BlinkyStitt / quic-tunnel

Tunnel UDP or TCP over a client-cert authenticated QUIC tunnel.

QUIC Tunnel

Tunnel Unix Sockets, UDP, or TCP over a client-cert authenticated QUIC tunnel.

You should probably use Cloudflare's VPN instead. It works very similarly to this.

I'm on an airplane and the packet loss is terrible. For SSH, I use mosh, but my other services are bad too. One day, VPNs and video streaming apps will probably use QUIC on their own and this won't be needed.

Long ago I found UDPSpeeder, but it makes bandwidth usage worse. The retrying built into QUIC along with NewReno congestion control should work well in a high latency, low bandwidth, high loss network.

Would a combination of stunnel/socat/iptables be enough? Are there other similar tools? Probably, but I want to code something for fun to play with QUIC and maybe io_uring.

Usage

Create Certificates

Create some self-signed certificates:

cargo run -- quick_certs data first

For more elaborate (and more secure) certificates, you can use other tools such as mkcert.

DNS Tunnel

Start the server:

cargo run -- udp_server data/first 127.0.0.1:8053 1.1.1.1:53

Start the client:

cargo run -- udp_client data/first 127.0.0.1:18053 127.0.0.1:8053 first_server

Test the client:

dig example.com @127.0.0.1 -p 18053

WireGuard Tunnel

Under construction. I need to figure out the route add command to run.

Start the wireguard server:

...

Start the server (locally for testing):

cargo run -- udp_server data/first 127.0.0.1:51819 "$wireguard_server_ip:51820"

Start the tunnel client (locally for testing):

cargo run -- udp_client data/first 127.0.0.1:51818 127.0.0.1:51819 first_server

Configure the wireguard client:

  • instead of $wireguard_server_ip:51820, connect to 127.0.0.1:51818
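Both the DNS tunnel and the WireGuard tunnel above carry UDP datagrams, which have boundaries, over QUIC, whose streams are plain byte streams, so the tunnel has to re-create those boundaries on the far side. The following is an added illustration of one common way to do that (a big-endian u16 length prefix per datagram, with a hard cap on the announced length); it is not quic-tunnel's code and the README does not document the project's actual wire format, so the framing, the `MAX_DATAGRAM` cap and all names here are assumptions:

```rust
// Added example, not part of quic-tunnel: length-prefixed framing for UDP
// datagrams carried over a reliable byte stream such as a QUIC stream.
// The format and the MAX_DATAGRAM cap are assumptions for illustration.
use std::collections::VecDeque;

/// Largest UDP payload that fits one IPv4 datagram (65535 - 20 IP - 8 UDP).
pub const MAX_DATAGRAM: usize = 65_507;

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// The announced length exceeds MAX_DATAGRAM. A peer sending this is
    /// broken or hostile; the caller should close the connection rather
    /// than try to allocate a buffer of that size.
    Oversized(usize),
}

/// Prefix a datagram with its length as a big-endian u16 so the receiver
/// can recover datagram boundaries from the byte stream.
pub fn encode_datagram(payload: &[u8]) -> Result<Vec<u8>, FrameError> {
    if payload.len() > MAX_DATAGRAM {
        return Err(FrameError::Oversized(payload.len()));
    }
    let mut out = Vec::with_capacity(2 + payload.len());
    out.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    out.extend_from_slice(payload);
    Ok(out)
}

/// Incremental decoder: feed it whatever a stream read returned (which may
/// split one datagram across reads or contain several datagrams) and drain
/// complete datagrams with `next_datagram` after every feed.
#[derive(Default)]
pub struct Decoder {
    buf: VecDeque<u8>,
}

impl Decoder {
    pub fn feed(&mut self, bytes: &[u8]) {
        self.buf.extend(bytes);
    }

    /// Returns the next complete datagram, or None if more bytes are needed.
    /// The length is validated before any further bytes are waited for.
    pub fn next_datagram(&mut self) -> Result<Option<Vec<u8>>, FrameError> {
        if self.buf.len() < 2 {
            return Ok(None);
        }
        let len = u16::from_be_bytes([self.buf[0], self.buf[1]]) as usize;
        if len > MAX_DATAGRAM {
            return Err(FrameError::Oversized(len));
        }
        if self.buf.len() < 2 + len {
            return Ok(None);
        }
        self.buf.drain(..2);
        Ok(Some(self.buf.drain(..len).collect()))
    }
}

fn main() {
    // Constructed sample: two payloads standing in for DNS query datagrams.
    let mut wire = encode_datagram(&[0xAB; 40]).unwrap();
    wire.extend(encode_datagram(&[0xCD; 512]).unwrap());
    let mut dec = Decoder::default();
    for chunk in wire.chunks(31) {
        dec.feed(chunk);
        while let Some(d) = dec.next_datagram().unwrap() {
            println!("recovered datagram of {} bytes", d.len());
        }
    }
}
```

The decoder validates the announced length before buffering further bytes, so a malicious or corrupt peer cannot make the receiver wait for, or allocate, an arbitrarily large frame.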

TCP Reverse Proxy

Start your app listening on TCP. For this example, it will be a simple docker container:

docker run --rm -p 8080:80 --name quic-tunnel-example nginx

This test curl command will go directly to nginx:

curl localhost:8080

Start the tunnel server:

cargo run -- reverse_proxy_server first 127.0.0.1:8443 --tcp-accept 127.0.0.1:18080

Start the tunnel client:

cargo run -- reverse_proxy_client first 127.0.0.1:8443 --tcp-connect 127.0.0.1:8080

This test curl command will go through the server to the client and finally to the nginx docker container:

curl localhost:18080
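The request above travels client -> tunnel server -> QUIC -> tunnel client -> nginx, and on each hop the proxy has to copy bytes in both directions and pass along half-closes so that neither end hangs waiting for an EOF that never arrives. The code below is an added example of that relay logic, not code from quic-tunnel: both legs are plain TCP so it runs stand-alone (in the real tool one leg is the QUIC stream), the echo server stands in for the nginx container, and all function names are assumptions:

```rust
// Added example, not part of quic-tunnel: a minimal bidirectional TCP relay
// of the kind a reverse proxy needs between its accepted connection and the
// upstream it forwards to. Both legs are plain TCP here for illustration.
use std::io::{self, Read, Write};
use std::net::{Shutdown, SocketAddr, TcpListener, TcpStream};
use std::thread;

/// Copy bytes from `from` to `to` until EOF, then propagate the half-close
/// so the far side sees EOF instead of hanging. Returns the bytes copied.
fn pump(mut from: TcpStream, mut to: TcpStream) -> io::Result<u64> {
    let n = io::copy(&mut from, &mut to)?;
    let _ = to.shutdown(Shutdown::Write);
    Ok(n)
}

/// Accept one connection on a fresh loopback port, connect to `target`, and
/// relay in both directions, one thread per direction so that a stall on one
/// side cannot block the other. Returns the address clients connect to.
pub fn start_relay(target: SocketAddr) -> io::Result<SocketAddr> {
    // Bind to loopback only: a relay reachable from outside would be an
    // open proxy into whatever `target` is.
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let local = listener.local_addr()?;
    thread::spawn(move || {
        if let Ok((client, _)) = listener.accept() {
            if let Ok(upstream) = TcpStream::connect(target) {
                let c2 = client.try_clone().expect("clone client socket");
                let u2 = upstream.try_clone().expect("clone upstream socket");
                thread::spawn(move || pump(client, upstream));
                thread::spawn(move || pump(u2, c2));
            }
        }
    });
    Ok(local)
}

/// Stand-in for the nginx container: a one-shot server that echoes back
/// everything it received once the peer half-closes its side.
pub fn start_echo_server() -> io::Result<SocketAddr> {
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let addr = listener.local_addr()?;
    thread::spawn(move || {
        if let Ok((mut s, _)) = listener.accept() {
            let mut buf = Vec::new();
            if s.read_to_end(&mut buf).is_ok() {
                let _ = s.write_all(&buf);
            }
        }
    });
    Ok(addr)
}

/// Send `payload` through the relay, half-close, and return the reply.
pub fn round_trip(relay: SocketAddr, payload: &[u8]) -> io::Result<Vec<u8>> {
    let mut s = TcpStream::connect(relay)?;
    s.write_all(payload)?;
    // Half-close: the echo server only answers after it sees our EOF, and
    // the relay must forward that EOF for the exchange to complete.
    s.shutdown(Shutdown::Write)?;
    let mut out = Vec::new();
    s.read_to_end(&mut out)?;
    Ok(out)
}

fn main() -> io::Result<()> {
    let echo = start_echo_server()?;
    let relay = start_relay(echo)?;
    let reply = round_trip(relay, b"GET / HTTP/1.0\r\n\r\n")?;
    println!("relayed {} bytes back through {}", reply.len(), relay);
    Ok(())
}
```

If `pump` did not call `shutdown(Shutdown::Write)` after EOF, the echo server would never see the end of the request and `round_trip` would block forever; the same failure appears in real proxies as connections that stay open until a timeout fires.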

TCP Proxy

...

TUN/TAP device

...

Unix Socket

...

Todo

  • keepalive/timeouts aren't working properly
  • client cert
  • compression? mixing encryption and compression is very difficult to do securely
  • cute name
  • cute mascot
  • tokio-iouring feature
  • translate docs to match places with airplane-quality internet connections
  • Instead of running Wireguard on top of this tunnel, use boringtun and run wireguard in this process
  • single binary for all commands
  • run in a cloudflare edge worker (or similar) on demand
  • make it faster

Languages

Rust 99.3%, Dockerfile 0.7%