User Experience
Protocol
| VPN Protocol | WireGuard (primary) |
| Config Delivery | Download .conf file from dashboard, import into any WireGuard client |
| Endpoint | MikroTik CHR router in AWS |
| Encryption | Curve25519 (key exchange), ChaCha20 (symmetric), Poly1305 (authentication) |
IPsec and PPP options are in development
IP Addressing by Tier
| Tier | Private IP Range | Public IP | Internet Access |
|---|---|---|---|
| Torus Basic | 10.8.0.x or 10.8.1.x |
None | No — mesh only |
| Torus Standard | 10.8.x.x |
Shared NAT | Yes — outbound only |
| Torus Pro | 10.254.16.x |
Dedicated 193.143.16.x |
Yes — inbound & outbound |
Pro IP Mapping
Your private IP 10.254.16.X maps 1:1 to public IP 193.143.16.X via NAT on the MikroTik. If your torus address is 10.254.16.42, your public IP is 193.143.16.42.
User Dashboard
VPN Management
- View active VPN connections and status
- Download WireGuard config files
- Request new VPN connections
- See assigned IP addresses
Firewall & Access Controls (Pro only)
| Control | Description |
|---|---|
| Full Mesh | Allow/deny traffic to/from other Torus members |
| Public Inbound | Allow/deny inbound connections from the internet to your public IP |
| Bandwidth Limit | Configurable rate limit (default 512 Kbps, adjustable) |
DNS Hostnames (Pro only)
- Create up to 5 custom hostnames (e.g.,
yourname.torus.nekotopia.io) - A record points to your public IP
- PTR (reverse DNS) record created automatically
- Add/remove hostnames from dashboard
Profile
- Update name and email
- Change password
Network Configuration
| Setting | Value |
|---|---|
| DNS Server | 10.254.16.1 (pushed via VPN) |
| Default Route | 0.0.0.0/0 through VPN (Standard/Pro) |
| Split Tunnel | Possible by modifying AllowedIPs in config |
| Keepalive | 25 seconds (standard for NAT traversal) |
What You Can Host (Pro tier)
With a dedicated public IP and inbound access enabled, you can run publicly-accessible services on any port:
- Web servers (HTTP/HTTPS)
- Game servers
- SSH access
- Anything else that listens on a TCP port
What You Cannot Host (Pro tier)
The hub provides access to and fom the internet. However, living within the AWS platform does provide some functional safety.
- Outbound Email is not allowed (without using the AWS SES service)
- Forwarding of traffic is not allowed (without permissible filters in and out of the the VPC).