go-gost/x
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add auth for tun

Browse Source
This commit is contained in:
ginuerzh
2022-10-20 21:08:26 +08:00
parent 15d0a33716
commit 669e80b780
5 changed files with 80 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
handler/tun/server.go
View File

@ -5,6 +5,7 @@ import (
"context"
"io"
"net"
"net/netip"
"github.com/go-gost/core/common/bufpool"
"github.com/go-gost/core/logger"
@ -25,6 +26,11 @@ func (h *tunHandler) handleServer(ctx context.Context, conn net.Conn, config *tu
}
func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *tun_util.Config, log logger.Logger) error {
tunIP, _, err := net.ParseCIDR(config.Net)
if err != nil {
return err
}
errc := make(chan error, 1)
go func() {
@ -48,7 +54,7 @@ func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *
src, dst = header.Src, header.Dst
log.Tracef("%s >> %s %-4s %d/%-4d %-4x %d",
header.Src, header.Dst, ipProtocol(waterutil.IPv4Protocol((*b)[:n])),
src, dst, ipProtocol(waterutil.IPv4Protocol((*b)[:n])),
header.Len, header.TotalLen, header.ID, header.Flags)
} else if waterutil.IsIPv6((*b)[:n]) {
header, err := ipv6.ParseHeader((*b)[:n])
@ -59,7 +65,7 @@ func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *
src, dst = header.Src, header.Dst
log.Tracef("%s >> %s %s %d %d",
header.Src, header.Dst,
src, dst,
ipProtocol(waterutil.IPProtocol(header.NextHeader)),
header.PayloadLen, header.TrafficClass)
} else {
@ -98,9 +104,42 @@ func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *
if err != nil {
return err
}
if n == keepAliveDataLength && bytes.Equal((*b)[:4], keepAliveHeader) {
peerIP := net.IP((*b)[4:keepAliveDataLength])
log.Debugf("keepalive from %v => %v", peerIP, addr)
if n == keepAliveDataLength && bytes.Equal((*b)[:4], magicHeader) {
peerIP := net.IP((*b)[4:20])
key := bytes.TrimRight((*b)[20:36], "\x00")
if peerIP.Equal(tunIP.To16()) {
return nil
}
if auther := h.options.Auther; auther != nil {
ip := peerIP
if v := peerIP.To4(); ip != nil {
ip = v
}
if !auther.Authenticate(ip.String(), string(key)) {
log.Debugf("keepalive from %v => %v, auth FAILED", addr, peerIP)
return nil
}
}
log.Debugf("keepalive from %v => %v", addr, peerIP)
addrPort, err := netip.ParseAddrPort(addr.String())
if err != nil {
log.Warnf("keepalive from %v: %v", addr, err)
return nil
}
var keepAliveData [keepAliveDataLength]byte
copy(keepAliveData[:4], magicHeader) // magic header
a16 := addrPort.Addr().As16()
copy(keepAliveData[4:], a16[:])
if _, err := conn.WriteTo(keepAliveData[:], addr); err != nil {
log.Warnf("keepalive to %v: %v", addr, err)
return nil
}
h.updateRoute(peerIP, addr, log)
return nil
}
@ -115,7 +154,7 @@ func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *
src, dst = header.Src, header.Dst
log.Tracef("%s >> %s %-4s %d/%-4d %-4x %d",
header.Src, header.Dst, ipProtocol(waterutil.IPv4Protocol((*b)[:n])),
src, dst, ipProtocol(waterutil.IPv4Protocol((*b)[:n])),
header.Len, header.TotalLen, header.ID, header.Flags)
} else if waterutil.IsIPv6((*b)[:n]) {
header, err := ipv6.ParseHeader((*b)[:n])
@ -126,7 +165,7 @@ func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *
src, dst = header.Src, header.Dst
log.Tracef("%s > %s %s %d %d",
header.Src, header.Dst,
src, dst,
ipProtocol(waterutil.IPProtocol(header.NextHeader)),
header.PayloadLen, header.TrafficClass)
} else {
@ -134,7 +173,7 @@ func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *
return nil
}
h.updateRoute(src, addr, log)
// h.updateRoute(src, addr, log)
if addr := h.findRouteFor(dst, config.Routes...); addr != nil {
log.Debugf("find route: %s -> %s", dst, addr)
@ -156,7 +195,7 @@ func (h *tunHandler) transportServer(tun net.Conn, conn net.PacketConn, config *
}
}()
err := <-errc
err = <-errc
if err != nil && err == io.EOF {
err = nil
}