Constants ¶
const (
	// KEY_EXPANSION_ID is the fixed string fed into the TLS PRF when keys are derived.
	KEY_EXPANSION_ID = "OpenVPN" // Used in the TLS PRF function
	// P_KEY_ID_MASK isolates the key-id; the opcode is recovered with P_OPCODE_SHIFT.
	P_KEY_ID_MASK = 0x07 // packet opcode (high 5 bits) and key-id (low 3 bits) are combined in one byte
	P_OPCODE_SHIFT = 3
	CONTROL_SEND_ACK_MAX = 4
	TLS_RELIABLE_N_SEND_BUFFERS = 4
	TLS_RELIABLE_N_REC_BUFFERS = 8
	PUBLIC_NETWORK_MTU = 1500
	MAX_CONTROL_HEADER_SIZE = 38
	// Control-channel payload budget: the network MTU less the largest control header.
	CONTROL_CHANNEL_MTU = PUBLIC_NETWORK_MTU - MAX_CONTROL_HEADER_SIZE
	KEY_METHOD_MASK = 0x0f
	// this string is used to announce PIA control payload in P_CONTROL_HARD_RESET_CLIENT_V2
	PIA_CONTROL_PREFIX = `53eo0rk92gxic98p1asgl5auh59r1vp4lmry1e3chzi100qntd`
)
const (
	// AES is the only cipher algorithm declared here; it is the value of Options.CipherCrypto.
	AES CipherCryptoAlg = 1
	// CBC and GCM are the two block modes declared here; see Options.CipherBlock.
	CBC CipherBlockMethod = 1
	GCM CipherBlockMethod = 2
)
Variables ¶
var (
	// OPENVPN_PING is a fixed 16-byte payload. Going by its name (and it matches
	// the bytes of OpenVPN's well-known ping string) it presumably identifies
	// keepalive ping packets on the data channel — confirm against its callers.
	OPENVPN_PING = []byte{
		0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
		0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48,
	}
)
Functions ¶
func IsControlPacket ¶
func IsControlPacket(t PacketType) bool
func PKCS5Padding ¶
func PKCS5Trimming ¶
TODO: verify that the bytes being trimmed are in fact valid padding (every stripped byte equal to the pad length) before removing them, so a malformed last block is rejected instead of being silently shortened.
Types ¶
type Adapter ¶
// Adapter bridges OpenVPN peers to pktkit networking; construct it with NewAdapter.
type Adapter struct {
	// contains filtered or unexported fields
}
Adapter bridges OpenVPN peers to pktkit networking. Each peer that completes a TLS handshake and authenticates gets a per-peer device connected to the configured connector.
In tun mode with a pktkit.L3Connector: each peer gets a namespace-isolated L3Device. Decrypted IP packets flow directly between the OpenVPN tunnel and the network.
In tap mode with a pktkit.L2Connector: each peer gets an L2Device on a shared broadcast domain. Decrypted Ethernet frames flow between the tunnel and the hub.
func NewAdapter ¶
func NewAdapter(cfg AdapterConfig) (*Adapter, error)
NewAdapter creates a new OpenVPN adapter with the given configuration.
type AdapterConfig ¶
// AdapterConfig configures an OpenVPN Adapter; pass it to NewAdapter.
type AdapterConfig struct {
	// TLSConfig is the TLS configuration for the OpenVPN server.
	// Must include at least one certificate.
	// NOTE(review): whether clients must present a certificate is governed by
	// TLSConfig.ClientAuth; confirm the intended policy when relying on OnAuth
	// credentials alone.
	TLSConfig *tls.Config
	// ListenAddr is the address to listen on (e.g. ":1194").
	// Both TCP and UDP listeners are started on this address.
	ListenAddr string
	// Connector wires each peer's L3Device to the network. Use a
	// [slirp.Stack] or [nat.NAT] for per-peer namespace-isolated NAT.
	// Exactly one of Connector or L2Connector must be set.
	Connector pktkit.L3Connector
	// L2Connector wires each peer as an L2Device on a shared network.
	// Use an [*pktkit.L2Hub] for a shared broadcast domain.
	// Exactly one of Connector or L2Connector must be set.
	L2Connector pktkit.L2Connector
	// Addr is the IP prefix for L2Connector mode (used by the L2Adapter
	// for ARP). Ignored in L3Connector mode.
	Addr netip.Prefix
	// OnAuth is called when a peer authenticates. It receives the
	// credentials and must return the IP configuration to push to the
	// client, or an error to reject the connection.
	OnAuth func(AuthInfo) (PeerConfig, error)
}
AdapterConfig configures an OpenVPN Adapter.
type AuthInfo ¶
// AuthInfo carries the credentials an OpenVPN client presented during the TLS
// key exchange; it is the argument handed to AdapterConfig.OnAuth.
type AuthInfo struct {
	Username string // username as sent by the client
	Password string // password as sent by the client; a secret — keep it out of logs
	RemoteAddr net.Addr // presumably the client's transport address — confirm against the caller
	PeerInfo map[string]string // presumably key/value peer-info announced by the client; exact contents not visible here
	DevType string // "tun" or "tap"
}
AuthInfo contains the authentication credentials presented by an OpenVPN client during the TLS key exchange.
type CipherBlockMethod ¶
// CipherBlockMethod enumerates the block modes declared by the CBC and GCM
// constants; it is the type of Options.CipherBlock.
type CipherBlockMethod uint8
func (CipherBlockMethod) String ¶
func (i CipherBlockMethod) String() string
type CipherCryptoAlg ¶
// CipherCryptoAlg identifies the cipher algorithm (AES is the only declared
// value); it is the type of Options.CipherCrypto.
type CipherCryptoAlg uint8
func (CipherCryptoAlg) String ¶
func (i CipherCryptoAlg) String() string
type ControlPacket ¶
// ControlPacket is an OpenVPN control-channel packet; build one with
// MakeControlPacket or ParseControlPacket and serialize it with Bytes.
type ControlPacket struct {
	RemoteId [8]byte // 8-byte identifier of the remote side — presumably its session ID; confirm
	// contains filtered or unexported fields
}
func MakeControlPacket ¶
func MakeControlPacket(p *Peer, t PacketType, kid byte) *ControlPacket
func ParseControlPacket ¶
func ParseControlPacket(t PacketType, kid byte, buf *bytes.Reader, p *Peer) (*ControlPacket, error)
func (*ControlPacket) Bytes ¶
func (pkt *ControlPacket) Bytes(ack []uint32) []byte
func (*ControlPacket) Dump ¶
func (cp *ControlPacket) Dump(rcvd bool, action string)
func (*ControlPacket) SetPid ¶
func (pkt *ControlPacket) SetPid(pid uint32)
type Options ¶
// Options holds the parsed OpenVPN option set (the fields mirror the option
// string documented below, e.g. "dev-type tun", "cipher AES-128-CBC",
// "auth SHA256") plus crypto objects derived from it. Build with NewOptions.
type Options struct {
	Version int // 4
	IsServer bool
	DevType string // "tun" or "tap"
	LinkMtu, TunMtu uint64
	Proto string // "UDPv4", etc
	Compression string // "" "lzo" "lz4"
	CipherCrypto CipherCryptoAlg // AES
	CipherSize int // 128|256
	CipherBlock CipherBlockMethod // CBC|GCM
	Auth crypto.Hash // hmac algo, for example "SHA256"
	KeySize uint64 // 128
	KeyMethod uint64 // 2
	// generated local values for faster processing
	AuthHashSize int // presumably Auth's digest size — confirm
	AuthHashNew func() hash.Hash // presumably a constructor for the Auth hash — confirm
	CipherBlockDecrypt cipher.Block // block cipher, receive side (presumably used in CBC mode)
	CipherBlockEncrypt cipher.Block // block cipher, send side (presumably used in CBC mode)
	DecryptAEAD cipher.AEAD // AEAD, receive side (presumably used in GCM mode)
	EncryptAEAD cipher.AEAD // AEAD, send side (presumably used in GCM mode)
}
Example of the option string that Options models: V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
func NewOptions ¶
func NewOptions() *Options
func (*Options) HashString ¶
func (*Options) ParseCipher ¶
type PacketType ¶
// PacketType is the OpenVPN packet opcode carried in the high 5 bits of the
// first byte; the low 3 bits are the key-id (see P_OPCODE_SHIFT and P_KEY_ID_MASK).
type PacketType byte
// Packet opcodes; see IsControlPacket for the control/data split.
const (
	P_CONTROL_HARD_RESET_CLIENT_V1 PacketType = 1 // initial key from client, forget previous state
	P_CONTROL_HARD_RESET_SERVER_V1 PacketType = 2 // initial key from server, forget previous state
	P_CONTROL_SOFT_RESET_V1 PacketType = 3 // new key, graceful transition from old to new key
	P_CONTROL_V1 PacketType = 4 // control channel packet (usually TLS ciphertext)
	P_ACK_V1 PacketType = 5 // acknowledgement for packets received
	P_DATA_V1 PacketType = 6 // data channel packet
	P_DATA_V2 PacketType = 9 // data channel packet with peer-id (value 9; declared out of numeric order)
	P_CONTROL_HARD_RESET_CLIENT_V2 PacketType = 7 // initial key from client, forget previous state
	P_CONTROL_HARD_RESET_SERVER_V2 PacketType = 8 // initial key from server, forget previous state
)
func (PacketType) String ¶
func (i PacketType) String() string
type Peer ¶
// Peer is one remote OpenVPN endpoint. Its Send* methods transmit packets and
// its Ack methods presumably implement the control-channel reliability layer;
// Close and Unregister tear it down.
type Peer struct {
	IdleTimer uint32 // semantics and units not visible here — confirm against callers
	// contains filtered or unexported fields
}
func (*Peer) SendPacket ¶
func (p *Peer) SendPacket(pkt *ControlPacket) error
func (*Peer) SendPacketLocked ¶
func (p *Peer) SendPacketLocked(pkt *ControlPacket) error
func (*Peer) Unregister ¶
func (p *Peer) Unregister()
type PeerConfig ¶
// PeerConfig is the value OnAuth returns for an authenticated client.
type PeerConfig struct {
	// IP is the tunnel address to assign to the client.
	IP netip.Addr
	// Mask is the subnet mask (formatted as IP for OpenVPN's ifconfig).
	// Note the type differs from IP (net.IP rather than netip.Addr).
	Mask net.IP
	// Gateway is the gateway address (used in tun/net30 topology).
	Gateway netip.Addr
	// PrefixLen is the prefix length for the L3Device's address
	// (L3Connector mode).
	PrefixLen int
}
PeerConfig is returned by the OnAuth callback and describes the IP configuration to push to the authenticated client.
type PeerConn ¶
// PeerConn exposes the net.Conn method set (Read, Write, Close, LocalAddr,
// RemoteAddr and the Set*Deadline methods) over a peer; create one with
// MakePeerConn.
type PeerConn struct {
	// contains filtered or unexported fields
}
func MakePeerConn ¶
func (*PeerConn) RemoteAddr ¶
type PeerConnection ¶
type PeerKeys ¶
// PeerKeys holds one peer's keying material, split by direction: the Cipher*
// slices key the cipher and the Hmac* slices key the HMAC (see Options.Auth).
// All four are secrets. Direction is inferred from the field names — confirm.
type PeerKeys struct {
	CipherEncrypt []byte // cipher key, send side
	HmacEncrypt []byte // HMAC key, send side
	CipherDecrypt []byte // cipher key, receive side
	HmacDecrypt []byte // HMAC key, receive side
}