github/dndx-phantun
1
0
Fork 0
mirror of https://github.com/dndx/phantun.git synced 2025-09-16 04:04:29 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: github:v0.3.2
Branches Tags
github:main github:dependabot/cargo/log-0.4.28 github:dependabot/cargo/clap-4.5.47
github:v0.8.1 github:v0.8.0 github:v0.7.0 github:v0.6.0 github:v0.5.0 github:v0.4.2 github:v0.4.1 github:v0.4.0 github:v0.3.2 github:v0.3.1 github:v0.3.0 github:v0.2.5 github:v0.2.4 github:v0.2.3 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.1 github:v0.1.0
..
compare: github:v0.5.0
Branches Tags
github:dependabot/cargo/log-0.4.28 github:dependabot/cargo/clap-4.5.47 github:main
github:v0.8.1 github:v0.8.0 github:v0.7.0 github:v0.6.0 github:v0.5.0 github:v0.4.2 github:v0.4.1 github:v0.4.0 github:v0.3.2 github:v0.3.1 github:v0.3.0 github:v0.2.5 github:v0.2.4 github:v0.2.3 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.1 github:v0.1.0

17 Commits
v0.3.2 ... v0.5.0

Author SHA1 Message Date
Datong Sun
9ff691d063 chore(release) temporary disable the MIPS musl target until new versions 
of `libc` is released with `libc::sock_txtime`
 2022-05-13 08:38:11 -07:00
Datong Sun
b5e79653f0 chore(phantun) bump to v0.5.0 2022-05-13 08:34:31 -07:00
Datong Sun
f496a7919b feat(phantun) new option --handshake-packet that allows additional 
packet to be sent to the other end after TCP connection establishment
 2022-05-13 23:14:05 +08:00
dependabot[bot]
bf6b9bc2ff chore(deps): update pnet requirement from 0.29 to 0.30 
Updates the requirements on [pnet](https://github.com/libpnet/libpnet) to permit the latest version.
- [Release notes](https://github.com/libpnet/libpnet/releases)
- [Commits](https://github.com/libpnet/libpnet/compare/v0.29.0...v0.29.0)

---
updated-dependencies:
- dependency-name: pnet
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-13 23:06:03 +08:00
dependabot[bot]
47b9037968 chore(deps): update nix requirement from 0.23 to 0.24 
Updates the requirements on [nix](https://github.com/nix-rust/nix) to permit the latest version.
- [Release notes](https://github.com/nix-rust/nix/releases)
- [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nix-rust/nix/commits)

---
updated-dependencies:
- dependency-name: nix
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-21 20:07:52 +08:00
Datong Sun
c2341b6662 docs(README) bump the release to v0.4.2 and fixed default site-local address in doc 2022-04-16 09:58:07 -07:00
Datong Sun
a3eff42453 chore(phantun) release v0.4.2 2022-04-16 09:55:40 -07:00
Datong Sun
87a42a1e23 fix(phantun) do not use the deprecated fec0::/10 block for default ULA 
address
 2022-04-17 00:55:16 +08:00
Datong Sun
851750b13d docs(README) bump release version to v0.4.1 and add end-to-end IPv6 documentation 2022-04-16 19:45:31 +08:00
Datong Sun
b89b683bb2 chore(phantun) bump to v0.4.1 2022-04-16 03:54:47 -07:00
Datong Sun
838cfa6738 style(phantun) slight fix on client usage 2022-04-16 03:53:27 -07:00
Datong Sun
827530f62c chore(phantun) release v0.4.0 and bump fake-tcp dependency to v0.4 2022-04-16 03:48:07 -07:00
Datong Sun
245cb9c7f4 chore(fake-tcp) release v0.4.0 2022-04-16 03:47:02 -07:00
Datong Sun
85555f2a34 feat(*) IPv6 support 2022-04-16 18:43:55 +08:00
Datong Sun
74183071f1 style(phantun) remove unnecessary tokio::select call 2022-04-15 23:01:44 +08:00
Datong Sun
2f4eaafccd docs(README) fixed a typo 2022-04-10 23:40:44 +08:00
Datong Sun
1e3b632413 docs(README) add benchmarking results based on v0.3.2 2022-04-10 21:21:09 +08:00
10 changed files with 575 additions and 275 deletions
Expand all files Collapse all files

4
.github/workflows/release.yml vendored
View File

@@ -26,9 +26,9 @@ jobs:
- aarch64-unknown-linux-gnu
- aarch64-unknown-linux-musl
- mips-unknown-linux-gnu
- mips-unknown-linux-musl
#- mips-unknown-linux-musl # currently does not build due to libc::sock_txtime not found, need a newer release of libc
- mipsel-unknown-linux-gnu
- mipsel-unknown-linux-musl
#- mipsel-unknown-linux-musl
steps:
- uses: actions/checkout@v3

90
README.md
View File

@@ -35,7 +35,7 @@ Table of Contents
# Latest release
[v0.3.1](https://github.com/dndx/phantun/releases/tag/v0.3.1)
[v0.4.2](https://github.com/dndx/phantun/releases/tag/v0.4.2)
# Overview
@@ -59,6 +59,7 @@ Phantun is written in 100% safe Rust. It has been optimized extensively to scale
systems and has no issue saturating all available CPU resources on a fast connection.
See the [Performance](#performance) section for benchmarking results.
![Phantun benchmark results](images/phantun-vs-udp2raw-benchmark-result.png)
![Traffic flow diagram](images/traffic-flow.png)
# Usage
@@ -71,30 +72,32 @@ It is also assumed that **Phantun Client** listens for incoming UDP packets at
`127.0.0.1:1234` (the `--local` option for client) and connects to Phantun Server at `10.0.0.1:4567`
(the `--remote` option for client).
Phantun creates TUN interface for both the Client and Server. For Client, Phantun assigns itself the IP address
`192.168.200.2` by default and for Server, it assigns `192.168.201.2` by default. Therefore, your Kernel must have
`net.ipv4.ip_forward` enabled and setup appropriate iptables rules for NAT between your physical
NIC address and Phantun's TUN interface address.
Phantun creates TUN interface for both the Client and Server. For **Client**, Phantun assigns itself the IP address
`192.168.200.2` and `fcc8::2` by default.
For **Server**, it assigns `192.168.201.2` and `fcc9::2` by default. Therefore, your Kernel must have
IPv4/IPv6 forwarding enabled and setup appropriate iptables/nftables rules for NAT between your physical
NIC address and Phantun's Tun interface address.
You may customize the name of Tun interface created by Phantun and the assigned addresses. Please
run the executable with `-h` options to see how to change them.
Another way to help understand this network topology (please see the diagram above for an illustration of this topology):
Phantun Client is like a machine with private IP address (`192.168.200.2`) behind a router.
Phantun Client is like a machine with private IP address (`192.168.200.2`/`fcc8::2`) behind a router.
In order for it to reach the Internet, you will need to SNAT the private IP address before it's traffic
leaves the NIC.
Phantun Server is like a server with private IP address (`192.168.201.2`) behind a router.
Phantun Server is like a server with private IP address (`192.168.201.2`/`fcc9::2`) behind a router.
In order to access it from the Internet, you need to `DNAT` it's listening port on the router
and change the destination IP address to where the server is listening for incoming connections.
In those cases, the machine/iptables running Phantun acts as the "router" that allows Phantun
to communicate with outside using it's private IP addresses.
As of Phantun v0.2.2, IPv6 support for UDP endpoints has been added, however Fake TCP IPv6 support
has not been finished yet. To specify an IPv6 address, use the following format: `[::1]:1234` with
the command line options.
As of Phantun v0.4.1, IPv6 is fully supported for both TCP and UDP sides.
To specify an IPv6 address, use the following format: `[::1]:1234` with
the command line options. Resolving AAAA record is also supported. Please run the program
with `-h` to see detailed options on how to control the IPv6 behavior.
[Back to TOC](#table-of-contents)
@@ -102,6 +105,12 @@ the command line options.
Edit `/etc/sysctl.conf`, add `net.ipv4.ip_forward=1` and run `sudo sysctl -p /etc/sysctl.conf`.
<details>
<summary>IPv6 specific config</summary>
`net.ipv6.conf.all.forwarding=1` will need to be set as well.
</details>
[Back to TOC](#table-of-contents)
## 2. Add required firewall rules
@@ -127,12 +136,16 @@ table inet nat {
}
```
Note: The above rule uses `inet` as the table family type, so it is compatible with
both IPv4 and IPv6 usage.
[Back to TOC](#table-of-contents)
#### Using iptables
```
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
[Back to TOC](#table-of-contents)
@@ -149,10 +162,11 @@ actual TCP port number used by Phantun server
#### Using nftables
```
table ip nat {
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
iif eth0 tcp dport 4567 dnat to 192.168.201.2
iif eth0 tcp dport 4567 dnat ip to 192.168.201.2
iif eth0 tcp dport 4567 dnat ip6 to fcc9::2
}
}
```
@@ -163,6 +177,7 @@ table ip nat {
```
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2
ip6tables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination fcc9::2
```
[Back to TOC](#table-of-contents)
@@ -201,6 +216,10 @@ Or use host name with `--remote`:
RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote example.com:1234
```
Note: Server by default assigns both IPv4 and IPv6 private address to the Tun interface.
If you do not wish to use IPv6, you can simply skip creating the IPv6 DNAT rule above and
the presence of IPv6 address on the Tun interface should have no side effect to the server.
[Back to TOC](#table-of-contents)
### Client
@@ -218,12 +237,22 @@ Or use host name with `--remote`:
RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote example.com:4567
```
<details>
<summary>IPv6 specific config</summary>
```
RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote [fdxx::1234]:4567
```
Domain name with AAAA record is also supported.
</details>
[Back to TOC](#table-of-contents)
# MTU overhead
Phantun aims to keep tunneling overhead to the minimum. The overhead compared to a plain UDP packet
is the following:
is the following (using IPv4 below as an example):
**Standard UDP packet:** `20 byte IP header + 8 byte UDP header = 28 bytes`
@@ -247,18 +276,23 @@ For people who use Phantun to tunnel [WireGuard®](https://www.wireguard.com) UD
out the correct MTU to use for your WireGuard interface.
```
WireGuard MTU = Interface MTU - IP header (20 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes)
WireGuard MTU = Interface MTU - IPv4 header (20 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes)
```
or
```
WireGuard MTU = Interface MTU - IPv6 header (40 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes)
```
For example, for a Ethernet interface with 1500 bytes MTU, the WireGuard interface MTU should be set as:
```
1500 - 20 - 20 - 32 = 1428 bytes
```
IPv4: `1500 - 20 - 20 - 32 = 1428 bytes`
IPv6: `1500 - 40 - 20 - 32 = 1408 bytes`
The resulted Phantun TCP data packet will be 1500 bytes which does not exceed the
interface MTU of 1500. Please note it is strongly recommended to use the same interface
MTU for both ends of a WireGuard tunnel, or unexected packet loss may occur and these issues are
MTU for both ends of a WireGuard tunnel, or unexpected packet loss may occur and these issues are
generally very hard to troubleshoot.
[Back to TOC](#table-of-contents)
@@ -282,19 +316,23 @@ For users who wish to use `fake-tcp` library inside their own project, refer to
Performance was tested on 2 AWS `t4g.xlarge` instances with 4 vCPUs and 5 Gb/s NIC over LAN. `nftables` was used to redirect
UDP stream of `iperf3` to go through the Phantun/udp2raw tunnel between two test instances and MTU has been tuned to avoid fragmentation.
Phantun `v0.3.2` and `udp2raw_arm_asm_aes` `20200818.0` was used. These were the latest release of both projects as of Apr 2022.
Test command: `iperf3 -c <IP> -p <PORT> -R -u -l 1400 -b 1000m -t 30 -P 5`
| Mode | Speed | Overall CPU Usage |
|---------------------------------------------------------------|----------------|--------------------------|
| Direct connection | 3.35 Gbits/sec | 25% (1 core at 100%) |
| Phantun | 2.03 Gbits/sec | 95% (all cores utilized) |
| udp2raw (cipher-mode=none auth-mode=none disable-anti-replay) | 876 Mbits/sec | 50% (2 cores at 100%) |
| Mode | Send Speed | Receive Speed | Overall CPU Usage |
|---------------------------------------------------------------------------------|----------------|----------------|-----------------------------------------------------|
| Direct (1 stream) | 3.00 Gbits/sec | 2.37 Gbits/sec | 25% (1 core at 100%) |
| Phantun (1 stream) | 1.30 Gbits/sec | 1.20 Gbits/sec | 60% (1 core at 100%, 3 cores at 50%) |
| udp2raw (`cipher-mode=none` `auth-mode=none` `disable-anti-replay`) (1 stream) | 1.30 Gbits/sec | 715 Mbits/sec | 40% (1 core at 100%, 1 core at 50%, 2 cores idling) |
| Direct connection (5 streams) | 5.00 Gbits/sec | 3.64 Gbits/sec | 25% (1 core at 100%) |
| Phantun (5 streams) | 5.00 Gbits/sec | 2.38 Gbits/sec | 95% (all cores utilized) |
| udp2raw (`cipher-mode=none` `auth-mode=none` `disable-anti-replay`) (5 streams) | 5.00 Gbits/sec | 770 Mbits/sec | 50% (2 cores at 100%) |
[Back to TOC](#table-of-contents)
# Future plans
* IPv6 support for fake-tcp
* Load balancing a single UDP stream into multiple TCP streams
* Integration tests
* Auto insertion/removal of required firewall rules
@@ -318,11 +356,11 @@ Here is a quick overview of comparison between those two to help you choose:
| UDP over UDP obfuscation | ❌ | ✅ |
| Multi-threaded | ✅ | ❌ |
| Throughput | Better | Good |
| L4 IP mode | TUN interface | Raw sockets + BPF |
| Layer 3 mode | TUN interface | Raw sockets + BPF |
| Tunneling MTU overhead | 12 bytes | 44 bytes |
| Seprate TCP connections for each UDP connection | Client/Server | Server only |
| Anti-replay, encryption | ❌ | ✅ |
| IPv6 | UDP only | ✅ |
| IPv6 | | ✅ |
[Back to TOC](#table-of-contents)

4
fake-tcp/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "fake-tcp"
version = "0.3.1"
version = "0.4.0"
edition = "2021"
authors = ["Datong Sun <dndx@idndx.com>"]
license = "MIT OR Apache-2.0"
@@ -16,7 +16,7 @@ benchmark = []
[dependencies]
bytes = "1"
pnet = "0.29"
pnet = "0.30"
tokio = { version = "1.14", features = ["full"] }
rand = { version = "0.8", features = ["small_rng"] }
log = "0.4"

194
fake-tcp/src/lib.rs
View File

@@ -49,7 +49,7 @@ use pnet::packet::{tcp, Packet};
use rand::prelude::*;
use std::collections::{HashMap, HashSet};
use std::fmt;
use std::net::{Ipv4Addr, SocketAddrV4};
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
use std::sync::atomic::{AtomicU32, Ordering};
use std::sync::{Arc, RwLock};
use tokio::sync::broadcast;
@@ -65,12 +65,12 @@ const MAX_UNACKED_LEN: u32 = 128 * 1024 * 1024; // 128MB
#[derive(Hash, Eq, PartialEq, Clone, Debug)]
struct AddrTuple {
local_addr: SocketAddrV4,
remote_addr: SocketAddrV4,
local_addr: SocketAddr,
remote_addr: SocketAddr,
}
impl AddrTuple {
fn new(local_addr: SocketAddrV4, remote_addr: SocketAddrV4) -> AddrTuple {
fn new(local_addr: SocketAddr, remote_addr: SocketAddr) -> AddrTuple {
AddrTuple {
local_addr,
remote_addr,
@@ -89,6 +89,7 @@ struct Shared {
pub struct Stack {
shared: Arc<Shared>,
local_ip: Ipv4Addr,
local_ip6: Option<Ipv6Addr>,
ready: mpsc::Receiver<Socket>,
}
@@ -103,8 +104,8 @@ pub struct Socket {
shared: Arc<Shared>,
tun: Arc<Tun>,
incoming: flume::Receiver<Bytes>,
local_addr: SocketAddrV4,
remote_addr: SocketAddrV4,
local_addr: SocketAddr,
remote_addr: SocketAddr,
seq: AtomicU32,
ack: AtomicU32,
last_ack: AtomicU32,
@@ -122,8 +123,8 @@ impl Socket {
fn new(
shared: Arc<Shared>,
tun: Arc<Tun>,
local_addr: SocketAddrV4,
remote_addr: SocketAddrV4,
local_addr: SocketAddr,
remote_addr: SocketAddr,
ack: Option<u32>,
state: State,
) -> (Socket, flume::Sender<Bytes>) {
@@ -188,7 +189,7 @@ impl Socket {
match self.state {
State::Established => {
self.incoming.recv_async().await.ok().and_then(|raw_buf| {
let (_v4_packet, tcp_packet) = parse_ipv4_packet(&raw_buf);
let (_v4_packet, tcp_packet) = parse_ip_packet(&raw_buf).unwrap();
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
info!("Connection {} reset by peer", self);
@@ -233,7 +234,7 @@ impl Socket {
let res = time::timeout(TIMEOUT, self.incoming.recv_async()).await;
if let Ok(buf) = res {
let buf = buf.unwrap();
let (_v4_packet, tcp_packet) = parse_ipv4_packet(&buf);
let (_v4_packet, tcp_packet) = parse_ip_packet(&buf).unwrap();
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
return;
@@ -277,7 +278,7 @@ impl Socket {
match time::timeout(TIMEOUT, self.incoming.recv_async()).await {
Ok(buf) => {
let buf = buf.unwrap();
let (_v4_packet, tcp_packet) = parse_ipv4_packet(&buf);
let (_v4_packet, tcp_packet) = parse_ip_packet(&buf).unwrap();
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
return None;
@@ -358,7 +359,7 @@ impl Stack {
/// When more than one [`Tun`](tokio_tun::Tun) object is passed in, same amount
/// of reader will be spawned later. This allows user to utilize the performance
/// benefit of Multiqueue Tun support on machines with SMP.
pub fn new(tun: Vec<Tun>) -> Stack {
pub fn new(tun: Vec<Tun>, local_ip: Ipv4Addr, local_ip6: Option<Ipv6Addr>) -> Stack {
let tun: Vec<Arc<Tun>> = tun.into_iter().map(Arc::new).collect();
let (ready_tx, ready_rx) = mpsc::channel(MPSC_BUFFER_LEN);
let (tuples_purge_tx, _tuples_purge_rx) = broadcast::channel(16);
@@ -369,7 +370,6 @@ impl Stack {
ready: ready_tx,
tuples_purge: tuples_purge_tx.clone(),
});
let local_ip = tun[0].destination().unwrap();
for t in tun {
tokio::spawn(Stack::reader_task(
@@ -382,6 +382,7 @@ impl Stack {
Stack {
shared,
local_ip,
local_ip6,
ready: ready_rx,
}
}
@@ -398,10 +399,17 @@ impl Stack {
/// Connects to the remote end. `None` returned means
/// the connection attempt failed.
pub async fn connect(&mut self, addr: SocketAddrV4) -> Option<Socket> {
pub async fn connect(&mut self, addr: SocketAddr) -> Option<Socket> {
let mut rng = SmallRng::from_entropy();
let local_port: u16 = rng.gen_range(1024..65535);
let local_addr = SocketAddrV4::new(self.local_ip, local_port);
let local_addr = SocketAddr::new(
if addr.is_ipv4() {
IpAddr::V4(self.local_ip)
} else {
IpAddr::V6(self.local_ip6.expect("IPv6 local address undefined"))
},
local_port,
);
let tuple = AddrTuple::new(local_addr, addr);
let (mut sock, incoming) = Socket::new(
self.shared.clone(),
@@ -437,90 +445,90 @@ impl Stack {
buf.truncate(size);
let buf = buf.freeze();
if buf[0] >> 4 != 4 {
// not an IPv4 packet
continue;
}
match parse_ip_packet(&buf) {
Some((ip_packet, tcp_packet)) => {
let local_addr =
SocketAddr::new(ip_packet.get_destination(), tcp_packet.get_destination());
let remote_addr = SocketAddr::new(ip_packet.get_source(), tcp_packet.get_source());
let (ip_packet, tcp_packet) = parse_ipv4_packet(&buf);
let local_addr =
SocketAddrV4::new(ip_packet.get_destination(), tcp_packet.get_destination());
let remote_addr = SocketAddrV4::new(ip_packet.get_source(), tcp_packet.get_source());
let tuple = AddrTuple::new(local_addr, remote_addr);
if let Some(c) = tuples.get(&tuple) {
if c.send_async(buf).await.is_err() {
trace!("Cache hit, but receiver already closed, dropping packet");
}
let tuple = AddrTuple::new(local_addr, remote_addr);
if let Some(c) = tuples.get(&tuple) {
if c.send_async(buf).await.is_err() {
trace!("Cache hit, but receiver already closed, dropping packet");
continue;
// If not Ok, receiver has been closed and just fall through to the slow
// path below
} else {
trace!("Cache miss, checking the shared tuples table for connection");
let sender = {
let tuples = shared.tuples.read().unwrap();
tuples.get(&tuple).cloned()
};
if let Some(c) = sender {
trace!("Storing connection information into local tuples");
tuples.insert(tuple, c.clone());
c.send_async(buf).await.unwrap();
continue;
}
}
if tcp_packet.get_flags() == tcp::TcpFlags::SYN
&& shared
.listening
.read()
.unwrap()
.contains(&tcp_packet.get_destination())
{
// SYN seen on listening socket
if tcp_packet.get_sequence() == 0 {
let (sock, incoming) = Socket::new(
shared.clone(),
tun.clone(),
local_addr,
remote_addr,
Some(tcp_packet.get_sequence() + 1),
State::Idle,
);
assert!(shared
.tuples
.write()
.unwrap()
.insert(tuple, incoming)
.is_none());
tokio::spawn(sock.accept());
} else {
trace!("Bad TCP SYN packet from {}, sending RST", remote_addr);
let buf = build_tcp_packet(
local_addr,
remote_addr,
0,
tcp_packet.get_sequence() + tcp_packet.payload().len() as u32 + 1, // +1 because of SYN flag set
tcp::TcpFlags::RST | tcp::TcpFlags::ACK,
None,
);
shared.tun[0].try_send(&buf).unwrap();
}
} else if (tcp_packet.get_flags() & tcp::TcpFlags::RST) == 0 {
info!("Unknown TCP packet from {}, sending RST", remote_addr);
let buf = build_tcp_packet(
local_addr,
remote_addr,
tcp_packet.get_acknowledgement(),
tcp_packet.get_sequence() + tcp_packet.payload().len() as u32,
tcp::TcpFlags::RST | tcp::TcpFlags::ACK,
None,
);
shared.tun[0].try_send(&buf).unwrap();
}
}
continue;
// If not Ok, receiver has been closed and just fall through to the slow
// path below
} else {
trace!("Cache miss, checking the shared tuples table for connection");
let sender = {
let tuples = shared.tuples.read().unwrap();
tuples.get(&tuple).cloned()
};
if let Some(c) = sender {
trace!("Storing connection information into local tuples");
tuples.insert(tuple, c.clone());
c.send_async(buf).await.unwrap();
None => {
continue;
}
}
if tcp_packet.get_flags() == tcp::TcpFlags::SYN
&& shared
.listening
.read()
.unwrap()
.contains(&tcp_packet.get_destination())
{
// SYN seen on listening socket
if tcp_packet.get_sequence() == 0 {
let (sock, incoming) = Socket::new(
shared.clone(),
tun.clone(),
local_addr,
remote_addr,
Some(tcp_packet.get_sequence() + 1),
State::Idle,
);
assert!(shared
.tuples
.write()
.unwrap()
.insert(tuple, incoming)
.is_none());
tokio::spawn(sock.accept());
} else {
trace!("Bad TCP SYN packet from {}, sending RST", remote_addr);
let buf = build_tcp_packet(
local_addr,
remote_addr,
0,
tcp_packet.get_sequence() + tcp_packet.payload().len() as u32 + 1, // +1 because of SYN flag set
tcp::TcpFlags::RST | tcp::TcpFlags::ACK,
None,
);
shared.tun[0].try_send(&buf).unwrap();
}
} else if (tcp_packet.get_flags() & tcp::TcpFlags::RST) == 0 {
info!("Unknown TCP packet from {}, sending RST", remote_addr);
let buf = build_tcp_packet(
local_addr,
remote_addr,
tcp_packet.get_acknowledgement(),
tcp_packet.get_sequence() + tcp_packet.payload().len() as u32,
tcp::TcpFlags::RST | tcp::TcpFlags::ACK,
None,
);
shared.tun[0].try_send(&buf).unwrap();
}
},
tuple = tuples_purge.recv() => {
let tuple = tuple.unwrap();

129
fake-tcp/src/packet.rs
View File

@@ -1,45 +1,85 @@
use bytes::{Bytes, BytesMut};
use internet_checksum::Checksum;
use pnet::packet::Packet;
use pnet::packet::{ip, ipv4, tcp};
use pnet::packet::{ip, ipv4, ipv6, tcp};
use std::convert::TryInto;
use std::net::SocketAddrV4;
use std::net::{IpAddr, SocketAddr};
const IPV4_HEADER_LEN: usize = 20;
const IPV6_HEADER_LEN: usize = 40;
const TCP_HEADER_LEN: usize = 20;
pub const MAX_PACKET_LEN: usize = 1500;
pub enum IPPacket<'p> {
V4(ipv4::Ipv4Packet<'p>),
V6(ipv6::Ipv6Packet<'p>),
}
impl<'a> IPPacket<'a> {
pub fn get_source(&self) -> IpAddr {
match self {
IPPacket::V4(p) => IpAddr::V4(p.get_source()),
IPPacket::V6(p) => IpAddr::V6(p.get_source()),
}
}
pub fn get_destination(&self) -> IpAddr {
match self {
IPPacket::V4(p) => IpAddr::V4(p.get_destination()),
IPPacket::V6(p) => IpAddr::V6(p.get_destination()),
}
}
}
pub fn build_tcp_packet(
local_addr: SocketAddrV4,
remote_addr: SocketAddrV4,
local_addr: SocketAddr,
remote_addr: SocketAddr,
seq: u32,
ack: u32,
flags: u16,
payload: Option<&[u8]>,
) -> Bytes {
let ip_header_len = match local_addr {
SocketAddr::V4(_) => IPV4_HEADER_LEN,
SocketAddr::V6(_) => IPV6_HEADER_LEN,
};
let wscale = (flags & tcp::TcpFlags::SYN) != 0;
let tcp_header_len = TCP_HEADER_LEN + if wscale { 4 } else { 0 }; // nop + wscale
let tcp_total_len = tcp_header_len + payload.map_or(0, |payload| payload.len());
let total_len = IPV4_HEADER_LEN + tcp_total_len;
let total_len = ip_header_len + tcp_total_len;
let mut buf = BytesMut::with_capacity(total_len);
buf.resize(total_len, 0);
let mut v4_buf = buf.split_to(IPV4_HEADER_LEN);
let mut ip_buf = buf.split_to(ip_header_len);
let mut tcp_buf = buf.split_to(tcp_total_len);
assert_eq!(0, buf.len());
let mut v4 = ipv4::MutableIpv4Packet::new(&mut v4_buf).unwrap();
v4.set_version(4);
v4.set_header_length(IPV4_HEADER_LEN as u8 / 4);
v4.set_next_level_protocol(ip::IpNextHeaderProtocols::Tcp);
v4.set_ttl(64);
v4.set_source(*local_addr.ip());
v4.set_destination(*remote_addr.ip());
v4.set_total_length(total_len.try_into().unwrap());
v4.set_flags(ipv4::Ipv4Flags::DontFragment);
let mut cksm = Checksum::new();
cksm.add_bytes(v4.packet());
v4.set_checksum(u16::from_be_bytes(cksm.checksum()));
match (local_addr, remote_addr) {
(SocketAddr::V4(local), SocketAddr::V4(remote)) => {
let mut v4 = ipv4::MutableIpv4Packet::new(&mut ip_buf).unwrap();
v4.set_version(4);
v4.set_header_length(IPV4_HEADER_LEN as u8 / 4);
v4.set_next_level_protocol(ip::IpNextHeaderProtocols::Tcp);
v4.set_ttl(64);
v4.set_source(*local.ip());
v4.set_destination(*remote.ip());
v4.set_total_length(total_len.try_into().unwrap());
v4.set_flags(ipv4::Ipv4Flags::DontFragment);
let mut cksm = Checksum::new();
cksm.add_bytes(v4.packet());
v4.set_checksum(u16::from_be_bytes(cksm.checksum()));
}
(SocketAddr::V6(local), SocketAddr::V6(remote)) => {
let mut v6 = ipv6::MutableIpv6Packet::new(&mut ip_buf).unwrap();
v6.set_version(6);
v6.set_payload_length(tcp_total_len.try_into().unwrap());
v6.set_next_header(ip::IpNextHeaderProtocols::Tcp);
v6.set_hop_limit(64);
v6.set_source(*local.ip());
v6.set_destination(*remote.ip());
}
_ => unreachable!(),
};
let mut tcp = tcp::MutableTcpPacket::new(&mut tcp_buf).unwrap();
tcp.set_window(0xffff);
@@ -59,24 +99,55 @@ pub fn build_tcp_packet(
}
let mut cksm = Checksum::new();
cksm.add_bytes(&local_addr.ip().octets());
cksm.add_bytes(&remote_addr.ip().octets());
let ip::IpNextHeaderProtocol(tcp_protocol) = ip::IpNextHeaderProtocols::Tcp;
let mut pseudo = [0u8, tcp_protocol, 0, 0];
pseudo[2..].copy_from_slice(&(tcp_total_len as u16).to_be_bytes());
cksm.add_bytes(&pseudo);
match (local_addr, remote_addr) {
(SocketAddr::V4(local), SocketAddr::V4(remote)) => {
cksm.add_bytes(&local.ip().octets());
cksm.add_bytes(&remote.ip().octets());
let mut pseudo = [0u8, tcp_protocol, 0, 0];
pseudo[2..].copy_from_slice(&(tcp_total_len as u16).to_be_bytes());
cksm.add_bytes(&pseudo);
}
(SocketAddr::V6(local), SocketAddr::V6(remote)) => {
cksm.add_bytes(&local.ip().octets());
cksm.add_bytes(&remote.ip().octets());
let mut pseudo = [0u8, 0, 0, 0, 0, 0, 0, tcp_protocol];
pseudo[0..4].copy_from_slice(&(tcp_total_len as u32).to_be_bytes());
cksm.add_bytes(&pseudo);
}
_ => unreachable!(),
};
cksm.add_bytes(tcp.packet());
tcp.set_checksum(u16::from_be_bytes(cksm.checksum()));
v4_buf.unsplit(tcp_buf);
v4_buf.freeze()
ip_buf.unsplit(tcp_buf);
ip_buf.freeze()
}
pub fn parse_ipv4_packet(buf: &Bytes) -> (ipv4::Ipv4Packet, tcp::TcpPacket) {
let v4 = ipv4::Ipv4Packet::new(buf).unwrap();
let tcp = tcp::TcpPacket::new(&buf[IPV4_HEADER_LEN..]).unwrap();
pub fn parse_ip_packet(buf: &Bytes) -> Option<(IPPacket, tcp::TcpPacket)> {
if buf[0] >> 4 == 4 {
let v4 = ipv4::Ipv4Packet::new(buf).unwrap();
if v4.get_next_level_protocol() != ip::IpNextHeaderProtocols::Tcp {
return None;
}
(v4, tcp)
let tcp = tcp::TcpPacket::new(&buf[IPV4_HEADER_LEN..]).unwrap();
Some((IPPacket::V4(v4), tcp))
} else if buf[0] >> 4 == 6 {
let v6 = ipv6::Ipv6Packet::new(buf).unwrap();
if v6.get_next_header() != ip::IpNextHeaderProtocols::Tcp {
return None;
}
let tcp = tcp::TcpPacket::new(&buf[IPV6_HEADER_LEN..]).unwrap();
Some((IPPacket::V6(v6), tcp))
} else {
None
}
}
#[cfg(all(test, feature = "benchmark"))]

BIN
images/phantun-vs-udp2raw-benchmark-result.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

6
phantun/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "phantun"
version = "0.3.2"
version = "0.5.0"
edition = "2021"
authors = ["Datong Sun <dndx@idndx.com>"]
license = "MIT OR Apache-2.0"
@@ -13,10 +13,12 @@ Layer 3 & Layer 4 (NAPT) firewalls/NATs.
[dependencies]
clap = { version = "3.0", features = ["cargo"] }
socket2 = { version = "0.4", features = ["all"] }
fake-tcp = { path = "../fake-tcp", version = "0.3" }
fake-tcp = { path = "../fake-tcp", version = "0.4" }
tokio = { version = "1.14", features = ["full"] }
tokio-util = "0.7"
log = "0.4"
pretty_env_logger = "0.4"
tokio-tun = "0.5"
num_cpus = "1.13"
neli = "0.6"
nix = "0.24"

295
phantun/src/bin/client.rs
View File

@@ -2,8 +2,10 @@ use clap::{crate_version, Arg, Command};
use fake_tcp::packet::MAX_PACKET_LEN;
use fake_tcp::{Socket, Stack};
use log::{debug, error, info};
use phantun::utils::new_udp_reuseport;
use phantun::utils::{assign_ipv6_address, new_udp_reuseport};
use std::collections::HashMap;
use std::fs;
use std::io;
use std::net::{Ipv4Addr, SocketAddr};
use std::sync::Arc;
use tokio::sync::{Notify, RwLock};
@@ -14,7 +16,7 @@ use tokio_util::sync::CancellationToken;
use phantun::UDP_TTL;
#[tokio::main]
async fn main() {
async fn main() -> io::Result<()> {
pretty_env_logger::init();
let matches = Command::new("Phantun Client")
@@ -35,7 +37,7 @@ async fn main() {
.long("remote")
.required(true)
.value_name("IP or HOST NAME:PORT")
.help("Sets the address or host name and port where Phantun Client connects to Phantun Server")
.help("Sets the address or host name and port where Phantun Client connects to Phantun Server, IPv6 address need to be specified as: \"[IPv6]:PORT\"")
.takes_value(true),
)
.arg(
@@ -52,7 +54,7 @@ async fn main() {
.long("tun-local")
.required(false)
.value_name("IP")
.help("Sets the Tun interface local address (O/S's end)")
.help("Sets the Tun interface IPv4 local address (O/S's end)")
.default_value("192.168.200.1")
.takes_value(true),
)
@@ -61,12 +63,52 @@ async fn main() {
.long("tun-peer")
.required(false)
.value_name("IP")
.help("Sets the Tun interface destination (peer) address (Phantun Client's end). \
.help("Sets the Tun interface IPv4 destination (peer) address (Phantun Client's end). \
You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
in order for Phantun Client to connect to Phantun Server")
.default_value("192.168.200.2")
.takes_value(true),
)
.arg(
Arg::new("ipv4_only")
.long("ipv4-only")
.short('4')
.required(false)
.help("Only use IPv4 address when connecting to remote")
.takes_value(false)
.conflicts_with_all(&["tun_local6", "tun_peer6"]),
)
.arg(
Arg::new("tun_local6")
.long("tun-local6")
.required(false)
.value_name("IP")
.help("Sets the Tun interface IPv6 local address (O/S's end)")
.default_value("fcc8::1")
.takes_value(true),
)
.arg(
Arg::new("tun_peer6")
.long("tun-peer6")
.required(false)
.value_name("IP")
.help("Sets the Tun interface IPv6 destination (peer) address (Phantun Client's end). \
You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
in order for Phantun Client to connect to Phantun Server")
.default_value("fcc8::2")
.takes_value(true),
)
.arg(
Arg::new("handshake_packet")
.long("handshake-packet")
.required(false)
.value_name("PATH")
.help("Specify a file, which, after TCP handshake, its content will be sent as the \
first data packet to the server.\n\
Note: ensure this file's size does not exceed the MTU of the outgoing interface. \
The content is always sent out in a single packet and will not be further segmented")
.takes_value(true),
)
.get_matches();
let local_addr: SocketAddr = matches
@@ -75,16 +117,13 @@ async fn main() {
.parse()
.expect("bad local address");
let ipv4_only = matches.is_present("ipv4_only");
let remote_addr = tokio::net::lookup_host(matches.value_of("remote").unwrap())
.await
.expect("bad remote address or host")
.find(|addr| addr.is_ipv4())
.expect("unable to resolve remote host name or no valid A record was returned");
let remote_addr = if let SocketAddr::V4(addr) = remote_addr {
addr
} else {
unreachable!();
};
.find(|addr| !ipv4_only || addr.is_ipv4())
.expect("unable to resolve remote host name");
info!("Remote address is: {}", remote_addr);
let tun_local: Ipv4Addr = matches
@@ -98,11 +137,30 @@ async fn main() {
.parse()
.expect("bad peer address for Tun interface");
let (tun_local6, tun_peer6) = if ipv4_only {
(None, None)
} else {
(
matches
.value_of("tun_local6")
.map(|v| v.parse().expect("bad local address for Tun interface")),
matches
.value_of("tun_peer6")
.map(|v| v.parse().expect("bad peer address for Tun interface")),
)
};
let tun_name = matches.value_of("tun").unwrap();
let handshake_packet: Option<Vec<u8>> = matches
.value_of("handshake_packet")
.map(fs::read)
.transpose()?;
let num_cpus = num_cpus::get();
info!("{} cores available", num_cpus);
let tun = TunBuilder::new()
.name(matches.value_of("tun").unwrap()) // if name is empty, then it is set by kernel.
.name(tun_name) // if name is empty, then it is set by kernel.
.tap(false) // false (default): TUN, true: TAP.
.packet_info(false) // false: IFF_NO_PI, default is true.
.up() // or set it up manually using `sudo ip link set <tun-name> up`.
@@ -111,130 +169,143 @@ async fn main() {
.try_build_mq(num_cpus)
.unwrap();
if remote_addr.is_ipv6() {
assign_ipv6_address(tun[0].name(), tun_local6.unwrap(), tun_peer6.unwrap());
}
info!("Created TUN device {}", tun[0].name());
let udp_sock = Arc::new(new_udp_reuseport(local_addr));
let connections = Arc::new(RwLock::new(HashMap::<SocketAddr, Arc<Socket>>::new()));
let mut stack = Stack::new(tun);
let mut stack = Stack::new(tun, tun_peer, tun_peer6);
let main_loop = tokio::spawn(async move {
let mut buf_r = [0u8; MAX_PACKET_LEN];
loop {
tokio::select! {
Ok((size, addr)) = udp_sock.recv_from(&mut buf_r) => {
// seen UDP packet to listening socket, this means:
// 1. It is a new UDP connection, or
// 2. It is some extra packets not filtered by more specific
// connected UDP socket yet
if let Some(sock) = connections.read().await.get(&addr) {
sock.send(&buf_r[..size]).await;
continue;
}
let (size, addr) = udp_sock.recv_from(&mut buf_r).await?;
// seen UDP packet to listening socket, this means:
// 1. It is a new UDP connection, or
// 2. It is some extra packets not filtered by more specific
// connected UDP socket yet
if let Some(sock) = connections.read().await.get(&addr) {
sock.send(&buf_r[..size]).await;
continue;
}
info!("New UDP client from {}", addr);
let sock = stack.connect(remote_addr).await;
if sock.is_none() {
error!("Unable to connect to remote {}", remote_addr);
continue;
}
info!("New UDP client from {}", addr);
let sock = stack.connect(remote_addr).await;
if sock.is_none() {
error!("Unable to connect to remote {}", remote_addr);
continue;
}
let sock = Arc::new(sock.unwrap());
// send first packet
let res = sock.send(&buf_r[..size]).await;
if res.is_none() {
continue;
}
let sock = Arc::new(sock.unwrap());
if let Some(ref p) = handshake_packet {
if sock.send(p).await.is_none() {
error!("Failed to send handshake packet to remote, closing connection.");
continue;
}
assert!(connections.write().await.insert(addr, sock.clone()).is_none());
debug!("inserted fake TCP socket into connection table");
debug!("Sent handshake packet to: {}", sock);
}
// spawn "fastpath" UDP socket and task, this will offload main task
// from forwarding UDP packets
// send first packet
if sock.send(&buf_r[..size]).await.is_none() {
continue;
}
let packet_received = Arc::new(Notify::new());
let quit = CancellationToken::new();
assert!(connections
.write()
.await
.insert(addr, sock.clone())
.is_none());
debug!("inserted fake TCP socket into connection table");
for i in 0..num_cpus {
let sock = sock.clone();
let quit = quit.clone();
let packet_received = packet_received.clone();
// spawn "fastpath" UDP socket and task, this will offload main task
// from forwarding UDP packets
tokio::spawn(async move {
let mut buf_udp = [0u8; MAX_PACKET_LEN];
let mut buf_tcp = [0u8; MAX_PACKET_LEN];
let udp_sock = new_udp_reuseport(local_addr);
udp_sock.connect(addr).await.unwrap();
let packet_received = Arc::new(Notify::new());
let quit = CancellationToken::new();
loop {
tokio::select! {
Ok(size) = udp_sock.recv(&mut buf_udp) => {
if sock.send(&buf_udp[..size]).await.is_none() {
debug!("removed fake TCP socket from connections table");
quit.cancel();
return;
}
for i in 0..num_cpus {
let sock = sock.clone();
let quit = quit.clone();
let packet_received = packet_received.clone();
packet_received.notify_one();
},
res = sock.recv(&mut buf_tcp) => {
match res {
Some(size) => {
if size > 0 {
if let Err(e) = udp_sock.send(&buf_tcp[..size]).await {
error!("Unable to send UDP packet to {}: {}, closing connection", e, addr);
quit.cancel();
return;
}
}
},
None => {
debug!("removed fake TCP socket from connections table");
quit.cancel();
return;
},
}
tokio::spawn(async move {
let mut buf_udp = [0u8; MAX_PACKET_LEN];
let mut buf_tcp = [0u8; MAX_PACKET_LEN];
let udp_sock = new_udp_reuseport(local_addr);
udp_sock.connect(addr).await.unwrap();
packet_received.notify_one();
},
_ = quit.cancelled() => {
debug!("worker {} terminated", i);
return;
},
};
}
});
}
let connections = connections.clone();
tokio::spawn(async move {
loop {
let read_timeout = time::sleep(UDP_TTL);
let packet_received_fut = packet_received.notified();
tokio::select! {
_ = read_timeout => {
info!("No traffic seen in the last {:?}, closing connection", UDP_TTL);
connections.write().await.remove(&addr);
loop {
tokio::select! {
Ok(size) = udp_sock.recv(&mut buf_udp) => {
if sock.send(&buf_udp[..size]).await.is_none() {
debug!("removed fake TCP socket from connections table");
quit.cancel();
return;
},
_ = quit.cancelled() => {
connections.write().await.remove(&addr);
debug!("removed fake TCP socket from connections table");
return;
},
_ = packet_received_fut => {},
}
}
});
},
}
packet_received.notify_one();
},
res = sock.recv(&mut buf_tcp) => {
match res {
Some(size) => {
if size > 0 {
if let Err(e) = udp_sock.send(&buf_tcp[..size]).await {
error!("Unable to send UDP packet to {}: {}, closing connection", e, addr);
quit.cancel();
return;
}
}
},
None => {
debug!("removed fake TCP socket from connections table");
quit.cancel();
return;
},
}
packet_received.notify_one();
},
_ = quit.cancelled() => {
debug!("worker {} terminated", i);
return;
},
};
}
});
}
let connections = connections.clone();
tokio::spawn(async move {
loop {
let read_timeout = time::sleep(UDP_TTL);
let packet_received_fut = packet_received.notified();
tokio::select! {
_ = read_timeout => {
info!("No traffic seen in the last {:?}, closing connection", UDP_TTL);
connections.write().await.remove(&addr);
debug!("removed fake TCP socket from connections table");
quit.cancel();
return;
},
_ = quit.cancelled() => {
connections.write().await.remove(&addr);
debug!("removed fake TCP socket from connections table");
return;
},
_ = packet_received_fut => {},
}
}
});
}
});
tokio::join!(main_loop).0.unwrap();
tokio::join!(main_loop).0.unwrap()
}

88
phantun/src/bin/server.rs
View File

@@ -2,7 +2,9 @@ use clap::{crate_version, Arg, Command};
use fake_tcp::packet::MAX_PACKET_LEN;
use fake_tcp::Stack;
use log::{debug, error, info};
use phantun::utils::new_udp_reuseport;
use phantun::utils::{assign_ipv6_address, new_udp_reuseport};
use std::fs;
use std::io;
use std::net::Ipv4Addr;
use std::sync::Arc;
use tokio::net::UdpSocket;
@@ -14,7 +16,7 @@ use tokio_util::sync::CancellationToken;
use phantun::UDP_TTL;
#[tokio::main]
async fn main() {
async fn main() -> io::Result<()> {
pretty_env_logger::init();
let matches = Command::new("Phantun Server")
@@ -67,6 +69,46 @@ async fn main() {
.default_value("192.168.201.2")
.takes_value(true),
)
.arg(
Arg::new("ipv4_only")
.long("ipv4-only")
.short('4')
.required(false)
.help("Do not assign IPv6 addresses to Tun interface")
.takes_value(false)
.conflicts_with_all(&["tun_local6", "tun_peer6"]),
)
.arg(
Arg::new("tun_local6")
.long("tun-local6")
.required(false)
.value_name("IP")
.help("Sets the Tun interface IPv6 local address (O/S's end)")
.default_value("fcc9::1")
.takes_value(true),
)
.arg(
Arg::new("tun_peer6")
.long("tun-peer6")
.required(false)
.value_name("IP")
.help("Sets the Tun interface IPv6 destination (peer) address (Phantun Client's end). \
You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
in order for Phantun Client to connect to Phantun Server")
.default_value("fcc9::2")
.takes_value(true),
)
.arg(
Arg::new("handshake_packet")
.long("handshake-packet")
.required(false)
.value_name("PATH")
.help("Specify a file, which, after TCP handshake, its content will be sent as the \
first data packet to the client.\n\
Note: ensure this file's size does not exceed the MTU of the outgoing interface. \
The content is always sent out in a single packet and will not be further segmented")
.takes_value(true),
)
.get_matches();
let local_port: u16 = matches
@@ -93,11 +135,30 @@ async fn main() {
.parse()
.expect("bad peer address for Tun interface");
let (tun_local6, tun_peer6) = if matches.is_present("ipv4_only") {
(None, None)
} else {
(
matches
.value_of("tun_local6")
.map(|v| v.parse().expect("bad local address for Tun interface")),
matches
.value_of("tun_peer6")
.map(|v| v.parse().expect("bad peer address for Tun interface")),
)
};
let tun_name = matches.value_of("tun").unwrap();
let handshake_packet: Option<Vec<u8>> = matches
.value_of("handshake_packet")
.map(fs::read)
.transpose()?;
let num_cpus = num_cpus::get();
info!("{} cores available", num_cpus);
let tun = TunBuilder::new()
.name(matches.value_of("tun").unwrap()) // if name is empty, then it is set by kernel.
.name(tun_name) // if name is empty, then it is set by kernel.
.tap(false) // false (default): TUN, true: TAP.
.packet_info(false) // false: IFF_NO_PI, default is true.
.up() // or set it up manually using `sudo ip link set <tun-name> up`.
@@ -106,10 +167,14 @@ async fn main() {
.try_build_mq(num_cpus)
.unwrap();
if let (Some(tun_local6), Some(tun_peer6)) = (tun_local6, tun_peer6) {
assign_ipv6_address(tun[0].name(), tun_local6, tun_peer6);
}
info!("Created TUN device {}", tun[0].name());
//thread::sleep(time::Duration::from_secs(5));
let mut stack = Stack::new(tun);
let mut stack = Stack::new(tun, tun_local, tun_local6);
stack.listen(local_port);
info!("Listening on {}", local_port);
@@ -120,6 +185,14 @@ async fn main() {
loop {
let sock = Arc::new(stack.accept().await);
info!("New connection: {}", sock);
if let Some(ref p) = handshake_packet {
if sock.send(p).await.is_none() {
error!("Failed to send handshake packet to remote, closing connection.");
continue;
}
debug!("Sent handshake packet to: {}", sock);
}
let packet_received = Arc::new(Notify::new());
let quit = CancellationToken::new();
@@ -128,9 +201,8 @@ async fn main() {
} else {
"[::]:0"
})
.await
.unwrap();
let local_addr = udp_sock.local_addr().unwrap();
.await?;
let local_addr = udp_sock.local_addr()?;
drop(udp_sock);
for i in 0..num_cpus {
@@ -199,5 +271,5 @@ async fn main() {
}
});
tokio::join!(main_loop).0.unwrap();
tokio::join!(main_loop).0.unwrap()
}

40
phantun/src/utils.rs
View File

@@ -1,4 +1,15 @@
use std::net::SocketAddr;
use neli::{
consts::{
nl::{NlmF, NlmFFlags},
rtnl::{Ifa, IfaFFlags, RtAddrFamily, Rtm},
socket::NlFamily,
},
nl::{NlPayload, Nlmsghdr},
rtnl::{Ifaddrmsg, Rtattr},
socket::NlSocketHandle,
types::RtBuffer,
};
use std::net::{Ipv6Addr, SocketAddr};
use tokio::net::UdpSocket;
pub fn new_udp_reuseport(local_addr: SocketAddr) -> UdpSocket {
@@ -20,3 +31,30 @@ pub fn new_udp_reuseport(local_addr: SocketAddr) -> UdpSocket {
let udp_sock: std::net::UdpSocket = udp_sock.into();
udp_sock.try_into().unwrap()
}
pub fn assign_ipv6_address(device_name: &str, local: Ipv6Addr, peer: Ipv6Addr) {
let index = nix::net::if_::if_nametoindex(device_name).unwrap();
let mut rtnl = NlSocketHandle::connect(NlFamily::Route, None, &[]).unwrap();
let mut rtattrs = RtBuffer::new();
rtattrs.push(Rtattr::new(None, Ifa::Local, &local.octets()[..]).unwrap());
rtattrs.push(Rtattr::new(None, Ifa::Address, &peer.octets()[..]).unwrap());
let ifaddrmsg = Ifaddrmsg {
ifa_family: RtAddrFamily::Inet6,
ifa_prefixlen: 128,
ifa_flags: IfaFFlags::empty(),
ifa_scope: 0,
ifa_index: index as i32,
rtattrs,
};
let nl_header = Nlmsghdr::new(
None,
Rtm::Newaddr,
NlmFFlags::new(&[NlmF::Request]),
None,
None,
NlPayload::Payload(ifaddrmsg),
);
rtnl.send(nl_header).unwrap();
}