chore(cargo): add Cargo.lock. Closes #138

Closes #186.

.github/workflows/docker.yml

@@ -0,0 +1,30 @@
+name: Docker image build
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: linux/amd64
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: docker/Dockerfile
+          tags: phantun
+          platforms: linux/amd64

.github/workflows/release.yml

@@ -25,13 +25,9 @@ jobs:
           - arm-unknown-linux-musleabihf
           - aarch64-unknown-linux-gnu
           - aarch64-unknown-linux-musl
-          - mips-unknown-linux-gnu
-          - mips-unknown-linux-musl
-          - mipsel-unknown-linux-gnu
-          - mipsel-unknown-linux-musl
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
@@ -50,7 +46,7 @@ jobs:
           zip phantun_${{ matrix.target }}.zip phantun_client phantun_server
 
       - name: Upload Github Assets
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           files: target/${{ matrix.target }}/release/*.zip
           prerelease: ${{ contains(github.ref, '-') }}

.github/workflows/rust.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions-rs/toolchain@v1
       with:
         toolchain: stable

.gitignore

@@ -1,2 +1 @@
 /target
-Cargo.lock

Cargo.toml

@@ -1,5 +1,7 @@
 [workspace]
 
+resolver = "2"
+
 members = [
     "fake-tcp",
     "phantun",

LICENSE-APACHE

@@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work.
    same "printed page" as the copyright notice for easier
    identification within third-party archives.
 
-Copyright 2021-2022 Datong Sun (dndx@idndx.com)
+Copyright 2021-2024 Datong Sun (dndx@idndx.com)
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

LICENSE-MIT

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021-2022 Datong Sun (dndx@idndx.com)
+Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com)
 
 Permission is hereby granted, free of charge, to any
 person obtaining a copy of this software and associated

README.md

@@ -2,7 +2,7 @@
 
 A lightweight and fast UDP to TCP obfuscator.
 
-![GitHub Workflow Status](https://img.shields.io/github/workflow/status/dndx/phantun/Rust?style=flat-square)
+![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/dndx/phantun/rust.yml)
 ![docs.rs](https://img.shields.io/docsrs/fake-tcp)
 
 Table of Contents
@@ -35,7 +35,7 @@ Table of Contents
 
 # Latest release
 
-[v0.4.1](https://github.com/dndx/phantun/releases/tag/v0.4.1)
+[v0.7.0](https://github.com/dndx/phantun/releases/tag/v0.7.0)
 
 # Overview
 
@@ -73,8 +73,8 @@ It is also assumed that **Phantun Client** listens for incoming UDP packets at
 (the `--remote` option for client).
 
 Phantun creates TUN interface for both the Client and Server. For **Client**, Phantun assigns itself the IP address
-`192.168.200.2` and `fec8::2` by default.
-For **Server**, it assigns `192.168.201.2` and `fec9::2` by default. Therefore, your Kernel must have
+`192.168.200.2` and `fcc8::2` by default.
+For **Server**, it assigns `192.168.201.2` and `fcc9::2` by default. Therefore, your Kernel must have
 IPv4/IPv6 forwarding enabled and setup appropriate iptables/nftables rules for NAT between your physical
 NIC address and Phantun's Tun interface address.
 
@@ -83,11 +83,11 @@ run the executable with `-h` options to see how to change them.
 
 Another way to help understand this network topology (please see the diagram above for an illustration of this topology):
 
-Phantun Client is like a machine with private IP address (`192.168.200.2`/`fec8::2`) behind a router.
+Phantun Client is like a machine with private IP address (`192.168.200.2`/`fcc8::2`) behind a router.
 In order for it to reach the Internet, you will need to SNAT the private IP address before it's traffic
 leaves the NIC.
 
-Phantun Server is like a server with private IP address (`192.168.201.2`/`fec9::2`) behind a router.
+Phantun Server is like a server with private IP address (`192.168.201.2`/`fcc9::2`) behind a router.
 In order to access it from the Internet, you need to `DNAT` it's listening port on the router
 and change the destination IP address to where the server is listening for incoming connections.
 
@@ -166,7 +166,7 @@ table inet nat {
     chain prerouting {
         type nat hook prerouting priority dstnat; policy accept;
         iif eth0 tcp dport 4567 dnat ip to 192.168.201.2
-        iif eth0 tcp dport 4567 dnat ip6 to fec9::2
+        iif eth0 tcp dport 4567 dnat ip6 to fcc9::2
     }
 }
 ```
@@ -177,7 +177,7 @@ table inet nat {
 
 ```
 iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2
-ip6tables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination fec9::2
+ip6tables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination fcc9::2
 ```
 
 [Back to TOC](#table-of-contents)
@@ -262,7 +262,7 @@ is the following (using IPv4 below as an example):
 Note that Phantun does not add any additional header other than IP and TCP headers in order to pass through
 stateful packet inspection!
 
-Phantun's additional overhead: `12 bytes`. I other words, when using Phantun, the usable payload for
+Phantun's additional overhead: `12 bytes`. In other words, when using Phantun, the usable payload for
 UDP packet is reduced by 12 bytes. This is the minimum overhead possible when doing such kind
 of obfuscation.
 
@@ -329,6 +329,8 @@ Test command: `iperf3 -c <IP> -p <PORT> -R -u -l 1400 -b 1000m -t 30 -P 5`
 | Phantun (5 streams)                                                             | 5.00 Gbits/sec | 2.38 Gbits/sec | 95% (all cores utilized)                            |
 | udp2raw (`cipher-mode=none` `auth-mode=none` `disable-anti-replay`) (5 streams) | 5.00 Gbits/sec | 770 Mbits/sec  | 50% (2 cores at 100%)                               |
 
+Writeup on some of the techniques used in Phantun to achieve this performance result: [Writing Highly Efficient UDP Server in Rust](https://idndx.com/writing-highly-efficient-udp-server-in-rust/).
+
 [Back to TOC](#table-of-contents)
 
 # Future plans
@@ -366,7 +368,7 @@ Here is a quick overview of comparison between those two to help you choose:
 
 # License
 
-Copyright 2021-2022 Datong Sun (dndx@idndx.com)
+Copyright 2021-2024 Datong Sun (dndx@idndx.com)
 
 Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
 [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license

docker/.dockerignore

@@ -0,0 +1,2 @@
+README.md
+docker-compose.yml

docker/Dockerfile

@@ -0,0 +1,33 @@
+#
+# Dockerfile for phantun
+#
+
+#
+# Build stage
+#
+FROM rust:latest AS builder
+
+COPY . /phantun
+
+RUN cd phantun \
+  && cargo build --release \
+  && strip target/release/server target/release/client \
+  && install target/release/server /usr/local/bin/phantun-server \
+  && install target/release/client /usr/local/bin/phantun-client \
+  && cd - \
+  && rm -r phantun
+
+#
+# Runtime stage
+#
+FROM debian:latest
+
+COPY --from=builder /usr/local/bin/phantun-server /usr/local/bin/
+COPY --from=builder /usr/local/bin/phantun-client /usr/local/bin/
+COPY docker/phantun.sh /usr/local/bin/
+
+ENV USE_IPTABLES_NFT_BACKEND=0
+ENV RUST_LOG=INFO
+
+ENTRYPOINT ["phantun.sh"]
+CMD ["phantun-server", "--help"]

docker/README.md

@@ -0,0 +1,11 @@
+# phantun (docker)
+
+## Build
+
+```sh
+docker build -t phantun -f docker/Dockerfile .
+```
+
+## Usage
+
+It is recommended to use docker-compose, see [docker-compose.yml](docker-compose.yml) for details.

docker/docker-compose.yml

@@ -0,0 +1,26 @@
+version: '3.9'
+
+services:
+  phantun-server:
+    image: phantun
+    container_name: phantun-server
+    restart: unless-stopped
+    network_mode: host
+    privileged: true
+    environment:
+      USE_IPTABLES_NFT_BACKEND: 0
+      RUST_LOG: INFO
+    command: >
+      phantun-server --local 1985 --remote 127.0.0.1:1984 --ipv4-only
+
+  phantun-client:
+    image: phantun
+    container_name: phantun-client
+    restart: unless-stopped
+    network_mode: host
+    privileged: true
+    environment:
+      USE_IPTABLES_NFT_BACKEND: 0
+      RUST_LOG: INFO
+    command: >
+      phantun-client --local 127.0.0.1:1984 --remote 11.22.33.44:1985 --ipv4-only

docker/phantun.sh

@@ -0,0 +1,209 @@
+#!/bin/sh
+
+# alias ​​settings must be global, and must be defined before the function being called with the alias
+if [ "$USE_IPTABLES_NFT_BACKEND" = 1 ]; then
+  alias iptables=iptables-nft
+  alias iptables-save=iptables-nft-save
+  alias ip6tables=ip6tables-nft
+  alias ip6tables-save=ip6tables-nft-save
+fi
+
+info() {
+  local green='\e[0;32m'
+  local clear='\e[0m'
+  local time=$(date '+%Y-%m-%d %T')
+  printf "${green}[${time}] [INFO]: ${clear}%s\n" "$*"
+}
+
+warn() {
+  local yellow='\e[1;33m'
+  local clear='\e[0m'
+  local time=$(date '+%Y-%m-%d %T')
+  printf "${yellow}[${time}] [WARN]: ${clear}%s\n" "$*" >&2
+}
+
+error() {
+  local red='\e[0;31m'
+  local clear='\e[0m'
+  local time=$(date '+%Y-%m-%d %T')
+  printf "${red}[${time}] [ERROR]: ${clear}%s\n" "$*" >&2
+}
+
+_get_default_iface() {
+  ip -4 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}'
+}
+
+_get_default6_iface() {
+  ip -6 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}'
+}
+
+_get_addr_by_iface() {
+  ip -4 addr show dev "$1" | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1
+}
+
+_get_addr6_by_iface() {
+  ip -6 addr show dev "$1" | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1
+}
+
+_check_rule_by_comment() {
+  iptables-save | grep -q "$1"
+}
+
+_check_rule6_by_comment() {
+  ip6tables-save | grep -q "$1"
+}
+
+_is_server_mode() {
+  [ "$1" = "phantun-server" ]
+}
+
+_is_ipv4_only() {
+  case "$@" in
+    *-4*|*--ipv4-only*)
+      return 0
+      ;;
+    *\ -4*|*\ --ipv4-only*)
+      return 0
+      ;;
+  esac
+  return 1
+}
+
+_get_tun_from_args() {
+  local tun=$(echo "$@" | awk -F '--tun' '{print $2}' | awk '{print $1}')
+  echo ${tun:=tun0}
+}
+
+_get_peer_from_args() {
+  local peer=$(echo "$@" | awk -F '--tun-peer' '{print $2}' | awk '{print $1}')
+  _is_server_mode "$1" && echo ${peer:=192.168.201.2} || echo ${peer:=192.168.200.2}
+}
+
+_get_peer6_from_args() {
+  local peer=$(echo "$@" | awk -F '--tun-peer6' '{print $2}' | awk '{print $1}')
+  _is_server_mode "$1" && echo ${peer:=fcc9::2} || echo ${peer:=fcc8::2}
+}
+
+_get_port_from_args() {
+  local value=$(echo "$@" | awk -F '-l|--local' '{print $2}' | awk '{print $1}')
+  _is_server_mode "$1" && echo $value || echo $value | awk -F ':' '{print $2}'
+}
+
+_iptables() {
+  iptables -w 10 "$@"
+}
+
+_ip6tables() {
+  ip6tables -w 10 "$@"
+}
+
+apply_sysctl() {
+  info "apply sysctl: $(sysctl -w net.ipv4.ip_forward=1)"
+  ! _is_ipv4_only "$@" || return
+  info "apply sysctl: $(sysctl -w net.ipv6.conf.all.forwarding=1)"
+}
+
+apply_iptables() {
+  local interface=$(_get_default_iface)
+  local address=$(_get_addr_by_iface "${interface}")
+  local tun=$(_get_tun_from_args "$@")
+  local peer=$(_get_peer_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+
+  if _check_rule_by_comment "${comment}"; then
+    warn "iptables rules already exist, maybe needs to check."
+  else
+    _iptables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}" || error "iptables filter rule add failed."
+    _iptables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}" || error "iptables filter rule add failed."
+    if _is_server_mode "$1"; then
+      info "iptables DNAT rule added: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}"
+      _iptables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \
+        -m comment --comment "${comment}" || error "iptables DNAT rule add failed."
+    else
+      info "iptables SNAT rule added: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}"
+      _iptables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \
+        -m comment --comment "${comment}" || error "iptables SNAT rule add failed."
+    fi
+  fi
+}
+
+apply_ip6tables() {
+  ! _is_ipv4_only "$@" || return
+
+  local interface=$(_get_default6_iface)
+  local address=$(_get_addr6_by_iface "${interface}")
+  local tun=$(_get_tun_from_args "$@")
+  local peer=$(_get_peer6_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+
+  if _check_rule6_by_comment "${comment}"; then
+    warn "ip6tables rules already exist, maybe needs to check."
+  else
+    _ip6tables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}" || error "ip6tables filter rule add failed."
+    _ip6tables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}" || error "ip6tables filter rule add failed."
+    if _is_server_mode "$1"; then
+      info "ip6tables DNAT rule added: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}"
+      _ip6tables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \
+        -m comment --comment "${comment}" || error "ip6tables DNAT rule add failed."
+    else
+      info "ip6tables SNAT rule added: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}"
+      _ip6tables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \
+        -m comment --comment "${comment}" || error "ip6tables SNAT rule add failed."
+    fi
+  fi
+}
+
+stop_process() {
+  kill $(pidof phantun-server phantun-client)
+  info "terminate phantun process."
+}
+
+revoke_iptables() {
+  local tun=$(_get_tun_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+
+  iptables-save -t filter | grep "${comment}" | while read rule; do
+    _iptables -t filter ${rule/-A/-D} || error "iptables filter rule remove failed."
+  done
+  iptables-save -t nat | grep "${comment}" | while read rule; do
+    _iptables -t nat ${rule/-A/-D} || error "iptables nat rule remove failed."
+  done
+  info "iptables rule: [${comment}] removed."
+}
+
+revoke_ip6tables() {
+  ! _is_ipv4_only "$@" || return
+
+  local tun=$(_get_tun_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+
+  ip6tables-save -t filter | grep "${comment}" | while read rule; do
+    _ip6tables -t filter ${rule/-A/-D} || error "ip6tables filter rule remove failed."
+  done
+  ip6tables-save -t nat | grep "${comment}" | while read rule; do
+    _ip6tables -t nat ${rule/-A/-D} || error "ip6tables nat rule remove failed."
+  done
+  info "ip6tables rule: [${comment}] removed."
+}
+
+graceful_stop() {
+  warn "caught SIGTERM or SIGINT signal, graceful stopping..."
+  stop_process
+  revoke_iptables "$@"
+  revoke_ip6tables "$@"
+}
+
+start_phantun() {
+  trap 'graceful_stop "$@"' SIGTERM SIGINT
+  apply_sysctl "$@"
+  apply_iptables "$@"
+  apply_ip6tables "$@"
+  "$@" &
+  wait
+}
+
+start_phantun "$@"

fake-tcp/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fake-tcp"
-version = "0.4.0"
+version = "0.6.0"
 edition = "2021"
 authors = ["Datong Sun <dndx@idndx.com>"]
 license = "MIT OR Apache-2.0"
@@ -16,10 +16,10 @@ benchmark = []
 
 [dependencies]
 bytes = "1"
-pnet = "0.29"
-tokio = { version = "1.14", features = ["full"] }
-rand = { version = "0.8", features = ["small_rng"] }
-log = "0.4"
-internet-checksum = "0.2"
-tokio-tun = "0.5"
-flume = "0.10"
+pnet = "0"
+tokio = { version = "1", features = ["full"] }
+rand = { version = "0", features = ["small_rng"] }
+log = "0"
+internet-checksum = "0"
+tokio-tun = "0"
+flume = "0"

fake-tcp/LICENSE-APACHE

@@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work.
    same "printed page" as the copyright notice for easier
    identification within third-party archives.
 
-Copyright 2021-2022 Datong Sun (dndx@idndx.com)
+Copyright 2021-2024 Datong Sun (dndx@idndx.com)
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

fake-tcp/LICENSE-MIT

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021-2022 Datong Sun (dndx@idndx.com)
+Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com)
 
 Permission is hereby granted, free of charge, to any
 person obtaining a copy of this software and associated

fake-tcp/src/lib.rs

@@ -50,8 +50,10 @@ use rand::prelude::*;
 use std::collections::{HashMap, HashSet};
 use std::fmt;
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
-use std::sync::atomic::{AtomicU32, Ordering};
-use std::sync::{Arc, RwLock};
+use std::sync::{
+    atomic::{AtomicU32, Ordering},
+    Arc, RwLock,
+};
 use tokio::sync::broadcast;
 use tokio::sync::mpsc;
 use tokio::time;
@@ -146,7 +148,7 @@ impl Socket {
         )
     }
 
-    fn build_tcp_packet(&self, flags: u16, payload: Option<&[u8]>) -> Bytes {
+    fn build_tcp_packet(&self, flags: u8, payload: Option<&[u8]>) -> Bytes {
         let ack = self.ack.load(Ordering::Relaxed);
         self.last_ack.store(ack, Ordering::Relaxed);
 
@@ -400,32 +402,50 @@ impl Stack {
     /// Connects to the remote end. `None` returned means
     /// the connection attempt failed.
     pub async fn connect(&mut self, addr: SocketAddr) -> Option<Socket> {
-        let mut rng = SmallRng::from_entropy();
-        let local_port: u16 = rng.gen_range(1024..65535);
-        let local_addr = SocketAddr::new(
-            if addr.is_ipv4() {
-                IpAddr::V4(self.local_ip)
-            } else {
-                IpAddr::V6(self.local_ip6.expect("IPv6 local address undefined"))
-            },
-            local_port,
-        );
-        let tuple = AddrTuple::new(local_addr, addr);
-        let (mut sock, incoming) = Socket::new(
-            self.shared.clone(),
-            self.shared.tun.choose(&mut rng).unwrap().clone(),
-            local_addr,
-            addr,
-            None,
-            State::Idle,
-        );
+        let mut rng = SmallRng::from_os_rng();
+        for local_port in rng.random_range(32768..=60999)..=60999 {
+            let local_addr = SocketAddr::new(
+                if addr.is_ipv4() {
+                    IpAddr::V4(self.local_ip)
+                } else {
+                    IpAddr::V6(self.local_ip6.expect("IPv6 local address undefined"))
+                },
+                local_port,
+            );
+            let tuple = AddrTuple::new(local_addr, addr);
+            let mut sock;
 
-        {
-            let mut tuples = self.shared.tuples.write().unwrap();
-            assert!(tuples.insert(tuple, incoming.clone()).is_none());
+            {
+                let mut tuples = self.shared.tuples.write().unwrap();
+                if tuples.contains_key(&tuple) {
+                    trace!(
+                        "Fake TCP connection to {}, local port number {} already in use, trying another one",
+                        addr, local_port
+                    );
+                    continue;
+                }
+
+                let incoming;
+                (sock, incoming) = Socket::new(
+                    self.shared.clone(),
+                    self.shared.tun.choose(&mut rng).unwrap().clone(),
+                    local_addr,
+                    addr,
+                    None,
+                    State::Idle,
+                );
+
+                assert!(tuples.insert(tuple, incoming).is_none());
+            }
+
+            return sock.connect().await.map(|_| sock);
         }
 
-        sock.connect().await.map(|_| sock)
+        error!(
+            "Fake TCP connection to {} failed, emphemeral port number exhausted",
+            addr
+        );
+        None
     }
 
     async fn reader_task(
@@ -436,8 +456,7 @@ impl Stack {
         let mut tuples: HashMap<AddrTuple, flume::Sender<Bytes>> = HashMap::new();
 
         loop {
-            let mut buf = BytesMut::with_capacity(MAX_PACKET_LEN);
-            buf.resize(MAX_PACKET_LEN, 0);
+            let mut buf = BytesMut::zeroed(MAX_PACKET_LEN);
 
             tokio::select! {
                 size = tun.recv(&mut buf) => {

fake-tcp/src/packet.rs

@@ -15,7 +15,7 @@ pub enum IPPacket<'p> {
     V6(ipv6::Ipv6Packet<'p>),
 }
 
-impl<'a> IPPacket<'a> {
+impl IPPacket<'_> {
     pub fn get_source(&self) -> IpAddr {
         match self {
             IPPacket::V4(p) => IpAddr::V4(p.get_source()),
@@ -36,7 +36,7 @@ pub fn build_tcp_packet(
     remote_addr: SocketAddr,
     seq: u32,
     ack: u32,
-    flags: u16,
+    flags: u8,
     payload: Option<&[u8]>,
 ) -> Bytes {
     let ip_header_len = match local_addr {
@@ -47,8 +47,7 @@ pub fn build_tcp_packet(
     let tcp_header_len = TCP_HEADER_LEN + if wscale { 4 } else { 0 }; // nop + wscale
     let tcp_total_len = tcp_header_len + payload.map_or(0, |payload| payload.len());
     let total_len = ip_header_len + tcp_total_len;
-    let mut buf = BytesMut::with_capacity(total_len);
-    buf.resize(total_len, 0);
+    let mut buf = BytesMut::zeroed(total_len);
 
     let mut ip_buf = buf.split_to(ip_header_len);
     let mut tcp_buf = buf.split_to(tcp_total_len);

phantun/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "phantun"
-version = "0.4.2"
+version = "0.7.0"
 edition = "2021"
 authors = ["Datong Sun <dndx@idndx.com>"]
 license = "MIT OR Apache-2.0"
@@ -11,14 +11,14 @@ Transforms UDP stream into (fake) TCP streams that can go through
 Layer 3 & Layer 4 (NAPT) firewalls/NATs.
 """
 [dependencies]
-clap = { version = "3.0", features = ["cargo"] }
-socket2 = { version = "0.4", features = ["all"] }
-fake-tcp = { path = "../fake-tcp", version = "0.4" }
-tokio = { version = "1.14", features = ["full"] }
-tokio-util = "0.7"
-log = "0.4"
-pretty_env_logger = "0.4"
-tokio-tun = "0.5"
-num_cpus = "1.13"
-neli = "0.6"
-nix = "0.23"
+clap = { version = "4", features = ["cargo"] }
+socket2 = { version = "0", features = ["all"] }
+fake-tcp = { path = "../fake-tcp", version = "0" }
+tokio = { version = "1", features = ["full"] }
+tokio-util = "0"
+log = "0"
+pretty_env_logger = "0"
+tokio-tun = "0"
+num_cpus = "1"
+neli = "0"
+nix = { version = "0", features = ["net"] }

phantun/LICENSE-APACHE

@@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work.
    same "printed page" as the copyright notice for easier
    identification within third-party archives.
 
-Copyright 2021-2022 Datong Sun (dndx@idndx.com)
+Copyright 2021-2024 Datong Sun (dndx@idndx.com)
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

phantun/LICENSE-MIT

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021-2022 Datong Sun (dndx@idndx.com)
+Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com)
 
 Permission is hereby granted, free of charge, to any
 person obtaining a copy of this software and associated

phantun/src/bin/client.rs

@@ -1,9 +1,10 @@
-use clap::{crate_version, Arg, Command};
+use clap::{crate_version, Arg, ArgAction, Command};
 use fake_tcp::packet::MAX_PACKET_LEN;
 use fake_tcp::{Socket, Stack};
 use log::{debug, error, info};
 use phantun::utils::{assign_ipv6_address, new_udp_reuseport};
 use std::collections::HashMap;
+use std::fs;
 use std::io;
 use std::net::{Ipv4Addr, SocketAddr};
 use std::sync::Arc;
@@ -28,7 +29,6 @@ async fn main() -> io::Result<()> {
                 .required(true)
                 .value_name("IP:PORT")
                 .help("Sets the IP and port where Phantun Client listens for incoming UDP datagrams, IPv6 address need to be specified as: \"[IPv6]:PORT\"")
-                .takes_value(true),
         )
         .arg(
             Arg::new("remote")
@@ -37,7 +37,6 @@ async fn main() -> io::Result<()> {
                 .required(true)
                 .value_name("IP or HOST NAME:PORT")
                 .help("Sets the address or host name and port where Phantun Client connects to Phantun Server, IPv6 address need to be specified as: \"[IPv6]:PORT\"")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun")
@@ -46,7 +45,6 @@ async fn main() -> io::Result<()> {
                 .value_name("tunX")
                 .help("Sets the Tun interface name, if absent, pick the next available name")
                 .default_value("")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun_local")
@@ -55,7 +53,6 @@ async fn main() -> io::Result<()> {
                 .value_name("IP")
                 .help("Sets the Tun interface IPv4 local address (O/S's end)")
                 .default_value("192.168.200.1")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun_peer")
@@ -66,7 +63,6 @@ async fn main() -> io::Result<()> {
                        You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
                        in order for Phantun Client to connect to Phantun Server")
                 .default_value("192.168.200.2")
-                .takes_value(true),
         )
         .arg(
             Arg::new("ipv4_only")
@@ -74,8 +70,8 @@ async fn main() -> io::Result<()> {
                 .short('4')
                 .required(false)
                 .help("Only use IPv4 address when connecting to remote")
-                .takes_value(false)
-                .conflicts_with_all(&["tun_local6", "tun_peer6"]),
+                .action(ArgAction::SetTrue)
+                .conflicts_with_all(["tun_local6", "tun_peer6"]),
         )
         .arg(
             Arg::new("tun_local6")
@@ -84,7 +80,6 @@ async fn main() -> io::Result<()> {
                 .value_name("IP")
                 .help("Sets the Tun interface IPv6 local address (O/S's end)")
                 .default_value("fcc8::1")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun_peer6")
@@ -95,19 +90,28 @@ async fn main() -> io::Result<()> {
                        You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
                        in order for Phantun Client to connect to Phantun Server")
                 .default_value("fcc8::2")
-                .takes_value(true),
+        )
+        .arg(
+            Arg::new("handshake_packet")
+                .long("handshake-packet")
+                .required(false)
+                .value_name("PATH")
+                .help("Specify a file, which, after TCP handshake, its content will be sent as the \
+                      first data packet to the server.\n\
+                      Note: ensure this file's size does not exceed the MTU of the outgoing interface. \
+                      The content is always sent out in a single packet and will not be further segmented")
         )
         .get_matches();
 
     let local_addr: SocketAddr = matches
-        .value_of("local")
+        .get_one::<String>("local")
         .unwrap()
         .parse()
         .expect("bad local address");
 
-    let ipv4_only = matches.is_present("ipv4_only");
+    let ipv4_only = matches.get_flag("ipv4_only");
 
-    let remote_addr = tokio::net::lookup_host(matches.value_of("remote").unwrap())
+    let remote_addr = tokio::net::lookup_host(matches.get_one::<String>("remote").unwrap())
         .await
         .expect("bad remote address or host")
         .find(|addr| !ipv4_only || addr.is_ipv4())
@@ -115,42 +119,45 @@ async fn main() -> io::Result<()> {
     info!("Remote address is: {}", remote_addr);
 
     let tun_local: Ipv4Addr = matches
-        .value_of("tun_local")
+        .get_one::<String>("tun_local")
         .unwrap()
         .parse()
         .expect("bad local address for Tun interface");
     let tun_peer: Ipv4Addr = matches
-        .value_of("tun_peer")
+        .get_one::<String>("tun_peer")
         .unwrap()
         .parse()
         .expect("bad peer address for Tun interface");
 
-    let (tun_local6, tun_peer6) = if ipv4_only {
+    let (tun_local6, tun_peer6) = if matches.get_flag("ipv4_only") {
         (None, None)
     } else {
         (
             matches
-                .value_of("tun_local6")
+                .get_one::<String>("tun_local6")
                 .map(|v| v.parse().expect("bad local address for Tun interface")),
             matches
-                .value_of("tun_peer6")
+                .get_one::<String>("tun_peer6")
                 .map(|v| v.parse().expect("bad peer address for Tun interface")),
         )
     };
 
-    let tun_name = matches.value_of("tun").unwrap();
+    let tun_name = matches.get_one::<String>("tun").unwrap();
+    let handshake_packet: Option<Vec<u8>> = matches
+        .get_one::<String>("handshake_packet")
+        .map(fs::read)
+        .transpose()?;
 
     let num_cpus = num_cpus::get();
     info!("{} cores available", num_cpus);
 
     let tun = TunBuilder::new()
         .name(tun_name) // if name is empty, then it is set by kernel.
-        .tap(false) // false (default): TUN, true: TAP.
-        .packet_info(false) // false: IFF_NO_PI, default is true.
         .up() // or set it up manually using `sudo ip link set <tun-name> up`.
         .address(tun_local)
         .destination(tun_peer)
-        .try_build_mq(num_cpus)
+        .queues(num_cpus)
+        .build()
         .unwrap();
 
     if remote_addr.is_ipv6() {
@@ -186,9 +193,17 @@ async fn main() -> io::Result<()> {
             }
 
             let sock = Arc::new(sock.unwrap());
+            if let Some(ref p) = handshake_packet {
+                if sock.send(p).await.is_none() {
+                    error!("Failed to send handshake packet to remote, closing connection.");
+                    continue;
+                }
+
+                debug!("Sent handshake packet to: {}", sock);
+            }
+
             // send first packet
-            let res = sock.send(&buf_r[..size]).await;
-            if res.is_none() {
+            if sock.send(&buf_r[..size]).await.is_none() {
                 continue;
             }
 

phantun/src/bin/server.rs

@@ -1,8 +1,9 @@
-use clap::{crate_version, Arg, Command};
+use clap::{crate_version, Arg, ArgAction, Command};
 use fake_tcp::packet::MAX_PACKET_LEN;
 use fake_tcp::Stack;
 use log::{debug, error, info};
 use phantun::utils::{assign_ipv6_address, new_udp_reuseport};
+use std::fs;
 use std::io;
 use std::net::Ipv4Addr;
 use std::sync::Arc;
@@ -28,7 +29,6 @@ async fn main() -> io::Result<()> {
                 .required(true)
                 .value_name("PORT")
                 .help("Sets the port where Phantun Server listens for incoming Phantun Client TCP connections")
-                .takes_value(true),
         )
         .arg(
             Arg::new("remote")
@@ -37,7 +37,6 @@ async fn main() -> io::Result<()> {
                 .required(true)
                 .value_name("IP or HOST NAME:PORT")
                 .help("Sets the address or host name and port where Phantun Server forwards UDP packets to, IPv6 address need to be specified as: \"[IPv6]:PORT\"")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun")
@@ -46,7 +45,6 @@ async fn main() -> io::Result<()> {
                 .value_name("tunX")
                 .help("Sets the Tun interface name, if absent, pick the next available name")
                 .default_value("")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun_local")
@@ -55,7 +53,6 @@ async fn main() -> io::Result<()> {
                 .value_name("IP")
                 .help("Sets the Tun interface local address (O/S's end)")
                 .default_value("192.168.201.1")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun_peer")
@@ -66,7 +63,6 @@ async fn main() -> io::Result<()> {
                        You will need to setup DNAT rules to this address in order for Phantun Server \
                        to accept TCP traffic from Phantun Client")
                 .default_value("192.168.201.2")
-                .takes_value(true),
         )
         .arg(
             Arg::new("ipv4_only")
@@ -74,8 +70,8 @@ async fn main() -> io::Result<()> {
                 .short('4')
                 .required(false)
                 .help("Do not assign IPv6 addresses to Tun interface")
-                .takes_value(false)
-                .conflicts_with_all(&["tun_local6", "tun_peer6"]),
+                .action(ArgAction::SetTrue)
+                .conflicts_with_all(["tun_local6", "tun_peer6"]),
         )
         .arg(
             Arg::new("tun_local6")
@@ -84,7 +80,6 @@ async fn main() -> io::Result<()> {
                 .value_name("IP")
                 .help("Sets the Tun interface IPv6 local address (O/S's end)")
                 .default_value("fcc9::1")
-                .takes_value(true),
         )
         .arg(
             Arg::new("tun_peer6")
@@ -95,60 +90,73 @@ async fn main() -> io::Result<()> {
                        You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
                        in order for Phantun Client to connect to Phantun Server")
                 .default_value("fcc9::2")
-                .takes_value(true),
+        )
+        .arg(
+            Arg::new("handshake_packet")
+                .long("handshake-packet")
+                .required(false)
+                .value_name("PATH")
+                .help("Specify a file, which, after TCP handshake, its content will be sent as the \
+                      first data packet to the client.\n\
+                      Note: ensure this file's size does not exceed the MTU of the outgoing interface. \
+                      The content is always sent out in a single packet and will not be further segmented")
         )
         .get_matches();
 
     let local_port: u16 = matches
-        .value_of("local")
+        .get_one::<String>("local")
         .unwrap()
         .parse()
         .expect("bad local port");
 
-    let remote_addr = tokio::net::lookup_host(matches.value_of("remote").unwrap())
+    let remote_addr = tokio::net::lookup_host(matches.get_one::<String>("remote").unwrap())
         .await
         .expect("bad remote address or host")
         .next()
         .expect("unable to resolve remote host name");
+
     info!("Remote address is: {}", remote_addr);
 
     let tun_local: Ipv4Addr = matches
-        .value_of("tun_local")
+        .get_one::<String>("tun_local")
         .unwrap()
         .parse()
         .expect("bad local address for Tun interface");
     let tun_peer: Ipv4Addr = matches
-        .value_of("tun_peer")
+        .get_one::<String>("tun_peer")
         .unwrap()
         .parse()
         .expect("bad peer address for Tun interface");
 
-    let (tun_local6, tun_peer6) = if matches.is_present("ipv4_only") {
+    let (tun_local6, tun_peer6) = if matches.get_flag("ipv4_only") {
         (None, None)
     } else {
         (
             matches
-                .value_of("tun_local6")
+                .get_one::<String>("tun_local6")
                 .map(|v| v.parse().expect("bad local address for Tun interface")),
             matches
-                .value_of("tun_peer6")
+                .get_one::<String>("tun_peer6")
                 .map(|v| v.parse().expect("bad peer address for Tun interface")),
         )
     };
 
-    let tun_name = matches.value_of("tun").unwrap();
+    let tun_name = matches.get_one::<String>("tun").unwrap();
+    let handshake_packet: Option<Vec<u8>> = matches
+        .get_one::<String>("handshake_packet")
+        .map(fs::read)
+        .transpose()?;
 
     let num_cpus = num_cpus::get();
     info!("{} cores available", num_cpus);
 
     let tun = TunBuilder::new()
         .name(tun_name) // if name is empty, then it is set by kernel.
-        .tap(false) // false (default): TUN, true: TAP.
-        .packet_info(false) // false: IFF_NO_PI, default is true.
         .up() // or set it up manually using `sudo ip link set <tun-name> up`.
         .address(tun_local)
         .destination(tun_peer)
-        .try_build_mq(num_cpus)
+        .queues(num_cpus)
+        .build()
         .unwrap();
 
     if let (Some(tun_local6), Some(tun_peer6)) = (tun_local6, tun_peer6) {
@@ -169,6 +177,14 @@ async fn main() -> io::Result<()> {
         loop {
             let sock = Arc::new(stack.accept().await);
             info!("New connection: {}", sock);
+            if let Some(ref p) = handshake_packet {
+                if sock.send(p).await.is_none() {
+                    error!("Failed to send handshake packet to remote, closing connection.");
+                    continue;
+                }
+
+                debug!("Sent handshake packet to: {}", sock);
+            }
 
             let packet_received = Arc::new(Notify::new());
             let quit = CancellationToken::new();