tlstun
======

tlstun is a simple Go program that will add TLS support for your
programs that do not have it.

It simply proxies from one TLS-listening host:port to another plaintext
(or TLS if using `-forwardtls`) host:port. If TLS is not your thing,
you can also proxy plain TCP traffic.


Installation
------------

```
$ go get github.com/parazyd/tlstun
```

Make sure you generate or acquire a TLS certificate keypair to use with
tlstun.


Usage
-----

```
Usage of ./tlstun:
  -cacert string
        Path for CA certificate file (default "ca.pem")
  -cert string
        Path for Certificate file (default "server.pem")
  -forward string
        Forward address (default "127.0.0.1:72")
  -forwardtls
        Forward using TLS
  -key string
        Path for Key file (default "server-key.pem")
  -listen string
        Listen address (default "127.0.0.1:7443")
  -notls
        Disable TLS and tunnel plain TCP
  -tlsver int
        TLS version to use (11, 12, 13) (default 13)
  -verbose
        Verbose mode
  -verifyclient
        Do client verification
```

tlstun supports two different ways of multiplexing, one being normal TLS
proxying, and the other being TLS proxying with client certificate
authentication. In addition to this, tlstun can also opt out of TLS and
proxy plain TCP without encryption by using the `-notls` flag.


### Without client verification

Start tlstun with `-cert` and `-key`, and it will simply provide a TLS
forward to its destination with the given TLS certificate.


### With client verification

With client verification, start tlstun with `-cacert`, `-cert`, `-key`,
and `-verifyclient` and it will do client certificate verification. This
means it will only allow access from clients providing a certificate
signed by the CA certificate that is being loaded/used with tlstun on
startup with `-cacert`.
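The client verification policy described above, exercised in a real handshake. This is an added Go example, not tlstun's own code: it assumes `-verifyclient` corresponds to `tls.RequireAndVerifyClientCert` with the `-cacert` certificate as the client CA pool, and the helpers `issue` and `serverHandshake`, the names `example-ca`, `localhost` and `client`, and all certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue returns a constructed one-hour certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, err := x509.ParseCertificate(der) // also fails if signing returned no DER
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// serverHandshake is the server-side verdict on client when only ca-signed certificates are admitted.
func serverHandshake(ca, client tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{issue("localhost", &ca)}, // role of -cert/-key
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert} // -cacert, -verifyclient (assumed mapping)
	cli := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "localhost"}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), cli) // client side; only the server's verdict is reported
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	defer raw.Close()
	return tls.Server(raw, srv).Handshake()
}
```

`serverHandshake(ca, issue("client", &ca))` returns nil, while a client certificate issued by a second CA created with the same subject name but a different key returns an error: trust is anchored in the CA key loaded at startup, not in the CA's name.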