xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
75e350e8700be4f036a0b0a0286885177866f5a2
AuraVPN/config/server.toml.example
T
xah30 0a73d5298b feat(cli): server IP pool + per-client routing (multi-client VPN concentrator) 
Server now assigns each connected client an IP from a configurable pool and
maintains a client_ip -> AuraConnection map so packets read from the shared
TUN are dispatched to the right client (and each client's recv loop writes
back to the TUN). Removes v1's "single shared TUN, no NAT/pool" limitation;
turns the server into a proper multi-client VPN concentrator (paired with the
already-landed UDP multi-client demux).

- aura_cli::pool: IpPool + PoolStrategy {StaticOnly, DynamicOnly,
  StaticOrDynamic}; reserves network/broadcast/server-own IP; 15 tests.
- aura_cli::server_router: ServerRouter + ServerRoutes (Arc<RwLock<HashMap>>);
  central TUN read loop dispatching by dst_ip; spawn_inbound_forwarder per
  conn auto-unregisters and releases the IP on disconnect; 4 tests via
  MockTun + MockConn.
- aura_cli::config: [server.pool] {cidr, strategy, static} added with
  serde(default); legacy configs (only [tunnel] pool_cidr) fall back to a
  DynamicOnly pool (backward compatible, tested).
- aura_cli::server: accept loop now: pool.assign(peer_id) -> register ->
  spawn_inbound_forwarder; rejected static_only mismatches dropped+logged.
- config/server.toml.example: documented [server.pool] section.

Workspace: 141 tests passed (+24), clippy -D warnings clean, fmt clean. No
new workspace deps (async-trait added to cli dev-deps for mock traits in tests).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 01:41:29 +03:00

81 lines
3.9 KiB
TOML
Raw Blame History

# Aura VPN server configuration (project §9).
# Copy to server.toml and adjust. Paths may begin with `~` (expands to your home directory).
[server]
# Human-readable name (also the server's inner-handshake identity).
name = "aura-edge-1"
# UDP socket to listen on. ":443" mimics HTTPS; binding it needs privileges.
listen = "0.0.0.0:443"
# Accept workers (advisory in v1).
workers = 4
[pki]
# Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM.
# Generate with: aura pki init --ca-name "Aura CA" --out ~/.aura
# aura pki issue-server --domain vpn.example.com --out ~/.aura --ca ~/.aura
ca_cert = "~/.aura/ca.crt"
cert = "~/.aura/server.crt"
key = "~/.aura/server.key"
[tunnel]
# Address pool / TUN network. v2 reads the active pool config from [server.pool] below; this value
# is kept as the v1-compatible fallback (used when [server.pool] is omitted entirely) and as the
# network the server-side TUN brings up. The server's own TUN IP is the network's first usable host
# (e.g. 10.7.0.1 for 10.7.0.0/24).
pool_cidr = "10.7.0.0/24"
# TUN MTU (leave headroom under the path MTU for QUIC + Aura framing).
mtu = 1420
# DNS server advertised to clients (informational in v1).
dns = "10.7.0.1"
# v2 per-client IP pool. Each authenticated client gets its own address from `cidr`; the server's
# in-memory `client_ip -> connection` map demultiplexes TUN reads by destination IP. Omit the
# whole [server.pool] section to get the v1-compatible fallback: [tunnel] pool_cidr is reused as a
# dynamic-only pool with no static reservations.
[server.pool]
# Pool CIDR. Optional; defaults to [tunnel] pool_cidr when omitted. Must contain the server's own
# TUN address (the network's first host) and every entry in [server.pool.static].
cidr = "10.7.0.0/24"
# Allocation strategy:
# "static_only" — only ids listed in [server.pool.static] are admitted; unknowns refused.
# "dynamic_only" — static map is ignored; everyone gets the next free address.
# "static_or_dynamic" — static reservation wins; unknown ids get a dynamic address (default).
strategy = "static_or_dynamic"
# Optional `client_id -> ip` pinnings. The key is the verified Common Name from the client's
# certificate (see `aura pki issue-client --id <name>`); the value must lie inside `cidr` above and
# must not collide with the server's own address or another reservation.
[server.pool.static]
# "phone-1" = "10.7.0.20"
# "laptop-1" = "10.7.0.21"
[mimicry]
# Outer-TLS camouflage hostname the server presents/expects.
sni = "cdn.example.com"
# Enable traffic padding to blend packet sizes into HTTPS buckets.
padding = true
[transport]
# Aura's own post-quantum transport runs over plain UDP (primary), with TCP/443 and QUIC (HTTP/3
# mimicry) as fallbacks. On the server, `order` selects exactly which transports are bound and
# accepted simultaneously. Omitting this whole section enables udp/tcp/quic on 443/443/444.
order = ["udp", "tcp", "quic"]
# The UDP transport and QUIC both ride UDP, so udp_port and quic_port MUST differ. TCP may reuse the
# UDP port number (different protocol). Ports bind on the IP from [server] listen above.
udp_port = 443
tcp_port = 443
quic_port = 444
# UDP: pad datagrams up to HTTPS size buckets to blur the on-wire size distribution.
obfuscate = true
# TCP: prepend a minimal HTTP/1.1 preamble (Host = [mimicry] sni) so the open resembles plain HTTP.
masquerade = true
[transport.masks]
# Daily protocol-mask rotation. When `true`, every day at 05:00 MSK (= 02:00 UTC) the server
# derives a new (SNI, User-Agent, Server-header, padding-profile) tuple from
# HKDF-SHA256(CA-fingerprint, MSK-date) and applies it to new connections — the client derives the
# same tuple independently from the CA fingerprint it already trusts, so no wire coordination is
# needed. Existing connections keep the mask they accepted with. Default: true.
# When `false`, the static values above ([mimicry] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
Reference in New Issue View Git Blame Copy Permalink