Updated README with new capabilities

opencoff · Jul 3, 2020 · 3e92834 · 3e92834
1 parent 9030d64
commit 3e92834
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -1,17 +1,18 @@
-# go-tunnel - Robust TLS Tunnel (Stunnel replacement)
+# go-tunnel - Robust Quic/TLS Tunnel (Stunnel replacement)
 
 ## What is it?
-An [Stunnel](https://www.stunnel.org) replacement written in golang. It is
+A supercharged [Stunnel](https://www.stunnel.org) replacement written in golang. It is
 is in a sense a proxy enabling addition of network-encryption to existing
 clients without any source code changes.
 
 go-tunnel uses golang's TLS stack and built-in certification verification.
 
 ## Features
 
-- TLS 1.2 for client and server mode (TLS Connect or TLS Listen)
-- Optional TLS client certificate (for TLS Connect)
-- SNI on the listening TLS server
+- TLS 1.3 for client and server mode (TLS Connect or TLS Listen)
+- Quic client and server mode (Quic listen or Quic connect)
+- Optional TLS client certificate (for Quic/TLS Connect)
+- SNI on the listening Quic/TLS server
 - Ratelimits - global and per-IP
 - [Proxy-Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
   v1 support when connecting to downstream servers

diff --git a/etc/gotun.conf b/etc/gotun.conf
@@ -32,10 +32,11 @@ listen:
         connect:
             address: 55.66.77.88:443
             bind: 44.33.22.55
+
             tls:
                 # if quic is set to true, use QUIC over UDP to connect
                 # to the named addr/port
-                quic: true
+                #quic: true
                 cert: /path/to/crt
                 key: /path/to/key
                 ca: /path/to/ca.crt # server cert verification chain
@@ -48,13 +49,14 @@ listen:
     -   address: 127.0.0.1:9443
         allow: [127.0.0.1/8, 11.0.1.0/24, 11.0.2.0/24]
         deny: []
+
         timeout:
             connect: 8
             read: 9
             write: 27
         tls:
             # if quic is set to true, use QUIC over the named UDP port
-            quic: true
+            #quic: true
             sni: /path/to/cert/dir
 
 		    # clientcert can be "required" or "optional" or "blank" or absent.

diff --git a/gotun/quicdial.go b/gotun/quicdial.go
@@ -39,6 +39,10 @@ type qConn struct {
 }
 
 func newQuicDialer(r *Server, log *L.Logger) (Dialer, error) {
+
+	var nextproto = "relay"
+	r.clientTls.NextProtos = []string{nextproto}
+
 	q := &quicDialer{
 		r:    r,
 		log:  log,

diff --git a/gotun/server.go b/gotun/server.go
@@ -173,6 +173,10 @@ func (s *Server) newTCPServer() Proxy {
 func (s *Server) newQuicServer() Proxy {
 	addr := s.Addr
 
+	if len(s.tls.ServerName) == 0 {
+		die("Quic Server %s: No TLS server name specified", addr)
+	}
+
 	la, err := net.ResolveUDPAddr("udp", addr)
 	if err != nil {
 		die("Can't resolve %s: %s", addr, err)
@@ -183,6 +187,12 @@ func (s *Server) newQuicServer() Proxy {
 		die("Can't listen on %s: %s", addr, err)
 	}
 
+	// we need to set the next-proto to be relay or socks
+	var nextproto = "relay"
+	s.tls.NextProtos = []string{nextproto}
+
+	// XXX do we verify ServerName?
+
 	q, err := quic.Listen(ln, s.tls, &quic.Config{})
 	if err != nil {
 		die("can't start quic listener on %s: %s", addr, err)