add local socks server

Author: gjmzj

cmd/agent/main.go

@@ -20,9 +20,9 @@ func main() {
 	flag.StringVar(&a.AuthKey, "auth", "xxx", "Specify the authentication key")
 	flag.BoolVar(&a.EnableTLS, "tls", true, "To enable tls between agent and server or not")
 	flag.BoolVar(&a.EnablePprof, "pprof", false, "To enable pprof or not")
-	flag.StringVar(&a.CaFile, "ca", "./certs/ca.pem", "Specify the trusted ca file")
-	flag.StringVar(&a.CertFile, "cert", "./certs/client.pem", "Specify the agent cert file")
-	flag.StringVar(&a.KeyFile, "key", "./certs/client-key.pem", "Specify the agent key file")
+	flag.StringVar(&a.CaFile, "ca", "./ca.pem", "Specify the trusted ca file")
+	flag.StringVar(&a.CertFile, "cert", "./agent.pem", "Specify the agent cert file")
+	flag.StringVar(&a.KeyFile, "key", "./agent-key.pem", "Specify the agent key file")
 	flag.StringVar(&a.LocalAddress, "local", ":16116", "Specify the local address")
 	flag.StringVar(&a.ServerAddress, "server", "127.0.0.1:8443", "Specify the server address")
 	flag.Parse()

cmd/server/main.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/easzlab/ezvpn/config"
 	"github.com/easzlab/ezvpn/server"
+	"github.com/easzlab/ezvpn/socks"
 )
 
 func main() {
@@ -17,9 +18,9 @@ func main() {
 	flag.BoolVar(&s.EnablePprof, "pprof", false, "To enable pprof or not")
 	flag.StringVar(&s.ControlAddress, "listen", ":8443", "Specify the control address")
 	flag.StringVar(&s.ConfigFile, "config", "./config/allowed-agents.yml", "Specify the config file")
-	flag.StringVar(&s.CaFile, "ca", "./certs/ca.pem", "Specify the trusted ca file")
-	flag.StringVar(&s.CertFile, "cert", "./certs/server.pem", "Specify the server cert file")
-	flag.StringVar(&s.KeyFile, "key", "./certs/server-key.pem", "Specify the server key file")
+	flag.StringVar(&s.CaFile, "ca", "./ca.pem", "Specify the trusted ca file")
+	flag.StringVar(&s.CertFile, "cert", "./server.pem", "Specify the server cert file")
+	flag.StringVar(&s.KeyFile, "key", "./server-key.pem", "Specify the server key file")
 	flag.StringVar(&s.SocksServer, "socks5", "0.0.0.0:6116", "Specify the socks server address")
 	flag.Parse()
 
@@ -31,6 +32,11 @@ func main() {
 		go http.ListenAndServe("0.0.0.0:6060", nil)
 	}
 
+	// run socks server
+	socksServer := socks.Server{ListenAddr: s.SocksServer}
+	go socksServer.Run()
+
+	// run ezvpn server
 	if err := server.Start(); err != nil {
 		fmt.Fprintln(os.Stderr, "error:", err)
 		os.Exit(1)

server/server.go

@@ -42,10 +42,10 @@ func Start() error {
 			ClientCAs:  certPool,
 			MinVersion: tls.VersionTLS12,
 		}
-		log.Println("https server is running on: " + config.SERVER.ControlAddress)
+		log.Println("ezvpn server is running on: " + config.SERVER.ControlAddress)
 		return s.ListenAndServeTLS(config.SERVER.CertFile, config.SERVER.KeyFile)
 	} else {
-		log.Println("http server is running on: " + config.SERVER.ControlAddress)
+		log.Println("ezvpn server is running on: " + config.SERVER.ControlAddress)
 		return s.ListenAndServe()
 	}
 }

socks/auth.go

@@ -0,0 +1,71 @@
+package socks
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"log"
+	"net"
+)
+
+func (s *Server) HandleAuth(conn net.Conn) error {
+	cli := conn.RemoteAddr().String()
+
+	// auth-check
+	reply, err := authReply(conn)
+	if err != nil {
+		log.Printf("auth failed from %s, error: %s", cli, err.Error())
+		return err
+	}
+
+	if n, e := conn.Write([]byte{0x05, reply}); e != nil || n != 2 {
+		senderr := fmt.Errorf("failed to send method selection reply: %v", e)
+		log.Printf("auth failed from %s, error: %s", cli, senderr.Error())
+		return senderr
+	}
+
+	return nil
+}
+
+func authReply(conn net.Conn) (uint8, error) {
+	bufConn := bufio.NewReader(conn)
+	reply := noAcceptableMethods
+
+	// Read the version byte
+	version := []byte{0}
+	if _, err := bufConn.Read(version); err != nil {
+		return reply, fmt.Errorf("failed to get version byte: %v", err)
+	}
+
+	// Ensure socks5 version
+	if version[0] != socks5Version {
+		return reply, fmt.Errorf("unsupported socks version: %v", version)
+	}
+
+	// Read the NMETHODS byte
+	numMethods := []byte{0}
+	if _, err := bufConn.Read(numMethods); err != nil {
+		return reply, fmt.Errorf("failed to get nmethods byte: %v", err)
+	}
+	nMethods := int(numMethods[0])
+
+	// Read the METHODS bytes
+	methods := make([]byte, nMethods)
+	if _, err := io.ReadAtLeast(bufConn, methods, nMethods); err != nil {
+		return reply, fmt.Errorf("failed to get methods bytes: %v", err)
+	}
+
+	// Only Support NoAuth method right now
+	for _, m := range methods {
+		if m == noAuthRequired {
+			reply = noAuthRequired
+			break
+		}
+	}
+
+	if reply == noAcceptableMethods {
+		return reply, fmt.Errorf("no acceptable methods")
+	}
+
+	return reply, nil
+}

socks/connect.go

@@ -0,0 +1,61 @@
+package socks
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log"
+	"net"
+
+	"github.com/easzlab/ezvpn/config"
+)
+
+// CMD CONNECT
+func (s *Server) handleConnect(ctx context.Context, conn net.Conn, req *Request) error {
+	cli := conn.RemoteAddr().String()
+
+	// Try to connect the destination
+	target, err := net.DialTimeout("tcp", req.DestAddr.Address(), config.NetDialTimeout)
+	if err != nil {
+		SendReply(conn, hostUnreachable, nil)
+		errcon := fmt.Errorf("connect to target failed: %v", err)
+		log.Printf("target unreachable, error: %s, client: %s, target: %s", errcon.Error(), cli, req.DestAddr.String())
+		return errcon
+	}
+	defer target.Close()
+
+	// Send success
+	local, ok := target.LocalAddr().(*net.TCPAddr)
+	if !ok {
+		msg := fmt.Sprintf("expect *net.TCPAddr, not %t", target.LocalAddr())
+		log.Printf("unknown type, error: %s, client: %s, target: %s", msg, cli, req.DestAddr.String())
+	}
+	bind := AddrSpec{IP: local.IP, Port: local.Port}
+	if err := SendReply(conn, successReply, &bind); err != nil {
+		log.Printf("failed to send reply, error: %s, client: %s, target: %s", err.Error(), cli, req.DestAddr.String())
+		return fmt.Errorf("failed to send reply: %v", err)
+	}
+
+	// Start proxying
+	errCh := make(chan error, 2)
+	go proxy(target, conn, errCh)
+	go proxy(conn, target, errCh)
+
+	// Wait
+	for i := 0; i < 2; i++ {
+		err := <-errCh
+		if err != nil {
+			// return from this function closes target (and conn).
+			return err
+		}
+	}
+	return nil
+}
+
+// proxy is used to suffle data from src to destination, and sends errors
+// down a dedicated channel
+func proxy(dst net.Conn, src net.Conn, errCh chan error) {
+	_, err := io.Copy(dst, src)
+	dst.Close()
+	errCh <- err
+}

socks/request.go

@@ -0,0 +1,174 @@
+package socks
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"strconv"
+)
+
+// AddrSpec is used to return the target AddrSpec
+// which may be specified as IPv4, IPv6, or a FQDN
+type AddrSpec struct {
+	FQDN string
+	IP   net.IP
+	Port int
+}
+
+func (a *AddrSpec) String() string {
+	if a.FQDN != "" {
+		return fmt.Sprintf("%s (%s):%d", a.FQDN, a.IP, a.Port)
+	}
+	return fmt.Sprintf("%s:%d", a.IP, a.Port)
+}
+
+// Address returns a string suitable to dial; prefer returning IP-based
+// address, fallback to FQDN
+func (a AddrSpec) Address() string {
+	if len(a.IP) > 0 {
+		return net.JoinHostPort(a.IP.String(), strconv.Itoa(a.Port))
+	}
+	return net.JoinHostPort(a.FQDN, strconv.Itoa(a.Port))
+}
+
+// A Request represents request received by a server
+type Request struct {
+	// Protocol version
+	Version uint8
+	// Requested command
+	Command uint8
+	// AddrSpec of the the network that sent the request
+	RemoteAddr *AddrSpec
+	// AddrSpec of the desired destination
+	DestAddr *AddrSpec
+}
+
+func (r *Request) ParseRequest(conn net.Conn) error {
+	header := []byte{0, 0, 0}
+	if _, err := io.ReadAtLeast(conn, header, 3); err != nil {
+		return fmt.Errorf("read 3 bytes header error:%s", err.Error())
+	}
+
+	if header[0] != 0x05 {
+		return fmt.Errorf("unsupported proxy version")
+	}
+
+	// Read in the destination address
+	dest, err := readAddrSpec(conn)
+	if err != nil {
+		return err
+	}
+	remote, _ := conn.RemoteAddr().(*net.TCPAddr)
+
+	r.Version = 0x05
+	r.Command = header[1]
+	r.DestAddr = dest
+	r.RemoteAddr = &AddrSpec{IP: remote.IP, Port: remote.Port}
+
+	return nil
+}
+
+// readAddrSpec is used to read AddrSpec.
+// Expects an address type byte, follwed by the address and port
+func readAddrSpec(r io.Reader) (*AddrSpec, error) {
+	d := &AddrSpec{}
+
+	// Get the address type
+	addrType := []byte{0}
+	if _, err := r.Read(addrType); err != nil {
+		return nil, fmt.Errorf("read addr type error:%s", err.Error())
+	}
+
+	// Handle on a per type basis
+	switch addrType[0] {
+	case ipv4Address:
+		addr := make([]byte, 4)
+		if _, err := io.ReadAtLeast(r, addr, 4); err != nil {
+			return nil, fmt.Errorf("read ipv4 add error:%s", err.Error())
+		}
+		d.IP = net.IP(addr)
+
+	case ipv6Address:
+		addr := make([]byte, 16)
+		if _, err := io.ReadAtLeast(r, addr, 16); err != nil {
+			return nil, fmt.Errorf("read ipv6 add error:%s", err.Error())
+		}
+		d.IP = net.IP(addr)
+
+	case fqdnAddress:
+		buf := []byte{0}
+		if _, err := r.Read(buf); err != nil {
+			return nil, fmt.Errorf("read fqdn len error:%s", err.Error())
+		}
+		addrLen := int(buf[0])
+		fqdn := make([]byte, addrLen)
+		if _, err := io.ReadAtLeast(r, fqdn, addrLen); err != nil {
+			return nil, fmt.Errorf("read fqdn %d bytes error:%s", addrLen, err.Error())
+		}
+		d.FQDN = string(fqdn)
+
+	default:
+		return nil, fmt.Errorf("unrecognized address type")
+	}
+
+	// Read the port
+	port := []byte{0, 0}
+	if _, err := io.ReadAtLeast(r, port, 2); err != nil {
+		return nil, fmt.Errorf("read 2 bytes port error:%s", err.Error())
+	}
+	d.Port = (int(port[0]) << 8) | int(port[1])
+
+	return d, nil
+}
+
+// SendReply is used to send a reply message
+func SendReply(w io.Writer, rep uint8, addr *AddrSpec) error {
+	// Format the address
+	var addrType uint8
+	var addrBody []byte
+	var addrPort uint16
+	switch {
+	case addr == nil:
+		addrType = ipv4Address
+		addrBody = []byte{0, 0, 0, 0}
+		addrPort = 0
+
+	case addr.FQDN != "":
+		addrType = fqdnAddress
+		addrBody = append([]byte{byte(len(addr.FQDN))}, addr.FQDN...)
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To4() != nil:
+		addrType = ipv4Address
+		addrBody = []byte(addr.IP.To4())
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To16() != nil:
+		addrType = ipv6Address
+		addrBody = []byte(addr.IP.To16())
+		addrPort = uint16(addr.Port)
+
+	default:
+		err := fmt.Errorf("failed to format address: %v", addr)
+		log.Printf("failed to send reply, error: %s, client: , target: ", err.Error())
+		return err
+	}
+
+	// Format the message
+	reply := make([]byte, 6+len(addrBody))
+	reply[0] = socks5Version
+	reply[1] = rep
+	reply[2] = 0 // Reserved
+	reply[3] = addrType
+	copy(reply[4:], addrBody)
+	reply[4+len(addrBody)] = byte(addrPort >> 8)
+	reply[4+len(addrBody)+1] = byte(addrPort & 0xff)
+
+	// Send the message
+	_, err := w.Write(reply)
+	if err != nil {
+		log.Printf("failed to send reply, error: %s, client: , target: ", err.Error())
+	}
+	return err
+}