + privilege drop + Windows named-pipe admin 
Three v2-hardening features in aura-cli, one pass:

- nat::NatGuard: RAII auto-config of IP forwarding + MASQUERADE on server
  startup. Linux (sysctl ip_forward + iptables -t nat MASQUERADE) and
  macOS (sysctl ip.forwarding + pfctl with /tmp/aura-nat.conf). dry_run
  works on every platform (logs "would run: ..."). Reverts everything in
  Drop. New [server.nat] {auto, egress_iface, dry_run}; absent section =
  back-compat no-op. Removes v1's "manual NAT/forwarding" step.
- privdrop::drop_to_user: drop euid/gid after binding TUN + privileged
  ports. Linux setresuid/setresgid, macOS setgid+setuid (permanent drop),
  Windows no-op with warning. New [server] / [client] run_as = "..."
  (optional). Skipped with info-log if already non-root.
- admin: split transport into cfg(unix) Unix-socket and cfg(windows) Tokio
  named-pipe modules sharing one JSON-line serve/request flow over
  AsyncRead/AsyncWrite. DEFAULT_SOCKET = "/tmp/aura-admin.sock" on Unix,
  r"\\.\pipe\aura-admin" on Windows. Removes v1's "admin Unix-only".

Deps: nix 0.29 user feature under [target.'cfg(unix)'.dependencies] (cli-
local, not workspace). Workspace: 155 tests passed (+13), clippy -D warnings
clean, fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 02:09:38 +03:00

50 lines
1.6 KiB
TOML
Raw Blame History

[package]
name = "aura-cli"
version.workspace = true
edition.workspace = true
license.workspace = true
description = "Aura CLI: client/server binary, PKI management, split-tunnel admin"
[lib]
name = "aura_cli"
path = "src/lib.rs"
[[bin]]
name = "aura"
path = "src/main.rs"
[dependencies]
aura-crypto.workspace = true
aura-pki.workspace = true
aura-proto.workspace = true
aura-transport.workspace = true
aura-tunnel.workspace = true
clap.workspace = true
tokio.workspace = true
toml.workspace = true
serde.workspace = true
# Admin IPC line protocol (JSON requests/responses over the Unix socket).
serde_json = "1"
# Parse CIDR rules from the split-tunnel config and the `route` admin commands.
ipnetwork.workspace = true
tracing.workspace = true
tracing-subscriber.workspace = true
anyhow.workspace = true
uuid.workspace = true
# Unix-only: nix is used by the privilege-drop helper (`privdrop::drop_to_user`) to look up
# the target user via getpwnam and drop the real/effective/saved uid+gid after binding
# privileged sockets / creating the TUN. Linux uses setresuid/setresgid; macOS uses
# setgid/setuid (no setresuid in the BSD ABI). The "user" feature gates the User::from_name
# helper. No nix on Windows (privilege drop is a no-op there; see privdrop.rs).
[target.'cfg(unix)'.dependencies]
nix = { version = "0.29", default-features = false, features = ["user"] }
[dev-dependencies]
tokio.workspace = true
# Loopback + PKI-roundtrip tests build certificate chains for the verifier.
rustls-pki-types.workspace = true
x509-parser.workspace = true
# Per-client routing tests implement PacketIo / PacketConnection traits on in-memory mocks.
async-trait.workspace = true
Reference in New Issue View Git Blame Copy Permalink