
Torus Controls

For a retro computing VPN mesh, the biggest risks come from untrusted nodes, weak endpoints, and broad network exposure. The concern is not the VPN protocol itself being broken; it is your homelab and retro equipment being hit through the mesh.

Mesh and topology risks

  • Every node is a potential entry point; a compromised member can be used to pivot laterally across the mesh. Never share your login credentials with anyone else. The Nekotopia Torus provides tools in the control panel to enforce segmentation and access controls.

  • Many exploitable vulnerabilities are likely to exist across the platform. That is simply what you get when operating systems and applications are no longer maintained. We provide controls to lock down access based on your account Tier, and we are working to improve the security options, including hub-side IPS, next-generation firewalls, DPI, etc.

Retro system–specific risks

  • Legacy OSes and stacks often lack modern hardening (ASLR, DEP, patched TLS, modern SSH), making them easy to exploit once reachable over the Torus. There isn't much you can do about this except permit only what you want on the remote side. The private subnet is reachable by all users, but you can permit traffic based on source IP or destination port on your side. Using a firewall to protect your homelab/equipment is highly recommended.

  • Old protocols and services (SMBv1, Telnet, FTP, unauthenticated web UIs) may run with weak or no encryption and default credentials, making credential theft and remote code execution far more likely. Tighten up your systems! Back in the day trust was almost implied, and a lot of bad practice was commonplace.

Endpoint and malware risks

  • The Torus happily carries malicious traffic; we do not block any IP traffic between member systems. If a modern PC is connected to the mesh, you can assume it can affect any attached clients. Make sure your endpoints are running the latest antivirus and anti-malware software, and follow best practices as if they were on the same LAN.

  • Outdated or unpatched attached clients/agents on member systems can expose known vulnerabilities that attackers can exploit to break into the mesh.

Identity, access, and data risks

  • Over‑permissive access (“once you’re on, you see everything”) turns one stolen credential into full visibility of many retro machines and shared services.

  • Weak authentication (shared keys, reused passwords, no MFA) makes credential theft, spoofed nodes, and man‑in‑the‑middle attacks on the control plane or gateway nodes more feasible.

What we specifically assess and support

  • Network design: per‑node ACLs, segmentation between “untrusted hobby” zones and anything sensitive, and whether retro hosts need inbound access or only outbound tunnels via the gateways or bastion hosts.

  • Operational controls: Nekotopia admins and moderators enforce join policies for users. This includes handling abuse and guiding members on what and how to expose over the mesh.
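The firewall advice under "Retro system-specific risks" (permit by source IP or destination port on your side) and the network-design points above (inbound access only where needed, outbound otherwise) can be expressed as one small nftables ruleset on the homelab router that terminates the Torus link. The script below is an added example and is not Nekotopia's own tooling; the interface name torus0, the retro LAN 192.0.2.0/24, the trusted peer addresses and the allowed ports are placeholders you replace with your own values. It only generates the ruleset text; nothing is applied to the kernel.

```shell
#!/bin/sh
# Added example: default-deny nftables ruleset for the homelab side of a
# Torus mesh link. All addresses, interface names and ports are assumed
# placeholders (TEST-NET ranges), not values from the Nekotopia page.

TORUS_IF="${TORUS_IF:-torus0}"                     # assumed mesh interface
RETRO_NET="${RETRO_NET:-192.0.2.0/24}"             # placeholder retro LAN
TRUSTED_PEERS="${TRUSTED_PEERS:-198.51.100.10 198.51.100.11}"  # placeholder peers
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-23 139 445}"          # placeholder services

# gen_ruleset prints an nftables ruleset that:
#  - drops everything forwarded by default,
#  - lets the retro LAN initiate connections out to the mesh,
#  - admits inbound mesh traffic only from trusted peers to listed TCP ports,
#  - logs and drops everything else arriving from the mesh.
gen_ruleset() {
  peers=$(printf '%s' "$TRUSTED_PEERS" | sed 's/ /, /g')
  ports=$(printf '%s' "$ALLOWED_TCP_PORTS" | sed 's/ /, /g')
  cat <<EOF
table inet torus_guard {
  set trusted_peers {
    type ipv4_addr
    elements = { $peers }
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # retro LAN may reach out to the mesh (outbound-only by default)
    iifname != "$TORUS_IF" oifname "$TORUS_IF" accept
    # inbound from the mesh: trusted source AND allowed destination port only
    iifname "$TORUS_IF" ip daddr $RETRO_NET ip saddr @trusted_peers tcp dport { $ports } accept
    # everything else from the mesh is logged, then dropped by policy
    iifname "$TORUS_IF" log prefix "torus-drop: " drop
  }
}
EOF
}

# Print the ruleset; redirect into a file to review and load it.
gen_ruleset
```

Save the output to a file, check it with `nft -c -f torus.nft` before loading it with `nft -f torus.nft`, and watch for `torus-drop:` entries in the kernel log to see which mesh peers are probing ports you never intended to expose. If the retro machine itself is the mesh node rather than sitting behind a router, the same rules belong in an `input` chain instead of `forward`.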