
Merge pull request #11 from Snawoot/skip_hello_verify_by_default

Skip HelloVerify by default
Snawoot 1 year ago
parent
commit
215bbf11bd
2 changed files with 5 additions and 3 deletions
  1. 4 2
      README.md
  2. 1 1
      cmd/dtlspipe/main.go

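--- a/README.md
+++ b/README.md
@@ -55,7 +55,9 @@ You need to make following adjustments to wireguard client config:
 AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/5, 200.0.0.0/7, 202.0.0.0/8, 203.0.0.0/18, 203.0.64.0/19, 203.0.96.0/20, 203.0.112.0/24, 203.0.113.0/29, 203.0.113.8/31, 203.0.113.10/32, 203.0.113.12/30, 203.0.113.16/28, 203.0.113.32/27, 203.0.113.64/26, 203.0.113.128/25, 203.0.114.0/23, 203.0.116.0/22, 203.0.120.0/21, 203.0.128.0/17, 203.1.0.0/16, 203.2.0.0/15, 203.4.0.0/14, 203.8.0.0/13, 203.16.0.0/12, 203.32.0.0/11, 203.64.0.0/10, 203.128.0.0/9, 204.0.0.0/6, 208.0.0.0/4, 224.0.0.0/3, ::/0
 ```
 
-**Note:** consider use of `-skip-hello-verify` option on server to workaround DPI if such filtering is the case for you.
+## Additional notes
+
+dtlspipe server skips HelloVerify message by default in order to workaround some DPI systems. It's associated with [some DoS security risks](https://datatracker.ietf.org/doc/html/rfc6347#section-4.2.1). Please add server option `-skip-hello-verify=false` if such behavior is undesirable. Alternatively such risks may be mitigated with firewall, restricting sessions count on server port.
 
 ## Synopsis
 
@@ -88,7 +90,7 @@ Options:
   -psk string
     	hex-encoded pre-shared key. Can be generated with genpsk subcommand
   -skip-hello-verify
-    	(server only) skip hello verify request. Useful to workaround DPI
+    	(server only) skip hello verify request. Useful to workaround DPI (default true)
   -stale-mode value
     	which stale side of connection makes whole session stale (both, either, left, right) (default either)
   -time-limit duration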

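--- a/cmd/dtlspipe/main.go
+++ b/cmd/dtlspipe/main.go
@@ -68,7 +68,7 @@ var (
 	identity        = flag.String("identity", "", "client identity sent to server")
 	mtu             = flag.Int("mtu", 1400, "MTU used for DTLS fragments")
 	cpuprofile      = flag.String("cpuprofile", "", "write cpu profile to file")
-	skipHelloVerify = flag.Bool("skip-hello-verify", false, "(server only) skip hello verify request. Useful to workaround DPI")
+	skipHelloVerify = flag.Bool("skip-hello-verify", true, "(server only) skip hello verify request. Useful to workaround DPI")
 	ciphersuites    = cipherlistArg{}
 	curves          = curvelistArg{}
 	staleMode       = util.EitherStale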
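Review bot: The new default of `true` on the skip-hello-verify flag changes the server's security posture (the README in this same commit links the RFC 6347 section 4.2.1 DoS concern), but the help string on that line still says only "Useful to workaround DPI", so `-help` output carries no hint of the trade-off for operators who never open the README. Presumably the flag disables the DTLS HelloVerifyRequest cookie exchange that limits spoofed-source flooding; the description should say so and point at the opt-out, e.g. `skipHelloVerify = flag.Bool("skip-hello-verify", true, "(server only) skip hello verify request. Useful to workaround DPI, but disables the DTLS cookie exchange that limits spoofed-source flooding (RFC 6347 section 4.2.1); pass -skip-hello-verify=false to keep it")`. The enclosing `var (` block starts and ends outside the hunk.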