
Merge pull request #1 from Snawoot/skip_hello_verify

Skip hello verify option
Snawoot 2 yıl önce
ebeveyn
işleme
1acd852341
4 değiştirilmiş dosya ile 33 ekleme ve 25 silme
  1. 4 0
      README.md
  2. 16 14
      cmd/dtlspipe/main.go
  3. 8 7
      server/config.go
  4. 5 4
      server/server.go

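--- a/README.md
+++ b/README.md
@@ -55,6 +55,8 @@ But you also need to make following adjustments to wireguard client config:
 AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/5, 200.0.0.0/7, 202.0.0.0/8, 203.0.0.0/18, 203.0.64.0/19, 203.0.96.0/20, 203.0.112.0/24, 203.0.113.0/29, 203.0.113.8/31, 203.0.113.10/32, 203.0.113.12/30, 203.0.113.16/28, 203.0.113.32/27, 203.0.113.64/26, 203.0.113.128/25, 203.0.114.0/23, 203.0.116.0/22, 203.0.120.0/21, 203.0.128.0/17, 203.1.0.0/16, 203.2.0.0/15, 203.4.0.0/14, 203.8.0.0/13, 203.16.0.0/12, 203.32.0.0/11, 203.64.0.0/10, 203.128.0.0/9, 204.0.0.0/6, 208.0.0.0/4, 224.0.0.0/3, ::/0
 ```
 
+**Note:** consider use of `-skip-hello-verify` option on server to workaround DPI if such filtering is the case for you.
+
 ## Synopsis
 
 ```
@@ -79,6 +81,8 @@ Options:
     	MTU used for DTLS fragments (default 1400)
   -psk string
     	hex-encoded pre-shared key. Can be generated with genpsk subcommand
+  -skip-hello-verify
+    	(server only) skip hello verify request. Useful to workaround DPI
   -timeout duration
     	network operation timeout (default 10s)
 ```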

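--- a/cmd/dtlspipe/main.go
+++ b/cmd/dtlspipe/main.go
@@ -26,13 +26,14 @@ const (
 var (
 	version = "undefined"
 
-	timeout    = flag.Duration("timeout", 10*time.Second, "network operation timeout")
-	idleTime   = flag.Duration("idle-time", 90*time.Second, "max idle time for UDP session")
-	pskHexOpt  = flag.String("psk", "", "hex-encoded pre-shared key. Can be generated with genpsk subcommand")
-	keyLength  = flag.Uint("key-length", 16, "generate key with specified length")
-	identity   = flag.String("identity", "", "client identity sent to server")
-	mtu        = flag.Int("mtu", 1400, "MTU used for DTLS fragments")
-	cpuprofile = flag.String("cpuprofile", "", "write cpu profile to file")
+	timeout         = flag.Duration("timeout", 10*time.Second, "network operation timeout")
+	idleTime        = flag.Duration("idle-time", 90*time.Second, "max idle time for UDP session")
+	pskHexOpt       = flag.String("psk", "", "hex-encoded pre-shared key. Can be generated with genpsk subcommand")
+	keyLength       = flag.Uint("key-length", 16, "generate key with specified length")
+	identity        = flag.String("identity", "", "client identity sent to server")
+	mtu             = flag.Int("mtu", 1400, "MTU used for DTLS fragments")
+	cpuprofile      = flag.String("cpuprofile", "", "write cpu profile to file")
+	skipHelloVerify = flag.Bool("skip-hello-verify", false, "(server only) skip hello verify request. Useful to workaround DPI")
 )
 
 func usage() {
@@ -115,13 +116,14 @@ func cmdServer(bindAddress, remoteAddress string) int {
 	defer cancel()
 
 	cfg := server.Config{
-		BindAddress:   bindAddress,
-		RemoteAddress: remoteAddress,
-		PSKCallback:   keystore.NewStaticKeystore(psk).PSKCallback,
-		Timeout:       *timeout,
-		IdleTimeout:   *idleTime,
-		BaseContext:   appCtx,
-		MTU:           *mtu,
+		BindAddress:     bindAddress,
+		RemoteAddress:   remoteAddress,
+		PSKCallback:     keystore.NewStaticKeystore(psk).PSKCallback,
+		Timeout:         *timeout,
+		IdleTimeout:     *idleTime,
+		BaseContext:     appCtx,
+		MTU:             *mtu,
+		SkipHelloVerify: *skipHelloVerify,
 	}
 
 	srv, err := server.New(&cfg)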
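Review bot: The help text for the new `skip-hello-verify` flag describes the option only as a DPI workaround and says nothing about what is given up: the HelloVerifyRequest cookie exchange is the DTLS server's protection against handshakes started from spoofed source addresses, so with it disabled the server commits handshake state and sends handshake data in reply to any unauthenticated ClientHello, which is a DoS and reflection exposure for an internet-facing listener. The same omission is in the README note and option table in this PR and in the undocumented exported field added to `server/config.go`. Suggested help string: `"(server only) skip hello verify request. Useful to workaround DPI, but removes DTLS cookie protection against spoofed ClientHellos (DoS/reflection risk)"`. For the config field, a doc comment along the lines of `// SkipHelloVerify disables the HelloVerifyRequest cookie exchange; the server then answers unauthenticated ClientHellos directly. Weakens DoS and reflection resistance.` would let readers of the package see the trade-off without consulting the DTLS library.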

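--- a/server/config.go
+++ b/server/config.go
@@ -6,13 +6,14 @@ import (
 )
 
 type Config struct {
-	BindAddress   string
-	RemoteAddress string
-	Timeout       time.Duration
-	IdleTimeout   time.Duration
-	BaseContext   context.Context
-	PSKCallback   func([]byte) ([]byte, error)
-	MTU           int
+	BindAddress     string
+	RemoteAddress   string
+	Timeout         time.Duration
+	IdleTimeout     time.Duration
+	BaseContext     context.Context
+	PSKCallback     func([]byte) ([]byte, error)
+	MTU             int
+	SkipHelloVerify bool
 }
 
 func (cfg *Config) populateDefaults() *Config {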

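--- a/server/server.go
+++ b/server/server.go
@@ -59,10 +59,11 @@ func New(cfg *Config) (*Server, error) {
 			dtls.TLS_PSK_WITH_AES_128_GCM_SHA256,
 			dtls.TLS_PSK_WITH_AES_128_CBC_SHA256,
 		},
-		ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
-		ConnectContextMaker:  srv.contextMaker,
-		PSK:                  srv.psk,
-		MTU:                  cfg.MTU,
+		ExtendedMasterSecret:    dtls.RequireExtendedMasterSecret,
+		ConnectContextMaker:     srv.contextMaker,
+		PSK:                     srv.psk,
+		MTU:                     cfg.MTU,
+		InsecureSkipVerifyHello: cfg.SkipHelloVerify,
 	}
 	lc := udp.ListenConfig{
 		AcceptFilter: func(packet []byte) bool {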
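Review bot: The mapping `InsecureSkipVerifyHello: cfg.SkipHelloVerify` drops the `Insecure` marker that the library field carries, and nothing in `New` records at runtime that the server is running without the cookie exchange, so an operator reading logs cannot tell a hardened listener from one that answers every ClientHello. If a logger is available in `New` (none is visible in this hunk), a one-time line when the option is set would make the mode auditable, e.g. `if cfg.SkipHelloVerify { log.Println("hello verify disabled: server will respond to unauthenticated ClientHellos") }` placed before the `dtls.Config` is built. Renaming the public field to `InsecureSkipHelloVerify` would also keep the library's warning visible at the package boundary, though that is a naming preference rather than a defect. `New` continues past the end of this hunk.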