User Experience

VPN Protocol


~~VPN~~ Protocol	WireGuard (primary)
Config Delivery	Download `.conf` file from dashboard, import into any WireGuard client
~~Endpoint~~	~~MikroTik CHR router in AWS~~
Encryption	Industry-standard: Curve25519 (key ~~exchange),~~exchange, ChaCha20 ~~(symmetric),~~symmetric ~~Poly1305 (authentication)~~encryption

IPsec and PPP options are in development for legacy device support.

IP Addressing by Tier

~~Tier~~	~~Private IP Range~~	~~Public IP~~	~~Internet Access~~
~~Torus Basic~~	`10.254.16.128/25`	~~None~~	~~No — mesh only~~
~~Torus Plus~~	`10.254.16.128/25`	~~Shared NAT~~	~~Yes — outbound only~~
~~Torus Pro~~	`10.254.16.64/28`	~~Dedicated 1:1 NAT~~	~~Yes — inbound & outbound~~

User Dashboard

VPN Management

View active VPN connections and status
Download WireGuard config files
Request new VPN connections
See your assigned IP ~~addresses~~address

Firewall & Access Controls (Pro only)

Control	Description
Full Mesh	Allow/deny traffic to/from other Torus members
Public Inbound	Allow/deny inbound connections from the internet ~~to your public IP~~
Bandwidth Limit	Configurable rate limit ~~(default~~based ~~512~~on ~~Kbps,~~your ~~adjustable)~~tier

DNS Hostnames

~~All~~Create ~~Torus~~custom ~~users~~hostnames ~~have access to create~~like yourname.ring.nekopia.nekotopia.io
Pro ~~Accounts~~accounts can ~~AWS~~request ~~Route53~~public ~~FQDNs~~DNS as yourname.torus.nekotopia.io)records
AHostnames ~~record points~~point to your Torus ~~private or public IP~~address
~~PTR (reverse DNS) records are created automatically for Pro DNS~~

~~Add/remove~~Manage hostnames directly from the dashboard

Profile

Update name and email
Change password

Network Configuration

~~Setting~~	~~Value~~
~~DNS Server~~	`10.254.16.1` ~~(pushed via VPN)~~
~~Default Route~~	`0.0.0.0/0` ~~through VPN (Plus/Pro)~~
~~Split Tunnel~~	~~Possible by modifying~~ `AllowedIPs` ~~in config~~
~~Keepalive~~	~~25 seconds (standard for NAT traversal)~~

What You Can Host (Pro tier)

With a dedicated public IP and inbound access enabled, you can run publicly-accessible services on any port:

Web servers (HTTP/HTTPS)
Game servers
SSH access
Retro services (Telnet, FTP, Gopher, etc.)

Anything else that listens on a ~~TCP~~TCP/UDP port

What You Cannot Host (Pro tier)Restrictions

~~The~~Some ~~hub~~activities ~~provides~~are ~~access~~restricted ~~to and from~~by the ~~internet.~~underlying ~~However,~~cloud ~~living within the AWS platform does offer some functional safety.~~platform:

Outbound ~~Email~~email (SMTP) is blocked by default

Traffic forwarding/routing through the VPN is not ~~allowed (without using the AWS SES service)~~

~~Forwarding of traffic is not allowed (without permissible filters in and out of the VPC).~~permitted