porta-rs 0.1.1

Zero-trust CGNAT bypass via WireGuard tunnel
# Porta Architecture

## Overview

Porta creates a WireGuard tunnel between a machine behind CGNAT (client) and a machine with a public IP (server), allowing the client to expose services as if it had a public IP.

## Components

```
┌─────────────────────────────────────────────────────────────────┐
│                        PORTA BINARY                              │
├─────────────────────────────────────────────────────────────────┤
│  CLI (clap)           - User interface                          │
│  Config (TOML/serde)  - Configuration management                │
│  WireGuard Layer      - Tunnel management                       │
│  Control Plane        - Authentication & commands               │
│  Forwarder            - TCP/UDP proxy                           │
│  UFW Manager          - Firewall rules                         │
│  Systemd              - Service management                      │
│  Metrics              - Traffic statistics                      │
└─────────────────────────────────────────────────────────────────┘
```

## Traffic Flow

```
Internet ──► VPS:80 ──► Porta Server ──► WireGuard ──► Porta Client ──► localhost:8080
                              │                              │
                         UFW rules                     Local service
```

## Security Model

- **Zero Trust**: Commands flow only from client to server
- **WireGuard Encryption**: All traffic encrypted via WireGuard
- **HMAC Authentication**: Each command signed with HMAC-SHA256
- **Nonce Tracking**: Replay attack prevention

## Protocol Support

Porta operates at the transport layer (TCP/UDP), so it supports:
- HTTP/HTTPS
- WebSocket/WSS
- SSH
- FTP
- DNS (UDP)
- Gaming (UDP)
- Any TCP/UDP protocol