kptunnel

# -*- coding:utf-8 -*-
#+AUTHOR: ifritJP
#+STARTUP: nofold

#+TITLE: Tunnel/Reverse Tunnel over WebSocket and TCP/IP.

* What's this tool.

- TCP sessions inside the tunnel can hold connected
  even if the tunnel connection will be  temporarily disconnected.


* usage

: $ kptunnel <mode> <server> [forwarding [forwarding [...]]] [options]

- mode
  - This argument sets following mode.
  - for server
    - wsserver
    - r-wsserver
    - server
    - r-server
  - for client
    - wsclient
    - r-wsclient
    - client
    - r-client
  - The mode has the prefix "r-" is the reverse tunnel.
  - The mode has the prefix "ws" is 'over websocket'.
  - The mode does not has the prefix "ws" is to directly connect.
    - The connection by tcp is experimental function.
  - "r-", "ws" of the mode must match between client and server.
- server
  - This argument sets the listening port for the server,
    or the port of server to connect from the client.
  - This argument must set with following format.
    - =[host]:port=
    - e.g. localhost:1234  :1234

- forwarding
  - This argument sets the forwarding port.
  - This option can set one or more.
  - When the mode is the reverse tunnel, this argument must set from the server side.
  - When the mode is the normal tunnel, this argument must set from the client side.
  - This argument must set with following format.
    - =[<r|t>,][localhost]:local-port,serverhost:server-port=
    - r: use as the reverse tunnel
    - t: use as the tunnel
    - e.g.1  :20000,hoge.com:22
    - e.g.2  r,:20000,hoge.com:22
    - e.g.3  t,:20000,hoge.com:22
  - 'serverhost' is sent directory widthout change to the server.
    - When the forwarding is ':20000,localhost:22', this 'localhost' shows the server.
  - When server side sets the forwarding, client side's forwarding is overridden.

It shows the sample of the command.

- server

: $ kptunnel r-wsserver :6666 :8001,localhost:22 -pass XXXXXXX -encPass YYYYYYYY

This command run following server.

| option            | description                                            |
|-------------------+--------------------------------------------------------|
| r-wsserver        | run reverse websocket server                           |
| :6666             | listen port 6666                                       |
| :8001,localost:22 | forwarding from server's 8001 port to client's 22 port |
| -pass             | authentication password XXXXXXX for client             |
| -encPass          | password for the tunnel communication encryption       |
  
- client

: $ kptunnel r-wsclient hoge.hoge.com:80 -proxy http://user:pass@proxy.hoge.com:8080/ -pass XXXXXXX -encPass YYYYYYYY

This command run following client.

| option           | description                                                                     |
|------------------+---------------------------------------------------------------------------------|
| r-wsclient       | run reverse websocket client                                                    |
| hoge.hoge.com:80 | connect to hoge.hoge.com:80 port                                                |
| -proxy           | connect via proxy http://proxy.hoge.com::8080/ and authenticate with user, pass |
| -pass            | authentication password XXXXXXX for client                                      |
| -encPass         | password for the tunnel communication encryption                                |
  
- connect to tunnel

Above-described samples construct reverse tunnel forwarding from server's 8001 port to client's 22 port.
To run following command at the server side, it can connect to ssh of client side.

: $ ssh -p 8001 localhost
  
*** option list

**** basic 

- -proxy string
  - This option set the proxy to connect websocket server.
  - When the proxy needs auth, it sets with following format.
    - http://user:pass@proxy.hoge.com:port/ 
  - This tool only supports HTTP proxy.
  - This option is valid for client side.
- -UA string
  - This option set the user-agent to connect to the proxy.
  - This option is valid for client side.

**** security
    
- -pass string
  - This option sets password for the client authentication.
  - This password must set same password at the client and the server.
- -encPass string
  - This option sets the password for the tunnel communication encryption.
  - This password must set same password at the client and the server.
- -encCount int
  - This option sets the count for the tunnel communication encryption.  (default -1)
    - -1 : infinity
    - 0 : plain, no encrypt.
    - N > 0 : packet count
- -ip string
  - This option sets the IP address range that can connect to the server.
  - When this option is omitted, the server does not limit IP address of the client.
  

* demo

[[https://ifritjp.github.io/blog2/public/posts/2020/2020-05-29-tunnel/#headline-12]]  

* performance

  
** direct

: localhost -- 5201 --> localhost

#+BEGIN_SRC txt
$ iperf3 -c localhost -p 5201
Connecting to host localhost, port 5201
[  4] local 127.0.0.1 port 53034 connected to 127.0.0.1 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  7.23 GBytes  62.1 Gbits/sec    0   1.37 MBytes       
[  4]   1.00-2.00   sec  7.32 GBytes  62.9 Gbits/sec    0   1.37 MBytes       
[  4]   2.00-3.00   sec  7.18 GBytes  61.7 Gbits/sec    0   1.37 MBytes       
[  4]   3.00-4.00   sec  7.02 GBytes  60.3 Gbits/sec    0   1.37 MBytes       
[  4]   4.00-5.00   sec  6.87 GBytes  59.0 Gbits/sec    0   1.37 MBytes       
[  4]   5.00-6.00   sec  7.35 GBytes  63.2 Gbits/sec    0   1.50 MBytes       
[  4]   6.00-7.00   sec  7.10 GBytes  61.0 Gbits/sec    0   1.81 MBytes       
[  4]   7.00-8.00   sec  7.13 GBytes  61.2 Gbits/sec    0   2.19 MBytes       
[  4]   8.00-9.00   sec  7.14 GBytes  61.4 Gbits/sec    0   2.19 MBytes       
[  4]   9.00-10.00  sec  7.29 GBytes  62.6 Gbits/sec    0   2.19 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  71.6 GBytes  61.5 Gbits/sec    0             sender
[  4]   0.00-10.00  sec  71.6 GBytes  61.5 Gbits/sec                  receiver

iperf Done.
#+END_SRC


** tunnel

: localhost -- 8001 --> tunnel client -- 8000 --> tunnel server -- 5201 --> localhost


#+BEGIN_SRC txt
$ iperf3 -c localhost -p 8001
Connecting to host localhost, port 8001
[  4] local 127.0.0.1 port 40716 connected to 127.0.0.1 port 8001
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   569 MBytes  4.77 Gbits/sec    0   1.50 MBytes       
[  4]   1.00-2.00   sec   546 MBytes  4.58 Gbits/sec    0   1.50 MBytes       
[  4]   2.00-3.00   sec   562 MBytes  4.72 Gbits/sec    0   1.50 MBytes       
[  4]   3.00-4.00   sec   555 MBytes  4.65 Gbits/sec    0   1.50 MBytes       
[  4]   4.00-5.00   sec   558 MBytes  4.67 Gbits/sec    0   1.50 MBytes       
[  4]   5.00-6.00   sec   552 MBytes  4.64 Gbits/sec    0   1.50 MBytes       
[  4]   6.00-7.00   sec   555 MBytes  4.65 Gbits/sec    0   1.50 MBytes       
[  4]   7.00-8.00   sec   542 MBytes  4.55 Gbits/sec    0   1.50 MBytes       
[  4]   8.00-9.00   sec   554 MBytes  4.65 Gbits/sec    0   1.50 MBytes       
[  4]   9.00-10.00  sec   545 MBytes  4.57 Gbits/sec    0   1.50 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  5.41 GBytes  4.65 Gbits/sec    0             sender
[  4]   0.00-10.00  sec  5.40 GBytes  4.64 Gbits/sec                  receiver

iperf Done.
#+END_SRC