Tunneling TCP connections in WebSocket to circumventing firewalls. It's light and can run on some PaaS (with SSL support).
- Authentication
- Proxy support (using HTTP CONNECT; test your proxy)
- Display error message in browser (plain HTTP only)
- SOCKS v5 and HTTP(S) in the same port (HTTP proxy is slower)
WARN: Do not rely it on security when not using SSL (encryption always enabled, but is much weaker than SSH tunnel)
wstan [-h] [-g] [-c | -s] [-d] [-z] [-p PORT] [-t TUN_ADDR]
[-r TUN_PORT]
[uri] [key]
positional arguments:
uri URI of server
key base64 encoded 16-byte key
optional arguments:
-h, --help show this help message and exit
-g, --gen-key generate a key and exit
-c, --client run as client (default, also act as SOCKS5/HTTP(S)
server)
-s, --server run as server
-d, --debug
-y PROXY, --proxy PROXY
let client use a HTTPS proxy (host:port)
-z, --compatible useful when server is behind WS proxy
-p PORT, --port PORT listen port of SOCKS5/HTTP(S) server at localhost
(defaults 1080)
-t TUN_ADDR, --tun-addr TUN_ADDR
listen address of server, overrides URI
-r TUN_PORT, --tun-port TUN_PORT
listen port of server, overrides URI
Example:
# generate a key using "wstan -g"
wstan ws://yourserver.com KEY -s # server
wstan ws://yourserver.com KEY # client
# now a proxy server is listening at localhost:1080 (at client side)
Example for OpenShift with SSL:
wstan wss://yours.rhcloud.com:8443 KEY -s -z -t $OPENSHIFT_PYTHON_IP -r $OPENSHIFT_PYTHON_PORT # server
wstan wss://yours.rhcloud.com:8443 KEY -z # client
- chisel
- https://github.com/mhzed/wstunnel
- https://github.com/ffalcinelli/wstunnel
- shadowsocks-dotcloud
- multitun (VPN)
- etherws (VPN)
- websockify (not for circumventing FW)
- gost
Goal: make active probing against server side more difficult while still keeping low latency of connection establishment and being stateless (inspired by shadowsocks).
Tech Detail:
- request frame has HMAC and timestamp (data frame has nothing), and all frames are encrypted using AES-128-CTR
- when establishing a connection, request frame will be encoded into URI (to achieve low latency)
- it assumes that a TCP client will send some data to server right after connection established, and those data will be put into request frame
- it has a connection pool