Open Source · Self-Hosted · Enterprise Grade

The Tornado VPN Platform

A self-hosted secure access platform combining WireGuard performance, Tor-aware routing, and real-time operations visibility. Full control. No network trust outsourced.

WireGuard · Tor-aware · RS256 JWT · Redis pub/sub · PostgreSQL · FastAPI · IPAM · X25519 ECDH

Supervised Control Plane with Separated Data Paths

A master supervisor starts and monitors service processes defined in runtime config. External access enters through two FastAPI surfaces. Internal contracts are standardized over UDS sockets under /run/tornado.

Supervisor

Config-driven service sync, health ping, and restart automation via MASTER_service.py

Data Plane

WireGuard wg0 + wg1, Tor manager, routing and maintenance-path handling

Control Services

Auth, session, user, IPAM, key rotator, OS/API service managers, log microservice

Persistence

Redis for sessions & events, PostgreSQL for users, SQLite for log analytics

Dual-Lane WireGuard with Tor-Aware Routing

Standard VPN traffic runs on wg0 for maximum throughput. Policy-selected traffic is routed through wg1 which exits via Tor, giving you two distinct trust tiers on the same platform.

  • wg0 — high-performance standard lane, peer-programmed via IPAM service
  • wg1 — Tor-exit policy lane with circuit management and relay state controls
  • Maintenance path handling for operator access during tunnel incidents
  • UDS microservice mesh with reduced lateral exposure surface
wg0: Standard Lane · wg1: Tor Lane · UDS: IPC Transport

Multi-Layer Authentication & Key Integrity Controls

Login payloads are protected via X25519 ECDH + HKDF + AES-GCM before credential validation. Token issuance uses asymmetric JWT keypairs with overlap-aware verification during rotations, backed by Redis JTI revocation checks.

  • Client-side encryption before credentials leave the device
  • RS256 access and refresh tokens with claim and type validation
  • Reuse detection for revoked refresh tokens via JTI tracking
  • Bootstrap key validator — public-first then private cutover rotation
  • Signal-driven in-process service key reload, zero downtime
  • Argon2 password verification with configurable cost parameters
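As an added example (not the project's own code), the following models the refresh-token rotation and JTI reuse detection listed above with an in-memory dictionary standing in for Redis; RS256 signature checking is assumed to have already happened before these claims arrive, and the "family" claim is an assumption introduced here to group one session's token lineage.

```python
"""Refresh-token rotation with JTI reuse detection (added example).

Signature verification is out of scope; this models only the claim/type
validation and the Redis-backed JTI bookkeeping, with an in-memory dict
in place of Redis. The 'family' claim is an assumption for this example.
"""
import secrets


class RefreshTokenRegistry:
    def __init__(self):
        self.active = {}        # jti -> family (session lineage), still redeemable
        self.revoked = {}       # jti -> family, consumed; kept until the token expires
        self.dead_families = set()

    def issue(self, family=None):
        """Mint the claims of a refresh token for a new or existing family."""
        family = family or secrets.token_hex(8)
        jti = secrets.token_hex(16)
        self.active[jti] = family
        return {"jti": jti, "type": "refresh", "family": family}

    def refresh(self, claims):
        """Rotate: consume the presented jti and return (status, new_claims_or_None)."""
        if claims.get("type") != "refresh":
            return ("wrong_type", None)          # an access token must never refresh
        jti = claims.get("jti")
        if jti in self.revoked:
            # A consumed jti is being replayed: either a client lost a race or the
            # token was stolen. Revoke every token of that family, not just this one.
            family = self.revoked[jti]
            self.dead_families.add(family)
            self.active = {j: f for j, f in self.active.items() if f != family}
            return ("reuse_detected", None)
        family = self.active.pop(jti, None)
        if family is None or family in self.dead_families:
            return ("unknown", None)
        self.revoked[jti] = family               # remember it so a replay is caught
        return ("ok", self.issue(family))
```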

Heartbeat-Driven Session Orchestration

Sessions are created with Redis keys (vpn:session:*) and heartbeat sentinels (vpn:session:*:hb). Expired heartbeat keys move sessions to offline, resumed heartbeats recover them, and hard_ttl finalizes cleanup.

  # Quick health check sequence
  sudo systemctl status tornado --no-pager
  curl -sSf http://127.0.0.1:8000/health
  curl -sSf http://127.0.0.1:4605/health
  sudo wg show
  # Tail live session events
  redis-cli subscribe vpn:live_events
  # Required: expiry-driven heartbeat transitions
  redis-cli config get notify-keyspace-events
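To make the transitions concrete, here is an added example (not Tornado's own code) that applies keyspace notifications to an in-memory stand-in for the vpn:session:* and vpn:session:*:hb keys; the event names "expired" and "set" and the keyspace_events_enabled check are assumptions about how the platform consumes notify-keyspace-events.

```python
"""Heartbeat-driven session transitions modelled in memory (added example).

Expired heartbeat key -> offline, heartbeat written again -> recovered,
expired session key (hard_ttl) -> removed. Event names are assumptions.
"""
import re

SESSION_RE = re.compile(r"^vpn:session:(?P<sid>[^:]+)$")
HB_RE = re.compile(r"^vpn:session:(?P<sid>[^:]+):hb$")


class SessionStore:
    """Constructed stand-in for the Redis session keys."""

    def __init__(self):
        self.sessions = {}  # sid -> {"status": "online" | "offline"}

    def create(self, sid):
        self.sessions[sid] = {"status": "online"}

    def status(self, sid):
        s = self.sessions.get(sid)
        return s["status"] if s else None

    def on_keyspace_event(self, event, key):
        """Apply one keyspace notification; return the transition or None."""
        if (m := HB_RE.match(key)) and m.group("sid") in self.sessions:
            sid = m.group("sid")
            if event == "expired":                      # heartbeat sentinel lapsed
                self.sessions[sid]["status"] = "offline"
                return (sid, "offline")
            if event == "set" and self.sessions[sid]["status"] == "offline":
                self.sessions[sid]["status"] = "online"  # client resumed heartbeats
                return (sid, "recovered")
            return None
        if (m := SESSION_RE.match(key)) and event == "expired":
            # hard_ttl on the session key itself finalizes cleanup
            sid = m.group("sid")
            return (sid, "removed") if self.sessions.pop(sid, None) else None
        return None


def keyspace_events_enabled(config_value):
    """True if notify-keyspace-events delivers expired events (E plus x or A)."""
    return "E" in config_value and ("x" in config_value or "A" in config_value)
```

Without a notify-keyspace-events value that includes E and x (or A), the "expired" branch never fires and sessions silently stay online; that is why the health sequence above queries it.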

Deterministic Recovery Paths for Every Incident Class

Operations are structured around dependency-first checks, targeted service remediation, and post-incident validation — backed by direct admin API control.

  • Recovery order: PostgreSQL + Redis → tornado.service → NGINX
  • Session instability: heartbeat TTL, keyspace events, cleanup telemetry
  • Rotation incidents: validate overlap key presence and reload signal targets
  • Tunnel incidents: verify wg0/wg1, IP pools, and peer-programming logs
  • Tor relay: /status, /up, /down, /circuits controls via admin API

Client & Admin Interfaces for Full Lifecycle Control

The client API handles encrypted login, token refresh, tunnel initiation, and heartbeat. The admin API exposes service management, user lifecycle, log analytics, Tor relay controls, and key-rotator actions.

Client API :4605
  GET  /auth/pubkey
  POST /auth/login
  POST /auth/reauth
  POST /vpn/initiate
  POST /session/heartbeat
Admin API :8000
  * /services/* & /apps/*
  * /users lifecycle
  * /logs/* query/export
  * /circuits relay ops
  * /key-rotator/*

Desktop Client for Linux and Windows

The client apps in client/linux and client/windows provide encrypted login, token refresh, session heartbeat, WireGuard tunnel lifecycle, and Tor-over-VPN mode. Packaging flows are documented in docs/build_linux.md and docs/build_windows.md.

  • API flow: /auth/login → /vpn/initiate → /session/heartbeat
  • Session continuity with automatic reauth and heartbeat scheduling
  • Linux packaging: Debian package output (tornadovpn-client_*.deb)
  • Windows packaging: PyInstaller + Inno Setup installer output

Get the Latest Tornado VPN Client

Download the official desktop clients for Linux and Windows. Both packages include encrypted authentication, automatic session management, and full Tor-over-VPN support.


Installation:
  • Linux: sudo dpkg -i tornadovpn-client_*.deb
  • Windows: run the installer and follow the setup wizard

Free & Open Source · MIT License

Ready to deploy your own secure access platform?

Tornado VPN is open source and self-hostable. Get full control over your network trust, no subscriptions, no vendor lock-in. Star us on GitHub and join the community.
