Skip to content

Access control

The toggle panel for what your Torus tunnel does. Two cards, tier-gated.

Where it lives

Sidebar: Node controls. Section ID: firewall-section. Loader: loadFirewallControls() + loadStandardAccessControls() + loadProAccessControlsInControls().

Card 1 — access control settings (basic)

All tiers see this. Three toggles:

Torus Access

Master switch for the tunnel. When disabled, the platform tears down your WG peer on the hub. Your local WG client will fail to handshake; "tunnel inactive" UX kicks in. Re-enabling re-pushes the peer (usually under 5 seconds).

Use when: you want to take the tunnel offline for a few hours/days without losing your config.

Full Mesh Access

When enabled, your peer is in the mesh-users address list on the hub, which means other members can reach your mesh IP (10.254.x.y) for peer-to-peer connections. When disabled, you're hub-only — you can reach hub-published services but other members can't reach you.

VXLAN

When enabled, your peer participates in layer-2 bridging across active nLAN networks you're a member of. When disabled (default), you're routed-only.

Card 2 — plus tier features

Plus and Pro see this. Tier badge top-right.

Torus ZTNA Access

The Teleport ZTNA gateway integration. Toggle goes off → on after you complete shell access registration. When Not yet set up, the toggle is disabled with a Pending pill and a Set Up Shell Access → button takes you through the registration flow.

Outbound Internet Access

Master toggle for routing your public-internet traffic through the Torus hub. Off (default) = your 0.0.0.0/0 is NOT in AllowedIPs, so non-mesh traffic goes via your normal ISP. On = full tunnel; your public IP appears as the hub's egress IP (unless you also have nSolo, in which case it appears as your dedicated IPv4).

Re-download after toggling

Internet Access on/off changes your WireGuard config's AllowedIPs. After flipping the toggle, re-download your config and re-import. The toggle on its own only changes server-side state.

Card 3 — plus+ features (Pro tier only)

Empty placeholder for Pro features that surface elsewhere (nSolo, nColo, nSolo Inbound, Neko Pages, jumphost tunnel). The actual Pro controls live in their respective sidebar sections, not here.

What each toggle persists

All toggles write to vpn_configs.json on the server and push the corresponding RouterOS address-list change to the hub MikroTik. Changes take effect within a few seconds — no client restart needed unless you're toggling AllowedIPs-affecting things (Internet Access, mesh enabled/disabled), in which case re-download.