User Experience
Protocol
|
|
| VPN Protocol |
WireGuard (primary) |
| Config Delivery |
Download .conf file from dashboard, import into any WireGuard client |
| Endpoint |
MikroTik CHR router in AWS |
| Encryption |
Curve25519 (key exchange), ChaCha20 (symmetric), Poly1305 (authentication) |
IPsec and PPP options are in development
IP Addressing by Tier
| Tier |
Private IP Range |
Public IP |
Internet Access |
| Torus Basic |
10.254.16.128/25 |
None |
No — mesh only |
| Torus Standard |
10.254.16.128/25 |
Shared NAT |
Yes — outbound only |
| Torus Pro |
10.254.16.64/28 |
Dedicated 1:1 NAT |
Yes — inbound & outbound |
User Dashboard
VPN Management
- View active VPN connections and status
- Download WireGuard config files
- Request new VPN connections
- See assigned IP addresses
Firewall & Access Controls (Pro only)
| Control |
Description |
| Full Mesh |
Allow/deny traffic to/from other Torus members |
| Public Inbound |
Allow/deny inbound connections from the internet to your public IP |
| Bandwidth Limit |
Configurable rate limit (default 512 Kbps, adjustable) |
DNS Hostnames (Pro only)
- Create up to 5 custom hostnames (e.g.,
yourname.torus.nekotopia.io)
- A record points to your public IP
- PTR (reverse DNS) record created automatically
- Add/remove hostnames from dashboard
Profile
- Update name and email
- Change password
Network Configuration
| Setting |
Value |
| DNS Server |
10.254.16.1 (pushed via VPN) |
| Default Route |
0.0.0.0/0 through VPN (Standard/Pro) |
| Split Tunnel |
Possible by modifying AllowedIPs in config |
| Keepalive |
25 seconds (standard for NAT traversal) |
What You Can Host (Pro tier)
With a dedicated public IP and inbound access enabled, you can run publicly-accessible services on any port:
- Web servers (HTTP/HTTPS)
- Game servers
- SSH access
- Anything else that listens on a TCP port
What You Cannot Host (Pro tier)
The hub provides access to and fom the internet. However, living within the AWS platform does provide some functional safety.
- Outbound Email is not allowed (without using the AWS SES service)
- Forwarding of traffic is not allowed (without permissible filters in and out of the the VPC).
