tls 流量加密

README.md

@@ -9,9 +9,21 @@
 
 ***DockerHub***： [NPS](https://hub.docker.com/r/yisier1/nps) [NPC](https://hub.docker.com/r/yisier1/npc)
 
+# 交流群
+聊天灌水QQ群：619833483
+
+# 捐赠
+![image](image/new/payCode.png)
+
+
 
 ## 更新日志
+- 2024-01-02  v0.27.01  
+  ***新增***：tls 流量加密，(客户端忽略证书校验，谨慎使用，客户端与服务端需要同时开启，或同时关闭)，使用方式：   
+             服务端：nps.conf `tls_enable=true`;    
+             客户端：npc.conf `tls_enable=true` 或者 `npc.exe  -server=xxx -vkey=xxx -tls_enable=true`  
 
+
 - 2023-06-01  v0.26.16  
   ***修复***：https 流量不统计 Bug 修复。  
   ***新增***：新增全局黑名单IP，用于防止被肉鸡扫描端口或被恶意攻击。  

bridge/bridge.go

@@ -1,6 +1,8 @@
 package bridge
 
 import (
+	"crypto/tls"
+	_ "crypto/tls"
 	"ehang.io/nps/lib/nps_mux"
 	"encoding/binary"
 	"errors"
@@ -23,6 +25,8 @@ import (
 	"github.com/astaxie/beego/logs"
 )
 
+var ServerTlsEnable bool = false
+
 type Client struct {
 	tunnel    *nps_mux.Mux
 	signal    *conn.Conn
@@ -82,8 +86,14 @@ func (s *Bridge) StartTunnel() error {
 			os.Exit(0)
 			return err
 		}
+
 		conn.Accept(listener, func(c net.Conn) {
-			s.cliProcess(conn.NewConn(c))
+			// tls
+			if ServerTlsEnable {
+				s.cliProcess(conn.NewConn(tls.Server(c, &tls.Config{Certificates: []tls.Certificate{crypt.GetCert()}})))
+			} else {
+				s.cliProcess(conn.NewConn(c))
+			}
 		})
 	}
 	return nil

client/control.go

@@ -2,6 +2,7 @@ package client
 
 import (
 	"bufio"
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/binary"
 	"errors"
@@ -29,6 +30,16 @@ import (
 	"golang.org/x/net/proxy"
 )
 
+var tlsEnable1 = false
+
+func SetTlsEnable(tlsEnable11 bool) {
+	tlsEnable1 = tlsEnable11
+}
+
+func GetTlsEnable() bool {
+	return tlsEnable1
+}
+
 func GetTaskStatus(path string) {
 	cnf, err := config.NewConfig(path)
 	if err != nil {
@@ -96,6 +107,7 @@ func StartFromFile(path string) {
 	}
 	logs.Info("Loading configuration file %s successfully", path)
 
+	SetTlsEnable(cnf.CommonConfig.TlsEnable)
 re:
 	if first || cnf.CommonConfig.AutoReconnection {
 		if !first {
@@ -202,7 +214,15 @@ func NewConn(tp string, vkey string, server string, connType string, proxyUrl st
 				connection, err = NewHttpProxyConn(u, server)
 			}
 		} else {
-			connection, err = net.Dial("tcp", server)
+			if GetTlsEnable() {
+				//tls 流量加密
+				conf := &tls.Config{
+					InsecureSkipVerify: true,
+				}
+				connection, err = tls.Dial("tcp", server, conf)
+			} else {
+				connection, err = net.Dial("tcp", server)
+			}
 		}
 	} else {
 		sess, err = kcp.DialWithOptions(server, nil, 10, 3)

cmd/npc/npc.go

@@ -39,6 +39,7 @@ var (
 	stunAddr       = flag.String("stun_addr", "stun.stunprotocol.org:3478", "stun server address (eg:stun.stunprotocol.org:3478)")
 	ver            = flag.Bool("version", false, "show current version")
 	disconnectTime = flag.Int("disconnect_timeout", 60, "not receiving check packet times, until timeout will disconnect the client")
+	tlsEnable      = flag.Bool("tls_enable", false, "enable tls")
 )
 
 func main() {
@@ -228,8 +229,9 @@ func run() {
 	if *verifyKey == "" {
 		*verifyKey, _ = env["NPC_SERVER_VKEY"]
 	}
-	logs.Info("the version of client is %s, the core version of client is %s", version.VERSION, version.GetVersion())
+	logs.Info("the version of client is %s, the core version of client is %s,tls enable is %t", version.VERSION, version.GetVersion(), client.GetTlsEnable())
 	if *verifyKey != "" && *serverAddr != "" && *configPath == "" {
+		client.SetTlsEnable(*tlsEnable)
 		go func() {
 			for {
 				client.NewRPClient(*serverAddr, *verifyKey, *connType, *proxyUrl, nil, *disconnectTime).Start()

cmd/nps/nps.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"ehang.io/nps/bridge"
 	"ehang.io/nps/lib/daemon"
 	"flag"
 	"log"
@@ -80,6 +81,8 @@ func main() {
 		Option:      options,
 	}
 
+	bridge.ServerTlsEnable = beego.AppConfig.DefaultBool("tls_enable", false)
+
 	for _, v := range os.Args[1:] {
 		switch v {
 		case "install", "start", "stop", "uninstall", "restart":
@@ -227,7 +230,7 @@ func run() {
 	}
 
 	logs.Info("the config path is:" + common.GetRunPath())
-	logs.Info("the version of server is %s ,allow client core version to be %s", version.VERSION, version.GetVersion())
+	logs.Info("the version of server is %s ,allow client core version to be %s,tls enable is %t", version.VERSION, version.GetVersion(), bridge.ServerTlsEnable)
 	connection.InitConnectionService()
 	//crypt.InitTls(filepath.Join(common.GetRunPath(), "conf", "server.pem"), filepath.Join(common.GetRunPath(), "conf", "server.key"))
 	crypt.InitTls()

conf/npc.conf

@@ -14,6 +14,7 @@ crypt=true
 compress=true
 #pprof_addr=0.0.0.0:9999
 disconnect_timeout=60
+tls_enable = true
 
 [health_check_test1]
 health_check_timeout=1

conf/nps.conf

@@ -51,7 +51,9 @@ web_key_file=conf/server.key
 #Web API unauthenticated IP address(the len of auth_crypt_key must be 16)
 #Remove comments if needed
 #auth_key=test
-auth_crypt_key =1234567812345678
+auth_key=123
+#获取服务端authKey时的aes加密密钥，16位
+auth_crypt_key =213
 
 #allow_ports=9001-9009,10001,11000-12000
 
@@ -92,4 +94,8 @@ http_add_origin_header=false
 disconnect_timeout=60
 
 #管理面板开启验证码校验
-open_captcha=false
+open_captcha=false
+
+
+# 是否开启tls
+tls_enable=true

go.sum

@@ -1,6 +1,4 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-ehang.io/nps-mux v0.0.0-20210407130203-4afa0c10c992 h1:LvlcB+8JveSBprHnva0g+OyLwAH8CRxEwtWzTe6ocoE=
-ehang.io/nps-mux v0.0.0-20210407130203-4afa0c10c992/go.mod h1:v54y/8ICChiM/aVUuKxGIcWwjm4HGNRyyAwbgLBoMbI=
 fyne.io/fyne/v2 v2.0.2 h1:6pDvFuCmL1odyT/fPI+2L54hMJW1Zt9Dno41HmLInRs=
 fyne.io/fyne/v2 v2.0.2/go.mod h1:3+FYmLJVgeb8EvTPJ5YzZeo7LkAq4bbuY3Zrir6xHbg=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=

lib/config/config.go

@@ -15,6 +15,7 @@ type CommonConfig struct {
 	VKey             string
 	Tp               string //bridgeType kcp or tcp
 	AutoReconnection bool
+	TlsEnable        bool
 	ProxyUrl         string
 	Client           *file.Client
 	DisconnectTime   int
@@ -150,6 +151,8 @@ func dealCommon(s string) *CommonConfig {
 			common.InitPProfFromArg(item[1])
 		case "disconnect_timeout":
 			c.DisconnectTime = common.GetIntNoErrByStr(item[1])
+		case "tls_enable":
+			c.TlsEnable = common.GetBoolByStr(item[1])
 		}
 	}
 	return c

lib/crypt/tls.go

@@ -30,6 +30,10 @@ func InitTls() {
 	}
 }
 
+func GetCert() tls.Certificate {
+	return cert
+}
+
 func NewTlsServerConn(conn net.Conn) net.Conn {
 	var err error
 	if err != nil {

lib/version/version.go

@@ -1,8 +1,8 @@
 package version
 
-const VERSION = "0.26.16.1"
+const VERSION = "0.27.01"
 
 // Compulsory minimum version, Minimum downward compatibility to this version
 func GetVersion() string {
-	return "0.26.0"
+	return "0.27.0"
 }