package tls import ( "crypto/tls" "errors" "fmt" "github.com/net-byte/vtun/common/xproto" "log" "net" "time" "github.com/golang/snappy" "github.com/net-byte/vtun/common/cache" "github.com/net-byte/vtun/common/cipher" "github.com/net-byte/vtun/common/config" "github.com/net-byte/vtun/common/counter" "github.com/net-byte/vtun/common/netutil" "github.com/net-byte/water" ) // StartClient starts the tls client func StartClient(iFace *water.Interface, config config.Config) { log.Println("vtun tls client started") go tunToTLS(config, iFace) tlsConfig := &tls.Config{ InsecureSkipVerify: config.TLSInsecureSkipVerify, MinVersion: tls.VersionTLS13, CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, }, } if config.TLSSni != "" { tlsConfig.ServerName = config.TLSSni } for { conn, err := tls.Dial("tcp", config.ServerAddr, tlsConfig) if err != nil { time.Sleep(3 * time.Second) netutil.PrintErr(err, config.Verbose) continue } cache.GetCache().Set("tlsConn", conn, 24*time.Hour) tlsToTun(config, conn, iFace) cache.GetCache().Delete("tlsConn") } } // tunToTLS sends packets from tun to tls func tunToTLS(config config.Config, iFace *water.Interface) { authKey := xproto.ParseAuthKeyFromString(config.Key) buffer := make([]byte, config.BufferSize) for { n, err := iFace.Read(buffer) if err != nil { netutil.PrintErr(err, config.Verbose) continue } b := buffer[:n] if v, ok := cache.GetCache().Get("tlsConn"); ok { if config.Obfs { b = cipher.XOR(b) } if config.Compress { b = snappy.Encode(nil, b) } tlsConn := v.(net.Conn) ph := &xproto.ClientSendPacketHeader{ ProtocolVersion: xproto.ProtocolVersion, Key: authKey, Length: len(b), } _, err := tlsConn.Write(ph.Bytes()) if err != nil { netutil.PrintErr(err, config.Verbose) continue } n, err := tlsConn.Write(b[:]) if err != nil { netutil.PrintErr(err, config.Verbose) continue } counter.IncrWrittenBytes(n) } } } // tlsToTun sends packets from tls to tun func tlsToTun(config config.Config, tlsConn net.Conn, iFace *water.Interface) { defer func(tlsConn net.Conn) { err := tlsConn.Close() if err != nil { netutil.PrintErr(err, config.Verbose) } }(tlsConn) header := make([]byte, xproto.ServerSendPacketHeaderLength) packet := make([]byte, config.BufferSize) for { n, err := tlsConn.Read(header) if err != nil { netutil.PrintErr(err, config.Verbose) break } if n != xproto.ServerSendPacketHeaderLength { netutil.PrintErr(errors.New(fmt.Sprintf("received length <%d> not equals <%d>!", n, xproto.ServerSendPacketHeaderLength)), config.Verbose) break } ph := xproto.ParseServerSendPacketHeader(header[:n]) if ph == nil { netutil.PrintErr(errors.New("ph == nil"), config.Verbose) break } n, err = tlsConn.Read(packet[:ph.Length]) if err != nil { netutil.PrintErr(err, config.Verbose) break } if n != ph.Length { netutil.PrintErr(errors.New(fmt.Sprintf("received length <%d> not equals <%d>!", n, ph.Length)), config.Verbose) break } b := packet[:n] if config.Compress { b, err = snappy.Decode(nil, b) if err != nil { netutil.PrintErr(err, config.Verbose) break } } if config.Obfs { b = cipher.XOR(b) } n, err = iFace.Write(b) if err != nil { netutil.PrintErr(err, config.Verbose) break } counter.IncrReadBytes(n) } }