Torus config

Your Torus config is a WireGuard configuration file — a small .conf of about 15 lines that tells the WireGuard client which Nekotopia hub to connect to, what your private mesh IP is, and how to encrypt the traffic.

When this card is in front of you, you've already been approved and provisioned. The work is now:

  1. Download the config
  2. Import it into the WireGuard client on the device you want connected
  3. Activate the tunnel

Downloading

The big Download config button on this page does the right thing — it sends a .conf file with a name like nekotopia-<username>.conf. The file is a plain text WireGuard config, valid as-is.

A few things happen at the same time:

  • The server logs the download (visible in admin, used to detect "user keeps re-downloading, something's broken")
  • A timestamp in your profile updates so the dashboard knows when you last grabbed it
  • If you've just allocated a new IP, the download includes the new routing — re-downloading an old config will still work for general connectivity but won't know about new add-ons

Importing

macOS / iOS

WireGuard app from the App Store. Tap + → Create from file or archive, pick the .conf. The tunnel name defaults to the config's filename — rename it if you want.

Linux (CLI)

sudo install -m 600 nekotopia-<username>.conf /etc/wireguard/wg0.conf    # root-only: the file holds your private key
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0    # to come up on boot

Windows

WireGuard for Windows. Add Tunnel → Import tunnel(s) from file.

Routers (OpenWrt / MikroTik / pfSense)

Each has a different import path; the WireGuard config itself is portable. The Address, PrivateKey, Endpoint, PublicKey, and AllowedIPs lines map to whichever fields your router asks for.

When to re-download

You must re-download whenever:

  • You changed your tier (Basic ↔ Plus ↔ Pro)
  • You allocated, released, or moved your nSolo IP
  • You allocated, released, or resized your nColo prefix
  • An admin migrated you between hub instances
  • You explicitly regenerated your keys

The dashboard pushes a banner notification when any of these happen. Importing the new config replaces the old one — make sure to deactivate the existing tunnel in your WG client first or you'll get a "duplicate peer" error.

What's in the config

Reading the .conf you downloaded:

[Interface]
PrivateKey = <your-private-key>
Address    = 10.254.100.<your-host>/32      # mesh IP
DNS        = 10.255.9.241                    # ring-dns
MTU        = 1280

[Peer]
PublicKey  = <hub-public-key>
Endpoint   = <hub-public-ip>:51820
AllowedIPs = 10.254.0.0/16, 10.255.0.0/16  # mesh + infra
PersistentKeepalive = 25

  • Address — your /32 on the mesh. Other members on the same hub can reach you here.
  • DNS — points at the ring-dns container so *.ring.nekotopia.io resolves.
  • MTU 1280 — set low to dodge path-MTU issues over the WG-in-WG-in-Internet stack. Don't bump.
  • AllowedIPs — the routes the platform announces over your tunnel. Adding more (e.g. 0.0.0.0/0 for full tunnel) is fine; removing what's there will break service access.
  • PersistentKeepalive — keeps the tunnel alive through NAT and firewalls.
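
A pre-import check for the fields described above, written as an added example (it is not Nekotopia's own tooling). The function names, the sample host octet, the 192.0.2.10 endpoint and the placeholder keys are assumptions made for illustration; the required routes and the MTU ceiling come from the config shown on this page.

```python
import ipaddress
import stat

REQUIRED_ROUTES = ("10.254.0.0/16", "10.255.0.0/16")  # mesh + infra, per the page
MAX_MTU = 1280                                        # page: "Don't bump"

# Constructed sample: host octet, endpoint and keys are placeholders.
SAMPLE = """[Interface]
PrivateKey = PLACEHOLDER-PRIVATE-KEY=
Address    = 10.254.100.7/32      # mesh IP
MTU        = 1280
[Peer]
PublicKey  = PLACEHOLDER-HUB-KEY=
Endpoint   = 192.0.2.10:51820
AllowedIPs = 10.254.0.0/16, 10.255.0.0/16  # mesh + infra
"""

def parse_conf(text):
    """Parse a single-peer WireGuard config into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)      # base64 keys keep their '=' padding
            section[key.strip()] = value.strip()
    return conf

def check_conf(text, mode=None):
    """Return a list of problems; an empty list means nothing was flagged."""
    conf, problems = parse_conf(text), []
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is accessible to group/others; PrivateKey exposed")
    try:
        if ipaddress.ip_interface(iface.get("Address", "")).network.prefixlen != 32:
            problems.append("Address is not a /32")
    except ValueError:
        problems.append("Address missing or invalid")
    if int(iface.get("MTU", MAX_MTU)) > MAX_MTU:
        problems.append(f"MTU above {MAX_MTU}")
    routes = [ipaddress.ip_network(r.strip(), strict=False)
              for r in peer.get("AllowedIPs", "").split(",") if r.strip()]
    for need in map(ipaddress.ip_network, REQUIRED_ROUTES):
        if not any(r.version == 4 and need.subnet_of(r) for r in routes):
            problems.append(f"AllowedIPs no longer covers {need}")
    return problems
```

To check a file on disk, pass its contents as `text` and `os.stat(path).st_mode` as `mode`; the permission test only looks at the group and other bits.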

Troubleshooting

Handshake works, no traffic

Almost always MTU. Try MTU = 1200 (or even 1000). If that fixes it, your path has a smaller MTU than expected — common on mobile carriers and some campus WiFi.

Tunnel won't activate

Check you haven't got an old tunnel of the same name running. Bring it down first.

Reachable from one device, not another

Each device needs its own config. Sharing a .conf between two devices means two devices using the same WG identity — the hub will see them as one peer with a flapping endpoint.

If something stays broken, send a message to staff via the Messages section; we can see your peer state from the admin side and confirm whether the issue is your end or the platform.