Your ultimate connection tunnel. TCP websocket tunnel. TLS sockets tunnel. Serial connection socket tunnel. One executable for the client and the server. Multiple platforms supported. Written in go.
Ever had an issue with restrictive firewalls? Well, this tool will help out. Socketace allows you to tunnel multiple connections through:
- sockets
- TLS-encrypted sockets (direct replacement for stunnel)
- websockets
- TLS-encrypted websockets
Socketace is mainly meant for restricted environments where the firewall won't allow you to open an SSH connection or even won't allow any other traffic other than on port 80 and 443. Socketace is also able to tunnel the connection through HTTP (websockets) so even firewalls that do deep packet inspection / proxy ports 80 and 443 should work fine.
Unlike other solutions which use HTTP CONNECT to
establish connection, socketace will actually overlay the TCP over HTTP.
DISCLAIMER: Please note that you are using socketace at your own risk.
SocketAce will use one pyhiscal connection and overlay multiple logical connections within that connection:
+-----------+ +-----------+
| | | |
| | | |
| | | |
| | +-------------------------------------+ | |
localhost:1234 -----| | | MULTIPLEXED (SECURE) CONNECTION VIA | | | ----- 1.2.3.4:5555
| | +-------------------------------------+ | |
| | | simple sockets (TCP or Unix) | | |
| SOCKETACE | | TLS-encrypted sockets (TCP or Unix) | | SOCKETACE |
std. input/output --| |---| packet sockets (UDP or UnixPacket) |---| | ----- /var/some/other.sock
| CLIENT | | websockets on plain HTTP | | SERVER |
| | | websockets on TLS-encrpyted HTTPS | | |
| | | standard input/output | | |
/var/unix.sock -----| | | DNS server | | | -- SOCKS PROXY
| | +-------------------------------------+ | |
| | | |
| | | |
| | | |
+-----------+ +-----------+
This allows you to do wild combinations, such as:
- listen on a local TCP socket, forward connection via SSH + standard in/out to remote server
(e.g.
rsync -esshworks) - listen on a local TCP socket, wrap the connection TLS and forward to a service on a remote server
(i.e. replicate what
stunneldoes) - listen on a local standard in/out, forward to remote service via websocket (i.e. "expose ssh via websockets")
- listen on a TCP socket, forward to a local UNIX socket (i.e. to expose a UNIX-only service to Windows-based machines)
There are several use cases where SocektAce might come in handy:
-
Encrypting connections If your protocol does not support encryption, you can simply wrap the connection with SocketAce and pass it over the Internet.
-
Restrictive firewalls Sometimes you might find yourself behind a quite restrictive firewall. The firewall might:
- let through only specific ports (80, 443)
- use deep packet inspection and block non-HTTP / non-HTTPs traffic
-
Expose Unix sockets as TCP streams If your service is only available as a Unix socket, you can use SocketAce to expose it on a host and access it from other (even Windows) servers
This software uses goreleaser and buildx to create software distribution. There are several ways to install it:
The simplest way to use SOCKETACE is by referencing a pre-build docker image, e.g.
docker run --rm -it boky/socketacebrew tap bokysan/socketace https://github.com/bokysan/socketace-brew.git
brew install socketaceThe build system provides RPM, DEB and APK packages:
- Go to Releases page.
- Download the version appropriate for your system.
- Execute install for your distribution, e.g.
dpkg -i <package>.deb
To install manually:
- Go to Releases page.
- Download the version appropriate for your system into
$HOME/binor similar.
socketace - A tool for tunneling connections over the internet
For the server:
socketace server
[--help]
[-v[v[v[v[v[v]]]]]]
[-c|--config <yaml-config-file>]
[-l|--log-file <log-file>]
[-f|--log-format text|json]
[-C|--log-color yes|no|true|false|auto]
[--log-full-timestamp]
[--log-report-caller]
For the client:
socketace client
[--help]
[-v[v[v[v[v[v]]]]]]
[-c|--config <yaml-config-file>]
[-l|--log-file <log-file>]
[-f|--log-format text|json]
[-C|--log-color yes|no|true|false|auto]
[--log-full-timestamp]
[--log-report-caller]
[--ca-certificate <string> | --ca-certificate-file=<file>]
[--certificate <string> | --certificate-file=<file>]
[--private-key <string> | --private-key-file=<file>]
[--private-key-password <string> | --private-key-password-program=<string>]
[-k|--insecure]
[-s|--secure]
[-l|--listen <string>]...
[-u|--upstream <string>...
SocketAce can proxy multiple protocol across a single connection. You need to pick the right protocol when setting up a connection on the client.
The server can listen on multiple ports / protocols at the same time. To configure the server, you need to set up:
You may configure the channels in the YAML channels section. They define the external services that will be accessible
through this server setup.
server:
channels:
- name: <service-name>
address: <address>
...You may define multiple channels (upstreams). Each channel needs the following properties:
nameis the unique name given to this upstream server. This is then referenced later on in theserverssection and on the client. A good example would bessh,web,oracleetc.addressis the address of the upstream. Fortcpthis is the host and the port, e.g.tcp://127.0.0.1:22,tcp://www.google.com:80ortcp://[::1]:8080,unix:///var/sock/app.sock,unixpacket:///var/sock/app.sock.
At this stage, the following "kinds" (protocols) are supported: websocket, tcp, stdin and unix, unixpacket,
udp, dns+udp and dns+tcp. To configure the server, add it to the servers section of the configuration.
server:
servers:
- address: <address>
[channels: [list of channels]]
[caCertificate: <ca-certificate>]
[caCertificateFile: <ca-file>]
[certificate: <certificate>]
[certificateFile: <certificate-file>]
[privateKey: <private-key>]
[privateKeyFile: <private-key-file>]
[privateKeyPassword: <private-key-password>]
[privateKeyPasswordProgram: <private-key-password-program>]
[ ... other server-specific configuration ... ]Where:
addressis the type of server and listening location. Can behttp,https,tcp,tcp+tls,stdinstdin+tls,unixorunix+tls,udp,unixpacket,dns+udpanddns+tcp.- Always use a valid url, e.g.
tcp://0.0.0.0:5000,https://0.0.0.0:8900. - Address type will define the listening server style, e.g.
httpandhttpswill start an HTTP / websocket server,tcpandunixwill start a standard socket server,udpandunixgramwill start a packet socket server,stdinwill start a stream on standard input/output.
stdinandstdin+tlslisten to stdin/stdout. As expected, only onestdinserver can be configured. This allows you to use SocketAce viassh(like rsync overssh) or any other service which can stream via standard input and output (e.g. viatelnetornetcator even serial connection).- TLS-secured tunnels will need the certificate info.
- You can also listen on a non-secured channel (e.g. HTTP) and provide certificate info. If provided, server will
support the
StartTLScommand, which executes TLS handshake after connecting. Especially useful if you're proxying the connection over an existing HTTP server.
- Always use a valid url, e.g.
channelsdefines a list of upstream channels that this connection proxies. If not defined, all channels are proxied.- Define
caCertificateorcaCertificateFileif you want to use mutual (client and server) certificate authentication. When defined, the server will accept client connections only if signed by the given CA certificate. certificateorcertificateFileis the server's certificate. Needed fortlsconnections. If provided for non-TLS connections, server will suggest to the client to switch to secure communication viaStartTLS.privateKey,privateKeyFile,privateKeyPasswordandprivateKeyPasswordProgramshould be pretty self-explanatory. They must be defined whencertificateis set up.
Configure SocketAce to listen for HTTP or HTTPS requests. Example configuration is as follows:
server:
servers:
# Setup a HTTP websocket server, answering at http://192.168.1.1:8000/ws/all
- address: http://192.168.1.1:8000
endpoints:
- endpoint: /ws/all
# Setup a HTTP websocket server, secured by StartTLS. This allows you to proxy
# secure SocketAce connections over plain :80 HTTP connection
- address: http://192.168.1.1:8000
endpoints:
- endpoint: /ws/all
certificateFile: cert.pem
privateKeyFile: privatekey.pem
privateKeyPassword: test1234
# Setup a HTTPS websocket server, answering at http://192.168.1.1:8443/ws/ssh
- address: http://192.168.1.1:8000
endpoints:
- channels: [ 'ssh' ]
endpoint: /ws/ssh
certificateFile: cert.pem
privateKeyFile: privatekey.pem
privateKeyPassword: test1234Additional options are as follows:
endpointsdefines the list of URLs the server should listen to. For example/ws/allor/my/secret/connection. You may listen on multiple URLs.
Configure SocketAce to listen on an unecrypted or encrypted socket. Example configuration is as follows:
server:
servers:
# Simple socket proxy. No security. Expose all channels.
- address: tcp://192.168.1.1:9000
# Simple socket proxy. Secure by directly encrypting the socket.
- address: tcp+tls://192.168.1.1:9443
certificateFile: cert.pem
privateKeyFile: privatekey.pem
privateKeyPassword: test1234TCP and TLS sockets require no additional options.
Configure SocketAce to listen on an unecrypted UDP socket. Example configuration is as follows:
server:
servers:
# Simple UDP proxy. Secured by StartTLS.
- address: udp://127.0.0.1:9992
certificateFile: cert.pem
privateKeyFile: privatekey.pem
privateKeyPassword: test1234SokcetAce can also listen on standard input/output. This allows you to carry the SocketAce connection over alternative means (e.g. via SSH, TELNET or serial ports). As long as you can then pipe it to a standard input / output, you're good to go. Notice that this option may be used only once.
server:
servers:
# Simple socket proxy listening on stdin/stdout.
- address: "stdin://"server:
servers:
# Simple socket proxy listening on stdin/stdout. Secured by StartTLS.
- address: "stdin://"
certificateFile: cert.pem
privateKeyFile: privatekey.pem
privateKeyPassword: test1234SocketAce may be proxied over DNS server. It works similar to iodine (in fact, much of the code was referenced from there) but carries a SocketAce connection instead. Gone is the shared-secret password and SocketAce security is used in stead. Note that it might be a good idea to use mutual TLS authentication with public DNS servers.
server:
servers:
# UDP DNS server for SocketAce-over-DNS Secured by StartTLS.
- address: "dns+udp://192.168.8.1:53"
domain: "example.org"
certificateFile: cert.pem
privateKeyFile: privatekey.pem
privateKeyPassword: test1234
- address: "dns+tcp://192.168.8.1:53"
domain: "example.org"
certificateFile: cert.pem
privateKeyFile: privatekey.pem
privateKeyPassword: test1234The domain represents the listening domain. You will need to make your server an authorative nameserver for
this domain. Check the iodine's tutorial on how to do this if you are not certain.
Client configuration is a bit simpler and can be done via a config file or via a command line. Basically, only two options are important:
--upstream <url>may be specified multiple times. Defines a list of upstream servers that the client will try to connect to. The format is<protocol>[://<host|path>]. Protocol may be any of the following:tcp,tcp+tls,stdin,stdin+tls,unix,unix+tls,http,https,unixgram,udpordns. Examples:tcp://127.0.0.1:9995to connect to a socket server onlocalhoston9995udp://127.0.0.1:9993to connect to a UDP server onlocalhoston9993tcp+tls://127.0.0.1:9995to connect to a TLS-encrypted socket server onlocalhoston9995dns://example.orgconnect via auto-detected DNS servers, try connecting directly firstdns://example.org?dns=1.1.1.1,1.0.0.1&direct=falseconnect via provided DNS serversstdinto connect to server through standard input / output
--listen <channel>~<listen-url>[~<forward-url>]will open a listening socket on the client.channelname must be the same as defined on the server.listen-urlis the protocol and the host/path to listen on. Protocol may betcp,unixandstdinfoward-urlis the optional direct address of the service. If specified, the client will try to connect to this service directly first and, failing that, start going through upstream services.
The easiest way to set up a server is with a YAML file. The examples directory contains a configuration which
provides different server setups.
socketace client -k --upstream tcp+tls://server.example.com:80 --upstream https://server.example.com/proxy --listen smtp~stdin://ssh localhost -o ProxyCommand='socketace client --upstream http://127.0.0.1:9999/ws/all --listen ssh~stdin://'socketace client -e tcp+tls://server.example.com:80 --listen imap~tcp://127.0.0.1:143 --listen imap~tcp://127.0.0.2:587If you configure your SSH ProxyCommand like the following, you should be able to connect to your SSH server even
in the most restrictive environments. SocketAce will try to connect to the server in decreasing order of preference
through different connection tunnels. The first one to succeeed will establish the connection.
socketace client \
--upstream udp://server.example.com:8000 \ # Try UDP first...
--upstream tcp://server.example.com:8443 \ # ...then try TCP
--upstream http://server.example.com/socketace \ # ...then try HTTP
--upstream https://server.example.com/socketace \ # ...then try HTTPS
--upstream dns://server.example.com \ # ...finally try over DNS
--listen ssh~stdin://If you are trying to proxy a connection to a secure service, you will most likely run into certificate errors. E.g.
If you configure your server with the following:
server:
channels:
- name: google
address: tcp://www.google.com:443
servers:
# Simple socket proxy. No security.
- address: tcp://127.0.0.1:9995...and start the server like this:
socketace server -c config.yml...and start the client like this:
socketace client --upstream tcp://localhost:9995 --listen google~tcp://127.0.0.1:9898Then this will produce a certificate error:
curl https://localhost:9898You need to supply the correct host name (either by overriding your hostfile or supplying the host name, if possible).
With curl, this is trivial:
curl -H "Host: www.google.com" https://localhost:9898There's still some things to be done. If anybody's willing to pick up issues, pull requests are welcome:
- add functionality similar to sslh to be able to "hide" the proxy and share the port with other services
- add proxying of UDP connections
- document the SOCKS proxy option and add tests
- add support for TUN (and TAP?) connections
There's Chisel which tries to achieve about the same goal, but goes about it in a bit of a different way.
