onion-transit/README.md
2026-02-15 08:14:32 +01:00
# Onion-Transit
A centralized Tor proxy daemon that embeds [Arti](https://gitlab.torproject.org/tpo/core/arti) (Rust Tor implementation) and exposes SOCKS5 + optional transparent proxy interfaces for LAN/VPS clients.
## What it does
Clients on a local network or VPN delegate Tor circuit building to a single Onion-Transit node instead of running Tor locally. This trades some anonymity guarantees for simplified deployment and lower per-client overhead.
**Standard Tor .onion access:**
```
Client (3 hops) → Rendezvous ← Service (3 hops) = 6 hops total
```
**With Onion-Transit:**
```
Client → LAN → Transit (3 hops) → Rendezvous ← Service (3 hops)
```
The client's path is a single LAN hop to the Transit node. One Arti instance shares bootstrap, directory cache, and guard nodes across all clients.
## Security Warning
> **Onion-Transit centralizes Tor traffic and can see destination .onion names.
> Anonymity assumptions differ significantly from Tor Browser.**
This tool is designed for:
- Lab / office / team environments
- Development and testing
- VPS gateway for a trusted user group
It is **NOT** appropriate for: journalists, activists, or scenarios with adversarial threat models.
## Deployment Modes
| Mode | Binds to | Use case |
|------|----------|----------|
| `gateway` | `0.0.0.0:1080` | Shared SOCKS5 for LAN/VPN clients |
| `app-embedded` | `127.0.0.1` only | Sidecar for a single application |
## Quick Start
```bash
# Build
cargo build --release
# Check config before running
onion-transit config-check --config config.toml
# Start in gateway mode
onion-transit start --config config.toml
# Check runtime status
onion-transit status --json
```
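Once the gateway is up, any client only needs a SOCKS5 CONNECT that carries the destination as a domain name (ATYP 0x03), so the `.onion` name is handed to the Transit node instead of being looked up by the client's local resolver. The following Python client is an added example and not code from the Onion-Transit project; it assumes a gateway at `10.0.0.1:1080` (a constructed address; 1080 is the gateway listen port from the table above) that accepts the no-authentication method, and `example.onion` is a placeholder name.

```python
"""Minimal SOCKS5 CONNECT client for an Onion-Transit gateway (added example).

Assumes the gateway listens on 10.0.0.1:1080 (constructed address) and accepts
the 'no authentication' method. The destination is sent as a domain name so
the .onion name is resolved on the Transit node, never via the client's DNS.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
NO_AUTH = 0x00

# RFC 1928 reply codes, so a refused or failed circuit becomes a readable error.
REPLY_MESSAGES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

def build_greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def build_connect(host: str, port: int) -> bytes:
    """CONNECT request with the destination encoded as ATYP 0x03 (domain name)."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)

def parse_reply(data: bytes):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT into (rep, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        length = data[4]
        addr, end = data[5:5 + length].decode("ascii"), 5 + length
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    return rep, addr, struct.unpack("!H", data[end:end + 2])[0]

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("gateway closed the connection mid-handshake")
        buf += chunk
    return buf

def _read_reply(sock: socket.socket) -> bytes:
    """Read exactly one reply; its length depends on the bound-address type."""
    head = _recv_exact(sock, 4)
    atyp = head[3]
    if atyp == ATYP_IPV4:
        return head + _recv_exact(sock, 4 + 2)
    if atyp == ATYP_DOMAIN:
        length = _recv_exact(sock, 1)
        return head + length + _recv_exact(sock, length[0] + 2)
    raise ValueError(f"unsupported ATYP {atyp:#x}")

def connect_via_transit(dest_host, dest_port, gateway=("10.0.0.1", 1080), timeout=60.0):
    """Return a socket tunnelled to dest_host:dest_port through the Transit node."""
    sock = socket.create_connection(gateway, timeout=timeout)  # circuit setup can be slow
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("gateway rejected the no-auth method")
        sock.sendall(build_connect(dest_host, dest_port))
        rep, _, _ = parse_reply(_read_reply(sock))
        if rep != 0x00:
            raise ConnectionError(REPLY_MESSAGES.get(rep, f"SOCKS5 reply {rep:#x}"))
    except Exception:
        sock.close()
        raise
    return sock

if __name__ == "__main__":
    tunnel = connect_via_transit("example.onion", 80)  # placeholder .onion name
    tunnel.sendall(b"GET / HTTP/1.0\r\nHost: example.onion\r\n\r\n")
    print(tunnel.recv(4096).decode(errors="replace"))
    tunnel.close()
```

The point to check on a real deployment is the request bytes: if a client library sends ATYP 0x01 (an IPv4 address) for an `.onion` destination, it resolved the name locally before reaching the gateway, which is exactly the leak the domain-name form avoids.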
## Configuration
See [config.example.toml](config.example.toml) for all options with documentation.
Key settings:
```toml
mode = "gateway" # or "app-embedded"
trust_domain = "team" # "lab", "team", or "personal"
[security]
mode = "standard" # "reduced" requires feature flag + explicit opt-in
allowed_clients = ["10.0.0.0/8", "192.168.0.0/16"]
```
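In `gateway` mode the listener binds `0.0.0.0:1080`, so `allowed_clients` is the only thing deciding who may push traffic through the shared Arti instance. The check below is an added example, not Onion-Transit's own `config-check` logic: it parses the `[security]` entries shown above into networks, decides per connecting peer (including IPv4-mapped IPv6 peers as reported by a dual-stack listener), and lists the pre-flight warnings a practitioner would want before starting the daemon. The config dict is constructed for the example.

```python
"""Allow-list check for a gateway-mode SOCKS5 listener (added example).

Not Onion-Transit's own code: a generic reading of the [security] settings
in the README. SAMPLE_CONFIG is constructed to mirror those settings.
"""
import ipaddress

SAMPLE_CONFIG = {
    "mode": "gateway",
    "security": {
        "mode": "standard",
        "allowed_clients": ["10.0.0.0/8", "192.168.0.0/16"],
    },
}

def parse_allowed_clients(entries):
    """CIDR strings -> network objects; strict=True rejects host bits set in the
    prefix (e.g. '10.0.0.1/8'), which usually signals a typo in the config."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]

def client_allowed(client_ip: str, allowed) -> bool:
    """Decide whether a connecting peer may use the listener.

    A dual-stack listener reports IPv4 peers as IPv4-mapped IPv6 addresses
    (::ffff:10.1.2.3); unmap them so IPv4 allow-list entries still apply.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed)

def config_findings(config: dict) -> list:
    """Warnings a pre-flight check would raise before binding the listener."""
    findings = []
    security = config.get("security", {})
    networks = parse_allowed_clients(security.get("allowed_clients", []))
    if config.get("mode") == "gateway":
        # Gateway mode binds 0.0.0.0:1080: without a tight allow list, any host
        # that can reach the port can route traffic through the shared Tor client.
        if not networks:
            findings.append("gateway mode with no allowed_clients: anyone reaching port 1080 can use the proxy")
        for net in networks:
            if net.prefixlen == 0:
                findings.append(f"allowed_clients entry {net} matches every source address")
            elif not net.is_private:
                findings.append(f"allowed_clients entry {net} is a public range; confirm this is intended")
    if security.get("mode") == "reduced":
        findings.append("security.mode = reduced weakens Tor guarantees; needs the reduced-security feature and explicit opt-in")
    return findings

SAMPLE_NETWORKS = parse_allowed_clients(SAMPLE_CONFIG["security"]["allowed_clients"])

if __name__ == "__main__":
    for peer in ("10.1.2.3", "192.168.1.5", "172.16.0.1", "::ffff:10.9.9.9"):
        verdict = "accept" if client_allowed(peer, SAMPLE_NETWORKS) else "reject"
        print(f"{peer:>20} -> {verdict}")
    risky = {"mode": "gateway", "security": {"mode": "reduced", "allowed_clients": ["0.0.0.0/0"]}}
    for finding in config_findings(risky):
        print("warning:", finding)
```

Note that `172.16.0.1` is rejected even though it is RFC 1918 space: the allow list is what counts, not whether the peer looks "internal".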
## Transparent Proxy (Linux only)
Build with the `tproxy` feature and use the separate binary:
```bash
cargo build --release --features tproxy
```
The transparent proxy requires iptables/nftables DNAT/REDIRECT rules. It does **not** support other interception methods. Example:
```bash
# iptables matches addresses, not names: replace the placeholder with the
# address range your deployment maps .onion destinations to.
iptables -t nat -A OUTPUT -p tcp -d <ONION_VIRTUAL_RANGE> --dport 80 \
  -j REDIRECT --to-ports 9040
```
Run the dedicated binary (may require elevated privileges):
```bash
onion-transit-tproxy --config config.toml
```
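The reason only DNAT/REDIRECT interception works for this kind of listener: by the time a redirected connection reaches port 9040 the kernel has rewritten its destination, so the proxy must ask netfilter for the original address with the `SO_ORIGINAL_DST` socket option, and netfilter only has that information for connections that passed through a DNAT/REDIRECT rule. The Python sketch below is an added example, not Onion-Transit's tproxy code; it shows the lookup on an accepted connection and the decoding of the `sockaddr_in` it returns. The lookup is Linux-only, the decoding helper runs anywhere, and the sample address is constructed.

```python
"""Recovering the pre-REDIRECT destination on a tproxy listener (added example).

Not Onion-Transit's own code: a generic illustration of how a listener behind
an iptables REDIRECT rule learns where the client was really going.
"""
import socket
import struct

SO_ORIGINAL_DST = 80  # option number from linux/netfilter_ipv4.h

def parse_sockaddr_in(raw: bytes):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns -> (ip, port)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack("=H", raw[0:2])[0]   # sa_family, host byte order
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]     # sin_port, network byte order
    return socket.inet_ntoa(raw[4:8]), port     # sin_addr, 4 bytes

def make_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the same 16-byte struct; used here to construct sample input offline."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))

def original_destination(conn: socket.socket):
    """Ask netfilter for the destination the client used before REDIRECT rewrote it."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)

def serve(listen_port: int = 9040):
    """Accept redirected connections and log each one's original destination."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # An OUTPUT-chain REDIRECT sends locally generated packets to 127.0.0.1.
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        try:
            ip, port = original_destination(conn)
            print(f"{peer[0]}:{peer[1]} -> original destination {ip}:{port}")
        except OSError as exc:
            # A direct connection to the listener (no REDIRECT/DNAT on its path)
            # has no original destination to recover; refuse rather than guess.
            print(f"{peer[0]}:{peer[1]} -> not a redirected connection ({exc})")
        finally:
            conn.close()

if __name__ == "__main__":
    serve()
```

A connection that arrives without passing a REDIRECT/DNAT rule fails the `getsockopt` call, which is the correct outcome: a transparent proxy that falls back to guessing the destination would be trivially misrouted.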
## Building
```bash
# Standard build (SOCKS5 only)
cargo build --release
# With transparent proxy support
cargo build --release --features tproxy
# With reduced-security mode (DANGER)
cargo build --release --features reduced-security
```
## Connection Profiles
| Profile | Description |
|---------|-------------|
| `OnionStrict` | Full 3-hop circuit, stream isolation per destination (default) |
| `OnionFast` | Reduced isolation, shared circuits where possible |
| `ClearnetDefault` | Standard Tor exit policy |
## License
MIT