Simple network tunnel (and how to work with Linux TUN device) as an example.
Tunnel is working on only on Linux or inside Docker containers.
Generate private and public keys.
cargo run -- generate
First of all you need to setup NAT routing and forwarding in the operating system.
Use ifconfig
to find an proper interface which has an access to the global network. For example network interface can have a name enp1s0
.
sudo iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
To check that command was successfully executed you can use following command and find your rule.
sudo iptables-save
Also you need to setup ip forwarding.
sudo sysctl -w net.ipv4.ip_forward=1
Use command to check.
sysctl net.ipv4.ip_forward
You should see and output with = 1
.
After that you can run tunnel server.
cargo build && \
sudo target/debug/tunnel run \
<server_private_key> <client_public_key> \
--tun-device-ip 10.0.0.2/24
# Build and run tunnel client.
cargo build && \
sudo target/debug/tunnel run \
<client_private_key> <server_public_key> \
--tun-device-ip 10.0.0.3/24 --udp-server-ip <tunnel_server_public_ip>
# Route all traffic to 1.1.1.1 through client tunnel interface.
sudo ip route add 1.1.1.1/32 dev tun0
To check that tunnel is setup correctly you can use ping
command: ping 1.1.1.1 -c 1
.
It is very crucial to setup different IPs for client and server TUN devices, others packets not going correctly through tunnel.
# Server.
cargo build && \
sudo target/debug/tunnel run \
nE84pUNAM0LsWx+tjJLElU9vEEi1fm5UxucRyTfTrok= /i4WwxYB7KPoFNFCiIR67KpROr6f8Y6Ht56Z2LXZOLE= \
--tun-device-ip 10.0.0.2/24
# Client.
cargo build && \
sudo target/debug/tunnel run \
7y6VlMKnBWxFoCc06E2BCEaBTk9rKu8MQOwsjGcmHdw= ioABH93leNl4oiHy9k8O5NVPM7W8TEwgj9IGtycZUKM= \
--tun-device-ip 10.0.0.3/24 --udp-server-ip 127.0.0.1
In order to run the tunnel (client and server) in the Docker you first need to build docker image.
# To build without encryption.
make build_docker
# To build with encryption capabilities.
make build_docker_crypto
After that you need to start tunnel server.
# To run without encryption and with disabled logs.
make run_docker_server log_level=off
# To run with encryption capabilities and log level is trace.
make run_docker_server_crypto log_level=trace
And finally you can start tunne client. To run this command jq is required to be installed.
# To run without encryption.
make run_docker_client log_level=off
# To run with encryption capabilities.
make run_docker_server_client log_level=trace
Wait until client HTTP server will be started.
To test that tunnel is working you can request DNS HTTP proxy server to resolve some DNS name.
curl -iX GET 'http://127.0.0.1:8888/resolve?name=cloudflare.com&method=go'
curl -iX GET 'http://127.0.0.1:8888/resolve?name=cloudflare.com&method=dig&server=1.1.1.1'
server
query param is not nessery. It is only used in case of dig
method to specify target DNS server. By default we are using 1.1.1.1
.
You can see in the client and server tunnels logs that packets were going through them before reached 1.1.1.1
DNS server.
Client side supports two types of routing:
single
- single means only network packets to target dns server will go through tunnelfull
- full means all requests will go through tunnel
make run_docker_client log_level=trace routing=full
single
is used by default.
If you are encountering some problems and packets are not going through tunnel correctly, use tcpdump
.
# To check only ICMP packets.
tcpdump -v -i tun0 proto \\icmp
# Check any packets for particular IP.
tcpdump -i enp1s0 dst 1.1.1.1 or src 1.1.1.1
To use custom DNS server (clouddns, for example) you can run following command:
make run_dns_server
After that when you start docker containers for establish a tunnel it will find this server address automatically.
In order to run firmware on macOS for demo purposes it is required to sign it by self-issued certificate.
You can check following docs how to do it. Use name app-signer
(you can choose any name but in that case you need to update commands below) for your certificate.
Commands to check that everything is fine:
# By following command you can check that your certificate in the list.
security find-identity -p codesigning
codesign -f -s "app-signer" <some-file> --deep
After signing key creation you need to be able to build macOS bundle after Rust binary compilation. Install this tool to do it automatically.
Cargo.toml
contains [package.metadata.bundle]
section to describe bundle metadata. Also we have some configuration in ./macos_bundle
folder.
To build you can use target from Makefile: make build_macos_notifications
. It will be built, bundled and signed.
Then, to execute binary, use following binary: target/debug/bundle/osx/tunnel.app/Contents/MacOS/tunnel
.
Thanks to https://shadowfacts.net/2023/rust-swift/.
Start client and server. On the client side use following command:
make run_benchmarks name=tunnel_dig
make run_benchmarks name=tunnel_go
Time | RPS | Memory | Swap | CPUs |
---|---|---|---|---|
1m | 50rps | 0.5g | 0.5g | 1 |
Avg | Min | Max | |
---|---|---|---|
Without tunnel and without local DNS [DQI] | 6.4ms | 762.33ns | 541ms |
Without tunnel but with local DNS | 4.43ms | 1.00ms | 12.84ms |
With tunnel but without local DNS [DQI] | 9.97ms | 5.55ms | 98.91ms |
With tunnel and with local DNS | 2.32ms | 1.01ms | 5.80ms |
With encrypted tunnel and with local DNS | 2.44ms | 867.25ns | 11.00ms |
With tunnel and with local DNS (dig) | 57.77ms | 32.84ms | 136.72ms |
[DQI] means benchmark depends on the quality of the Internet (ping).
(dig) means dig
command was used by DNS HTTP proxy server to reach DNS server.