Skip to content

Latest commit

 

History

History
115 lines (72 loc) · 2.45 KB

README.md

File metadata and controls

115 lines (72 loc) · 2.45 KB

NetGuard

Introduction

A layer 4 Single Packet Authentication (SPA) Server, used to conceal TCP/UDP ports on public facing machines and add an extra layer of security.

Project structure

netguard-server: SPA service program responsible for authenticating knock packets and connection tracking.

netguard-tool: generate signing certificates, generate and send knock packets.

Source code directory

.
├── Makefile        # convenient compilation
├── crypto          # encryption and decryption crate
│   ├── Cargo.toml
│   └── src
├── server          # netguard-server implement
│   ├── Cargo.toml
│   ├── config      # config file used for running netguard-server
│   └── src
└── tool            # netguard-tool implement
    ├── Cargo.toml
    └── src

Basic Usage

Run server protection ports

Run netguard-server on the server side to hide tcp port 10022:

$ netguard-server -c ./netguard.toml

Run knock tool

On client site, Using netguard-tool to send TCP port knock packets.

The following command sends a knock packet to unlock TCP port 10022:

$ sudo ./netguard-tool auth --server 45.76.195.141 --protocol=tcp --unlock 10022 --key=./rsa_key

If want to unlock a UDP port, use --protocol=udp

Example

Two devices, one listening on port 10022 and then taken over by netguard-server:

image

Generating an Key Pair Manually

Generating an RSA Key Pair with Default Options:

$ netguard-tool keygen

The parameters for the default option are equivalent to: netguard-tool keygen -a rsa -b 4096 -o .netguard/rsa

More parameter help:

$ netguard-tool keygen --help

Reload config

Reload netguard-server config file:

$ pkill -HUP netguard-server

Build

Build release version.

$ make release

or

$ cargo build --release

Notice

The nfqueue function is provided by iptables, before starting netguard-server, you need to make sure that iptables is started.

TODO

  • Add query and reject connection Interfaces
  • More certificate signing algorithms
  • Hot update bin executable program
  • Audit log
  • Knock SDK APIs

Reference