commit 66a824d9fd7100a33075cd9d6bb4b0e6000e9c09
parent a4555c61fc901f47d7478ff19119f45a1ebd349f
Author: parazyd <parazyd@dyne.org>
Date: Mon, 26 Apr 2021 10:38:21 +0200
Implement forwarding over TLS.
Diffstat:
2 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
@@ -5,8 +5,8 @@ tlstun is a simple Go program that will add TLS support for your
programs that do not have it.
It simply proxies from one TLS-listening host:port to another plaintext
-host:port. If TLS is not your thing, you can also proxy plain TCP
-traffic.
+(or TLS if using `-forwardtls`) host:port. If TLS is not your thing,
+you can also proxy plain TCP traffic.
Installation
@@ -31,12 +31,14 @@ Usage of ./tlstun:
Path for Certificate file (default "server.pem")
-forward string
Forward address (default "127.0.0.1:72")
+ -forwardtls
+ Forward using TLS
-key string
Path for Key file (default "server-key.pem")
-listen string
Listen address (default "127.0.0.1:7443")
-notls
- Disable TLS and just tunnel plain TCP
+ Disable TLS and tunnel plain TCP
-tlsver int
TLS version to use (11, 12, 13) (default 13)
-verbose
diff --git a/tlstun.go b/tlstun.go
@@ -33,6 +33,7 @@ var (
key = flag.String("key", "server-key.pem", "Path for Key file")
listen = flag.String("listen", "127.0.0.1:7443", "Listen address")
forward = flag.String("forward", "127.0.0.1:72", "Forward address")
+ fwtls = flag.Bool("forwardtls", false, "Forward using TLS")
client = flag.Bool("verifyclient", false, "Do client verification")
verbose = flag.Bool("verbose", false, "Verbose mode")
notls = flag.Bool("notls", false, "Disable TLS and tunnel plain TCP")
@@ -48,7 +49,10 @@ func tlsConfig(cert, key string) (*tls.Config, error) {
tlscfg := &tls.Config{Certificates: []tls.Certificate{creds}}
if *client {
- certpool := x509.NewCertPool()
+ certpool, _ := x509.SystemCertPool()
+ if certpool == nil {
+ certpool = x509.NewCertPool()
+ }
pem, err := ioutil.ReadFile(*cacert)
if err != nil {
return nil, err
@@ -74,8 +78,16 @@ func tlsConfig(cert, key string) (*tls.Config, error) {
return tlscfg, nil
}
-func tunnel(conn net.Conn) {
- client, err := net.Dial("tcp", *forward)
+func tunnel(conn net.Conn, tlsCfg *tls.Config) {
+ var client net.Conn
+ var err error
+
+ if *fwtls {
+ client, err = tls.Dial("tcp", *forward, tlsCfg)
+ } else {
+ client, err = net.Dial("tcp", *forward)
+ }
+
if err != nil {
log.Fatal(err)
}
@@ -99,7 +111,7 @@ func tunnel(conn net.Conn) {
}()
}
-func server() (net.Listener, error) {
+func server(tlsCfg *tls.Config) (net.Listener, error) {
t, err := net.Listen("tcp", *listen)
if err != nil {
return nil, err
@@ -109,18 +121,25 @@ func server() (net.Listener, error) {
return t, nil
}
- cfg, err := tlsConfig(*cert, *key)
- if err != nil {
- return nil, err
- }
-
- return tls.NewListener(t, cfg), nil
+ return tls.NewListener(t, tlsCfg), nil
}
func main() {
flag.Parse()
- tcpsock, err := server()
+ var tlsCfg *tls.Config
+ var err error
+
+ if *notls {
+ tlsCfg = nil
+ } else {
+ tlsCfg, err = tlsConfig(*cert, *key)
+ if err != nil {
+ log.Fatal(err)
+ }
+ }
+
+ tcpsock, err := server(tlsCfg)
if err != nil {
log.Fatal(err)
}
@@ -133,6 +152,6 @@ func main() {
if *verbose {
log.Printf("Accepted connection from %s\n", conn.RemoteAddr())
}
- go tunnel(conn)
+ go tunnel(conn, tlsCfg)
}
}
