2 stable releases
| 1.0.1 | Jan 2, 2026 |
|---|
#1484 in Network programming
475KB
7K
SLoC
vanguards-rs
Enhanced security for Tor hidden services
Protect against guard discovery attacks with persistent vanguard relay selection
๐ Quick Start โข โจ Features โข ๐ก Examples โข โ๏ธ Configuration
Overview
vanguards-rs is a Rust implementation of vanguards, the Python addon for protecting Tor hidden services against guard discovery attacks. It provides the same security protections with Rust's safety guarantees and async-first design.
Even with Tor's v3 onion service protocol, hidden services face sophisticated attacks that require additional defenses. vanguards-rs implements these defenses as a controller addon, protecting your onion services ahead of their integration into Tor core.
use vanguards_rs::{Config, Vanguards};
#[tokio::main]
async fn main() -> vanguards_rs::Result<()> {
// Load configuration and run protection
let config = Config::default();
let mut vanguards = Vanguards::from_config(config).await?;
vanguards.run().await
}
โจ Features
๐ก๏ธ Vanguard SelectionPersistent guard relay selection at multiple layers to prevent guard discovery attacks.
|
๐ Bandwidth MonitoringDetect bandwidth-based side-channel attacks through circuit analysis.
|
๐ฏ Rendezvous Point AnalysisStatistical detection of rendezvous point overuse attacks.
|
๐ Log MonitoringMonitor Tor logs for security-relevant events.
|
โฑ๏ธ Circuit Build Timeout VerificationVerify circuit construction timing to detect manipulation.
|
๐ Path VerificationVerify circuit paths conform to vanguard configuration.
|
๐ Quick Start
Add vanguards-rs to your Cargo.toml:
[dependencies]
vanguards-rs = "1"
tokio = { version = "1", features = ["full"] }
Or install the CLI:
cargo install vanguards-rs
Enable Tor's Control Port
Add to your torrc:
ControlPort 9051
CookieAuthentication 1
DataDirectory /var/lib/tor
Or for Unix socket:
ControlSocket /run/tor/control
CookieAuthentication 1
DataDirectory /var/lib/tor
Run vanguards-rs
# Connect to default control port (127.0.0.1:9051)
vanguards-rs
# Connect via Unix socket
vanguards-rs --control-socket /run/tor/control
# Generate default configuration file
vanguards-rs --generate_config vanguards.conf
# Use custom configuration
vanguards-rs --config vanguards.conf
๐ก Examples
Basic CLI Usage
# Run with default settings
vanguards-rs
# Connect to specific control port
vanguards-rs --control-ip 127.0.0.1 --control-port 9051
# Use Unix socket with custom state file
vanguards-rs --control-socket /run/tor/control --state /var/lib/tor/vanguards.state
# One-shot mode: set vanguards and exit
vanguards-rs --one-shot-vanguards
# Enable debug logging
vanguards-rs --loglevel DEBUG
# Log to file
vanguards-rs --logfile /var/log/vanguards.log
Component Control
# Disable specific components
vanguards-rs --disable-bandguards --disable-logguard
# Enable optional components
vanguards-rs --enable-cbtverify --enable-pathverify
Library Usage
use vanguards_rs::{Config, Vanguards, LogLevel};
use std::path::PathBuf;
#[tokio::main]
async fn main() -> vanguards_rs::Result<()> {
// Create custom configuration
let mut config = Config::default();
config.control_port = Some(9051);
config.loglevel = LogLevel::Debug;
config.state_file = PathBuf::from("/var/lib/tor/vanguards.state");
// Enable optional components
config.enable_cbtverify = true;
config.enable_pathverify = true;
// Validate configuration
config.validate()?;
// Run vanguards protection
let mut vanguards = Vanguards::from_config(config).await?;
vanguards.run().await
}
Loading Configuration from File
use vanguards_rs::Config;
use std::path::Path;
let config = Config::from_file(Path::new("vanguards.conf"))?;
โ๏ธ Configuration
Configuration can be loaded from multiple sources (in order of precedence):
- CLI Arguments โ Highest priority
- Environment Variables โ
VANGUARDS_STATE,VANGUARDS_CONFIG - Config File โ TOML format
- Defaults โ Sensible defaults for all options
Example Configuration File
# Connection settings
control_ip = "127.0.0.1"
control_port = 9051
# control_socket = "/run/tor/control" # Alternative: Unix socket
# control_pass = "my_password" # If using password auth
# File paths
state_file = "vanguards.state"
# Logging
loglevel = "notice" # debug, info, notice, warn, error
# logfile = "/var/log/vanguards.log"
# Component toggles
enable_vanguards = true
enable_bandguards = true
enable_rendguard = true
enable_logguard = true
enable_cbtverify = false
enable_pathverify = false
# Operational settings
close_circuits = true
one_shot_vanguards = false
[vanguards]
num_layer1_guards = 2
num_layer2_guards = 4
num_layer3_guards = 8
min_layer2_lifetime_hours = 24
max_layer2_lifetime_hours = 1080 # 45 days
min_layer3_lifetime_hours = 1
max_layer3_lifetime_hours = 48
[bandguards]
circ_max_megabytes = 0 # 0 = disabled
circ_max_age_hours = 24
circ_max_hsdesc_kilobytes = 30
circ_max_disconnected_secs = 30
conn_max_disconnected_secs = 15
[rendguard]
use_global_start_count = 1000
use_scale_at_count = 20000
use_relay_start_count = 100
use_max_use_to_bw_ratio = 5.0
close_circuits_on_overuse = true
[logguard]
protocol_warns = true
dump_limit = 25
dump_level = "notice"
๐ฆ Module Reference
| Module | Description |
|---|---|
api |
High-level Vanguards struct for programmatic use |
config |
Configuration management (TOML, CLI, environment) |
control |
Main event loop and Tor connection management |
vanguards |
Vanguard state and guard selection |
bandguards |
Bandwidth monitoring and attack detection |
rendguard |
Rendezvous point usage tracking |
logguard |
Tor log monitoring and buffering |
cbtverify |
Circuit build timeout verification |
pathverify |
Circuit path verification |
node_selection |
Bandwidth-weighted relay selection |
๐ Security
vanguards-rs is designed with security as a priority:
- Memory Safety โ Passwords cleared after use (zeroize)
- File Permissions โ State files written with 0600 permissions
- Input Validation โ All external inputs validated
- Atomic Writes โ State file corruption prevention
- Guard Persistence โ Prevents restart-based guard discovery
โก Performance
- Async-first โ Built on Tokio for high-performance async I/O
- Efficient State โ Python pickle format for compatibility
- Low Overhead โ Minimal CPU usage during normal operation
๐ Python Compatibility
State files are compatible with Python vanguards for seamless migration:
# Migrate from Python vanguards
cp ~/.vanguards/vanguards.state ./vanguards.state
vanguards-rs --state vanguards.state
๐ ๏ธ Requirements
- Rust 1.70+
- Tokio runtime
- Tor instance with control port enabled
๐งช Testing
# Run unit tests
cargo test
๐ Comparison with Python vanguards
| Feature | Python vanguards | vanguards-rs |
|---|---|---|
| Vanguard Selection | โ | โ |
| Bandwidth Monitoring | โ | โ |
| Rendezvous Analysis | โ | โ |
| Log Monitoring | โ | โ |
| CBT Verification | โ | โ |
| Path Verification | โ | โ |
| State Compatibility | โ | โ |
| Type Safety | โ | โ |
| Memory Safety | โ | โ |
| Async/Await | โ | โ |
๐ License
Copyright 2026 vanguards-rs contributors
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
๐ค Contributing
Contributions are welcome! Please feel free to submit issues and pull requests.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
๐ Links
Documentation โข crates.io โข GitHub โข Python vanguards
Built with ๐ฆ by the vanguards-rs contributors
Dependencies
~26โ43MB
~617K SLoC