Simple network tunnel (and how to work with Linux TUN interface) as an example.
Tunnel is working on only on Linux or inside Docker containers.
Generate private and public keys.
cargo run -- generateFirst of all you need to setup NAT routing and forwarding in the operating system.
Use ifconfig to find an proper interface which has an access to the global network. For example network interface can have a name enp1s0.
sudo iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADETo check that command was successfully executed you can use following command and find your rule.
sudo iptables-saveAlso you need to setup ip forwarding.
sudo sysctl -w net.ipv4.ip_forward=1
Use command to check.
sysctl net.ipv4.ip_forward
You should see and output with = 1.
After that you can run tunnel server.
cargo build && \
sudo target/debug/tunnel run \
<server_private_key> <client_public_key> \
--tun-iface-ip 10.0.0.2/24# Build and run tunnel client.
cargo build && \
sudo target/debug/tunnel run \
<client_private_key> <server_public_key> \
--tun-iface-ip 10.0.0.3/24 --udp-server-ip <tunnel_server_public_ip>
# Route all traffic to 1.1.1.1 through client tunnel interface.
sudo ip route add 1.1.1.1/32 dev tun0To check that tunnel is setup correctly you can use ping command: ping 1.1.1.1 -c 1.
It is very crucial to setup different IPs for client and server TUN interfaces, others packets not going correctly through tunnel.
# Server.
cargo build && \
sudo target/debug/tunnel run \
nE84pUNAM0LsWx+tjJLElU9vEEi1fm5UxucRyTfTrok= /i4WwxYB7KPoFNFCiIR67KpROr6f8Y6Ht56Z2LXZOLE= \
--tun-iface-ip 10.0.0.2/24
# Client.
cargo build && \
sudo target/debug/tunnel run \
7y6VlMKnBWxFoCc06E2BCEaBTk9rKu8MQOwsjGcmHdw= ioABH93leNl4oiHy9k8O5NVPM7W8TEwgj9IGtycZUKM= \
--tun-iface-ip 10.0.0.3/24 --udp-server-ip 127.0.0.1In order to run the tunnel (client and server) in the Docker you first need to build docker image.
# To build without encryption.
make build_docker
# To build with encryption capabilities.
make build_docker_cryptoAfter that you need to start tunnel server.
# To run without encryption.
make run_docker_server log_level=off
# To run with encryption capabilities.
make run_docker_server_crypto log_level=traceAnd finally you can start tunne client. To run this command jq is required to be installed.
# To run without encryption.
make run_docker_client log_level=off
# To run with encryption capabilities.
make run_docker_server_client log_level=traceWait until client HTTP server will be started.
To test that tunnel is working you can request DNS HTTP proxy server to resolve some DNS name.
curl -iX GET 'http://127.0.0.1:8888/resolve?name=cloudflare.com'You can see in the client and server tunnels logs that packets were going through them before reached 1.1.1.1 DNS server.
If you are encountering some problems and packets are not going through tunnel correctly, use tcpdump.
# To check only ICMP packets.
tcpdump -v -i tun0 proto \\icmp
# Check any packets for particular IP.
tcpdump -i enp1s0 dst 1.1.1.1 or src 1.1.1.1To use custom DNS server (clouddns, for example) you can run following command:
make run_dns_serverAfter that when you start docker containers for establish a tunnel it will find this server address automatically.
In order to run firmware on macOS for demo purposes it is required to sign it by self-issued certificate.
You can check following docs how to do it. Use name app-signer (you can choose any name but in that case you need to update commands below) for your certificate.
Commands to check that everything is fine:
# By following command you can check that your certificate in the list.
security find-identity -p codesigning
codesign -f -s "app-signer" <some-file> --deepAfter signing key creation you need to be able to build macOS bundle after Rust binary compilation. Install this tool to do it automatically.
Cargo.toml contains [package.metadata.bundle] section to describe bundle metadata. Also we have some configuration in ./macos_bundle folder.
To build you can use target from Makefile: make build_macos_notifications. It will be built, bundled and signed.
Then, to execute binary, use following binary: target/debug/bundle/osx/tunnel.app/Contents/MacOS/tunnel.
Thanks to https://shadowfacts.net/2023/rust-swift/.
Start client and server. On the client side use following command:
make run_benchmarks name=tunnel_dig
make run_benchmarks name=tunnel_go| Time | RPS | Memory | Swap | CPUs |
|---|---|---|---|---|
| 1m | 50rps | 0.5g | 0.5g | 1 |
| Avg | Min | Max | Successful calls | |
|---|---|---|---|---|
| Without tunnel and without local DNS [DQI] | 6.4ms | 762.33ns | 541ms | 3000 |
| Without tunnel but with local DNS | 4.43ms | 1.00ms | 12.84ms | 3000 |
| With tunnel but without local DNS [DQI] | 9.97ms | 5.55ms | 98.91ms | 3000 |
| With tunnel and with local DNS | 2.32ms | 1.01ms | 5.80ms | 3000 |
| With encrypted tunnel and with local DNS | 2.44ms | 867.25ns | 11.00ms | 3000 |
| With tunnel and with local DNS (dig) | 57.77ms | 32.84ms | 136.72ms | 3000 |
[DQI] means benchmark depends on the quality of the Internet (ping).
(dig) means dig command was used by DNS HTTP proxy server to reach DNS server.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent