Torus Controls

For a retro computing VPN mesh, the biggest risks come from untrusted nodes, weak endpoints, and broad network exposure. We're not talking about the VPN protocol being hacked; we're interested in your homelab and retro equipment being ~~hit.~~compromised.

Mesh and topology risks

Every node on the platform is a potential ~~entry point;~~target; a compromised member ~~can~~system could be used to ~~pivot~~jump laterally across the mesh. Never share your login credentials towith someone else. The Nekotopia Torus provides tools in the user control panel to enforce segmentation and access controls.

A lot of vulnerabilities and compromises are likely to be available across the platform. IT's just one of those things you get when operating systems and applications are no longer maintained. We provide controls to lockdown access based on your account Tier. We are working to improve security options, including hub-side IPS, NextGen Firewalls, DPI etc.

Retro system–specific risks

Legacy ~~OSes~~operating ~~and stacks~~systems often lack modern ~~hardening (ASLR, DEP, patched TLS, modern SSH),~~hardening, making them easy to exploit once reachable over ~~the~~a ~~Torus.~~network. There isn't much you can do about this except permit ~~what~~only the access you ~~want on the remote side.~~need. The ~~private subnet~~torus is ~~reachable~~designed to be open by default and accessible to all ~~users, but you can permit based on source IP or destination port on your side.~~users. Using a firewall on your WireGuard tunnel to protect your homelab/equipment is highly recommended.
Old protocols and services (~~SMBv1,~~SMB, Telnet, FTP, unauthenticated web ~~UIs)~~UIs, etc.) may run with weak or no encryption and even default ~~credentials,~~well-known ~~making credential theft and remote code execution far more likely.~~credentials. Tighten up your systems! Back in the day trust was almost implied, and a lot of bad practice was commonplace.

Endpoint and malware risks

The ~~Torus~~torus ~~happily~~is ~~carries~~built ~~malicious traffic; we don't deny any IP-based traffic from accessing~~for the ~~systems.~~sharing Ifof anetworked systems, and there is no prejudice against modern PCsystems. isWhere ~~connected~~possible, ~~to the mesh, you can assume it can affect any attached clients. Make sure~~ensure your endpoints are running the latest updates, have antivirus and anti-malware ~~software,~~software installed, and follow best practices as if they were on the same LAN.

~~Outdated or unpatched attached clients/agents on member systems can expose known vulnerabilities that attackers can exploit to break into the mesh.~~

~~Identity, access, and data risks~~

~~Over‑permissive access (“once you’re on, you see everything”) turns one stolen credential into full visibility of many retro machines and shared services.~~

~~Weak authentication (shared keys, reused passwords, no MFA) makes credential theft, spoofed nodes, and man‑in‑the‑middle attacks on the control plane or gateway nodes more feasible.~~

~~What we specifically assess and support~~

Network design: per‑node ACLs, segmentation between “untrusted hobby” zones and anything sensitive, and whether retro hosts need inbound access or only outbound tunnels via the gateways or bastion hosts.

~~Operational controls: Nekotopia admins and moderators enforce join policies for users. This includes handling abuse and guiding members on what and how to expose over the mesh.~~