From a164df66046076cc2409d5229f8788dadae98229 Mon Sep 17 00:00:00 2001 
From: Alexander Zhirov Date: Fri, 9 May 2025 17:32:16 +0300 Subject: [PATCH] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D0=B5=20=D0=BA=D0=BE=D0=BD=D1=84=D0=B8=D0=B3=D1=83?= =?UTF-8?q?=D1=80=D0=B0=D1=86=D0=B8=D0=B8=20=D0=B7=D0=B0=D0=BF=D1=83=D1=81?= =?UTF-8?q?=D0=BA=D0=B0=20-=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D1=8B=20=D1=81=D0=B5=D1=80=D0=B2=D0=B8=D1=81=D1=8B=20?= =?UTF-8?q?=D0=B7=D0=B0=D0=BF=D1=83=D1=81=D0=BA=D0=B0=20=D1=81=D0=B5=D1=80?= =?UTF-8?q?=D0=B2=D0=B5=D1=80=D0=B0=20=D0=B8=20=D0=BA=D0=BB=D0=B8=D0=B5?= =?UTF-8?q?=D0=BD=D1=82=D0=B0=20-=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BE=D0=B1=D0=B5=D1=80=D1=82=D0=BA=D0=B8?= =?UTF-8?q?=20=D0=B4=D0=BB=D1=8F=20=D0=B7=D0=B0=D0=BF=D1=83=D1=81=D0=BA?= =?UTF-8?q?=D0=B0=20=D1=81=D0=B5=D1=80=D0=B2=D0=B5=D1=80=D0=B0=20=D0=B8=20?= =?UTF-8?q?=D0=BA=D0=BB=D0=B8=D0=B5=D0=BD=D1=82=D0=B0=20-=20=D0=94=D0=BE?= =?UTF-8?q?=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B0=20=D0=BE=D0=B1=D1=89?= =?UTF-8?q?=D0=B0=D1=8F=20=D0=BA=D0=BE=D0=BD=D1=84=D0=B8=D0=B3=D1=83=D1=80?= =?UTF-8?q?=D0=B0=D1=86=D0=B8=D1=8F=20=D0=B4=D0=BB=D1=8F=20=D1=81=D0=B5?= =?UTF-8?q?=D1=80=D0=B2=D0=B5=D1=80=D0=B0=20=D0=B8=20=D0=BA=D0=BB=D0=B8?= =?UTF-8?q?=D0=B5=D0=BD=D1=82=D0=B0=20-=20=D0=92=D0=BE=D0=B7=D0=BC=D0=BE?= =?UTF-8?q?=D0=B6=D0=BD=D0=BE=D1=81=D1=82=D1=8C=20=D0=B8=D1=81=D0=BF=D0=BE?= =?UTF-8?q?=D0=BB=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D0=BD=D0=B8=D1=8F=20=D0=BF?= =?UTF-8?q?=D0=BE=D0=BB=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D1=82=D0=B5=D0=BB?= =?UTF-8?q?=D1=8C=D1=81=D0=BA=D0=BE=D0=B9=20=D0=BA=D0=BE=D0=BD=D1=84=D0=B8?= =?UTF-8?q?=D0=B3=D1=83=D1=80=D0=B0=D1=86=D0=B8=D0=B8=20=D0=B8=D0=B7=20?= =?UTF-8?q?=D0=BF=D0=BE=D0=B4=20/etc/wstunnel/wstunnel.conf=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=B7=D0=B0=D0=BF=D1=83=D1=81=D0=BA=D0=B0=D0=B5=D0=BC?= =?UTF-8?q?=D1=8B=D1=85=20=D1=81=D0=B5=D1=80=D0=B2=D0=B8=D1=81=D0=BE=D0=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
Content-Transfer-Encoding: 8bit --- files/wstunnel-client | 236 ++++++++++++++++++++++++++++++++++ files/wstunnel-client.service | 12 ++ files/wstunnel-server | 200 ++++++++++++++++++++++++++++ files/wstunnel-server.service | 12 ++ files/wstunnel.conf | 159 +++++++++++++++++++++++ package.yml | 10 +- 6 files changed, 628 insertions(+), 1 deletion(-) create mode 100755 files/wstunnel-client create mode 100644 files/wstunnel-client.service create mode 100755 files/wstunnel-server create mode 100644 files/wstunnel-server.service create mode 100644 files/wstunnel.conf diff --git a/files/wstunnel-client b/files/wstunnel-client new file mode 100755 index 0000000..f3dcea7 --- /dev/null +++ b/files/wstunnel-client 
@@ -0,0 +1,236 @@
+#!/bin/bash
+
+# Script to launch wstunnel client using parameters from the [client] section of a configuration file
+
+# Configuration file paths
+PRIMARY_CONFIG="/etc/wstunnel/wstunnel.conf"
+FALLBACK_CONFIG="/usr/share/defaults/etc/wstunnel/wstunnel.conf"
+
+# Determine which configuration file to use
+CONFIG_FILE=""
+if [ -f "$PRIMARY_CONFIG" ]; then
+ CONFIG_FILE="$PRIMARY_CONFIG"
+elif [ -f "$FALLBACK_CONFIG" ]; then
+ CONFIG_FILE="$FALLBACK_CONFIG"
+else
+ echo "Error: Configuration file not found at '$PRIMARY_CONFIG' or '$FALLBACK_CONFIG'."
+ exit 1
+fi
+
+# Check if a configuration file is provided as an argument (overrides default paths)
+if [ $# -eq 1 ]; then
+ CONFIG_FILE="$1"
+ if [ ! -f "$CONFIG_FILE" ]; then
+ echo "Error:Specified configuration file '$CONFIG_FILE' not found."
+ exit 1
+ fi
+fi
+
+# Initialize variables for wstunnel client parameters
+SERVER_ADDRESS=""
+LOCAL_TO_REMOTE=()
+REMOTE_TO_LOCAL=()
+NO_COLOR=""
+SOCKET_SO_MARK=""
+CONNECTION_MIN_IDLE=""
+NB_WORKER_THREADS=""
+CONNECTION_RETRY_MAX_BACKOFF=""
+LOG_LEVEL=""
+TLS_SNI_OVERRIDE=""
+TLS_SNI_DISABLE=""
+TLS_VERIFY_CERTIFICATE=""
+HTTP_PROXY=""
+HTTP_PROXY_LOGIN=""
+HTTP_PROXY_PASSWORD=""
+HTTP_UPGRADE_PATH_PREFIX=""
+HTTP_UPGRADE_CREDENTIALS=""
+WEBSOCKET_PING_FREQUENCY=""
+WEBSOCKET_MASK_FRAME=""
+HTTP_HEADERS=()
+HTTP_HEADERS_FILE=""
+TLS_CERTIFICATE=""
+TLS_PRIVATE_KEY=""
+DNS_RESOLVER=()
+DNS_RESOLVER_PREFER_IPV4=""
+
+# Function to trim whitespace
+trim() {
+ local var="$1"
+ var="${var#"${var%%[![:space:]]*}"}" # Remove leading whitespace
+ var="${var%"${var##*[![:space:]]}"}" # Remove trailing whitespace
+ echo -n "$var"
+}
+
+# Parse the [client] section of the INI file
+current_section=""
+while IFS='=' read -r key value; do
+ # Skip empty lines and comments
+ if [[ -z "$key" || "$key" =~ ^\s*# || "$key" =~ ^\s*\; ]]; then
+ continue
+ fi
+
+ # Check for section headers
+ if [[ "$key" =~ ^\s*\[.*\]\s*$ ]]; then
+ current_section=$(echo "$key" | sed 
's/^\s*\[\(.*\)\]\s*$/\1/')
+ continue
+ fi
+
+ # Process only the [client] section
+ if [ "$current_section" != "client" ]; then
+ continue
+ fi
+
+ # Trim whitespace from key and value
+ key=$(trim "$key")
+ value=$(trim "$value")
+
+ # Skip if value is empty
+ if [ -z "$value" ]; then
+ continue
+ fi
+
+ # Map INI keys to wstunnel client parameters
+ case "$key" in
+ server_address)
+ SERVER_ADDRESS="$value"
+ ;;
+ local_to_remote)
+ # Split comma-separated values into array
+ IFS=',' read -ra ltr_array <<< "$value"
+ for ltr in "${ltr_array[@]}"; do
+ LOCAL_TO_REMOTE+=("$(trim "$ltr")")
+ done
+ ;;
+ remote_to_local)
+ # Split comma-separated values into array
+ IFS=',' read -ra rtl_array <<< "$value"
+ for rtl in "${rtl_array[@]}"; do
+ REMOTE_TO_LOCAL+=("$(trim "$rtl")")
+ done
+ ;;
+ no_color)
+ NO_COLOR="$value"
+ ;;
+ socket_so_mark)
+ SOCKET_SO_MARK="$value"
+ ;;
+ connection_min_idle)
+ CONNECTION_MIN_IDLE="$value"
+ ;;
+ nb_worker_threads)
+ NB_WORKER_THREADS="$value"
+ ;;
+ connection_retry_max_backoff)
+ CONNECTION_RETRY_MAX_BACKOFF="$value"
+ ;;
+ log_level)
+ LOG_LEVEL="$value"
+ ;;
+ tls_sni_override)
+ TLS_SNI_OVERRIDE="$value"
+ ;;
+ tls_sni_disable)
+ TLS_SNI_DISABLE="$value"
+ ;;
+ tls_verify_certificate)
+ TLS_VERIFY_CERTIFICATE="$value"
+ ;;
+ http_proxy)
+ HTTP_PROXY="$value"
+ ;;
+ http_proxy_login)
+ HTTP_PROXY_LOGIN="$value"
+ ;;
+ http_proxy_password)
+ HTTP_PROXY_PASSWORD="$value"
+ ;;
+ http_upgrade_path_prefix)
+ HTTP_UPGRADE_PATH_PREFIX="$value"
+ ;;
+ http_upgrade_credentials)
+ HTTP_UPGRADE_CREDENTIALS="$value"
+ ;;
+ websocket_ping_frequency)
+ WEBSOCKET_PING_FREQUENCY="$value"
+ ;;
+ websocket_mask_frame)
+ WEBSOCKET_MASK_FRAME="$value"
+ ;;
+ http_headers)
+ # Split comma-separated values into array
+ IFS=',' read -ra headers_array <<< "$value"
+ for header in "${headers_array[@]}"; do
+ HTTP_HEADERS+=("$(trim "$header")")
+ done
+ ;;
+ http_headers_file)
+ HTTP_HEADERS_FILE="$value"
+ ;;
+ tls_certificate)
+ 
TLS_CERTIFICATE="$value"
+ ;;
+ tls_private_key)
+ TLS_PRIVATE_KEY="$value"
+ ;;
+ dns_resolver)
+ DNS_RESOLVER+=("$value")
+ ;;
+ dns_resolver_prefer_ipv4)
+ DNS_RESOLVER_PREFER_IPV4="$value"
+ ;;
+ esac
+done < "$CONFIG_FILE"
+
+# Build the wstunnel client command
+CMD=("wstunnel" "client")
+
+# Add server address (required argument)
+if [ -z "$SERVER_ADDRESS" ]; then
+ echo "Error: server_address is required in the [client] section of the configuration file."
+ exit 1
+fi
+CMD+=("$SERVER_ADDRESS")
+
+# Add optional parameters
+for ltr in "${LOCAL_TO_REMOTE[@]}"; do
+ CMD+=("-L" "$ltr")
+done
+for rtl in "${REMOTE_TO_LOCAL[@]}"; do
+ CMD+=("-R" "$rtl")
+done
+[ "$NO_COLOR" = "true" ] && CMD+=("--no-color" "true")
+[ -n "$SOCKET_SO_MARK" ] && CMD+=("--socket-so-mark" "$SOCKET_SO_MARK")
+[ -n "$CONNECTION_MIN_IDLE" ] && CMD+=("--connection-min-idle" "$CONNECTION_MIN_IDLE")
+[ -n "$CONNECTION_RETRY_MAX_BACKOFF" ] && CMD+=("--connection-retry-max-backoff" "$CONNECTION_RETRY_MAX_BACKOFF")
+[ -n "$LOG_LEVEL" ] && CMD+=("--log-lvl" "$LOG_LEVEL")
+[ -n "$TLS_SNI_OVERRIDE" ] && CMD+=("--tls-sni-override" "$TLS_SNI_OVERRIDE")
+[ "$TLS_SNI_DISABLE" = "true" ] && CMD+=("--tls-sni-disable")
+[ "$TLS_VERIFY_CERTIFICATE" = "true" ] && CMD+=("--tls-verify-certificate")
+[ -n "$HTTP_PROXY" ] && CMD+=("--http-proxy" "$HTTP_PROXY")
+[ -n "$HTTP_PROXY_LOGIN" ] && CMD+=("--http-proxy-login" "$HTTP_PROXY_LOGIN")
+[ -n "$HTTP_PROXY_PASSWORD" ] && CMD+=("--http-proxy-password" "$HTTP_PROXY_PASSWORD")
+[ -n "$HTTP_UPGRADE_PATH_PREFIX" ] && CMD+=("--http-upgrade-path-prefix" "$HTTP_UPGRADE_PATH_PREFIX")
+[ -n "$HTTP_UPGRADE_CREDENTIALS" ] && CMD+=("--http-upgrade-credentials" "$HTTP_UPGRADE_CREDENTIALS")
+[ -n "$WEBSOCKET_PING_FREQUENCY" ] && CMD+=("--websocket-ping-frequency" "$WEBSOCKET_PING_FREQUENCY")
+[ "$WEBSOCKET_MASK_FRAME" = "true" ] && CMD+=("--websocket-mask-frame")
+for header in "${HTTP_HEADERS[@]}"; do
+ CMD+=("--http-headers" "$header")
+done
+[ -n "$HTTP_HEADERS_FILE" ] && 
CMD+=("--http-headers-file" "$HTTP_HEADERS_FILE")
+[ -n "$TLS_CERTIFICATE" ] && CMD+=("--tls-certificate" "$TLS_CERTIFICATE")
+[ -n "$TLS_PRIVATE_KEY" ] && CMD+=("--tls-private-key" "$TLS_PRIVATE_KEY")
+for resolver in "${DNS_RESOLVER[@]}"; do
+ CMD+=("--dns-resolver" "$resolver")
+done
+[ "$DNS_RESOLVER_PREFER_IPV4" = "true" ] && CMD+=("--dns-resolver-prefer-ipv4")
+
+# Set environment variable for nb_worker_threads if specified
+if [ -n "$NB_WORKER_THREADS" ]; then
+ export TOKIO_WORKER_THREADS="$NB_WORKER_THREADS"
+fi
+
+# Print the command for debugging
+echo "Using configuration file: $CONFIG_FILE"
+
+# Execute the wstunnel client command
+exec "${CMD[@]}"
diff --git a/files/wstunnel-client.service b/files/wstunnel-client.service
new file mode 100644
index 0000000..453b6c2
--- /dev/null
+++ b/files/wstunnel-client.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=wstunnel client service
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=/usr/bin/wstunnel-client
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/wstunnel-server b/files/wstunnel-server
new file mode 100755
index 0000000..0d6c7fb
--- /dev/null
+++ b/files/wstunnel-server
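Review bot: Boolean keys are honoured only when the value is exactly `true` (`[ "$TLS_VERIFY_CERTIFICATE" = "true" ] && CMD+=("--tls-verify-certificate")` near the end of the hunk), so `True`, `yes` or `1` silently leave certificate verification off, which is the unsafe direction for that option. Lower-case the value in the case arm, `TLS_VERIFY_CERTIFICATE="${value,,}"`, and reject anything other than `true`/`false` with an error and `exit 1` instead of a silent default; the same pattern is in files/wstunnel-server. `--http-proxy-password` and `--http-upgrade-credentials` end up on the argv of `exec "${CMD[@]}"`, where any local user can read them from the process list; if wstunnel accepts these through the environment or a file, use that, otherwise document that the configuration file must not be world-readable (the same applies to the server script). Error messages use bare `echo` to stdout; append `>&2` so they reach the journal as errors.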
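Review bot: The unit has no `User=` or `DynamicUser=` line, so `/usr/bin/wstunnel-client` and the wstunnel process it execs run as root, which a user-space tunnel does not need; the same applies to files/wstunnel-server.service. Add `DynamicUser=yes` (or a dedicated `User=`) together with `AmbientCapabilities=CAP_NET_BIND_SERVICE` for listeners below port 1024, and consider `ProtectSystem=strict` and `PrivateTmp=yes`; the shipped wstunnel.conf notes that `socket_so_mark` needs root or specific capabilities, so that key would additionally require `CAP_NET_ADMIN`. A client that dials out at start is usually ordered with `Wants=network-online.target` and `After=network-online.target` rather than `network.target`, otherwise early attempts fail and `Restart=always` with `RestartSec=1` fills the journal until the network is up.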
@@ -0,0 +1,200 @@
+#!/bin/bash
+
+# Script to launch wstunnel server using parameters from the [server] section of a configuration file
+
+# Configuration file paths
+PRIMARY_CONFIG="/etc/wstunnel/wstunnel.conf"
+FALLBACK_CONFIG="/usr/share/defaults/etc/wstunnel/wstunnel.conf"
+
+# Determine which configuration file to use
+CONFIG_FILE=""
+if [ -f "$PRIMARY_CONFIG" ]; then
+ CONFIG_FILE="$PRIMARY_CONFIG"
+elif [ -f "$FALLBACK_CONFIG" ]; then
+ CONFIG_FILE="$FALLBACK_CONFIG"
+else
+ echo "Error: Configuration file not found at '$PRIMARY_CONFIG' or '$FALLBACK_CONFIG'."
+ exit 1
+fi
+
+# Check if a configuration file is provided as an argument (overrides default paths)
+if [ $# -eq 1 ]; then
+ CONFIG_FILE="$1"
+ if [ ! -f "$CONFIG_FILE" ]; then
+ echo "Error: Specified configuration file '$CONFIG_FILE' not found."
+ exit 1
+ fi
+fi
+
+# Initialize variables for wstunnel server parameters
+BIND_ADDRESS=""
+SOCKET_SO_MARK=""
+WEBSOCKET_PING_FREQUENCY=""
+NO_COLOR=""
+WEBSOCKET_MASK_FRAME=""
+DNS_RESOLVER=()
+DNS_RESOLVER_PREFER_IPV4=""
+LOG_LEVEL=""
+RESTRICT_TO=()
+RESTRICT_HTTP_UPGRADE_PATH_PREFIX=()
+RESTRICT_CONFIG=""
+TLS_CERTIFICATE=""
+TLS_PRIVATE_KEY=""
+TLS_CLIENT_CA_CERTS=""
+HTTP_PROXY=""
+HTTP_PROXY_LOGIN=""
+HTTP_PROXY_PASSWORD=""
+REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT=""
+NB_WORKER_THREADS=""
+
+# Function to trim whitespace
+trim() {
+ local var="$1"
+ var="${var#"${var%%[![:space:]]*}"}" # Remove leading whitespace
+ var="${var%"${var##*[![:space:]]}"}" # Remove trailing whitespace
+ echo -n "$var"
+}
+
+# Parse the [server] section of the INI file
+current_section=""
+while IFS='=' read -r key value; do
+ # Skip empty lines and comments
+ if [[ -z "$key" || "$key" =~ ^\s*# || "$key" =~ ^\s*\; ]]; then
+ continue
+ fi
+
+ # Check for section headers
+ if [[ "$key" =~ ^\s*\[.*\]\s*$ ]]; then
+ current_section=$(echo "$key" | sed 's/^\s*\[\(.*\)\]\s*$/\1/')
+ continue
+ fi
+
+ # Process only the [server] section
+ if [ "$current_section" != "server" ]; then 
+ continue
+ fi
+
+ # Trim whitespace from key and value
+ key=$(trim "$key")
+ value=$(trim "$value")
+
+ # Skip if value is empty
+ if [ -z "$value" ]; then
+ continue
+ fi
+
+ # Map INI keys to wstunnel server parameters
+ case "$key" in
+ bind_address)
+ BIND_ADDRESS="$value"
+ ;;
+ socket_so_mark)
+ SOCKET_SO_MARK="$value"
+ ;;
+ websocket_ping_frequency)
+ WEBSOCKET_PING_FREQUENCY="$value"
+ ;;
+ no_color)
+ NO_COLOR="$value"
+ ;;
+ websocket_mask_frame)
+ WEBSOCKET_MASK_FRAME="$value"
+ ;;
+ dns_resolver)
+ DNS_RESOLVER+=("$value")
+ ;;
+ dns_resolver_prefer_ipv4)
+ DNS_RESOLVER_PREFER_IPV4="$value"
+ ;;
+ log_level)
+ LOG_LEVEL="$value"
+ ;;
+ restrict_to)
+ # Split comma-separated values into array
+ IFS=',' read -ra restrict_array <<< "$value"
+ for restrict in "${restrict_array[@]}"; do
+ RESTRICT_TO+=("$(trim "$restrict")")
+ done
+ ;;
+ restrict_http_upgrade_path_prefix)
+ # Split comma-separated values into array
+ IFS=',' read -ra prefix_array <<< "$value"
+ for prefix in "${prefix_array[@]}"; do
+ RESTRICT_HTTP_UPGRADE_PATH_PREFIX+=("$(trim "$prefix")")
+ done
+ ;;
+ restrict_config)
+ RESTRICT_CONFIG="$value"
+ ;;
+ tls_certificate)
+ TLS_CERTIFICATE="$value"
+ ;;
+ tls_private_key)
+ TLS_PRIVATE_KEY="$value"
+ ;;
+ tls_client_ca_certs)
+ TLS_CLIENT_CA_CERTS="$value"
+ ;;
+ http_proxy)
+ HTTP_PROXY="$value"
+ ;;
+ http_proxy_login)
+ HTTP_PROXY_LOGIN="$value"
+ ;;
+ http_proxy_password)
+ HTTP_PROXY_PASSWORD="$value"
+ ;;
+ remote_to_local_server_idle_timeout)
+ REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT="$value"
+ ;;
+ nb_worker_threads)
+ NB_WORKER_THREADS="$value"
+ ;;
+ esac
+done < "$CONFIG_FILE"
+
+# Build the wstunnel server command
+CMD=("wstunnel" "server")
+
+# Add bind address (required argument)
+if [ -z "$BIND_ADDRESS" ]; then
+ echo "Error: bind_address is required in the [server] section of the configuration file." 
+ exit 1
+fi
+CMD+=("$BIND_ADDRESS")
+
+# Add optional parameters
+[ -n "$SOCKET_SO_MARK" ] && CMD+=("--socket-so-mark" "$SOCKET_SO_MARK")
+[ -n "$WEBSOCKET_PING_FREQUENCY" ] && CMD+=("--websocket-ping-frequency" "$WEBSOCKET_PING_FREQUENCY")
+[ "$NO_COLOR" = "true" ] && CMD+=("--no-color" "true")
+[ "$WEBSOCKET_MASK_FRAME" = "true" ] && CMD+=("--websocket-mask-frame")
+for resolver in "${DNS_RESOLVER[@]}"; do
+ CMD+=("--dns-resolver" "$resolver")
+done
+[ "$DNS_RESOLVER_PREFER_IPV4" = "true" ] && CMD+=("--dns-resolver-prefer-ipv4")
+[ -n "$LOG_LEVEL" ] && CMD+=("--log-lvl" "$LOG_LEVEL")
+for restrict in "${RESTRICT_TO[@]}"; do
+ CMD+=("--restrict-to" "$restrict")
+done
+for prefix in "${RESTRICT_HTTP_UPGRADE_PATH_PREFIX[@]}"; do
+ CMD+=("--restrict-http-upgrade-path-prefix" "$prefix")
+done
+[ -n "$RESTRICT_CONFIG" ] && CMD+=("--restrict-config" "$RESTRICT_CONFIG")
+[ -n "$TLS_CERTIFICATE" ] && CMD+=("--tls-certificate" "$TLS_CERTIFICATE")
+[ -n "$TLS_PRIVATE_KEY" ] && CMD+=("--tls-private-key" "$TLS_PRIVATE_KEY")
+[ -n "$TLS_CLIENT_CA_CERTS" ] && CMD+=("--tls-client-ca-certs" "$TLS_CLIENT_CA_CERTS")
+[ -n "$HTTP_PROXY" ] && CMD+=("--http-proxy" "$HTTP_PROXY")
+[ -n "$HTTP_PROXY_LOGIN" ] && CMD+=("--http-proxy-login" "$HTTP_PROXY_LOGIN")
+[ -n "$HTTP_PROXY_PASSWORD" ] && CMD+=("--http-proxy-password" "$HTTP_PROXY_PASSWORD")
+[ -n "$REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT" ] && CMD+=("--remote-to-local-server-idle-timeout" "$REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT")
+
+# Set environment variable for nb_worker_threads if specified
+if [ -n "$NB_WORKER_THREADS" ]; then
+ export TOKIO_WORKER_THREADS="$NB_WORKER_THREADS"
+fi
+
+# Print the command for debugging
+echo "Using configuration file: $CONFIG_FILE"
+
+# Execute the wstunnel server command
+exec "${CMD[@]}"
diff --git a/files/wstunnel-server.service b/files/wstunnel-server.service
new file mode 100644
index 0000000..4219aba
--- /dev/null
+++ b/files/wstunnel-server.service
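Review bot: When neither `restrict_to` nor `restrict_config` is set, the command assembled at the end of the hunk starts the server with no destination restriction (the shipped wstunnel.conf describes these keys as the way to limit destination:port pairs) and nothing tells the operator. Warn before the `exec`: `if [ "${#RESTRICT_TO[@]}" -eq 0 ] && [ -z "$RESTRICT_CONFIG" ]; then echo "Warning: no restrict_to or restrict_config set; forwarding is unrestricted" >&2; fi`. The comment `# Print the command for debugging` does not describe the `echo` below it, which prints only the configuration path; keep it that way, since the command can carry `--http-proxy-password`, and reword the comment to `# Report the configuration file in use (the command itself is not echoed: it may contain credentials)`. The same comment appears in files/wstunnel-client.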
@@ -0,0 +1,12 @@
+[Unit]
+Description=wstunnel server service
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=/usr/bin/wstunnel-server
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/wstunnel.conf b/files/wstunnel.conf
new file mode 100644
index 0000000..657a2e4
--- /dev/null
+++ b/files/wstunnel.conf
@@ -0,0 +1,159 @@
+[server]
+; Address to bind the wstunnel server (ws:// for non-TLS, wss:// for TLS)
+; Example: wss://0.0.0.0:8080 or ws://[::]:8080
+bind_address = wss://0.0.0.0:8080
+
+; (Linux only) Mark network packets with SO_MARK sockoption
+; Requires root, sudo, or specific capabilities
+; socket_so_mark = 123
+
+; Frequency of websocket ping to clients (set to 0 to disable)
+websocket_ping_frequency = 30s
+
+; Disable color output in logs
+; no_color = true
+
+; Enable masking of websocket frames (only for non-TLS ws://, adds overhead)
+; websocket_mask_frame = false
+
+; DNS resolver(s) for domain name lookups
+; Can specify multiple resolvers (e.g., dns://1.1.1.1, dns+https://1.1.1.1?sni=cloudflare-dns.com)
+; Use system://0.0.0.0 for libc resolver
+; dns_resolver = dns://1.1.1.1
+
+; Prefer IPv4 over IPv6 for DNS resolution (useful for broken IPv6 connections)
+; dns_resolver_prefer_ipv4 = false
+
+; Log verbosity level (TRACE, DEBUG, INFO, WARN, ERROR, OFF)
+log_level = INFO
+
+; Restrict connections to specific destination:port pairs
+; Can specify multiple restrictions
+; restrict_to = google.com:443, localhost:22
+
+; Restrict websocket upgrade to specific path prefix (acts as a client authentication secret)
+; restrict_http_upgrade_path_prefix = /custom/path
+
+; Path to YAML restriction config file (automatically reloaded on change)
+; restrict_config = /path/to/restrict.yaml
+
+; Custom TLS certificate (PEM format, auto-reloaded on change)
+; tls_certificate = /path/to/certificate.pem
+
+; Custom TLS private key (PEM, EC, or RSA, auto-reloaded on change)
+; tls_private_key = /path/to/private_key.pem
+
+; Enable mTLS by specifying CA certificates for client authentication (PEM, auto-reloaded)
+; tls_client_ca_certs = /path/to/ca_certs.pem
+
+; HTTP proxy to connect to clients (format: user:pass@host:port)
+; http_proxy = user:pass@proxy.example.com:8080
+
+; Override HTTP proxy login
+; http_proxy_login = custom_login
+
+; Override HTTP proxy 
password
+; http_proxy_password = custom_password
+
+; Idle timeout for remote-to-local server before unbinding (default: 3 minutes)
+remote_to_local_server_idle_timeout = 3m
+
+; Number of worker threads (set via environment variable TOKIO_WORKER_THREADS)
+; Note: This flag is ignored in the command line, use environment variable instead
+; nb_worker_threads = 4
+
+[client]
+; Address of the wstunnel server (supports ws://, wss://, http://, https://)
+; Example: wss://wstunnel.example.com or https://wstunnel.example.com
+server_address = wss://wstunnel.example.com
+
+; Local-to-remote forwarding rules (tcp, udp, socks5, stdio, unix)
+; Can specify multiple rules
+; Examples:
+; - tcp://1212:google.com:443 (listen locally on port 1212, forward to google.com:443)
+; - udp://1212:1.1.1.1:53?timeout_sec=10 (listen on UDP port 1212, forward to 1.1.1.1:53, timeout after 10s)
+; - socks5://[::1]:1212?login=admin&password=admin (SOCKS5 proxy with authentication)
+; - stdio://google.com:443 (forward stdio to google.com:443)
+; - unix:///tmp/wstunnel.sock:google.com:443 (listen on Unix socket, forward to google.com:443)
+; local_to_remote = tcp://1212:google.com:443
+
+; Remote-to-local forwarding rules (tcp, udp, socks5, unix)
+; Can specify multiple rules
+; Examples:
+; - tcp://1212:google.com:443 (server listens on port 1212, forwards to local google.com:443)
+; - socks5://[::1]:1212 (server listens for SOCKS5, forwards dynamically to local)
+; remote_to_local = tcp://1212:google.com:443
+
+; Disable color output in logs
+; no_color = true
+
+; (Linux only) Mark network packets with SO_MARK sockoption
+; Requires root, sudo, or specific capabilities
+; socket_so_mark = 123
+
+; Maximum number of idle connections to keep open to the server
+connection_min_idle = 0
+
+; Number of worker threads (set via environment variable TOKIO_WORKER_THREADS)
+; Note: This flag is ignored in the command line, use environment variable instead
+; nb_worker_threads = 4
+
+; Maximum 
backoff time for retrying server connections
+connection_retry_max_backoff = 5m
+
+; Log verbosity level (TRACE, DEBUG, INFO, WARN, ERROR, OFF)
+log_level = INFO
+
+; Domain name for SNI during TLS handshake
+; Required if behind a CDN like Cloudflare to match HTTP HOST header
+; tls_sni_override = example.com
+
+; Disable sending SNI during TLS handshake
+; tls_sni_disable = false
+
+; Enable TLS certificate verification (disabled by default, allows self-signed certs)
+; tls_verify_certificate = false
+
+; HTTP proxy to connect to the server (format: user:pass@host:port)
+; http_proxy = user:pass@proxy.example.com:8080
+
+; Override HTTP proxy login
+; http_proxy_login = custom_login
+
+; Override HTTP proxy password
+; http_proxy_password = custom_password
+
+; HTTP upgrade path prefix for websocket upgrade request
+http_upgrade_path_prefix = v1
+
+; Basic auth credentials for HTTP upgrade request (format: user:pass)
+; http_upgrade_credentials = user:pass
+
+; Frequency of websocket pings to the server (set to 0 to disable)
+websocket_ping_frequency = 30s
+
+; Enable masking of websocket frames (only for non-TLS ws://, adds overhead)
+; websocket_mask_frame = false
+
+; Custom headers for HTTP upgrade request (format: HEADER_NAME: HEADER_VALUE)
+; Can specify multiple headers
+; http_headers = X-Custom-Header: Value
+
+; File containing custom headers for HTTP upgrade request (format: HEADER_NAME: HEADER_VALUE per line)
+; http_headers_file = /path/to/headers.txt
+
+; TLS certificate (PEM) for mTLS client authentication
+; Automatically reloaded on change
+; tls_certificate = /path/to/certificate.pem
+
+; TLS private key (PEM) for mTLS client authentication
+; Automatically reloaded on change
+; tls_private_key = /path/to/private_key.pem
+
+; DNS resolver(s) for domain name lookups
+; Can specify multiple resolvers (e.g., dns://1.1.1.1, dns+https://1.1.1.1?sni=cloudflare-dns.com)
+; Use system://0.0.0.0 for libc resolver
+; dns_resolver = dns://1.1.1.1
+
+; 
Prefer IPv4 over IPv6 for DNS resolution (useful for broken IPv6 connections)
+; dns_resolver_prefer_ipv4 = false
diff --git a/package.yml b/package.yml
index 8a5eed2..2edc6bf 100644
--- a/package.yml
+++ b/package.yml
@@ -1,6 +1,6 @@
 name : wstunnel
 version : 10.2.0
-release : 2
+release : 3
 source :
 - https://github.com/erebe/wstunnel/archive/refs/tags/v10.2.0.tar.gz : e5b29465c447c110e4f7d2c1e99a9e6e883f2ddaf6373459d1008607811e637d
 homepage : https://github.com/erebe/wstunnel
@@ -18,3 +18,11 @@ build : |
 %cargo_build --package wstunnel-cli
 install : |
 %cargo_install
+
+ install -Dm00644 $pkgfiles/wstunnel-client.service $installdir/%libdir%/systemd/system/wstunnel-client.service
+ install -Dm00644 $pkgfiles/wstunnel-server.service $installdir/%libdir%/systemd/system/wstunnel-server.service
+
+ install -Dm00644 $pkgfiles/wstunnel.conf /usr/share/defaults/etc/wstunnel/wstunnel.conf
+
+ install -Dm00755 $pkgfiles/wstunnel-client $installdir/usr/bin/wstunnel-client
+ install -Dm00755 $pkgfiles/wstunnel-server $installdir/usr/bin/wstunnel-server
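Review bot: This file is the fallback configuration both launch scripts read when `/etc/wstunnel/wstunnel.conf` is absent, yet it carries live values: `bind_address = wss://0.0.0.0:8080` with `restrict_to`, `restrict_http_upgrade_path_prefix` and `restrict_config` all commented out, so enabling wstunnel-server.service on an unconfigured host listens on every interface with no destination or client restriction, and `server_address = wss://wstunnel.example.com` makes wstunnel-client.service dial a placeholder host in a one-second restart loop. Comment both out (`; bind_address = wss://0.0.0.0:8080` and `; server_address = wss://wstunnel.example.com`) so the scripts' existing "is required" checks stop the units until an administrator supplies real values. The `[client]` comment on `tls_verify_certificate` states verification is disabled by default; a shipped default of `tls_verify_certificate = true` would make the packaged client fail closed against an unexpected certificate unless the operator deliberately relaxes it.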
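Review bot: The line `install -Dm00644 $pkgfiles/wstunnel.conf /usr/share/defaults/etc/wstunnel/wstunnel.conf` lacks the `$installdir` prefix every other install line in the hunk uses, so the default configuration is written to the build host instead of into the package, and the `/usr/share/defaults/etc/wstunnel/wstunnel.conf` fallback path the two launch scripts rely on will not exist on an installed system. Change it to `install -Dm00644 $pkgfiles/wstunnel.conf $installdir/usr/share/defaults/etc/wstunnel/wstunnel.conf`.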