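# Onion-Transit configuration
# ============================
#
# WARNING: Onion-Transit centralizes Tor traffic through a single node.
# The transit node CAN SEE destination .onion addresses.
# Anonymity assumptions differ significantly from Tor Browser.
# Whoever administers (or compromises) this host can pair each client with
# every destination it reaches; protect the host, this file and the logs
# with that in mind.

# ---------------------------------------------------------------------------
# Deployment mode
# ---------------------------------------------------------------------------
# "gateway"      - Network-facing SOCKS5 for multiple LAN/VPN clients (default)
# "app-embedded" - Binds 127.0.0.1 only, sidecar for a single application
mode = "gateway"

# ---------------------------------------------------------------------------
# Trust domain (controls warning verbosity and default ACL suggestions)
# ---------------------------------------------------------------------------
# "lab"      - Relaxed defaults, wider subnets, minimal warnings
# "team"     - Moderate warnings, expects auth enabled
# "personal" - Strictest (localhost-only ACL), prominent startup warnings
#
# NOTE: "team" expects [proxy.auth] to be enabled, but as shipped below it is
# not, so the only gate on the network-facing listener is the IP ACL in
# [security].allowed_clients. Enable auth (or narrow the ACL) before
# exposing the listener beyond a trusted segment.
trust_domain = "team"

# ---------------------------------------------------------------------------
# SOCKS5 proxy
# ---------------------------------------------------------------------------
[proxy]
# 0.0.0.0 binds every interface. In "gateway" mode prefer the address of the
# LAN/VPN interface the clients actually use so the proxy is not reachable
# from interfaces it was never meant to serve.
socks5_listen = "0.0.0.0:1080"

# Connection timeouts (seconds)
handshake_timeout_secs = 10
idle_timeout_secs = 300

[proxy.auth]
# SOCKS5 username/password (presumably RFC 1929) is sent in cleartext on the
# client<->proxy hop; it deters casual misuse on a trusted network and
# complements the IP ACL rather than replacing it.
# TOML has no env-var expansion, so the password sits in this file as
# plaintext: keep the file readable only by the service user.
enabled = false
username = ""
password = ""

# ---------------------------------------------------------------------------
# Transparent proxy (requires `tproxy` feature + iptables REDIRECT rule)
# ---------------------------------------------------------------------------
[proxy.transparent]
enabled = false
# Redirected traffic carries no SOCKS handshake, so [proxy.auth] presumably
# cannot gate this listener; the iptables rule and allowed_clients are the
# only controls. Bind to the internal interface rather than 0.0.0.0 where
# possible.
listen = "0.0.0.0:9040"

# Maximum concurrent connections (backpressure beyond this limit)
# NOTE(review): this key is under the [proxy.transparent] header, so as
# written it is read from that table - confirm it is not meant for [proxy].
max_connections = 4096

# ---------------------------------------------------------------------------
# Tor / Arti engine
# ---------------------------------------------------------------------------
[tor]
# Arti data directory (directory cache, guard state, keys)
# Uses Arti's native layout so upstream changes don't break things.
# Guard state and keys are long-lived identity material for this node's
# circuits; keep the directory owned by the service user with no
# group/world access.
data_dir = "/var/lib/onion-transit/arti"
bootstrap_timeout_secs = 120

# ---------------------------------------------------------------------------
# Connection profiles
# ---------------------------------------------------------------------------
# OnionStrict     - Full 3-hop circuit, stream isolation per destination (default)
# OnionFast       - Reduced isolation, shared circuits where possible
# ClearnetDefault - Standard Tor exit policy
#
# Where OnionFast shares a circuit, the relays on that circuit can link
# streams to different destinations; keep OnionStrict unless the latency
# gain is actually needed.
[tor.profiles]
default_onion = "OnionStrict"
default_clearnet = "ClearnetDefault"

# ---------------------------------------------------------------------------
# Security
# ---------------------------------------------------------------------------
[security]
# "standard" = full 3-hop circuits (recommended, always available)
# "reduced"  = REQUIRES: cargo feature `reduced-security` + --i-know-what-im-doing flag
mode = "standard"

# Restrict which client IPs can connect (CIDR notation)
# These ranges admit every host on 10/8 and 192.168/16; narrow them to the
# subnets your clients actually sit on. 172.16.0.0/12 is not listed, so
# clients there are refused. An IP ACL records where a connection came from,
# not who opened it - it is not a substitute for [proxy.auth].
allowed_clients = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]

# Restrict which .onion addresses can be accessed (empty = allow all)
allowed_onions = []

# Allow legacy v2 .onion addresses (16-char, deprecated, TEST ONLY)
# v2 services use RSA-1024 / truncated-SHA-1 identities and have not been
# served by the Tor network since late 2021; leave this off.
allow_legacy_onion = false

# ---------------------------------------------------------------------------
# Logging
# ---------------------------------------------------------------------------
[logging]
# "info", "debug", "warn", "error", "trace"
# NOTE(review): confirm whether "debug"/"trace" record destination .onion
# addresses or client IPs. If they do, raising the level turns the log into
# the client-to-destination record the header warns about, and the log needs
# the same access protection as this file.
level = "info"

# "stdout", "syslog", "file"
target = "stdout"

# Only used when target = "file"
file_path = "/var/log/onion-transit/onion-transit.log"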