Commit 182e3e76 authored by atanarjuat's avatar atanarjuat
Browse files

simplify testing of client and server

parent a809112a
obfsproxy/test_data/*
obfsproxy/obfsproxy
obfsclient/obfsclient
*.swp
*.swo
OBFS4_ENDPOINT ?=
OBFS4_CERT ?=
certs:
curl -k https://black.riseup.net/ca.crt > /tmp/ca.crt
curl -k https://api.black.riseup.net/3/cert > /tmp/cert.pem
build-client:
go get ./...
go build -o obfsvpn-client ./client
run-client:
./obfsvpn-client -c ${OBFS4_CERT}
run-openvpn:
./scripts/run-openvpn-client.sh
check:
curl https://wtfismyip.com/json
package main
import (
"flag"
"fmt"
"io"
"log"
"net"
"os"
"0xacab.org/leap/obfsvpn"
socks5 "github.com/armon/go-socks5"
)
func main() {
// Setup logging.
logger := log.New(os.Stderr, "", log.LstdFlags)
debug := log.New(io.Discard, "DEBUG ", log.LstdFlags)
// setup command line flags.
var (
verbose bool
obfs4Cert string
obfs4Remote string
socksPort string
socksHost string
)
socksPort = "8080"
socksHost = "127.0.0.1"
flags := flag.NewFlagSet(os.Args[0], flag.ContinueOnError)
flags.BoolVar(&verbose, "v", verbose, "Enable verbose logging")
flags.StringVar(&obfs4Cert, "c", obfs4Cert, "The remote obfs4 certificate")
flags.StringVar(&obfs4Remote, "r", obfs4Remote, "The remote obfs4 endpoint (ip:port)")
flags.StringVar(&socksPort, "p", socksPort, "The port for the local socks5 proxy (default: 8080)")
flags.StringVar(&socksHost, "i", socksHost, "The host for the local socks5 proxy (default: localhost)")
err := flags.Parse(os.Args[1:])
if err != nil {
logger.Fatalf("error parsing flags: %v", err)
}
// Configure logging.
if verbose {
debug.SetOutput(os.Stderr)
}
dialer, err := obfsvpn.NewDialerFromCert(obfs4Cert)
if err != nil {
logger.Fatalf("cannot get dialer: %v", err)
}
socksConf := &socks5.Config{
Dial: dialer.Dial,
}
server, err := socks5.New(socksConf)
if err != nil {
panic(err)
}
addr := net.JoinHostPort(socksHost, socksPort)
fmt.Printf("[+] Started socks5 proxy at %s\n", addr)
if err := server.ListenAndServe("tcp", addr); err != nil {
panic(err)
}
}
......@@ -76,21 +76,22 @@ func unpackCert(cert string) (*ntor.NodeID, *ntor.PublicKey, error) {
return nodeID, pubKey, nil
}
// NewDialerCert creates a dialer from a node certificate.
func NewDialerCert(cert string) (*Dialer, error) {
// NewDialerFromCert creates a dialer from a node certificate.
func NewDialerFromCert(cert string) (*Dialer, error) {
nodeID, publicKey, err := unpackCert(cert)
if err != nil {
return nil, err
}
return &Dialer{
d := &Dialer{
NodeID: nodeID,
PublicKey: publicKey,
}, nil
}
return d, nil
}
// NewDialerArgs creates a dialer from existing pluggable transport arguments.
func NewDialerArgs(args pt.Args) (*Dialer, error) {
// NewDialerFromArgs creates a dialer from existing pluggable transport arguments.
func NewDialerFromArgs(args pt.Args) (*Dialer, error) {
cf, err := (&obfs4.Transport{}).ClientFactory("")
if err != nil {
return nil, err
......
# Developing
These are notes to test the different components separately while developing.
## Server-side proxy
### 1. Compile and run obfserver
First, we're going to set up the server-side proxy. Do note that we will skip
the part that generates the obfs4 keys (we will use the `obfsproxy/test_data`
folder for testing).
`LHOST` is the local IP of the server (in case it's different than the public IP).
`RHOST` is the OpenVPN gateway IP.
```
export LHOST=10.10.1.10:4430 # this is our obfs4 endpoint (private network; if your public IP is exposed directly you should use the IP:PORT here instead).
export RHOST=163.172.126.44:443 # this is the GW IP (each obfsproxy is routing to only one openvpn GW).
cd server && make build
sudo ./server -addr $(LHOST) -vpn $(RHOST) -state test_data -c test_data/obfs4.json
```
### 2. Run `obfsclient` to start a socks5 proxy in localhost
It will start a local socks5 proxy, to where we will connect with `openvpn`.
For now, this is `TCP` only. By default, the socks5 proxy will listen in `127.0.0.1:8080`.
```
make build-client
make run-client OBFS4_CERT=8nuAbPJwFrKc/29KcCfL5LBuEWxQrjBASYXdUbwcm9d9pKseGK4r2Tg47e23+t6WghxGGw
```
### 3. Get certificates for the riseup gateways.
```
make certs
```
You should have certificates in `/tmp/cert.pem`, and the ca file in `/tmp/ca.crt`.
### 4. Run the `openvpn` client using the local `socks5` proxy.
The `openvpn` binary needs to be invoked with the `OBFS4_ENDPOINT` as the
`--remote`, and the local `socks5` port as the `--proxy`.
In this example, we pass the `OBFS4_ENDPOINT` variable via the `Makefile`:
```
make run-openvpn OBFS4_ENDPOINT=2.2.2.2
```
If everything went well, now you should be connected to the gateway remote, and
all routes set up.
```
❯ make run-openvpn OBFS4_ENDPOINT=2.2.2.2
./scripts/run-openvpn-client.sh
+ sudo openvpn --verb 3 --tls-cipher DHE-RSA-AES128-SHA --cipher AES-128-CBC --auth-nocache --proto tcp --dev tun --client --tls-client --remote-cert-tls server --tls-version-min 1.2 --ca /tmp/ca.crt --cert /tmp/cert.pem --key /tmp/cert.pem --pull-filter ignore ifconfig-ipv6 --pull-filter ignore route-ipv6 --socks-proxy 127.0.0.1 8080 --remote 2.2.2.2 443 --route 2.2.2.2 255.255.255.255 net_gateway
2022-05-21 03:41:35 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-05-21 03:41:35 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022-05-21 03:41:35 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
2022-05-21 03:41:35 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:8080
2022-05-21 03:41:35 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-21 03:41:35 Attempting to establish TCP connection with [AF_INET]127.0.0.1:8080 [nonblock]
2022-05-21 03:41:35 TCP connection established with [AF_INET]127.0.0.1:8080
2022-05-21 03:41:35 TCP_CLIENT link local: (not bound)
2022-05-21 03:41:35 TCP_CLIENT link remote: [AF_INET]127.0.0.1:8080
2022-05-21 03:41:35 TLS: Initial packet from [AF_INET]127.0.0.1:8080, sid=61e85660 36666a7a
2022-05-21 03:41:35 VERIFY OK: depth=1, O=Riseup Networks, OU=https://riseup.net, CN=Riseup Networks Root CA
2022-05-21 03:41:35 VERIFY KU OK
2022-05-21 03:41:35 Validating certificate extended key usage
2022-05-21 03:41:35 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-05-21 03:41:35 VERIFY EKU OK
2022-05-21 03:41:35 VERIFY OK: depth=0, CN=mouette.riseup.net, O=Riseup Networks, L=Seattle, ST=WA, C=US
2022-05-21 03:41:36 Control Channel: TLSv1.2, cipher SSLv3 DHE-RSA-AES128-SHA, 4096 bit RSA
2022-05-21 03:41:36 [mouette.riseup.net] Peer Connection Initiated with [AF_INET]127.0.0.1:8080
2022-05-21 03:41:37 SENT CONTROL [mouette.riseup.net]: 'PUSH_REQUEST' (status=1)
2022-05-21 03:41:37 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.41.0.1,redirect-gateway def1,route-ipv6 2000::/3,tun-ipv6,route-gateway 10.41.0.1,topology subnet,ping 10,ping-restart 30,socket-flags TCP_NODELAY,ifconfig-ipv6 2001:db8:123::100d/64 2001:db8:123::1,ifconfig 10.41.0.15 255.255.248.0,peer-id 0,cipher AES-256-GCM'
2022-05-21 03:41:37 Pushed option removed by filter: 'route-ipv6 2000::/3'
2022-05-21 03:41:37 Pushed option removed by filter: 'ifconfig-ipv6 2001:db8:123::100d/64 2001:db8:123::1'
2022-05-21 03:41:37 OPTIONS IMPORT: timers and/or timeouts modified
2022-05-21 03:41:37 OPTIONS IMPORT: --socket-flags option modified
2022-05-21 03:41:37 Socket flags: TCP_NODELAY=1 succeeded
2022-05-21 03:41:37 OPTIONS IMPORT: --ifconfig/up options modified
2022-05-21 03:41:37 OPTIONS IMPORT: route options modified
2022-05-21 03:41:37 OPTIONS IMPORT: route-related options modified
2022-05-21 03:41:37 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-05-21 03:41:37 OPTIONS IMPORT: peer-id set
2022-05-21 03:41:37 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-05-21 03:41:37 OPTIONS IMPORT: data channel crypto options modified
2022-05-21 03:41:37 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-05-21 03:41:37 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-05-21 03:41:37 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-05-21 03:41:37 net_route_v4_best_gw query: dst 0.0.0.0
2022-05-21 03:41:37 net_route_v4_best_gw result: via 192.168.1.1 dev eth0
2022-05-21 03:41:37 ROUTE_GATEWAY 192.168.1.1/255.255.255.0
2022-05-21 03:41:37 TUN/TAP device tun0 opened
2022-05-21 03:41:37 net_iface_mtu_set: mtu 1500 for tun0
2022-05-21 03:41:37 net_iface_up: set tun0 up
2022-05-21 03:41:37 net_addr_v4_add: 10.41.0.15/21 dev tun0
2022-05-21 03:41:37 net_route_v4_add: 127.0.0.1/32 via 192.168.18.1 dev [NULL] table 0 metric -1
2022-05-21 03:41:37 net_route_v4_add: 0.0.0.0/1 via 10.41.0.1 dev [NULL] table 0 metric -1
2022-05-21 03:41:37 net_route_v4_add: 128.0.0.0/1 via 10.41.0.1 dev [NULL] table 0 metric -1
2022-05-21 03:41:37 net_route_v4_add: 2.2.2.2/32 via 192.168.1.1 dev [NULL] table 0 metric -1
2022-05-21 03:41:37 Initialization Sequence Completed
```
You should verify that your exit IP has changed:
```
curl https://wtfismyip.com/json
{
"YourFuckingIPAddress": "51.159.55.86",
"YourFuckingLocation": "Paris, IDF, France",
"YourFuckingHostname": "51-159-55-86.rev.poneytelecom.eu",
"YourFuckingISP": "Scaleway",
"YourFuckingTorExit": false,
"YourFuckingCountryCode": "FR"
}
```
......@@ -4,14 +4,15 @@ go 1.17
require (
git.torproject.org/pluggable-transports/goptlib.git v1.0.0
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
// Do not update obfs4 past e330d1b7024b, a backwards incompatible change was
// made that will break negotiation.
gitlab.com/yawning/obfs4.git v0.0.0-20210511220700-e330d1b7024b
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
)
require (
github.com/dchest/siphash v1.2.1 // indirect
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
)
git.torproject.org/pluggable-transports/goptlib.git v1.0.0 h1:ElTwFFPKf/tA6x5nuIk9g49JZzS4T5WN+eTQTjqd00A=
git.torproject.org/pluggable-transports/goptlib.git v1.0.0/go.mod h1:YT4XMSkuEXbtqlydr9+OxqFAyspUv0Gr9qhM3B++o/Q=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/dchest/siphash v1.2.1 h1:4cLinnzVJDKxTCl9B01807Yiy+W7ZzVHj/KIroQRvT4=
github.com/dchest/siphash v1.2.1/go.mod h1:q+IRvb2gOSrUnYoPqHiyHXS0FOBBOdl6tONBlVnOnt4=
github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo=
......@@ -8,12 +10,8 @@ github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0
github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec/go.mod h1:BZ1RAoRPbCxum9Grlv5aeksu2H8BiKehBYooU2LFiOQ=
gitlab.com/yawning/edwards25519-extra.git v0.0.0-20211229043746-2f91fcc9fbdb h1:qRSZHsODmAP5qDvb3YsO7Qnf3TRiVbGxNG/WYnlM4/o=
gitlab.com/yawning/edwards25519-extra.git v0.0.0-20211229043746-2f91fcc9fbdb/go.mod h1:gvdJuZuO/tPZyhEV8K3Hmoxv/DWud5L4qEQxfYjEUTo=
gitlab.com/yawning/obfs4.git v0.0.0-20210511220700-e330d1b7024b h1:w/f20IHUkUYEp+xYgpKz4Bs78zms0DbjPZCep5lc0xA=
gitlab.com/yawning/obfs4.git v0.0.0-20210511220700-e330d1b7024b/go.mod h1:OM1ngEp5brdANPox+rqk2AGTLQvzobyB5Dwm3vu3CgM=
gitlab.com/yawning/obfs4.git v0.0.0-20220204003609-77af0cba934d h1:tJ8F7ABaQ3p3wjxwXiWSktVDgjZEXkvaRawd2rIq5ws=
gitlab.com/yawning/obfs4.git v0.0.0-20220204003609-77af0cba934d/go.mod h1:9GcM8QNU9/wXtEEH2q8bVOnPI7FtIF6VVLzZ1l6Hgf8=
gitlab.com/yawning/utls.git v0.0.12-1/go.mod h1:3ONKiSFR9Im/c3t5RKmMJTVdmZN496FNyk3mjrY1dyo=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
......
......@@ -28,8 +28,9 @@ type ListenConfig struct {
StateDir string
}
// NewListenConfig
// perhaps this is redundant, but using the same json format than ss for debug.
// kali: feel free to remove this if/when we make sure unwrapping the cert is enough for us.
func NewListenConfig(nodeIDStr, privKeyStr, pubKeyStr, seedStr, stateDir string) (*ListenConfig, error) {
var err error
var seed [ntor.KeySeedLength]byte
......
#!/bin/sh
set -x
sudo openvpn \
--verb 3 \
--tls-cipher DHE-RSA-AES128-SHA \
--cipher AES-128-CBC \
--auth-nocache \
--proto tcp \
--dev tun --client --tls-client \
--remote-cert-tls server --tls-version-min 1.2 \
--ca /tmp/ca.crt --cert /tmp/cert.pem --key /tmp/cert.pem \
--proto tcp4 \
--remote localhost 4430 \
--socks-proxy localhost 4430 \
--route $GW 255.255.255.255 net_gateway \
--persist-tun
--pull-filter ignore ifconfig-ipv6 \
--pull-filter ignore route-ipv6 \
--socks-proxy 127.0.0.1 8080 \
--remote $OBFS4_ENDPOINT 443 \
--route $OBFS4_ENDPOINT 255.255.255.255 net_gateway
RHOST=163.172.126.44:443
LHOST="10.0.0.209:443"
build:
go build
run:
sudo ./obfsproxy -addr ${LHOST} -vpn ${RHOST} -state test_data -c test_data/obfs4.json
certs:
curl -k https://black.riseup.net/ca.crt > /tmp/ca.crt
curl -k https://api.black.riseup.net/3/cert > /tmp/cert.pem
check:
curl https://wtfismyip.com/json
stop:
pkill -9 obfsproxy
obfsproxy:
go build
......@@ -14,7 +14,7 @@ import (
"os/signal"
"0xacab.org/leap/obfsvpn"
"git.torproject.org/pluggable-transports/goptlib.git"
pt "git.torproject.org/pluggable-transports/goptlib.git"
)
const transportName = "obfs4"
......@@ -35,10 +35,10 @@ func main() {
// Setup command line flags.
var (
verbose bool
addr string = "[::1]:0"
vpnAddr string
cfgFile string
stateDir string
addr = "[::1]:0"
)
flags := flag.NewFlagSet(os.Args[0], flag.ContinueOnError)
flags.BoolVar(&verbose, "v", verbose, "Enable verbose logging")
......@@ -56,6 +56,7 @@ func main() {
logger.Fatal("must specify -vpn")
}
// TODO this needs to be configurable if we switch to UDP mode for OpenVPN.
tcpVPNAddr, err := net.ResolveTCPAddr("tcp", vpnAddr)
log.Println("target:", tcpVPNAddr)
if err != nil {
......@@ -83,11 +84,16 @@ func main() {
// Setup graceful shutdown.
ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
listenConfig, err := obfsvpn.NewListenConfig(cfg.NodeID, cfg.PrivateKey, cfg.PublicKey, cfg.DRBGSeed, stateDir)
listenConfig, err := obfsvpn.NewListenConfig(
cfg.NodeID, cfg.PrivateKey, cfg.PublicKey,
cfg.DRBGSeed,
stateDir)
if err != nil {
logger.Fatalf("error creating listener from config: %v", err)
logger.Fatalf("Error creating listener from config: %v", err)
}
log.Println("DEBUG:", listenConfig)
logger.Printf("DEBUG: %v", listenConfig)
ln, err := listenConfig.Listen(ctx, "tcp", addr)
if err != nil {
logger.Fatalf("error binding to %s: %v", addr, err)
......@@ -109,7 +115,8 @@ func main() {
OrAddr: tcpVPNAddr,
}
logger.Printf("listening on %s…", ln.Addr())
logger.Printf("Listening on %s…", ln.Addr())
for {
conn, err := ln.Accept()
if err != nil {
......@@ -121,12 +128,12 @@ func main() {
}
}
// obfsConn is a connection to the obfs4 client that we have accepted. we will dial to the remote contained in info
// proxyConn is a connection to the obfs4 client that we have accepted. we will dial to the remote contained in info
func proxyConn(ctx context.Context, info *pt.ServerInfo, obfsConn net.Conn, logger, debug *log.Logger) {
defer func() {
err := obfsConn.Close()
if err != nil {
debug.Printf("error closing connection: %v", err)
debug.Printf("Error closing connection: %v", err)
}
}()
......@@ -172,8 +179,8 @@ func proxyConn(ctx context.Context, info *pt.ServerInfo, obfsConn net.Conn, logg
}
}
// a stock copy loop. let's not dwell too much on who's client and who's server
// CopyLoop is a standard copy loop. We don't care too much who's client and
// who's server
func CopyLoop(left net.Conn, right net.Conn) error {
fmt.Println("--> Entering copy loop.")
......
......@@ -6,6 +6,7 @@ import (
"testing"
)
/*
type testWriter struct {
t *testing.T
prefix string
......@@ -15,6 +16,7 @@ func (w testWriter) Write(p []byte) (int, error) {
w.t.Logf("%s%s", w.prefix, p)
return len(p), nil
}
*/
func TestMain(m *testing.M) {
runProxy := flag.Bool("runproxy", false, "Start the command instead of running the tests")
......
{"node-id":"f27b806cf27016b29cff6f4a7027cbe4b06e116c","private-key":"540bd146653b484bd84c5ec646f6ba8232ec1ec2d91320b4fd50ced640d9e139","public-key":"50ae30404985dd51bc1c9bd77da4ab1e18ae2bd93838ededb7fade96821c461b","drbg-seed":"b96054e02220e45ecd128a63ba64771c7b4a2bfb0aeda045","iat-mode":0}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment