tlstun

simple go program to add tls support to other listeners
git clone https://git.parazyd.org/tlstun
Log | Files | Refs | README | LICENSE

commit 66a824d9fd7100a33075cd9d6bb4b0e6000e9c09
parent a4555c61fc901f47d7478ff19119f45a1ebd349f
Author: parazyd <parazyd@dyne.org>
Date:   Mon, 26 Apr 2021 10:38:21 +0200

Implement forwarding over TLS.

Diffstat:
MREADME.md | 8+++++---
Mtlstun.go | 43+++++++++++++++++++++++++++++++------------
2 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md @@ -5,8 +5,8 @@ tlstun is a simple Go program that will add TLS support for your programs that do not have it. It simply proxies from one TLS-listening host:port to another plaintext -host:port. If TLS is not your thing, you can also proxy plain TCP -traffic. +(or TLS if using `-forwardtls`) host:port. If TLS is not your thing, +you can also proxy plain TCP traffic. Installation @@ -31,12 +31,14 @@ Usage of ./tlstun: Path for Certificate file (default "server.pem") -forward string Forward address (default "127.0.0.1:72") + -forwardtls + Forward using TLS -key string Path for Key file (default "server-key.pem") -listen string Listen address (default "127.0.0.1:7443") -notls - Disable TLS and just tunnel plain TCP + Disable TLS and tunnel plain TCP -tlsver int TLS version to use (11, 12, 13) (default 13) -verbose diff --git a/tlstun.go b/tlstun.go @@ -33,6 +33,7 @@ var ( key = flag.String("key", "server-key.pem", "Path for Key file") listen = flag.String("listen", "127.0.0.1:7443", "Listen address") forward = flag.String("forward", "127.0.0.1:72", "Forward address") + fwtls = flag.Bool("forwardtls", false, "Forward using TLS") client = flag.Bool("verifyclient", false, "Do client verification") verbose = flag.Bool("verbose", false, "Verbose mode") notls = flag.Bool("notls", false, "Disable TLS and tunnel plain TCP") @@ -48,7 +49,10 @@ func tlsConfig(cert, key string) (*tls.Config, error) { tlscfg := &tls.Config{Certificates: []tls.Certificate{creds}} if *client { - certpool := x509.NewCertPool() + certpool, _ := x509.SystemCertPool() + if certpool == nil { + certpool = x509.NewCertPool() + } pem, err := ioutil.ReadFile(*cacert) if err != nil { return nil, err @@ -74,8 +78,16 @@ func tlsConfig(cert, key string) (*tls.Config, error) { return tlscfg, nil } -func tunnel(conn net.Conn) { - client, err := net.Dial("tcp", *forward) +func tunnel(conn net.Conn, tlsCfg *tls.Config) { + var client net.Conn + var err error + + if *fwtls { + client, err = tls.Dial("tcp", *forward, tlsCfg) + } else { + client, err = net.Dial("tcp", *forward) + } + if err != nil { log.Fatal(err) } @@ -99,7 +111,7 @@ func tunnel(conn net.Conn) { }() } -func server() (net.Listener, error) { +func server(tlsCfg *tls.Config) (net.Listener, error) { t, err := net.Listen("tcp", *listen) if err != nil { return nil, err @@ -109,18 +121,25 @@ func server() (net.Listener, error) { return t, nil } - cfg, err := tlsConfig(*cert, *key) - if err != nil { - return nil, err - } - - return tls.NewListener(t, cfg), nil + return tls.NewListener(t, tlsCfg), nil } func main() { flag.Parse() - tcpsock, err := server() + var tlsCfg *tls.Config + var err error + + if *notls { + tlsCfg = nil + } else { + tlsCfg, err = tlsConfig(*cert, *key) + if err != nil { + log.Fatal(err) + } + } + + tcpsock, err := server(tlsCfg) if err != nil { log.Fatal(err) } @@ -133,6 +152,6 @@ func main() { if *verbose { log.Printf("Accepted connection from %s\n", conn.RemoteAddr()) } - go tunnel(conn) + go tunnel(conn, tlsCfg) } }