Command grok provides a standalone server that terminates HTTPS and proxies requests as plain HTTP over reverse SSH tunnels. Its main use case is the same as that of the ngrok tool from <https://ngrok.com>. Command grok listens on HTTPS and SSH endpoints. On SSH connections it looks for a "tcpip-forward" request (RFC 4254, Section 7.1); once one is received, it establishes a reverse proxy for a domain derived from the client's public key. When a request arrives over HTTPS, grok inspects the request's domain name; if a matching active tunnel is found, the request is proxied over that tunnel as a plain HTTP/1.1 request. Certificates for matched domains are automatically obtained from the https://letsencrypt.org authority as required. Domains are either derived from the public key's md5 fingerprint: hash.base.tld (where the base.tld domain is set with the -domain flag) or defined per-key in the authorized_keys file as a key option specification in the form domain=name.tld: Once set, a developer may then connect to this service with an ssh client setting up reverse port forwarding (i.e. to localhost:8080): Note the notation for -R used by ssh: When connecting to grok only the host:hostport pair is significant, since it specifies where the ssh client will connect on a forwarded connection; the first port can be set to an arbitrary value and is ignored by the server.
Package core provides an entry point to use V2Ray core functionalities. V2Ray makes it possible to accept incoming network connections with a certain protocol, process the data, and send it through another connection with the same or a different protocol on demand. It may be configured to work with multiple protocols at the same time, and uses the internal router to tunnel through different inbound and outbound connections.
Package p2p is a teleport-based p2p application framework that penetrates the intranet through TCP tunnel. Copyright 2018 HenryLee. All Rights Reserved. Licensed under the Apache License, Version 2.0.
Package qcon implements the QuickConnect protocol for accessing Synology NAS devices over the best available connection using a globally unique identifier. The returned URLs will vary depending on the client network relative to the Synology: for example, if the client is on the same LAN, local URLs will be returned; otherwise URLs using a remote address (or even a Synology-created tunnel) will be returned. For most cases, all that is necessary is to pass the QuickConnect ID to the Resolve() function, which will return a prioritized list of URLs: More control can be obtained by creating a Client with custom settings (including modifying the default http.Client).
Package sshego is a golang library that does secure port forwarding over ssh. Also, `gosshtun` is a command line utility included here that demonstrates use of the library, and may be useful standalone. The intent of having a Go library is so that it can be used to secure (via SSH tunnel) any other traffic that your Go application would normally have to send over cleartext TCP. While you could always run a tunnel as a separate process, by running the tunnel in process with your application, you know the tunnel is running when the process is running. It's just simpler to administer; only one thing to start instead of two. Also this is much simpler, and much faster, than using a virtual private network (VPN). For a speed comparison, consider [1] where SSH is seen to be at least 2x faster than OpenVPN. [1] http://serverfault.com/questions/653211/ssh-tunneling-is-faster-than-openvpn-could-it-be The sshego library typically acts as an ssh client, but also provides options to support running an embedded sshd server daemon. Port forwarding is the most typical use of the client, and this is the equivalent of using the standalone `ssh` client program and giving the `-L` and/or `-R` flags. If you only trust the user running your application and not your entire host, you can further restrict access by using either DialConfig.Dial() for a direct-tcpip connection, or by using the unix-domain-socket support. For example, is equivalent to with the addendum that `gosshtun` requires the use of a passwordless private `-key` file, and will never prompt you for a password at the keyboard. This makes it ideal for embedding inside your application to secure your (e.g. mysql, postgres, other cleartext) traffic. As many connections as you need will be multiplexed over the same ssh tunnel. We check the sshd server's host key. We prevent MITM attacks by only allowing new servers if `-new` is given. You should give `-new` only once at setup time. Then the lack of `-new` can protect you on subsequent runs, because the server's host key must match what we were given the first time. means the following two network hops will happen, when a local browser connects to localhost:8888 where (a) takes place inside the previously established ssh tunnel. Connection (b) takes place over basic, unadorned, unencrypted TCP/IP. Of course you could always run `gosshtun` again on the remote host to secure the additional hop as well, but typically -remote is aimed at 127.0.0.1, which will be internal to the remote host itself and so needs no encryption.