qTunnel

qTunnel - a simpler and (possibly) faster tunnel program

qtunnel is a network tunneling program that works as an encryption wrapper between clients and servers (remote or local). It can serve as a Stunnel/stud replacement.

qtunnel has been serving over 10 million connections a day on Qu Jing for the past few months.

Why Another Wrapper

Stunnel/stud is great in SSL/TLS based environments, but what we wanted was a lighter and faster solution that does only one job: transfer encrypted data between servers and clients. We did not want to deal with certificate configuration, and we wanted the transfer to be as fast as possible. So we made qTunnel. Basically, it is a Stunnel/stud without certificate configuration and SSL handshakes, written in Go.

Requirements

qtunnel is written in Go 1.3.1; once built, the binary runs on almost every OS.

Build

To build qtunnel

$ make

To test qtunnel

$ make test

Usage

$ ./bin/qtunnel -h
Usage of ./bin/qtunnel:
	-backend="127.0.0.1:6400": host:port of the backend
	-clientmode=false: if running at client mode
	-crypto="rc4": encryption method
	-listen=":9001": host:port qtunnel listen on
	-logto="stdout": stdout or syslog
	-secret="secret": password used to encrypt the data

qtunnel supports two encryption methods: rc4 and aes256cfb. Server and client must use the same crypto and the same secret. Note that both modes are unauthenticated stream ciphers keyed only from the shared secret: they hide the payload from a passive eavesdropper but do not detect tampering or replay, and RC4 has known keystream biases (see the design review among the issues below).

Example

Say you have a redis server on host-a and want to connect to it from host-b. Normally

$ redis-cli -h host-a -p 6379

will do the job. The topology is:

redis-cli (host-b) <------> (host-a) redis-server

If host-b is in an insecure network environment, e.g. another data center or another region, the clear-text redis protocol is not good enough, and you can use qtunnel as an encrypting wrapper.

On host-b:

$ qtunnel -listen=127.1:6379 -backend=host-a:6378 -clientmode=true -secret=secret -crypto=rc4

On host-a:

$ qtunnel -listen=:6378 -backend=127.1:6379 -secret=secret -crypto=rc4

Then connect on host-b (127.1 is the usual shorthand for 127.0.0.1) as:

$ redis-cli -h 127.1 -p 6379

This establishes an encrypted tunnel between your redis-cli and the redis server; the topology is:

redis-cli (host-b) <--> qtunnel (client,host-b) <--> qtunnel (host-a) <--> redis-server

After this, the two hosts communicate over an encrypted wrapper rather than in clear text.

Credits

Special thanks to Paul for reviewing the code.

Contributing

We encourage you to contribute to qtunnel! Please feel free to submit a bug report, fork the repo or create a pull request.

License

qtunnel is released under the Apache License 2.0.

qtunnel's Issues

centos 6.5+go1.3.1

On CentOS 6.5 with go1.3.1 there is no bin directory after running make...
debian LICENSE Makefile pkg README.md src

It works on Mac.

windows make error

go 1.5

Z:\qtunnel-master>make
# qtunnel

z:\qtunnel-master\src\qtunnel\main.go:39: undefined: syslog.New
z:\qtunnel-master\src\qtunnel\main.go:39: undefined: syslog.LOG_INFO
make: *** [all] Error 2

go 1.3.1

Z:\qtunnel-master>make
# qtunnel
z:\qtunnel-master\src\qtunnel\main.go:10: import z:\qtunnel-master\pkg\windows_amd64/tunnel.a: object is [windows amd64 go1.5rc1 X:none] expected [windows amd64 go1.3.1 X:precisestack]
make: *** [all] Error 2

Brother, I have a problem, can you please help

I have this error on my screen
2018/01/20 11:54:08 r:243797 w:288030 ct:0.000 t:213.674 [#20]
2018/01/20 11:54:08 r:244107 w:289042 ct:0.000 t:213.686 [#19]
2018/01/20 11:54:08 r:244177 w:289385 ct:0.002 t:213.688 [#18]
2018/01/20 11:54:08 r:244894 w:288599 ct:0.003 t:213.688 [#17]
2018/01/20 11:54:08 r:245678 w:292045 ct:0.000 t:213.711 [#16]
2018/01/20 11:54:08 r:245568 w:286651 ct:0.001 t:213.711 [#15]
2018/01/20 11:54:08 r:248041 w:289036 ct:0.000 t:213.718 [#14]
2018/01/20 11:54:08 r:244536 w:288188 ct:0.000 t:213.795 [#13]
2018/01/20 11:54:08 r:243668 w:288573 ct:0.001 t:213.792 [#12]

ipv6 support

Hello,

I want to use qtunnel to carry IPv4 traffic over IPv6, so both the qtunnel server and the qtunnel client run on IPv6. Both start without problems, but when I access the qtunnel client over IPv4 the following error appears:

dial tcp [:::]:6378: getsockopt: permission denied

The part in square brackets is the server's IPv6 address. The same problem occurs when running as root.

Connections not closed in time: accept: too many open files

log:

dial tcp  REMOTE-IP:PORT: too many open files
accept: accept tcp 127.0.0.1:8080: too many open files
accept: accept tcp 127.0.0.1:8080: too many open files

The system maxfiles is already set above 51200, so this should be caused by connections not being closed in time.
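The close-both-ends pattern a TCP relay needs so that a dead or half-closed peer does not keep descriptors pinned, as an added Go example written for this page; it is not qtunnel's own relay code, and it uses net.Pipe as a constructed in-memory stand-in for the client and backend sockets:

```go
package main

import (
	"fmt"
	"io"
	"net"
	"sync"
)

// Relay copies bytes in both directions between a and b. As soon as either
// direction ends (EOF or error) it closes BOTH connections, which unblocks the
// goroutine pumping the other direction so it exits too. A relay that returns
// from one io.Copy but leaves the other socket open keeps two descriptors per
// dead tunnel until the process hits its fd limit and accept() fails with
// "too many open files".
func Relay(a, b net.Conn) {
	var once sync.Once
	closeBoth := func() {
		once.Do(func() {
			a.Close()
			b.Close()
		})
	}
	var wg sync.WaitGroup
	pump := func(dst, src net.Conn) {
		defer wg.Done()
		io.Copy(dst, src) // returns on EOF from src or a write error on dst
		closeBoth()
	}
	wg.Add(2)
	go pump(a, b)
	go pump(b, a)
	wg.Wait()
}

func main() {
	// Constructed stand-ins for the client<->relay and relay<->backend sockets.
	client, relayIn := net.Pipe()
	relayOut, backend := net.Pipe()
	done := make(chan struct{})
	go func() { Relay(relayIn, relayOut); close(done) }()

	go func() { client.Write([]byte("PING\r\n")) }()
	buf := make([]byte, 6)
	io.ReadFull(backend, buf)
	fmt.Printf("backend got %q\n", buf)

	client.Close() // the client goes away ...
	_, err := backend.Read(buf)
	fmt.Println("backend sees:", err) // ... and the backend side is closed as well: EOF
	<-done
}
```

Closing both ends is only half of it: a peer that neither sends nor closes still holds its descriptors, so a production relay also sets idle deadlines with SetDeadline on each connection. On Linux, `ls /proc/<pid>/fd | wc -l` compared with `ulimit -n` for the process shows whether a leak of this kind is building up.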

Is it necessary to create a new cipher for every connection?

Hello:
cipher := NewCipher(t.crypotMethod, t.secret)

This line creates a new cipher on every connection, but is creating one each time necessary?
The same encryption method is used throughout, so wouldn't a single cipher be enough? That would also reduce overhead.

Thanks.

Numerous design flaws

Designing a transport encryption protocol is among the most difficult undertakings in cryptography. It's something that I would leave in the hands of a professional cryptographer who is already well-versed in the attacks on TLS.

Your project more or less duplicates the functionality of spiped:

https://www.tarsnap.com/spiped.html

However, you have made a number of mistakes in your design:

  • There is no reason to use RC4 in new protocols. RC4 has known biases which can be used for plaintext recovery. ChaCha20 is faster than RC4 and substantially more secure
  • There is no reason to use AES-CFB in new protocols. Use AES-GCM.
  • No cryptographic MAC is applied to the ciphertext, leaving you vulnerable to ciphertext malleability attacks. Your protocol is, in fact, less secure than SSLv3. Again, use AES-GCM, or ChaCha20+Poly1305
  • MD5 is used as a KDF. That's gross. Use HKDF with a hash function considered secure today, like SHA-256 or SHA-512, or a keyed hash like Blake2
  • AES-256 is used with a key derived from 128 bits of entropy. That's pointless. If you have 128 bits of entropy for your keying material, use AES-128
  • The same key is used in both directions, increasing the chances of IV reuse. Ideally you use a separate key for each direction
  • I can't even figure out the IV strategy here. I hope some high level API is picking your IVs randomly
  • No defense against replay attacks

...and that's what I found after looking at it for about 20 minutes.

You should probably be using spiped or TLS in PSK mode
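An added Go example, not code from qtunnel, that makes two of the points above concrete: the earlier question about whether a new cipher per connection is needed, and this review's RC4 and malleability points. It assumes, for illustration only, that the key is MD5(secret) with no per-connection nonce (so every fresh RC4 cipher restarts the same keystream), and it constructs its own sample redis-style commands. It then compares AES-CFB, where a one-byte change to the ciphertext is accepted by the receiver, with AES-GCM, where the same change is rejected:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/rc4"
	"fmt"
)

// keyFromSecret stands in for a KDF that is just MD5(secret): 16 bytes, no
// salt, no per-connection nonce. An assumption for illustration, not qtunnel code.
func keyFromSecret(secret string) []byte {
	sum := md5.Sum([]byte(secret))
	return sum[:]
}

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// rc4Encrypt keys a fresh RC4 stream from the same secret on every call, so a
// "new cipher per connection" with nothing else varying restarts the keystream.
func rc4Encrypt(secret string, plaintext []byte) []byte {
	c, err := rc4.NewCipher(keyFromSecret(secret))
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	c.XORKeyStream(out, plaintext)
	return out
}

func xorBytes(a, b []byte) []byte { // XOR up to the shorter length
	out := make([]byte, 0, len(a))
	for i := 0; i < len(a) && i < len(b); i++ {
		out = append(out, a[i]^b[i])
	}
	return out
}

// RecoverFromKeystreamReuse: two connections under one secret share one RC4
// keystream, so c1 XOR c2 == p1 XOR p2; an eavesdropper who can guess p1 (a
// predictable command on connection 1) reads that many bytes of p2.
func RecoverFromKeystreamReuse(knownP1, c1, c2 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownP1)
}

// cfbSeal / cfbOpen: AES-CFB with a random IV prepended and no MAC.
func cfbSeal(key, plaintext []byte) []byte {
	out := make([]byte, aes.BlockSize+len(plaintext))
	rand.Read(out[:aes.BlockSize]) // crypto/rand.Read never returns an error
	cipher.NewCFBEncrypter(mustAES(key), out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out
}

func cfbOpen(key, ct []byte) []byte {
	out := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCFBDecrypter(mustAES(key), ct[:aes.BlockSize]).XORKeyStream(out, ct[aes.BlockSize:])
	return out
}

// TamperByte rewrites plaintext byte pos from known to want without the key:
// in an unauthenticated stream mode, C XOR d decrypts to P XOR d. hdr is the
// IV/nonce prefix length. In CFB the flip is clean when pos is in the last
// block; earlier positions also garble the next block, which is accepted too.
func TamperByte(ct []byte, hdr, pos int, known, want byte) []byte {
	t := append([]byte(nil), ct...)
	t[hdr+pos] ^= known ^ want
	return t
}

// gcmSeal / gcmOpen: the AEAD the review recommends. Any change to nonce,
// ciphertext or tag makes Open return an error rather than altered plaintext.
func gcmSeal(key, plaintext []byte) []byte {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func gcmOpen(key, ct []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil || len(ct) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext: %v", err)
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

func main() {
	p1, p2 := []byte("PING\r\n"), []byte("AUTH hunter2\r\n") // constructed traffic
	fmt.Printf("rc4 reuse leaks %q\n", RecoverFromKeystreamReuse(p1, rc4Encrypt("secret", p1), rc4Encrypt("secret", p2)))
	key, p := []byte("0123456789abcdef0123456789abcdef"), []byte("SET balance 100")
	pos := len(p) - 3 // the leading '1' of "100"
	fmt.Printf("cfb accepts %q\n", cfbOpen(key, TamperByte(cfbSeal(key, p), aes.BlockSize, pos, '1', '9')))
	_, err := gcmOpen(key, TamperByte(gcmSeal(key, p), 12, pos, '1', '9'))
	fmt.Println("gcm rejects:", err)
}
```

Sharing one cipher object across concurrent connections, as the earlier issue suggests, is not the fix either: a stream cipher is stateful, so interleaved use by several connections desynchronises the two ends (and races in Go). The keystream has to differ per connection, through a fresh nonce or better a fresh session key, and an AEAD has to cover every frame so that the receiver can reject the tampered bytes shown above.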

About macOS terminal settings

Setting up Qu Jing in the terminal has no effect.
1. Following the reference settings provided, curl www.youtube.com returns nothing, the same as just pressing Enter.
2. For zsh, is it enough to copy the start_qujing function over?
