Jayden/PSK-Proxy-Tunnel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

exit node as client

Browse Source
This commit is contained in:
Jayden
2025-09-28 09:35:23 -04:00
parent 3539b21f49
commit 2c47716c4e
3 changed files with 226 additions and 207 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
package-lock.json generated
View File

@@ -1,18 +1,19 @@
{ {
"name": "psk-proxy-tunnel", "name": "psk-proxy-tunnel",
"version": "1.0.0", "version": "1.1.0",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "psk-proxy-tunnel", "name": "psk-proxy-tunnel",
"version": "1.0.0", "version": "1.1.0",
"dependencies": { "dependencies": {
"commander": "^14.0.0" "commander": "^14.0.0"
}, },
"bin": { "bin": {
"psk-proxy-client": "proxy-client.js", "psk-proxy-client": "proxy-client.js",
"psk-proxy-server": "proxy-server.js" "psk-proxy-exit": "proxy-exit.js",
"psk-proxy-relay": "proxy-server.js"
}, },
"devDependencies": { "devDependencies": {
"pkg": "^5.8.1" "pkg": "^5.8.1"

289
proxy-exit.js
View File

@@ -1,13 +1,13 @@
#!/usr/bin/env node #!/usr/bin/env node
/** /**
* PSK Proxy Exit-Node (Server) * PSK Proxy Exit-Node (Client)
* *
* Listens for a TLS-PSK tunnel connection from the proxy relay. * Connects to the relay server as a client.
* Receives OPEN(host,port) to create outbound TCP connections to remote servers, * Receives OPEN(host,port) to create outbound TCP connections to remote servers,
* then forwards DATA/CLOSE frames bidirectionally. * then forwards DATA/CLOSE frames bidirectionally.
* *
* Also supports UDP relaying for SOCKS5 UDP ASSOCIATE via new UDP_* frames. * Also supports UDP relaying for SOCKS5 UDP ASSOCIATE via UDP_* frames.
*/ */
const net = require('net'); const net = require('net');
@@ -17,11 +17,12 @@ const dgram = require('dgram');
const { program } = require('commander'); const { program } = require('commander');
program program
.requiredOption('-P, --relay-port <port>', 'Port for proxy relay TLS-PSK tunnel connections') .requiredOption('-H, --relay-host <host>', 'Relay server host to connect to')
.requiredOption('-H, --host <host>', 'Host to bind to (e.g., 0.0.0.0)') .requiredOption('-P, --relay-port <port>', 'Relay server port for exit connections')
.requiredOption('--psk-file <path>', 'Path to PSK key file') .requiredOption('--psk-file <path>', 'Path to PSK key file')
.requiredOption('--identity <identity>', 'Expected PSK identity from relay') .requiredOption('--identity <identity>', 'PSK identity to use when connecting to relay')
.option('--connect-timeout <ms>', 'Timeout for outbound TCP connect (ms)', '10000') .option('--connect-timeout <ms>', 'Timeout for outbound TCP connect (ms)', '10000')
.option('--reconnect-delay <ms>', 'Delay before reconnecting to relay (ms)', '2000')
.parse(); .parse();
const options = program.opts(); const options = program.opts();
@@ -35,6 +36,7 @@ try {
} }
const OUT_CONNECT_TIMEOUT = parseInt(options.connectTimeout, 10) || 10000; const OUT_CONNECT_TIMEOUT = parseInt(options.connectTimeout, 10) || 10000;
const RECONNECT_DELAY = parseInt(options.reconnectDelay, 10) || 2000;
// Message Types // Message Types
const MSG_TYPES = { const MSG_TYPES = {
@@ -136,20 +138,7 @@ function buildUdpPayload(host, port, data) {
return buf; return buf;
} }
function pskCallback(socket, identity) { // Global state
console.log(`Relay client identity: ${identity}`);
if (identity !== options.identity) {
console.warn(`PSK identity mismatch. Expected '${options.identity}', got '${identity}'.`);
// Abort the connection by returning a falsy value.
// For TLS 1.2, this should cause the handshake to fail.
return null;
}
// For TLS 1.2, the callback should return the PSK as a Buffer.
return Buffer.from(pskKey, 'hex');
}
let relaySocket = null; let relaySocket = null;
const upstreamConns = new Map(); // connectionId -> net.Socket const upstreamConns = new Map(); // connectionId -> net.Socket
@@ -277,149 +266,161 @@ function ensureUdpSocketsForAssoc(connectionId) {
return entry; return entry;
} }
const server = tls.createServer( function connectToRelay() {
{ console.log(`Connecting to relay server ${options.relayHost}:${options.relayPort} via TLS-PSK...`);
pskCallback,
ciphers: 'PSK-AES256-GCM-SHA384:PSK-AES128-GCM-SHA256',
},
(socket) => {
console.log('Proxy relay connected');
relaySocket = socket;
socket.setNoDelay(true); const pskCb = () => ({
socket.setKeepAlive(true, 30000); identity: options.identity,
psk: Buffer.from(pskKey, 'hex'),
});
const reader = createMessageReader(); const sock = tls.connect(
{
host: options.relayHost,
port: parseInt(options.relayPort, 10),
pskCallback: pskCb,
ciphers: 'PSK-AES256-GCM-SHA384:PSK-AES128-GCM-SHA256',
checkServerIdentity: () => undefined,
},
() => {
console.log('Connected to relay server');
}
);
socket.on('data', (data) => { sock.setNoDelay(true);
reader(data, (type, connectionId, payload) => { sock.setKeepAlive(true, 30000);
if (type === MSG_TYPES.OPEN) {
const spec = parseOpenPayload(payload); relaySocket = sock;
if (!spec) { const reader = createMessageReader();
console.warn(`Invalid OPEN payload for connection ${connectionId}`);
writeMessage(relaySocket, MSG_TYPES.OPEN_RESULT, connectionId, buildOpenResultPayload(false)); sock.on('data', (data) => {
return; reader(data, (type, connectionId, payload) => {
if (type === MSG_TYPES.OPEN) {
const spec = parseOpenPayload(payload);
if (!spec) {
console.warn(`Invalid OPEN payload for connection ${connectionId}`);
writeMessage(relaySocket, MSG_TYPES.OPEN_RESULT, connectionId, buildOpenResultPayload(false));
return;
}
const { host, port } = spec;
// Create outbound TCP connection
const upstream = net.createConnection({ host, port });
upstream.setNoDelay(true);
upstream.setKeepAlive(true, 30000);
let connected = false;
const connectTimer = setTimeout(() => {
if (!connected) {
upstream.destroy(new Error('Connect timeout'));
} }
}, OUT_CONNECT_TIMEOUT);
const { host, port } = spec; upstream.once('connect', () => {
// Create outbound TCP connection connected = true;
const upstream = net.createConnection({ host, port }); clearTimeout(connectTimer);
upstream.setNoDelay(true); upstreamConns.set(connectionId, upstream);
upstream.setKeepAlive(true, 30000); // Notify open success
writeMessage(relaySocket, MSG_TYPES.OPEN_RESULT, connectionId, buildOpenResultPayload(true));
});
let connected = false; upstream.on('data', (chunk) => {
const connectTimer = setTimeout(() => { // Queue data with framing and backpressure-aware sending
if (!connected) { enqueueToRelay(connectionId, chunk);
upstream.destroy(new Error('Connect timeout')); });
}
}, OUT_CONNECT_TIMEOUT);
upstream.once('connect', () => { const cleanup = () => {
connected = true; clearTimeout(connectTimer);
clearTimeout(connectTimer); if (upstreamConns.get(connectionId) === upstream) {
upstreamConns.set(connectionId, upstream);
// Notify open success
writeMessage(relaySocket, MSG_TYPES.OPEN_RESULT, connectionId, buildOpenResultPayload(true));
});
upstream.on('data', (chunk) => {
// Queue data with framing and backpressure-aware sending
enqueueToRelay(connectionId, chunk);
});
const cleanup = () => {
clearTimeout(connectTimer);
if (upstreamConns.get(connectionId) === upstream) {
upstreamConns.delete(connectionId);
}
// Drop any pending TX data for this connection
txQueues.delete(connectionId);
writeMessage(relaySocket, MSG_TYPES.CLOSE, connectionId);
};
upstream.on('error', (err) => {
if (!connected) {
clearTimeout(connectTimer);
writeMessage(relaySocket, MSG_TYPES.OPEN_RESULT, connectionId, buildOpenResultPayload(false));
} else {
// Upstream error after established
cleanup();
}
});
upstream.on('close', () => {
cleanup();
});
} else if (type === MSG_TYPES.DATA) {
const upstream = upstreamConns.get(connectionId);
if (upstream && !upstream.destroyed) {
upstream.write(payload);
}
} else if (type === MSG_TYPES.CLOSE) {
const upstream = upstreamConns.get(connectionId);
if (upstream) {
upstream.destroy();
upstreamConns.delete(connectionId); upstreamConns.delete(connectionId);
} }
// Drop any pending TX data for this connection
txQueues.delete(connectionId);
writeMessage(relaySocket, MSG_TYPES.CLOSE, connectionId);
};
// UDP handling upstream.on('error', (err) => {
} else if (type === MSG_TYPES.UDP_OPEN) { if (!connected) {
try { clearTimeout(connectTimer);
ensureUdpSocketsForAssoc(connectionId); writeMessage(relaySocket, MSG_TYPES.OPEN_RESULT, connectionId, buildOpenResultPayload(false));
writeMessage(relaySocket, MSG_TYPES.UDP_OPEN_RESULT, connectionId, buildOpenResultPayload(true)); } else {
} catch (e) { // Upstream error after established
console.warn(`Failed to create UDP association for ${connectionId}: ${e.message}`); cleanup();
writeMessage(relaySocket, MSG_TYPES.UDP_OPEN_RESULT, connectionId, buildOpenResultPayload(false));
} }
} else if (type === MSG_TYPES.UDP_SEND) { });
const parsed = parseUdpPayload(payload);
if (!parsed) { upstream.on('close', () => {
console.warn(`Invalid UDP_SEND payload for ${connectionId}`); cleanup();
return; });
} } else if (type === MSG_TYPES.DATA) {
const { host, port, data } = parsed; const upstream = upstreamConns.get(connectionId);
const entry = udpAssoc.get(connectionId) || ensureUdpSocketsForAssoc(connectionId); if (upstream && !upstream.destroyed) {
// Choose v6 socket if IPv6 literal detected upstream.write(payload);
const isV6 = host.includes(':'); }
const sock = isV6 ? entry.udp6 : entry.udp4; } else if (type === MSG_TYPES.CLOSE) {
try { const upstream = upstreamConns.get(connectionId);
sock.send(data, port, host); if (upstream) {
} catch (e) { upstream.destroy();
console.warn(`UDP send failed (conn ${connectionId}) to ${host}:${port} - ${e.message}`); upstreamConns.delete(connectionId);
}
} else if (type === MSG_TYPES.UDP_CLOSE) {
const entry = udpAssoc.get(connectionId);
if (entry) {
try { entry.udp4 && entry.udp4.close(); } catch (_) {}
try { entry.udp6 && entry.udp6.close(); } catch (_) {}
udpAssoc.delete(connectionId);
}
} else {
// ignore unknown types
} }
});
});
socket.on('close', () => { // UDP handling
console.log('Proxy relay disconnected'); } else if (type === MSG_TYPES.UDP_OPEN) {
relaySocket = null; try {
closeAllUpstreams(); ensureUdpSocketsForAssoc(connectionId);
closeAllUdp(); writeMessage(relaySocket, MSG_TYPES.UDP_OPEN_RESULT, connectionId, buildOpenResultPayload(true));
} catch (e) {
console.warn(`Failed to create UDP association for ${connectionId}: ${e.message}`);
writeMessage(relaySocket, MSG_TYPES.UDP_OPEN_RESULT, connectionId, buildOpenResultPayload(false));
}
} else if (type === MSG_TYPES.UDP_SEND) {
const parsed = parseUdpPayload(payload);
if (!parsed) {
console.warn(`Invalid UDP_SEND payload for ${connectionId}`);
return;
}
const { host, port, data } = parsed;
const entry = udpAssoc.get(connectionId) || ensureUdpSocketsForAssoc(connectionId);
// Choose v6 socket if IPv6 literal detected
const isV6 = host.includes(':');
const sock = isV6 ? entry.udp6 : entry.udp4;
try {
sock.send(data, port, host);
} catch (e) {
console.warn(`UDP send failed (conn ${connectionId}) to ${host}:${port} - ${e.message}`);
}
} else if (type === MSG_TYPES.UDP_CLOSE) {
const entry = udpAssoc.get(connectionId);
if (entry) {
try { entry.udp4 && entry.udp4.close(); } catch (_) {}
try { entry.udp6 && entry.udp6.close(); } catch (_) {}
udpAssoc.delete(connectionId);
}
} else {
// ignore unknown types
}
}); });
});
socket.on('error', (err) => { sock.on('close', () => {
console.error('Relay socket error:', err.message); console.log(`Disconnected from relay server. Retrying in ${RECONNECT_DELAY}ms...`);
}); relaySocket = null;
} closeAllUpstreams();
); closeAllUdp();
setTimeout(connectToRelay, RECONNECT_DELAY);
});
server.listen(parseInt(options.relayPort, 10), options.host, () => { sock.on('error', (err) => {
console.log(`PSK Proxy Exit-Node listening on ${options.host}:${options.relayPort}`); console.error('Relay connection error:', err.message);
}); });
}
// Start connection to the relay server
connectToRelay();
process.on('SIGINT', () => { process.on('SIGINT', () => {
console.log('Shutting down...'); console.log('Shutting down...');
try { server.close(); } catch (_) {} if (relaySocket) try { relaySocket.destroy(); } catch (_) {}
closeAllUpstreams(); closeAllUpstreams();
closeAllUdp(); closeAllUdp();
process.exit(0); process.exit(0);

137
proxy-server.js
View File

@@ -3,9 +3,11 @@
/** /**
* PSK Proxy Relay-Node (Server) * PSK Proxy Relay-Node (Server)
* *
* Listens for a TLS-PSK tunnel connection from the proxy client. * Exposes two ports:
* Establishes a single TLS-PSK tunnel connection to an exit node. * 1. Client port: Listens for TLS-PSK tunnel connections from proxy clients
* Relays frames between the client and the exit node. * 2. Exit port: Listens for TLS-PSK tunnel connections from exit nodes
*
* Relays frames between connected clients and exits.
*/ */
const tls = require('tls'); const tls = require('tls');
@@ -13,12 +15,12 @@ const fs = require('fs');
const { program } = require('commander'); const { program } = require('commander');
program program
.requiredOption('-P, --tunnel-port <port>', 'Port for proxy client TLS-PSK tunnel connections') .requiredOption('-C, --client-port <port>', 'Port for proxy client TLS-PSK tunnel connections')
.requiredOption('-E, --exit-port <port>', 'Port for exit node TLS-PSK tunnel connections')
.requiredOption('-H, --host <host>', 'Host to bind to (e.g., 0.0.0.0)') .requiredOption('-H, --host <host>', 'Host to bind to (e.g., 0.0.0.0)')
.requiredOption('--psk-file <path>', 'Path to PSK key file for client and exit connections') .requiredOption('--psk-file <path>', 'Path to PSK key file for client and exit connections')
.requiredOption('--exit-host <host>', 'Exit node host') .requiredOption('--client-identity <identity>', 'Expected PSK identity for client connections')
.requiredOption('--exit-port <port>', 'Exit node port') .requiredOption('--exit-identity <identity>', 'Expected PSK identity for exit connections')
.requiredOption('--exit-identity <identity>', 'PSK identity for the exit node')
.parse(); .parse();
const options = program.opts(); const options = program.opts();
@@ -80,60 +82,31 @@ function writeMessage(socket, type, connectionId, data = Buffer.alloc(0)) {
socket.write(buf); socket.write(buf);
} }
function connectToExitNode() { // Client PSK callback
console.log(`Connecting to exit node ${options.exitHost}:${options.exitPort}...`);
const pskCb = () => ({
identity: options.exitIdentity,
psk: Buffer.from(pskKey, 'hex'),
});
const sock = tls.connect(
{
host: options.exitHost,
port: parseInt(options.exitPort, 10),
pskCallback: pskCb,
ciphers: 'PSK-AES256-GCM-SHA384:PSK-AES128-GCM-SHA256',
checkServerIdentity: () => undefined,
},
() => {
console.log('Connected to exit node');
}
);
sock.setNoDelay(true);
sock.setKeepAlive(true, 30000);
exitSocket = sock;
exitReader = createMessageReader((type, connId, data) => {
// Forward messages from exit to client
if (clientSocket && !clientSocket.destroyed) {
writeMessage(clientSocket, type, connId, data);
}
});
sock.on('data', (data) => exitReader(data));
sock.on('close', () => {
console.log('Disconnected from exit node. Retrying in 2s...');
exitSocket = null;
// If client is still here, it will be disconnected by the client server logic
if (clientSocket) {
try { clientSocket.destroy(); } catch (_) {}
}
setTimeout(connectToExitNode, 2000);
});
sock.on('error', (err) => {
console.error('Exit node connection error:', err.message);
});
}
const clientPskCallback = (socket, identity) => { const clientPskCallback = (socket, identity) => {
console.log(`Client identity: ${identity}`); console.log(`Client identity: ${identity}`);
if (identity !== options.clientIdentity) {
console.warn(`Client PSK identity mismatch. Expected '${options.clientIdentity}', got '${identity}'.`);
return null;
}
return Buffer.from(pskKey, 'hex'); return Buffer.from(pskKey, 'hex');
}; };
// Exit PSK callback
const exitPskCallback = (socket, identity) => {
console.log(`Exit identity: ${identity}`);
if (identity !== options.exitIdentity) {
console.warn(`Exit PSK identity mismatch. Expected '${options.exitIdentity}', got '${identity}'.`);
return null;
}
return Buffer.from(pskKey, 'hex');
};
// Create server for client connections
const clientServer = tls.createServer( const clientServer = tls.createServer(
{ {
pskCallback: clientPskCallback, pskCallback: clientPskCallback,
@@ -173,16 +146,60 @@ const clientServer = tls.createServer(
} }
); );
clientServer.listen(parseInt(options.tunnelPort, 10), options.host, () => { // Create server for exit connections
console.log(`PSK Proxy Relay-Node listening for clients on ${options.host}:${options.tunnelPort}`); const exitServer = tls.createServer(
{
pskCallback: exitPskCallback,
ciphers: 'PSK-AES256-GCM-SHA384:PSK-AES128-GCM-SHA256',
},
(socket) => {
if (exitSocket) {
console.log('Rejecting new exit connection, already have one.');
socket.destroy();
return;
}
console.log('Exit node connected');
exitSocket = socket;
socket.setNoDelay(true);
socket.setKeepAlive(true, 30000);
exitReader = createMessageReader((type, connId, data) => {
// Forward messages from exit to client
if (clientSocket && !clientSocket.destroyed) {
writeMessage(clientSocket, type, connId, data);
}
});
socket.on('data', (data) => exitReader(data));
socket.on('close', () => {
console.log('Exit node disconnected');
exitSocket = null;
// When exit disconnects, we can optionally close the client connection
// or keep it alive. For simplicity, we keep it.
});
socket.on('error', (err) => {
console.error('Exit socket error:', err.message);
});
}
);
// Start listening for client connections
clientServer.listen(parseInt(options.clientPort, 10), options.host, () => {
console.log(`PSK Proxy Relay-Node listening for clients on ${options.host}:${options.clientPort}`);
}); });
// Start connection to the exit node // Start listening for exit connections
connectToExitNode(); exitServer.listen(parseInt(options.exitPort, 10), options.host, () => {
console.log(`PSK Proxy Relay-Node listening for exit nodes on ${options.host}:${options.exitPort}`);
});
process.on('SIGINT', () => { process.on('SIGINT', () => {
console.log('Shutting down...'); console.log('Shutting down...');
try { clientServer.close(); } catch (_) {} try { clientServer.close(); } catch (_) {}
try { exitServer.close(); } catch (_) {}
if (clientSocket) try { clientSocket.destroy(); } catch (_) {} if (clientSocket) try { clientSocket.destroy(); } catch (_) {}
if (exitSocket) try { exitSocket.destroy(); } catch (_) {} if (exitSocket) try { exitSocket.destroy(); } catch (_) {}
process.exit(0); process.exit(0);