udig
udig is a public-key addressed TCP tunnel software. It allows anybody to expose a local network
service through a public stable ingress, even if the local service is behind a NAT or firewall.
This project is still under heavy work in progress
Background
There are things like ngrok and other commercial software.
udig is suitable for automation because users don't need to create any account.
How it works
It has of two logical endpoints:
- uplink: clients building a tunnel open a TCP connection to our servers and sets up a gRPC service listening on the client connection (yep in reverse; nothing new).
- ingress: another endpoint is for connections entering the tunnel; traffic is then forwarded to any active uplink active matching a tunnel ID encoded in the TLS SNI field.
Tunnel IDs are base32 encoded hashes of the public key (technically a multihash encoded as a base32 multibase).
Tunnel ingress addresses look like this: bahwqcerazdp76ea6rpuwvbbwxkjtypdntmw4bohi6amkzkfz2kswpxlpgykq.udig.io
Install
$ go get -u github.com/mkmik/udig/...
Client usage
Shell 1:
$ udiglink -R 443:localhost:8080
https://bahwqcerazdp76ea6rpuwvbbwxkjtypdntmw4bohi6amkzkfz2kswpxlpgykq
Shell 2:
$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Shell 3:
$ curl https://bahwqcerazdp76ea6rpuwvbbwxkjtypdntmw4bohi6amkzkfz2kswpxlpgykq.udig.io/README.md
# udig
...
Run locally
Shell 1:
$ (cd cmd/udiglink && go build && ./udiglink -alsologtostderr -addr localhost:4000 -http :8081 -R 8443:localhost:1234)
Shell 2:
$ (cd cmd/udigd && go build && ./udigd -alsologtostderr -http :8001 -port 8080 -port 8443 -cert ../../pkg/ingress/testdata/cert.pem -key ../../pkg/ingress/testdata/key.pem)
Shell 3:
$ python3 -m http.server 1234
Shell 4:
$ curl --connect-to ::127.0.0.1:8443 -k https://bahwqcerazdp76ea6rpuwvbbwxkjtypdntmw4bohi6amkzkfz2kswpxlpgykq.udig.io/README.md
(use the actual hostname you get in tunnel ingress addresses: ["bahw....
in Shell 1 for ^^^)
NOTE: This command requires curl
version 7.49.0 or above.
For earlier versions of curl
this can be tested by adding the host to /etc/hosts
file as 127.0.0.1
(or C:\Windows\System32\drivers\etc\hosts
on Windows) - like:
127.0.0.1 bahwqcerazdp76ea6rpuwvbbwxkjtypdntmw4bohi6amkzkfz2kswpxlpgykq.udig.io
And then running the curl command with port 8443:
curl https://bahwqcerazdp76ea6rpuwvbbwxkjtypdntmw4bohi6amkzkfz2kswpxlpgykq.udig.io:8443/README.md
Off-the-shelf tunnel client example
Udig forces you to use a TLS client and one that supports SNI nonetheless!
If you have a plaintext TCP client on one side that needs to talk to a plaintext TCP server on the other side of the tunnel, this is an example of how you can setup the client side of the tunnel with standard off the-shelf-tools:
$ echo "openssl s_client -quiet -connect $DST:$PORT -servername $DST" >/tmp/cmd.sh
$ chmod +x /tmp/cmd.sh
$ socat TCP-LISTEN:1234,reuseaddr,fork 'SYSTEM:/tmp/cmd.sh' &
Contributing
PRs accepted