-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathportfw.go
343 lines (300 loc) · 10.8 KB
/
portfw.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
package cmd
import (
"context"
"fmt"
"io"
"log"
"net"
"net/http"
"net/netip"
"time"
"github.com/Diniboy1123/usque/api"
"github.com/Diniboy1123/usque/config"
"github.com/Diniboy1123/usque/internal"
"github.com/spf13/cobra"
"golang.zx2c4.com/wireguard/tun/netstack"
)
var portFwCmd = &cobra.Command{
Use: "portfw",
Short: "Forward ports through a MASQUE tunnel",
Long: "This tool is useful if you have Cloudflare Zero Trust Gateway enabled and want to forward ports to/from the tunnel." +
" It creates a virtual TUN device and forward ports through it either from or to the client. It works a bit like SSH port forwarding. TCP only at the moment." +
"Doesn't require elevated privileges.",
Run: func(cmd *cobra.Command, args []string) {
if !config.ConfigLoaded {
cmd.Println("Config not loaded. Please register first.")
return
}
sni, err := cmd.Flags().GetString("sni-address")
if err != nil {
cmd.Printf("Failed to get SNI address: %v\n", err)
return
}
privKey, err := config.AppConfig.GetEcPrivateKey()
if err != nil {
cmd.Printf("Failed to get private key: %v\n", err)
return
}
peerPubKey, err := config.AppConfig.GetEcEndpointPublicKey()
if err != nil {
cmd.Printf("Failed to get public key: %v\n", err)
return
}
cert, err := internal.GenerateCert(privKey, &privKey.PublicKey)
if err != nil {
cmd.Printf("Failed to generate cert: %v\n", err)
return
}
tlsConfig, err := api.PrepareTlsConfig(privKey, peerPubKey, cert, sni)
if err != nil {
cmd.Printf("Failed to prepare TLS config: %v\n", err)
return
}
keepalivePeriod, err := cmd.Flags().GetDuration("keepalive-period")
if err != nil {
cmd.Printf("Failed to get keepalive period: %v\n", err)
return
}
initialPacketSize, err := cmd.Flags().GetUint16("initial-packet-size")
if err != nil {
cmd.Printf("Failed to get initial packet size: %v\n", err)
return
}
connectPort, err := cmd.Flags().GetInt("connect-port")
if err != nil {
cmd.Printf("Failed to get connect port: %v\n", err)
return
}
var endpoint *net.UDPAddr
if ipv6, err := cmd.Flags().GetBool("ipv6"); err == nil && !ipv6 {
endpoint = &net.UDPAddr{
IP: net.ParseIP(config.AppConfig.EndpointV4),
Port: connectPort,
}
} else {
endpoint = &net.UDPAddr{
IP: net.ParseIP(config.AppConfig.EndpointV6),
Port: connectPort,
}
}
tunnelIPv4, err := cmd.Flags().GetBool("no-tunnel-ipv4")
if err != nil {
cmd.Printf("Failed to get no tunnel IPv4: %v\n", err)
return
}
tunnelIPv6, err := cmd.Flags().GetBool("no-tunnel-ipv6")
if err != nil {
cmd.Printf("Failed to get no tunnel IPv6: %v\n", err)
return
}
var localAddresses []netip.Addr
if !tunnelIPv4 {
v4, err := netip.ParseAddr(config.AppConfig.IPv4)
if err != nil {
cmd.Printf("Failed to parse IPv4 address: %v\n", err)
return
}
localAddresses = append(localAddresses, v4)
}
if !tunnelIPv6 {
v6, err := netip.ParseAddr(config.AppConfig.IPv6)
if err != nil {
cmd.Printf("Failed to parse IPv6 address: %v\n", err)
return
}
localAddresses = append(localAddresses, v6)
}
dnsServers, err := cmd.Flags().GetStringArray("dns")
if err != nil {
cmd.Printf("Failed to get DNS servers: %v\n", err)
return
}
var dnsAddrs []netip.Addr
for _, dns := range dnsServers {
addr, err := netip.ParseAddr(dns)
if err != nil {
cmd.Printf("Failed to parse DNS server: %v\n", err)
return
}
dnsAddrs = append(dnsAddrs, addr)
}
mtu, err := cmd.Flags().GetInt("mtu")
if err != nil {
cmd.Printf("Failed to get MTU: %v\n", err)
return
}
if mtu != 1280 {
log.Println("Warning: MTU is not the default 1280. This is not supported. Packet loss and other issues may occur.")
}
localPorts, err := cmd.Flags().GetStringArray("local-ports")
if err != nil {
cmd.Printf("Failed to get local ports: %v\n", err)
return
}
remotePorts, err := cmd.Flags().GetStringArray("remote-ports")
if err != nil {
cmd.Printf("Failed to get remote ports: %v\n", err)
return
}
var localPortMappings []internal.PortMapping
var remotePortMappings []internal.PortMapping
for _, port := range localPorts {
portMapping, err := internal.ParsePortMapping(port)
if err != nil {
cmd.Printf("Failed to parse local port mapping: %v\n", err)
return
}
localPortMappings = append(localPortMappings, portMapping)
}
for _, port := range remotePorts {
portMapping, err := internal.ParsePortMapping(port)
if err != nil {
cmd.Printf("Failed to parse remote port mapping: %v\n", err)
return
}
remotePortMappings = append(remotePortMappings, portMapping)
}
reconnectDelay, err := cmd.Flags().GetDuration("reconnect-delay")
if err != nil {
cmd.Printf("Failed to get reconnect delay: %v\n", err)
return
}
tunDev, tunNet, err := netstack.CreateNetTUN(localAddresses, dnsAddrs, mtu)
if err != nil {
cmd.Printf("Failed to create virtual TUN device: %v\n", err)
return
}
defer tunDev.Close()
go api.MaintainTunnel(context.Background(), tlsConfig, keepalivePeriod, initialPacketSize, endpoint, api.NewNetstackAdapter(tunDev), mtu, reconnectDelay)
log.Printf("Virtual tunnel created, forwarding ports")
// Start Local Port Forwarding (-L)
for _, pm := range localPortMappings {
go func(pm internal.PortMapping) {
err := forwardPort(tunNet, pm, false) // false = local forwarding
if err != nil {
cmd.Printf("Error in local forwarding %d: %v\n", pm.LocalPort, err)
}
}(pm)
}
// Start Remote Port Forwarding (-R)
for _, pm := range remotePortMappings {
go func(pm internal.PortMapping) {
err := forwardPort(tunNet, pm, true) // true = remote forwarding
if err != nil {
cmd.Printf("Error in remote forwarding %d: %v\n", pm.LocalPort, err)
}
}(pm)
}
// One packet must be sent in order to listen for incoming packets
// a ping may suffice as well, but we will use a simple GET request
client := &http.Client{
Transport: &http.Transport{
DialContext: tunNet.DialContext,
},
}
resp, err := client.Get("https://cloudflareok.com/test")
if err != nil {
cmd.Printf("Failed to make request to cloudflare.com: %v\n", err)
return
}
defer resp.Body.Close()
if resp.StatusCode != 204 {
cmd.Printf("Failed to make request to cloudflare.com: %s\n", resp.Status)
return
}
log.Println("Successfully connected to Cloudflare")
select {}
},
}
// forwardPort sets up a local or remote port forwarding using either the MASQUE tunnel or the local network.
//
// Parameters:
// - netstackNet: *netstack.Net - The network stack used for handling remote forwarding.
// - pm: internal.PortMapping - The port mapping configuration containing bind address, local port, remote IP, and remote port.
// - isRemote: bool - Indicates whether the forwarding is remote (true) or local (false).
//
// Returns:
// - error: An error if port forwarding fails; otherwise, nil.
func forwardPort(netstackNet *netstack.Net, pm internal.PortMapping, isRemote bool) error {
localAddrPort, err := netip.ParseAddrPort(fmt.Sprintf("%s:%d", pm.BindAddress, pm.LocalPort))
if err != nil {
return fmt.Errorf("invalid local address: %w", err)
}
if isRemote {
// Remote forwarding: Listen inside the MASQUE tunnel
listener, err := netstackNet.ListenTCPAddrPort(localAddrPort)
if err != nil {
return fmt.Errorf("failed to listen on %s: %w", localAddrPort, err)
}
defer listener.Close()
log.Printf("Remote forwarding: Listening on MASQUE network %s, forwarding to local %s:%d", localAddrPort, pm.RemoteIP, pm.RemotePort)
for {
conn, err := listener.Accept()
if err != nil {
log.Printf("Accept error on %s: %v", localAddrPort, err)
continue
}
go handleConnection(conn, pm, isRemote, netstackNet)
}
} else {
// Local forwarding: Listen on local machine
listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", pm.BindAddress, pm.LocalPort))
if err != nil {
return fmt.Errorf("failed to listen on %s:%d: %w", pm.BindAddress, pm.LocalPort, err)
}
defer listener.Close()
log.Printf("Local forwarding: Listening on %s:%d, forwarding to remote %s:%d", pm.BindAddress, pm.LocalPort, pm.RemoteIP, pm.RemotePort)
for {
conn, err := listener.Accept()
if err != nil {
log.Printf("Accept error on %s:%d: %v", pm.BindAddress, pm.LocalPort, err)
continue
}
go handleConnection(conn, pm, isRemote, netstackNet)
}
}
}
// handleConnection manages an individual forwarded connection between the local and remote endpoints.
//
// Parameters:
// - localConn: net.Conn - The connection from the source (client).
// - pm: internal.PortMapping - The port mapping configuration.
// - isRemote: bool - Indicates whether the connection is remote-forwarded.
// - tunNet: *netstack.Net - The network stack used for making remote connections.
func handleConnection(localConn net.Conn, pm internal.PortMapping, isRemote bool, tunNet *netstack.Net) {
defer localConn.Close()
remoteAddrPort, err := netip.ParseAddrPort(fmt.Sprintf("%s:%d", pm.RemoteIP, pm.RemotePort))
if err != nil {
log.Printf("Invalid remote address: %v", err)
return
}
var remoteConn net.Conn
if isRemote {
// Remote forwarding: Connect to the external remote host
remoteConn, err = net.Dial("tcp", remoteAddrPort.String())
} else {
// Local forwarding: Connect inside the tunnel network
remoteConn, err = tunNet.DialContext(context.Background(), "tcp", remoteAddrPort.String())
}
if err != nil {
log.Printf("Failed to connect to remote %s: %v", remoteAddrPort, err)
return
}
defer remoteConn.Close()
go func() { io.Copy(remoteConn, localConn) }()
io.Copy(localConn, remoteConn)
}
func init() {
portFwCmd.Flags().StringArrayP("local-ports", "L", []string{}, "List of port mappings to forward (SSH like e.g. localhost:8080:100.96.0.2:8080)")
portFwCmd.Flags().StringArrayP("remote-ports", "R", []string{}, "List of port mappings to forward (SSH like e.g. 100.96.0.3:8080:localhost:8080)")
portFwCmd.Flags().IntP("connect-port", "P", 443, "Used port for MASQUE connection")
portFwCmd.Flags().StringArrayP("dns", "d", []string{"9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"}, "DNS servers to use inside the MASQUE tunnel")
portFwCmd.Flags().BoolP("ipv6", "6", false, "Use IPv6 for MASQUE connection")
portFwCmd.Flags().BoolP("no-tunnel-ipv4", "F", false, "Disable IPv4 inside the MASQUE tunnel")
portFwCmd.Flags().BoolP("no-tunnel-ipv6", "S", false, "Disable IPv6 inside the MASQUE tunnel")
portFwCmd.Flags().StringP("sni-address", "s", internal.ConnectSNI, "SNI address to use for MASQUE connection")
portFwCmd.Flags().DurationP("keepalive-period", "k", 30*time.Second, "Keepalive period for MASQUE connection")
portFwCmd.Flags().IntP("mtu", "m", 1280, "MTU for MASQUE connection")
portFwCmd.Flags().Uint16P("initial-packet-size", "i", 1242, "Initial packet size for MASQUE connection")
rootCmd.AddCommand(portFwCmd)
}