go-vpn

command module

v1.0.0 Latest Latest Go to latest Published: May 28, 2023 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/wushilin/go-vpn

Links

Open Source Insights

README ¶

go-vpn

A secure, single executable (same for client/server) point to point VPN server that uses QUIC protocol. It also supports routing propagation by options

This program only supports LINUX at the moment. But it is easy to port this over to other platform.

Let me know if you need other platform support!

Before you start

make sure you have root access!
make sure your /usr/sbin/ip is there. It uses the command to manipulate IP address assignment and routes

How it works

This program has server mode and client mode.

Both server and client must run as root, as we need to manipulate the system tunnel device.

By default tunnel device used is TUN17, you can specify the name by -tunname tun12 to switch to tun12 instead.

Server will start binding to QUIC (UDP) port and wait for client to connect.

Client connects via QUIC with mutual TLS as authentication. This is the security mechanism the VPN is offering.

Server always load server.pem, server.key, ca.pem for TLS configuration.
Client always load client.pem, client.key, ca.pem for TLS configuration.

Server and client can specify the cert's common name by -commonName to validate. If peer certificate's commonName is not matching, connection will be disconnected.

Client and server both can propogate the additional route rules to request remote host to route the IP ranges to local.

If route setup fails, the connection will be reset and all routing rule that had been requested will be deleted.

If more than 1 subnet is required, separate by ;. For example -route "192.168.44.0/24;10.251.116.0/24"

Server

# ./go-vpn -l -b 0.0.0.0:4792 -laddr 172.47.88.1/24 -route "192.168.44.0/24;10.251.116.0/24" -commonName client003

Explantion:

Listen on UDP: 0.0.0.0:4792
Assign Local Tun Device IP of 172.47.88.1/24
Request remote to route 192.168.44.0/24;10.251.116.0/24 in addition to 172.47.88.1/32 (the local IP)
Require client certificate is signed by ca.pem and has commonName of client003

Client

# ./go-vpn -s 192.168.44.105:4792 -laddr 192.168.115.211/24 -route "172.19.0.0/16;172.31.0.0/16" -commonName vpnServer

Explanation

Connect to server on UDP: 0.0.0.0:4792
Assign Local Tun Device IP of 192.168.115.211/24
Request remote to route 172.19.0.0/16;172.31.0.0/16 in addition to 192.168.115.211/32 (the local IP)
Require client certificate is signed by ca.pem and has commonName of vpnServer

Fault tolerance

Connection will be forever retried. It would eventually re-establish connection whenever network disconnect is encountered.

Built in certificate

The built in certificate is valid for server hostname that looks like *.local. If you want to use the default certificate (not recommended), you can add your server's IP address to client's /etc/hosts as something.local, and connect by that hostname with -s something.local:4792.

Create your own cert

Please consider using https://github.com/wushilin/minica

Alternatively, a script version is available at https://github.com/wushilin/minica-script

Enjoy

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
common
encryption
message
piper
service
transport

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL