xah30
9b98004424
Closes the v3.1 unlinkability gap and resists volume/timing correlation:
1) Per-hop client cert (identity-unlinkable hops). [[client.circuit.hops]]
now accepts {addr, cert_path, key_path, [server_name]} per hop — each
hop sees a different CN, so a relay and an exit cannot correlate the
same client by certificate. Old flat `hops = ["ip:port"]` form still
parses (serde untagged enum) and falls back to [pki] cert/key.
`aura provision-client --circuit-hops N` mints N fresh UUIDv4 certs.
2) Cell padding. CellPaddingConn wrapper pads every outgoing packet to a
fixed size (default 1280 bytes; `cell_size = N` configurable) before
it hits the inner AEAD. Format: u16_be(real_len) || pkt || zero_pad.
On-wire sizes become constant -> defeats volume/timing fingerprints.
Opt-in via [client.circuit] cell_padding = true and the mirror
[server] cell_padding_for_circuit_clients = true.
3) 3-hop support. dial_circuit now accepts N >= 2 hops; iterative
ExtendBridge nests N-1 forwarders and N handshakes. Client owns the
full chain via CircuitConnection (forwarders abort on drop).
New integration test multihop_v3_2_three_hops_end_to_end runs three
in-process actors (A relay -> B relay -> C exit) on loopback and
verifies peer_id == C's CN.
4) CIDR whitelist. [server.relay] allow_extend_to entries accept
"10.0.0.0/24" (subnet, any port), "10.0.0.0/24:443" (subnet + port),
"[2001:db8::/32]:443" (IPv6 with port), as well as exact IP:port.
Empty list keeps the v3.1 open-relay (warn).
19 new tests; workspace 276 passed (+19), clippy -D warnings clean, fmt clean.
257 baseline tests untouched; all v2 / v3.1 / LE configs work as before.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
179 lines
9.7 KiB
TOML
179 lines
9.7 KiB
TOML
# Aura VPN server configuration (project §9).
|
|
# Copy to server.toml and adjust. Paths may begin with `~` (expands to your home directory).
|
|
|
|
[server]
|
|
# Human-readable name (also the server's inner-handshake identity).
|
|
name = "aura-edge-1"
|
|
# UDP socket to listen on. ":443" mimics HTTPS; binding it needs privileges.
|
|
listen = "0.0.0.0:443"
|
|
# Accept workers (advisory in v1).
|
|
workers = 4
|
|
# Optional: drop privileges to this non-root user AFTER the TUN, low-port sockets and any
|
|
# [server.nat] commands have been applied. Recommended on production hosts so the long-running
|
|
# accept loop does not stay as root. Linux uses setresuid/setresgid (full triple-drop); macOS
|
|
# uses setgid/setuid; Windows is a no-op (use a service account instead). When omitted (or
|
|
# already running as non-root) no privilege change happens.
|
|
# run_as = "nobody"
|
|
# Suppress identifier fields (peer_id, client_ip, source_addr, ...) from log output. The events
|
|
# still fire (so counters and rates are unaffected); only the offending fields are dropped before
|
|
# formatting. Default: false. Set to true on production hosts to keep the log file from accumulating
|
|
# the per-client identifiers Russian telcos may be compelled to forward on request.
|
|
no_logs = false
|
|
|
|
[pki]
|
|
# Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM.
|
|
# Generate with: aura pki init --ca-name "Aura CA" --out ~/.aura
|
|
# aura pki issue-server --domain vpn.example.com --out ~/.aura --ca ~/.aura
|
|
ca_cert = "~/.aura/ca.crt"
|
|
cert = "~/.aura/server.crt"
|
|
key = "~/.aura/server.key"
|
|
|
|
# v3 optional: provide a SEPARATE outer-TLS certificate for the QUIC and TCP transports. When set,
|
|
# a passive observer on :443 sees a CA-trusted handshake (e.g. Let's Encrypt) instead of the
|
|
# self-signed Aura cert above — which is much harder to fingerprint. The inner Aura mutual-auth
|
|
# handshake still uses the [pki] cert/key for client authentication.
|
|
#
|
|
# Both fields MUST be provided together. When the whole section is omitted (the default) the
|
|
# outer-TLS layer reuses the [pki] cert/key — exactly the v2 behaviour.
|
|
#
|
|
# Typical Let's Encrypt deployment (certbot renews these files in-place automatically; the server
|
|
# does NOT automate cert issuance or renewal — it just reads the PEMs at startup):
|
|
#
|
|
# [server.outer_cert]
|
|
# cert_path = "/etc/letsencrypt/live/vpn.example.com/fullchain.pem"
|
|
# key_path = "/etc/letsencrypt/live/vpn.example.com/privkey.pem"
|
|
|
|
[tunnel]
|
|
# Address pool / TUN network. v2 reads the active pool config from [server.pool] below; this value
|
|
# is kept as the v1-compatible fallback (used when [server.pool] is omitted entirely) and as the
|
|
# network the server-side TUN brings up. The server's own TUN IP is the network's first usable host
|
|
# (e.g. 10.7.0.1 for 10.7.0.0/24).
|
|
pool_cidr = "10.7.0.0/24"
|
|
# TUN MTU (leave headroom under the path MTU for QUIC + Aura framing).
|
|
mtu = 1420
|
|
# DNS server advertised to clients (informational in v1).
|
|
dns = "10.7.0.1"
|
|
|
|
# v2 per-client IP pool. Each authenticated client gets its own address from `cidr`; the server's
|
|
# in-memory `client_ip -> connection` map demultiplexes TUN reads by destination IP. Omit the
|
|
# whole [server.pool] section to get the v1-compatible fallback: [tunnel] pool_cidr is reused as a
|
|
# dynamic-only pool with no static reservations.
|
|
[server.pool]
|
|
# Pool CIDR. Optional; defaults to [tunnel] pool_cidr when omitted. Must contain the server's own
|
|
# TUN address (the network's first host) and every entry in [server.pool.static].
|
|
cidr = "10.7.0.0/24"
|
|
# Allocation strategy:
|
|
# "static_only" — only ids listed in [server.pool.static] are admitted; unknowns refused.
|
|
# "dynamic_only" — static map is ignored; everyone gets the next free address.
|
|
# "static_or_dynamic" — static reservation wins; unknown ids get a dynamic address (default).
|
|
strategy = "static_or_dynamic"
|
|
|
|
# Optional `client_id -> ip` pinnings. The key is the verified Common Name from the client's
|
|
# certificate (see `aura pki issue-client --id <name>`); the value must lie inside `cidr` above and
|
|
# must not collide with the server's own address or another reservation.
|
|
[server.pool.static]
|
|
# "phone-1" = "10.7.0.20"
|
|
# "laptop-1" = "10.7.0.21"
|
|
|
|
# v2 auto-NAT: when `auto = true`, the server enables IPv4 forwarding at startup and adds a
|
|
# MASQUERADE / pf-NAT rule for the address pool on the given egress interface, and rolls every
|
|
# change back on shutdown (RAII guard inside `aura server`). Supported on Linux (sysctl +
|
|
# iptables) and macOS (sysctl + pfctl). Omit the whole [server.nat] section to keep the v1
|
|
# behaviour where the operator configures forwarding by hand. There is no egress-interface
|
|
# auto-detection in v1 — `egress_iface` is required when `auto = true`.
|
|
#
|
|
# IPv6 forwarding / ip6tables / nftables are NOT configured in v1 (TODO for v3).
|
|
#
|
|
# [server.nat]
|
|
# auto = true
|
|
# egress_iface = "eth0" # required when auto = true
|
|
# dry_run = false # set to true to only log the planned commands without executing them
|
|
|
|
[mimicry]
|
|
# Outer-TLS camouflage hostname the server presents/expects.
|
|
sni = "cdn.example.com"
|
|
# Enable traffic padding to blend packet sizes into HTTPS buckets.
|
|
padding = true
|
|
|
|
[transport]
|
|
# Aura's own post-quantum transport runs over plain UDP (primary), with TCP/443 and QUIC (HTTP/3
|
|
# mimicry) as fallbacks. On the server, `order` selects exactly which transports are bound and
|
|
# accepted simultaneously. Omitting this whole section enables udp/tcp/quic on 443/443/444.
|
|
order = ["udp", "tcp", "quic"]
|
|
# The UDP transport and QUIC both ride UDP, so udp_port and quic_port MUST differ. TCP may reuse the
|
|
# UDP port number (different protocol). Ports bind on the IP from [server] listen above.
|
|
udp_port = 443
|
|
tcp_port = 443
|
|
quic_port = 444
|
|
# UDP: pad datagrams up to HTTPS size buckets to blur the on-wire size distribution.
|
|
obfuscate = true
|
|
# TCP: prepend a minimal HTTP/1.1 preamble (Host = [mimicry] sni) so the open resembles plain HTTP.
|
|
masquerade = true
|
|
|
|
[transport.masks]
|
|
# Daily protocol-mask rotation. When `true`, every day at 05:00 MSK (= 02:00 UTC) the server
|
|
# derives a new (SNI, User-Agent, Server-header, padding-profile) tuple from
|
|
# HKDF-SHA256(CA-fingerprint, MSK-date) and applies it to new connections — the client derives the
|
|
# same tuple independently from the CA fingerprint it already trusts, so no wire coordination is
|
|
# needed. Existing connections keep the mask they accepted with. Default: true.
|
|
# When `false`, the static values above ([mimicry] sni, [transport] obfuscate, ...) are used as-is.
|
|
enabled = true
|
|
|
|
[transport.knock]
|
|
# UDP port-knocking. When `enabled = true`, the UDP transport demands a 16-byte HMAC prefix on
|
|
# every HS datagram, derived from `knock_secret_source` (`"ca_fingerprint"` = SHA-256 of the CA
|
|
# cert DER). To a passive scanner the listening UDP port looks closed. Default: false.
|
|
enabled = false
|
|
knock_secret_source = "ca_fingerprint"
|
|
|
|
[transport.cover]
|
|
# Idle-time cover traffic. When `enabled = true`, an established UDP connection periodically
|
|
# injects encrypted Ping frames during idle windows so the on-wire byte rate stays roughly
|
|
# constant. `mean_interval_ms` controls how often the chaffer wakes up; `jitter` is the
|
|
# uniform-random fraction applied (e.g. 0.5 = ±50%). Default: disabled.
|
|
enabled = false
|
|
mean_interval_ms = 500
|
|
jitter = 0.5
|
|
|
|
# v3.1 multi-hop / onion routing: turn THIS server into an **entry-relay** that can splice an
|
|
# inbound client connection to a downstream **exit-server**. Right after the inner Aura
|
|
# handshake completes, the relay waits up to 2 seconds for the client to send a single
|
|
# ExtendBridge control envelope describing the downstream exit's IP:port. When the address is
|
|
# on `allow_extend_to`, the relay opens a `connect()`ed UDP socket to that exit, replies
|
|
# CircuitReady, and forwards every byte verbatim — the inner client↔exit handshake travels
|
|
# through the relay opaquely, so the relay never sees destination IPs or plaintext bytes.
|
|
#
|
|
# The connection in that role is NOT registered with the IP pool / [`ServerRouter`]; bridged
|
|
# peers do not consume a tunnel address. If no ExtendBridge arrives within 2s the connection
|
|
# falls back to the normal VPN-client path (so one server can serve both roles on one port).
|
|
# v3.1 only supports the UDP transport for relay hops.
|
|
#
|
|
# Omitting the whole [server.relay] section (or `enabled = false`) keeps the v2 behaviour intact.
|
|
# [server.relay]
|
|
# enabled = true
|
|
# Whitelist of allowed downstream destinations. v3.2 accepts three entry formats:
|
|
# * "IP:port" — exact literal SocketAddr (the v3.1 form).
|
|
# * "10.0.0.0/24" — bare CIDR; matches ANY port at any IP in the subnet.
|
|
# * "10.0.0.0/24:443" — CIDR with explicit port; matches that port on any IP in the subnet.
|
|
# * "[2001:db8::/32]:443" — square-bracket IPv6 CIDR with port.
|
|
# * "2001:db8::/32" — bare IPv6 CIDR (any port).
|
|
# Unparseable entries are logged at WARN and skipped. An empty list turns this server into an
|
|
# OPEN relay accepting any downstream — dangerous; the runtime logs a WARN on each accepted bridge.
|
|
# allow_extend_to = [
|
|
# "198.51.100.5:443", # the exit you operate (exact)
|
|
# "203.0.113.0/24", # a whole /24 of trusted exits (any port)
|
|
# "10.0.0.0/16:443", # a /16 of relays on port 443 only
|
|
# ]
|
|
#
|
|
# v3.2 cell padding: opt-in. The relay itself does NOT decode cells — it just forwards bytes.
|
|
# These knobs are documented here for symmetry; the actual decode happens on the EXIT (see
|
|
# [server] cell_padding_for_circuit_clients below).
|
|
# cell_padding = false
|
|
# cell_size = 1280
|
|
|
|
# v3.2 EXIT-side cell padding. When an exit-server serves cell-padded circuit clients (i.e. the
|
|
# clients have `[client.circuit] cell_padding = true`), add the following field to the [server]
|
|
# block at the top of this file so the inner-handshake session's recv decodes the constant-size
|
|
# cells and the send re-pads on the way back. Defaults to `false` for v3.1 compatibility.
|
|
# cell_padding_for_circuit_clients = true
|