![]() SNI needs a cert and key file with the file prefix of hostname. SNI isĮnabled by setting tls.sni config element to true and each hostname that is requested via SNI is exposed via domain specific certs & keys in the tls.certdir config block. Quic+SOCKS on a public server and a local laptop. The etc/ directory has example configurations for running ca: /path/to/ca.crt client-cert: required client-ca: /path/to/clientca.crt connect: Quic: true cert: /path/to/crt key: /path/to/key # path to CA bundle that can verify the server certificate. client-cert: required client-ca: /path/to/clientca.crt # plain connect but use proxy-protocol v1 when speaking # downstream connect:Īddress: 55.66.77.88:80 proxyprotocol: v1 # Listen on Quic + client auth and connect to SOCKS # if it is required/optional, then clientca must be set to the list of # CAs that can verify a presented client cert. Sni: /path/to/cert/dir # clientcert can be "required" or "optional" or "blank" or absent. # Not setting it => no verification (InsecureSkipVerify = true) # servername: a. # Listen using TLS with SNI # else, if it is an IP address, it must be set below. ca: /path/to/ca.crt # if address is a name, then servername is populated from it. Global: 2000 per-host: 30 cache-size: 10000 # Connect via TLS connect:Īddress: host.name:443 bind: my.ip.address tls:Ĭert: /path/to/crt key: /path/to/key # path to CA bundle that can verify the server certificate. address: 127.0.0.1:9090 allow: deny: timeout:Ĭonnect: 5 read: 2 write: 2 # limit to N reqs/sec globally ratelimit: config-dir: /etc/gotun # Listeners listen: # Log file can be one of: # - Absolute path # - SYSLOG # - STDOUT # - STDERR log: STDOUT #log: STDOUT # Logging level - "DEBUG", "INFO", "WARN", "ERROR" loglevel: DEBUG # config dir - where all non-absolute file references below will # apply. Where the server and client both use certificates to authenticate each other.Īssuming the config on "Gotunnel Laptop" is in file nf, and theĬonfig on "Gotunnel Server" is in nf, to run the above example, The config file shown above actually demonstrates a really secure tunnel Gotun will tunnel the packets via Quic to a remote endpoint whereĪ second gotun instance will unbundle the SOCKS protocol and In the setup above, the laptop browser clients will treatġ27.0.0.1:1080 as their "real" SOCKS server. The picture below explains the connectivity: Strong authentication on the external server. Using Quic to connect the two gotun instances reduces the TCP/TLS Server gotun instance on the external host configured to acceptĪuthenticated Quic connections and proxy via SOCKS.Ĭonfigure your laptop browser to use the "local" SOCKS server. ![]() Local gotun instance on your laptop configured to accept TCP andĬonnect using Quic to the external server Using two instances of gotun, you can accomplish this: Lets also assume that you have a laptop that wants to connect to the For security reasons, you want to limitĪccess to only clients that are TLS authenticated (TLS client Listening on Quic/UDP supporting SOCKS protocol for connecting to Impossible to ask for interactive password in the middle of a client connection setup. Possible to obtain the password in an interactive manner. The main reason for this is that when gotun is daemonized, it may not be Note that TLS private keys need to be unencrypted we don't support password protected Comes with end-to-end tests covering variety of scenarios.Strong ciphers and curves preferred on both client & server.Access Control on per IP or subnet basis (allow/deny combination). ![]() V1 support when connecting to downstream servers
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |