93 lines
3.6 KiB
TOML
93 lines
3.6 KiB
TOML
# Onion-Transit configuration
|
|
# ============================
|
|
#
|
|
# WARNING: Onion-Transit centralizes Tor traffic through a single node.
|
|
# The transit node CAN SEE destination .onion addresses.
|
|
# Anonymity assumptions differ significantly from Tor Browser.
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Deployment mode
|
|
# ---------------------------------------------------------------------------
|
|
# "gateway" - Network-facing SOCKS5 for multiple LAN/VPN clients (default)
|
|
# "app-embedded" - Binds 127.0.0.1 only, sidecar for a single application
|
|
mode = "gateway"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Trust domain (controls warning verbosity and default ACL suggestions)
|
|
# ---------------------------------------------------------------------------
|
|
# "lab" - Relaxed defaults, wider subnets, minimal warnings
|
|
# "team" - Moderate warnings, expects auth enabled
|
|
# "personal" - Strictest (localhost-only ACL), prominent startup warnings
|
|
trust_domain = "team"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# SOCKS5 proxy
|
|
# ---------------------------------------------------------------------------
|
|
[proxy]
|
|
socks5_listen = "0.0.0.0:1080"
|
|
|
|
# Connection timeouts (seconds)
|
|
handshake_timeout_secs = 10
|
|
idle_timeout_secs = 300
|
|
|
|
[proxy.auth]
|
|
enabled = false
|
|
username = ""
|
|
password = ""
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Transparent proxy (requires `tproxy` feature + iptables REDIRECT rule)
|
|
# ---------------------------------------------------------------------------
|
|
[proxy.transparent]
|
|
enabled = false
|
|
listen = "0.0.0.0:9040"
|
|
# Maximum concurrent connections (backpressure beyond this limit)
|
|
max_connections = 4096
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Tor / Arti engine
|
|
# ---------------------------------------------------------------------------
|
|
[tor]
|
|
# Arti data directory (directory cache, guard state, keys)
|
|
# Uses Arti's native layout so upstream changes don't break things.
|
|
data_dir = "/var/lib/onion-transit/arti"
|
|
bootstrap_timeout_secs = 120
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Connection profiles
|
|
# ---------------------------------------------------------------------------
|
|
# OnionStrict - Full 3-hop circuit, stream isolation per destination (default)
|
|
# OnionFast - Reduced isolation, shared circuits where possible
|
|
# ClearnetDefault - Standard Tor exit policy
|
|
[tor.profiles]
|
|
default_onion = "OnionStrict"
|
|
default_clearnet = "ClearnetDefault"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Security
|
|
# ---------------------------------------------------------------------------
|
|
[security]
|
|
# "standard" = full 3-hop circuits (recommended, always available)
|
|
# "reduced" = REQUIRES: cargo feature `reduced-security` + --i-know-what-im-doing flag
|
|
mode = "standard"
|
|
|
|
# Restrict which client IPs can connect (CIDR notation)
|
|
allowed_clients = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]
|
|
|
|
# Restrict which .onion addresses can be accessed (empty = allow all)
|
|
allowed_onions = []
|
|
|
|
# Allow legacy v2 .onion addresses (16-char, deprecated, TEST ONLY)
|
|
allow_legacy_onion = false
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Logging
|
|
# ---------------------------------------------------------------------------
|
|
[logging]
|
|
# "info", "debug", "warn", "error", "trace"
|
|
level = "info"
|
|
# "stdout", "syslog", "file"
|
|
target = "stdout"
|
|
# Only used when target = "file"
|
|
file_path = "/var/log/onion-transit/onion-transit.log"
|