config.example.toml

# Onion-Transit configuration
# ============================
#
# WARNING: Onion-Transit centralizes Tor traffic through a single node.
# The transit node CAN SEE destination .onion addresses.
# Anonymity assumptions differ significantly from Tor Browser.

# ---------------------------------------------------------------------------
# Deployment mode
# ---------------------------------------------------------------------------
# "gateway"      - Network-facing SOCKS5 for multiple LAN/VPN clients (default)
# "app-embedded" - Binds 127.0.0.1 only, sidecar for a single application
mode = "gateway"

# ---------------------------------------------------------------------------
# Trust domain  (controls warning verbosity and default ACL suggestions)
# ---------------------------------------------------------------------------
# "lab"      - Relaxed defaults, wider subnets, minimal warnings
# "team"     - Moderate warnings, expects auth enabled
# "personal" - Strictest (localhost-only ACL), prominent startup warnings
trust_domain = "team"

# ---------------------------------------------------------------------------
# SOCKS5 proxy
# ---------------------------------------------------------------------------
[proxy]
socks5_listen = "0.0.0.0:1080"

# Connection timeouts (seconds)
handshake_timeout_secs = 10
idle_timeout_secs = 300

[proxy.auth]
enabled = false
username = ""
password = ""

# ---------------------------------------------------------------------------
# Transparent proxy  (requires `tproxy` feature + iptables REDIRECT rule)
# ---------------------------------------------------------------------------
[proxy.transparent]
enabled = false
listen = "0.0.0.0:9040"
# Maximum concurrent connections (backpressure beyond this limit)
max_connections = 4096

# ---------------------------------------------------------------------------
# Tor / Arti engine
# ---------------------------------------------------------------------------
[tor]
# Arti data directory (directory cache, guard state, keys)
# Uses Arti's native layout so upstream changes don't break things.
data_dir = "/var/lib/onion-transit/arti"
bootstrap_timeout_secs = 120

# ---------------------------------------------------------------------------
# Connection profiles
# ---------------------------------------------------------------------------
# OnionStrict   - Full 3-hop circuit, stream isolation per destination (default)
# OnionFast     - Reduced isolation, shared circuits where possible
# ClearnetDefault - Standard Tor exit policy
[tor.profiles]
default_onion = "OnionStrict"
default_clearnet = "ClearnetDefault"

# ---------------------------------------------------------------------------
# Security
# ---------------------------------------------------------------------------
[security]
# "standard" = full 3-hop circuits (recommended, always available)
# "reduced"  = REQUIRES: cargo feature `reduced-security` + --i-know-what-im-doing flag
mode = "standard"

# Restrict which client IPs can connect (CIDR notation)
allowed_clients = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]

# Restrict which .onion addresses can be accessed (empty = allow all)
allowed_onions = []

# Allow legacy v2 .onion addresses (16-char, deprecated, TEST ONLY)
allow_legacy_onion = false

# ---------------------------------------------------------------------------
# Logging
# ---------------------------------------------------------------------------
[logging]
# "info", "debug", "warn", "error", "trace"
level = "info"
# "stdout", "syslog", "file"
target = "stdout"
# Only used when target = "file"
file_path = "/var/log/onion-transit/onion-transit.log"
Initial commit 2026-02-15 08:14:32 +01:00			`# Onion-Transit configuration`
			`# ============================`
			`#`
			`# WARNING: Onion-Transit centralizes Tor traffic through a single node.`
			`# The transit node CAN SEE destination .onion addresses.`
			`# Anonymity assumptions differ significantly from Tor Browser.`

			`# ---------------------------------------------------------------------------`
			`# Deployment mode`
			`# ---------------------------------------------------------------------------`
			`# "gateway" - Network-facing SOCKS5 for multiple LAN/VPN clients (default)`
			`# "app-embedded" - Binds 127.0.0.1 only, sidecar for a single application`
			`mode = "gateway"`

			`# ---------------------------------------------------------------------------`
			`# Trust domain (controls warning verbosity and default ACL suggestions)`
			`# ---------------------------------------------------------------------------`
			`# "lab" - Relaxed defaults, wider subnets, minimal warnings`
			`# "team" - Moderate warnings, expects auth enabled`
			`# "personal" - Strictest (localhost-only ACL), prominent startup warnings`
			`trust_domain = "team"`

			`# ---------------------------------------------------------------------------`
			`# SOCKS5 proxy`
			`# ---------------------------------------------------------------------------`
			`[proxy]`
			`socks5_listen = "0.0.0.0:1080"`

			`# Connection timeouts (seconds)`
			`handshake_timeout_secs = 10`
			`idle_timeout_secs = 300`

			`[proxy.auth]`
			`enabled = false`
			`username = ""`
			`password = ""`

			`# ---------------------------------------------------------------------------`
			# Transparent proxy (requires `tproxy` feature + iptables REDIRECT rule)
			`# ---------------------------------------------------------------------------`
			`[proxy.transparent]`
			`enabled = false`
			`listen = "0.0.0.0:9040"`
			`# Maximum concurrent connections (backpressure beyond this limit)`
			`max_connections = 4096`

			`# ---------------------------------------------------------------------------`
			`# Tor / Arti engine`
			`# ---------------------------------------------------------------------------`
			`[tor]`
			`# Arti data directory (directory cache, guard state, keys)`
			`# Uses Arti's native layout so upstream changes don't break things.`
			`data_dir = "/var/lib/onion-transit/arti"`
			`bootstrap_timeout_secs = 120`

			`# ---------------------------------------------------------------------------`
			`# Connection profiles`
			`# ---------------------------------------------------------------------------`
			`# OnionStrict - Full 3-hop circuit, stream isolation per destination (default)`
			`# OnionFast - Reduced isolation, shared circuits where possible`
			`# ClearnetDefault - Standard Tor exit policy`
			`[tor.profiles]`
			`default_onion = "OnionStrict"`
			`default_clearnet = "ClearnetDefault"`

			`# ---------------------------------------------------------------------------`
			`# Security`
			`# ---------------------------------------------------------------------------`
			`[security]`
			`# "standard" = full 3-hop circuits (recommended, always available)`
			# "reduced" = REQUIRES: cargo feature `reduced-security` + --i-know-what-im-doing flag
			`mode = "standard"`

			`# Restrict which client IPs can connect (CIDR notation)`
			`allowed_clients = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]`

			`# Restrict which .onion addresses can be accessed (empty = allow all)`
			`allowed_onions = []`

			`# Allow legacy v2 .onion addresses (16-char, deprecated, TEST ONLY)`
			`allow_legacy_onion = false`

			`# ---------------------------------------------------------------------------`
			`# Logging`
			`# ---------------------------------------------------------------------------`
			`[logging]`
			`# "info", "debug", "warn", "error", "trace"`
			`level = "info"`
			`# "stdout", "syslog", "file"`
			`target = "stdout"`
			`# Only used when target = "file"`
			`file_path = "/var/log/onion-transit/onion-transit.log"`