xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c6f0d7af9b7ac55e3bf20fb2923b50e4ebd51dd1
AuraVPN/config/server.toml.example
T
xah30 c6f0d7af9b feat(cli): auto-NAT + privilege drop + Windows named-pipe admin 
Three v2-hardening features in aura-cli, one pass:

- nat::NatGuard: RAII auto-config of IP forwarding + MASQUERADE on server
  startup. Linux (sysctl ip_forward + iptables -t nat MASQUERADE) and
  macOS (sysctl ip.forwarding + pfctl with /tmp/aura-nat.conf). dry_run
  works on every platform (logs "would run: ..."). Reverts everything in
  Drop. New [server.nat] {auto, egress_iface, dry_run}; absent section =
  back-compat no-op. Removes v1's "manual NAT/forwarding" step.
- privdrop::drop_to_user: drop euid/gid after binding TUN + privileged
  ports. Linux setresuid/setresgid, macOS setgid+setuid (permanent drop),
  Windows no-op with warning. New [server] / [client] run_as = "..."
  (optional). Skipped with info-log if already non-root.
- admin: split transport into cfg(unix) Unix-socket and cfg(windows) Tokio
  named-pipe modules sharing one JSON-line serve/request flow over
  AsyncRead/AsyncWrite. DEFAULT_SOCKET = "/tmp/aura-admin.sock" on Unix,
  r"\\.\pipe\aura-admin" on Windows. Removes v1's "admin Unix-only".

Deps: nix 0.29 user feature under [target.'cfg(unix)'.dependencies] (cli-
local, not workspace). Workspace: 155 tests passed (+13), clippy -D warnings
clean, fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 02:09:38 +03:00

101 lines
5.1 KiB
TOML
Raw Blame History

# Aura VPN server configuration (project §9).
# Copy to server.toml and adjust. Paths may begin with `~` (expands to your home directory).
[server]
# Human-readable name (also the server's inner-handshake identity).
name = "aura-edge-1"
# UDP socket to listen on. ":443" mimics HTTPS; binding it needs privileges.
listen = "0.0.0.0:443"
# Accept workers (advisory in v1).
workers = 4
# Optional: drop privileges to this non-root user AFTER the TUN, low-port sockets and any
# [server.nat] commands have been applied. Recommended on production hosts so the long-running
# accept loop does not stay as root. Linux uses setresuid/setresgid (full triple-drop); macOS
# uses setgid/setuid; Windows is a no-op (use a service account instead). When omitted (or
# already running as non-root) no privilege change happens.
# run_as = "nobody"
[pki]
# Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM.
# Generate with: aura pki init --ca-name "Aura CA" --out ~/.aura
# aura pki issue-server --domain vpn.example.com --out ~/.aura --ca ~/.aura
ca_cert = "~/.aura/ca.crt"
cert = "~/.aura/server.crt"
key = "~/.aura/server.key"
[tunnel]
# Address pool / TUN network. v2 reads the active pool config from [server.pool] below; this value
# is kept as the v1-compatible fallback (used when [server.pool] is omitted entirely) and as the
# network the server-side TUN brings up. The server's own TUN IP is the network's first usable host
# (e.g. 10.7.0.1 for 10.7.0.0/24).
pool_cidr = "10.7.0.0/24"
# TUN MTU (leave headroom under the path MTU for QUIC + Aura framing).
mtu = 1420
# DNS server advertised to clients (informational in v1).
dns = "10.7.0.1"
# v2 per-client IP pool. Each authenticated client gets its own address from `cidr`; the server's
# in-memory `client_ip -> connection` map demultiplexes TUN reads by destination IP. Omit the
# whole [server.pool] section to get the v1-compatible fallback: [tunnel] pool_cidr is reused as a
# dynamic-only pool with no static reservations.
[server.pool]
# Pool CIDR. Optional; defaults to [tunnel] pool_cidr when omitted. Must contain the server's own
# TUN address (the network's first host) and every entry in [server.pool.static].
cidr = "10.7.0.0/24"
# Allocation strategy:
# "static_only" — only ids listed in [server.pool.static] are admitted; unknowns refused.
# "dynamic_only" — static map is ignored; everyone gets the next free address.
# "static_or_dynamic" — static reservation wins; unknown ids get a dynamic address (default).
strategy = "static_or_dynamic"
# Optional `client_id -> ip` pinnings. The key is the verified Common Name from the client's
# certificate (see `aura pki issue-client --id <name>`); the value must lie inside `cidr` above and
# must not collide with the server's own address or another reservation.
[server.pool.static]
# "phone-1" = "10.7.0.20"
# "laptop-1" = "10.7.0.21"
# v2 auto-NAT: when `auto = true`, the server enables IPv4 forwarding at startup and adds a
# MASQUERADE / pf-NAT rule for the address pool on the given egress interface, and rolls every
# change back on shutdown (RAII guard inside `aura server`). Supported on Linux (sysctl +
# iptables) and macOS (sysctl + pfctl). Omit the whole [server.nat] section to keep the v1
# behaviour where the operator configures forwarding by hand. There is no egress-interface
# auto-detection in v1 — `egress_iface` is required when `auto = true`.
#
# IPv6 forwarding / ip6tables / nftables are NOT configured in v1 (TODO for v3).
#
# [server.nat]
# auto = true
# egress_iface = "eth0" # required when auto = true
# dry_run = false # set to true to only log the planned commands without executing them
[mimicry]
# Outer-TLS camouflage hostname the server presents/expects.
sni = "cdn.example.com"
# Enable traffic padding to blend packet sizes into HTTPS buckets.
padding = true
[transport]
# Aura's own post-quantum transport runs over plain UDP (primary), with TCP/443 and QUIC (HTTP/3
# mimicry) as fallbacks. On the server, `order` selects exactly which transports are bound and
# accepted simultaneously. Omitting this whole section enables udp/tcp/quic on 443/443/444.
order = ["udp", "tcp", "quic"]
# The UDP transport and QUIC both ride UDP, so udp_port and quic_port MUST differ. TCP may reuse the
# UDP port number (different protocol). Ports bind on the IP from [server] listen above.
udp_port = 443
tcp_port = 443
quic_port = 444
# UDP: pad datagrams up to HTTPS size buckets to blur the on-wire size distribution.
obfuscate = true
# TCP: prepend a minimal HTTP/1.1 preamble (Host = [mimicry] sni) so the open resembles plain HTTP.
masquerade = true
[transport.masks]
# Daily protocol-mask rotation. When `true`, every day at 05:00 MSK (= 02:00 UTC) the server
# derives a new (SNI, User-Agent, Server-header, padding-profile) tuple from
# HKDF-SHA256(CA-fingerprint, MSK-date) and applies it to new connections — the client derives the
# same tuple independently from the CA fingerprint it already trusts, so no wire coordination is
# needed. Existing connections keep the mask they accepted with. Default: true.
# When `false`, the static values above ([mimicry] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
Reference in New Issue View Git Blame Copy Permalink