diff --git a/debian/cargo-checksum.json b/debian/cargo-checksum.json
new file mode 100644
index 0000000..0236928
--- /dev/null
+++ b/debian/cargo-checksum.json
@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..72710bc
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,25 @@
+phantun (0.7.0) UNRELEASED; urgency=medium
+
+ [ Datong Sun ]
+ * fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+ * chore(deps): bump dependencies to latest
+ * chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+
+ [ dependabot[bot] ]
+ * chore(deps): bump docker/build-push-action from 5 to 6
+ * chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+ * docs(readme): latest release is now `v0.7.0`
+
+ [ Randy Li ]
+ * phantun: change default tun address to link local
+ * phantun: add client and server xor support
+ * rpm: add selinux and rpm spec
+ * deb: add debian files
+
+ -- Randy Li Wed, 11 Dec 2024 15:30:45 +0000
+
+phantun (0.6.1-1) UNRELEASED; urgency=medium
+
+ * Initial release. (Closes: #nnnn)
+
+ -- Randy Li Wed, 06 Nov 2024 18:58:00 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..6a46bb6
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,19 @@
+Source: phantun
+Section: net
+Priority: optional
+Maintainer: Randy Li
+Build-Depends: debhelper (>= 9), cargo, rustc
+Standards-Version: 4.5.0
+Homepage:
+
+Package: phantun-client
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun client
+ Phantun client binary.
+
+Package: phantun-server
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun server
+ Phantun server binary.
\ No newline at end of file
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..688a978
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: phantun
+Source: https://github.com/hizukiayaka/phantun
+
+Files: *
+Copyright: 2023, Randy Li
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
\ No newline at end of file
diff --git a/debian/phantun-client-wrapper b/debian/phantun-client-wrapper
new file mode 100644
index 0000000..8d3035e
--- /dev/null
+++ b/debian/phantun-client-wrapper
@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}
diff --git a/debian/phantun-client.install b/debian/phantun-client.install
new file mode 100644
index 0000000..86d30ff
--- /dev/null
+++ b/debian/phantun-client.install
@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-client
+usr/bin/phantun-client
diff --git a/debian/phantun-server-wrapper b/debian/phantun-server-wrapper
new file mode 100644
index 0000000..1377642
--- /dev/null
+++ b/debian/phantun-server-wrapper
@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}
diff --git a/debian/phantun-server.install b/debian/phantun-server.install
new file mode 100644
index 0000000..ec4f272
--- /dev/null
+++ b/debian/phantun-server.install
@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-server
+usr/bin/phantun-server
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..ff23b38
--- /dev/null
+++ b/debian/rules
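Review bot: In debian/phantun-client-wrapper the first argument is expanded unquoted into the redirect target `/var/run/phantun/${PID_FILE}`, so a value containing `/` or `..` writes the PID outside that directory, and a missing argument leaves the redirect pointing at the directory itself. debian/phantun-server-wrapper and the two copies embedded in rpm/phantun.spec carry the same lines. The wrapper presumably runs as root (the daemon needs net_admin), so the name should be checked to be a bare file name and quoted before use. `mkdir -p` also leaves the directory mode to the caller's umask; `install -d -m 0755` pins it. A version with those checks is below.

```shell
#!/bin/bash
set -u
PID_FILE=${1:?usage: phantun-client PID_FILE [ARGS...]}
shift
# Accept a bare file name only, so the PID cannot land outside /var/run/phantun.
case "$PID_FILE" in
    */* | . | ..) echo "phantun-client: invalid PID file name" >&2; exit 64 ;;
esac
install -d -m 0755 /var/run/phantun
/usr/libexec/phantun/phantun-client "$@" &
echo $! > "/var/run/phantun/${PID_FILE}"
```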
@@ -0,0 +1,35 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@ --buildsystem=cargo
+
+override_dh_auto_install:
+ # Define DESTDIR
+ DESTDIR=$(CURDIR)/debian/phantun
+
+ # Install client binary
+ install -D -m 0755 target/release/client debian/tmp/usr/libexec/phantun/phantun-client
+
+ # Install server binary
+ install -D -m 0755 target/release/server debian/tmp/usr/libexec/phantun/phantun-server
+
+ # Create wrapper scripts
+ install -D -m 0755 debian/phantun-client-wrapper debian/tmp/usr/bin/phantun-client
+
+ install -D -m 0755 debian/phantun-server-wrapper debian/tmp/usr/bin/phantun-server
+
+ chmod +x debian/tmp/usr/bin/phantun-client
+ chmod +x debian/tmp/usr/bin/phantun-server
+
+override_dh_auto_configure:
+ cp ./debian/cargo-checksum.json ./.cargo-checksum.json
+
+override_dh_auto_build:
+ cargo build --release
+
+override_dh_install:
+ dh_install
+
+override_dh_auto_test:
+ # Disable the auto test step
+ true
diff --git a/rpm/phantun.spec b/rpm/phantun.spec
new file mode 100644
index 0000000..428de0a
--- /dev/null
+++ b/rpm/phantun.spec
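Review bot: In debian/rules, `override_dh_auto_build` runs `cargo build --release` with neither `--locked` nor `--offline`, so the package build may resolve and download crates at build time instead of using a pinned, vendored set. The source-replacement settings added as debian/cargo-checksum.json are copied to `./.cargo-checksum.json`, which is not a path cargo reads configuration from (it looks in `.cargo/config.toml`), so the `vendored-sources` redirection most likely never takes effect. I would install that file as `.cargo/config.toml` and, once `vendor/` is shipped in the source package, build with `cargo build --release --locked --offline`. Separately, `--buildsystem=cargo` is provided by dh-cargo, which debian/control does not list in Build-Depends, and the `DESTDIR=$(CURDIR)/debian/phantun` recipe line has no effect because each recipe line runs in its own shell.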
@@ -0,0 +1,128 @@
+Name: phantun
+Version: 0.7.0
+Release: 2%{?dist}
+Summary: A lightweight and fast UDP to TCP obfuscator
+
+License: Apache-2.0
+URL: https://github.com/dndx/phantun/tree/main
+Source0: %{name}-%{version}.tar.gz
+
+BuildRequires: rust
+BuildRequires: cargo
+BuildRequires: selinux-policy-devel
+
+%description
+Your project with client and server components.
+
+%package client
+Summary: Client component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description client
+Phantun Client is like a machine with private IP address
+(192.168.200.2/fcc8::2) behind a router. In order for it to reach
+the Internet, you will need to SNAT the private IP address
+before it's traffic leaves the NIC.
+
+%package server
+Summary: Server component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description server
+Phantun Server is like a server with private IP address
+(192.168.201.2/fcc9::2) behind a router. In order to access it from
+the Internet, you need to DNAT it's listening port on the router
+and change the destination IP address to where the server
+is listening for incoming connections.
+
+%package selinux
+Summary: SELinux module for phantun
+%{?selinux_requires}
+%global modulename phantun
+%global selinuxtype targeted
+
+%description selinux
+This package provides the SELinux policy module to ensure phantun
+runs properly under an environment with SELinux enabled.
+
+%global debug_package %{nil}
+
+%prep
+%setup -q
+
+%build
+cargo build --release
+make -C selinux
+
+%install
+# Install binaries
+install -D -m 0755 target/release/client %{buildroot}/usr/libexec/phantun/phantun-client
+install -D -m 0755 target/release/server %{buildroot}/usr/libexec/phantun/phantun-server
+
+mkdir -p %{buildroot}/usr/bin
+# Create wrapper scripts
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-client
+
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-server
+
+# Make wrapper scripts executable
+chmod +x %{buildroot}/usr/bin/phantun-client
+chmod +x %{buildroot}/usr/bin/phantun-server
+
+# SELinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%files client
+/usr/libexec/phantun/phantun-client
+/usr/bin/phantun-client
+
+%files server
+/usr/libexec/phantun/phantun-server
+/usr/bin/phantun-server
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%changelog
+* Wed Dec 11 2024 Randy Li - 0.7.0-2
+- chore(deps): update tokio-tun requirement from 0.9 to 0.11
+- chore(deps): update nix requirement from 0.27 to 0.28
+- chore(deps): bump softprops/action-gh-release from 1 to 2
+- chore(docs): update license year to 2024
+- docs(readme): update `README.md` to include incoming interface (`-i tun0`) in client NAT commands example (#163)
+- Revert "docs(readme): update `README.md` to include incoming interface (`-i t…"
+- fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+- chore(deps): bump dependencies to latest
+- chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+- chore(deps): bump docker/build-push-action from 5 to 6
+- chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+- docs(readme): latest release is now `v0.7.0`
+
+* Sat Oct 14 2023 Randy Li - 0.6.1-1
+- Initial package
+
diff --git a/selinux/Makefile b/selinux/Makefile
new file mode 100644
index 0000000..ec0933b
--- /dev/null
+++ b/selinux/Makefile
@@ -0,0 +1,26 @@
+TARGET?=phantun
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+ @echo Compressing $^ -\> $@
+ bzip2 -9 $^
+
+%.pp: %.te
+ make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+ rm -f *~ *.tc *.pp *.pp.bz2
+ rm -rf tmp *.tar.gz
+
+man: install-policy
+ sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+ semodule -i ${TARGET}.pp.bz2
+
+install: man
+ install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+ install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
diff --git a/selinux/phantun.fc b/selinux/phantun.fc
new file mode 100644
index 0000000..3be4103
--- /dev/null
+++ b/selinux/phantun.fc
@@ -0,0 +1,5 @@
+/usr/libexec/phantun/phantun-client -- gen_context(system_u:object_r:phantun_client_exec_t,s0)
+/usr/libexec/phantun/phantun-server -- gen_context(system_u:object_r:phantun_server_exec_t,s0)
+/usr/bin/phantun-client -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/usr/bin/phantun-server -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/var/run/phantun(/.*)? gen_context(system_u:object_r:phantun_var_run_t,s0)
\ No newline at end of file
diff --git a/selinux/phantun.te b/selinux/phantun.te
new file mode 100644
index 0000000..d889e8c
--- /dev/null
+++ b/selinux/phantun.te
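Review bot: In rpm/phantun.spec the client and server subpackages use `%{selinuxtype}` in `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})`, but `%global selinuxtype targeted` is only defined further down, inside the selinux subpackage. RPM expands macros in file order, so at those two lines the macro is probably still undefined and the condition names a package that does not exist, which would mean the policy subpackage is never pulled in on SELinux hosts. Moving `%global modulename phantun` and `%global selinuxtype targeted` above the first `%package` avoids that. The main `%description` is still the template text `Your project with client and server components.`, and `License: Apache-2.0` disagrees with the MIT text in debian/copyright.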
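Review bot: In selinux/Makefile the `install` target depends on `man`, which depends on `install-policy`, so `make install` runs `semodule -i ${TARGET}.pp.bz2` and loads the module into the policy of the machine doing the build before anything is staged under `${DESTDIR}`. A staged install should not change the host; if the man page can only be generated from a loaded policy, that step belongs in a separate target that `install` does not pull in. `sepolicy manpage --domain ${TARGET}_t` also asks for a `phantun_t` domain that selinux/phantun.te does not declare, so the man page step looks unlikely to produce `${TARGET}_selinux.8` as written. The recursive call in the `%.pp` rule is better written with `$(MAKE)` than a literal `make`.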
@@ -0,0 +1,60 @@
+policy_module(phantun, 1.0)
+
+gen_require(`
+ type wireguard_t;
+ type wireguard_exec_t;
+ class capability net_admin;
+ class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+ class tcp_socket { name_bind listen accept connect };
+ class udp_socket { name_bind };
+ class file { getattr open read write create unlink execute };
+ class process { transition };
+')
+
+
+# Define custom types
+type phantun_server_exec_t;
+type phantun_client_exec_t;
+type phantun_server_port_t;
+type phantun_client_port_t;
+type phantun_var_run_t;
+
+# Allow the wrapper scripts to execute the phantun client and server binaries
+allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute };
+allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the wrapper scripts to write to the PID file
+allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink };
+allow wireguard_t self:process transition;
+
+####################################
+# Server
+#
+
+# Allow wireguard_t to execute the server binary
+allow wireguard_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the server to create and manage tun devices
+allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the server to bind to the custom TCP port and listen for incoming connections
+allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept };
+
+# Allow the server to use net_admin capability
+allow phantun_server_exec_t self:capability net_admin;
+
+####################################
+# Client
+#
+
+# Allow wireguard_t to execute the client binary
+allow wireguard_t phantun_client_exec_t:file { getattr open read execute };
+
+# Allow the client to create and manage tun devices
+allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the client to bind to the custom UDP port
+#allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind };
+
+# Allow the client to use net_admin capability
+allow phantun_client_exec_t self:capability net_admin;
\ No newline at end of file
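Review bot: In selinux/phantun.te every rule meant for the daemons or the wrappers uses an executable file type as its source, for example `allow phantun_server_exec_t self:tun_socket ...` and `allow wireguard_exec_t phantun_var_run_t:file ...`. Those types label files on disk and no process runs with them, so the rules grant nothing; and since no phantun process domain or transition is declared, the binaries would keep running in the caller's domain (`wireguard_t`, judging by the `allow wireguard_t ... execute` rules). I would declare `phantun_server_t` and `phantun_client_t`, transition into them from `wireguard_t`, and attach the tun_socket, capability and PID-file rules to those domains, as sketched below for the server. `listen` and `accept` are checked against the socket's own type, so only `name_bind` belongs on `phantun_server_port_t`. The labelling of the wrappers as `wireguard_exec_t` in selinux/phantun.fc deserves a comment explaining why another module's entry-point type is reused.

```selinux
# Process domain for the server; phantun_server_exec_t stays a file label only.
type phantun_server_t;
application_domain(phantun_server_t, phantun_server_exec_t)
domtrans_pattern(wireguard_t, phantun_server_exec_t, phantun_server_t)

allow phantun_server_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
allow phantun_server_t self:tcp_socket { listen accept };
allow phantun_server_t phantun_server_port_t:tcp_socket name_bind;
allow phantun_server_t self:capability net_admin;
# … unchanged: policy_module, gen_require, type declarations; client rules follow the same pattern with phantun_client_t …
```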