package tls import ( "crypto/tls" "errors" "fmt" "github.com/net-byte/vtun/common/xproto" "log" "net" "time" "github.com/golang/snappy" "github.com/net-byte/vtun/common/cache" "github.com/net-byte/vtun/common/cipher" "github.com/net-byte/vtun/common/config" "github.com/net-byte/vtun/common/counter" "github.com/net-byte/vtun/common/netutil" "github.com/net-byte/water" ) // StartServer starts the tls server func StartServer(iFace *water.Interface, config config.Config) { log.Printf("vtun tls server started on %v", config.LocalAddr) cert, err := tls.LoadX509KeyPair(config.TLSCertificateFilePath, config.TLSCertificateKeyFilePath) if err != nil { log.Panic(err) } tlsConfig := &tls.Config{ Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, }, } ln, err := tls.Listen("tcp", config.LocalAddr, tlsConfig) if err != nil { log.Panic(err) } // server -> client go toClient(config, iFace) // client -> server for { conn, err := ln.Accept() if err != nil { continue } sniffConn := NewPeekPreDataConn(conn) switch sniffConn.Type { case TypeHttp: if sniffConn.Handle() { continue } case TypeHttp2: if sniffConn.Handle() { continue } } go toServer(config, sniffConn, iFace) } } // toClient sends packets from iFace to tlsConn func toClient(config config.Config, iFace *water.Interface) { buffer := make([]byte, config.BufferSize) for { n, err := iFace.Read(buffer) if err != nil { netutil.PrintErr(err, config.Verbose) continue } b := buffer[:n] if key := netutil.GetDstKey(b); key != "" { if v, ok := cache.GetCache().Get(key); ok { if config.Obfs { b = cipher.XOR(b) } if config.Compress { b = snappy.Encode(nil, b) } ph := &xproto.ServerSendPacketHeader{ ProtocolVersion: xproto.ProtocolVersion, Length: len(b), } _, err := v.(net.Conn).Write(ph.Bytes()) if err != nil { cache.GetCache().Delete(key) continue } n, err := v.(net.Conn).Write(b[:]) if err != nil { cache.GetCache().Delete(key) continue } counter.IncrWrittenBytes(n) } } } } // toServer sends packets from tlsConn to iFace func toServer(config config.Config, tlsConn net.Conn, iFace *water.Interface) { defer func(tlsConn net.Conn) { err := tlsConn.Close() if err != nil { netutil.PrintErr(err, config.Verbose) } }(tlsConn) header := make([]byte, xproto.ClientSendPacketHeaderLength) packet := make([]byte, config.BufferSize) authKey := xproto.ParseAuthKeyFromString(config.Key) for { n, err := tlsConn.Read(header) if err != nil { netutil.PrintErr(err, config.Verbose) break } if n != xproto.ClientSendPacketHeaderLength { netutil.PrintErr(errors.New(fmt.Sprintf("received length <%d> not equals <%d>!", n, xproto.ClientSendPacketHeaderLength)), config.Verbose) break } ph := xproto.ParseClientSendPacketHeader(header[:n]) if ph == nil { netutil.PrintErr(errors.New("ph == nil"), config.Verbose) break } if !ph.Key.Equals(authKey) { netutil.PrintErr(errors.New("authentication failed"), config.Verbose) break } n, err = tlsConn.Read(packet[:ph.Length]) if err != nil { netutil.PrintErr(err, config.Verbose) break } if n != ph.Length { netutil.PrintErr(errors.New(fmt.Sprintf("received length <%d> not equals <%d>!", n, ph.Length)), config.Verbose) break } b := packet[:n] if config.Compress { b, err = snappy.Decode(nil, b) if err != nil { netutil.PrintErr(err, config.Verbose) break } } if config.Obfs { b = cipher.XOR(b) } if key := netutil.GetSrcKey(b); key != "" { cache.GetCache().Set(key, tlsConn, 24*time.Hour) n, err := iFace.Write(b) if err != nil { netutil.PrintErr(err, config.Verbose) break } counter.IncrReadBytes(n) } } }