7x31
/
anylink
mirror of https://github.com/bjdgyc/anylink.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #304 from bjdgyc/dev 

Dev
This commit is contained in:
bjdgyc 2024-03-19 17:01:03 +08:00 committed by GitHub
parent 8ea158a71e 268e9c4e92
commit bdc8e267a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 109 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -108,10 +108,11 @@ sudo ./anylink
- [x] 兼容 AnyConnect - [x] 兼容 AnyConnect
- [x] 兼容 OpenConnect - [x] 兼容 OpenConnect
- [x] 基于 tun 设备的 nat 访问模式 - [x] 基于 tun 设备的 nat 访问模式
- [x] 基于 tap 设备的桥接访问模式 - [x] 基于 tun 设备的桥接访问模式
- [x] 基于 macvtap 设备的桥接访问模式 - [x] 基于 macvtap 设备的桥接访问模式
- [x] 支持 [proxy protocol v1&v2](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议 - [x] 支持 [proxy protocol v1&v2](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议
- [x] 用户组支持 - [x] 用户组支持
- [x] 用户组策略支持
- [x] 多用户支持 - [x] 多用户支持
- [x] 用户策略支持 - [x] 用户策略支持
- [x] TOTP 令牌支持 - [x] TOTP 令牌支持
@ -119,10 +120,15 @@ sudo ./anylink
- [x] 流量速率限制 - [x] 流量速率限制
- [x] 后台管理界面 - [x] 后台管理界面
- [x] 访问权限管理 - [x] 访问权限管理
- [x] 用户活动审计功能
- [x] IP 访问审计功能 - [x] IP 访问审计功能
- [x] 域名动态拆分隧道(域名路由功能) - [x] 域名动态拆分隧道(域名路由功能)
- [x] radius认证支持 - [x] radius认证支持
- [x] LDAP认证支持 - [x] LDAP认证支持
- [x] 空闲链接超时自动断开
- [x] 流量压缩功能
- [x] 出口 IP 自动放行
- [x] 支持多服务的配置区分
- [ ] 基于 ipvtap 设备的桥接访问模式 - [ ] 基于 ipvtap 设备的桥接访问模式
## Config ## Config

65
build.sh
View File

@ -1,74 +1,21 @@
#!/bin/bash #!/bin/bash
#github action release.sh
set -x
function RETVAL() {
rt=$1
if [ $rt != 0 ]; then
echo $rt
exit 1
fi
}
#当前目录 #当前目录
cpath=$(pwd) cpath=$(pwd)
ver=$(cat version) ver=$(cat version)
echo $ver echo $ver
echo "copy二进制文件" #前端编译 仅需要执行一次
bash ./build_web.sh
cd $cpath/server cd $cpath/server
# -tags osusergo,netgo,sqlite_omit_load_extension
flags="-trimpath"
ldflags="-s -w -extldflags '-static' -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.buildDate=$(date --iso-8601=seconds)"
#github action
gopath=/go
dockercmd=$( go build -v -o anylink
cat <<EOF
sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
apk add gcc g++ musl musl-dev tzdata
export GOPROXY=https://goproxy.cn
go mod tidy
echo "build:"
export CGO_ENABLED=1
go build -v -o anylink_amd64 $flags -ldflags "$ldflags"
./anylink_amd64 -v
EOF
)
#使用 musl-dev 编译 ./anylink -v
docker run -q --rm -v $PWD:/app -v $gopath:/go -w /app --platform=linux/amd64 \
golang:1.20-alpine3.19 sh -c "$dockercmd"
exit 0
#arm64编译 echo "anylink 编译完成,目录: $cpath/server/anylink"
docker run -q --rm -v $PWD:/app -v $gopath:/go -w /app --platform=linux/arm64 \
golang:1.20-alpine3.19 go build -o anylink_arm64 $flags -ldflags "$ldflags"
./anylink_arm64 -v
exit 0
cd $cpath
echo "整理部署文件"
deploy="anylink-deploy"
rm -rf $deploy ${deploy}.tar.gz
mkdir $deploy
mkdir $deploy/log
cp -r server/anylink $deploy
cp -r server/bridge-init.sh $deploy
cp -r server/conf $deploy
cp -r systemd $deploy
cp -r LICENSE $deploy
cp -r home $deploy
tar zcvf ${deploy}.tar.gz $deploy
#注意使用root权限运行
#cd anylink-deploy
#sudo ./anylink --conf="conf/server.toml"

72
build_test.sh Normal file
View File

@ -0,0 +1,72 @@
#!/bin/bash
#github action release.sh
set -x
function RETVAL() {
rt=$1
if [ $rt != 0 ]; then
echo $rt
exit 1
fi
}
#当前目录
cpath=$(pwd)
ver=$(cat version)
echo $ver
#前端编译 仅需要执行一次
#bash ./build_web.sh
echo "copy二进制文件"
# -tags osusergo,netgo,sqlite_omit_load_extension
flags="-trimpath"
ldflags="-s -w -extldflags '-static' -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.buildDate=$(date --iso-8601=seconds)"
#github action
gopath=/go
dockercmd=$(
cat <<EOF
sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
apk add gcc g++ musl musl-dev tzdata
export GOPROXY=https://goproxy.cn
go mod tidy
echo "build:"
rm anylink
export CGO_ENABLED=1
go build -v -o anylink $flags -ldflags "$ldflags"
./anylink -v
EOF
)
#使用 musl-dev 编译
docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/amd64 \
golang:1.20-alpine3.19 sh -c "$dockercmd"
#arm64编译
#docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/arm64 \
# golang:1.20-alpine3.19 go build -o anylink_arm64 $flags -ldflags "$ldflags"
#exit 0
#cd $cpath
echo "整理部署文件"
rm -rf anylink-deploy anylink-deploy.tar.gz
mkdir anylink-deploy
mkdir anylink-deploy/log
cp -r server/anylink anylink-deploy
cp -r server/conf anylink-deploy
cp -r index_template anylink-deploy
cp -r deploy anylink-deploy
cp -r LICENSE anylink-deploy
tar zcvf anylink-deploy.tar.gz anylink-deploy
#注意使用root权限运行
#cd anylink-deploy
#sudo ./anylink --conf="conf/server.toml"

4
server/base/config.go
View File

@ -22,7 +22,7 @@ type config struct {
var configs = []config{ var configs = []config{
{Typ: cfgStr, Name: "conf", Usage: "config file", ValStr: "./conf/server.toml", Short: "c"}, {Typ: cfgStr, Name: "conf", Usage: "config file", ValStr: "./conf/server.toml", Short: "c"},
{Typ: cfgStr, Name: "profile", Usage: "profile.xml file", ValStr: "./conf/profile.xml"}, {Typ: cfgStr, Name: "profile", Usage: "profile.xml file", ValStr: "./conf/profile.xml"},
{Typ: cfgStr, Name: "profile_name", Usage: "profile name(用于区分不同网站的配置)", ValStr: "anylink"}, {Typ: cfgStr, Name: "profile_name", Usage: "profile name(用于区分不同服务端的配置)", ValStr: "anylink"},
{Typ: cfgStr, Name: "server_addr", Usage: "TCP服务监听地址(任意端口)", ValStr: ":443"}, {Typ: cfgStr, Name: "server_addr", Usage: "TCP服务监听地址(任意端口)", ValStr: ":443"},
{Typ: cfgBool, Name: "server_dtls", Usage: "开启DTLS", ValBool: false}, {Typ: cfgBool, Name: "server_dtls", Usage: "开启DTLS", ValBool: false},
{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址(任意端口)", ValStr: ":443"}, {Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址(任意端口)", ValStr: ":443"},
@ -59,7 +59,7 @@ var configs = []config{
{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 40}, {Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 40},
{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 60}, {Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 60},
{Typ: cfgInt, Name: "mtu", Usage: "最大传输单元MTU", ValInt: 1460}, {Typ: cfgInt, Name: "mtu", Usage: "最大传输单元MTU", ValInt: 1460},
{Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接0关闭此功能", ValInt: 1800}, {Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接0关闭此功能", ValInt: 0},
{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)-用于断线重连0永不过期", ValInt: 3600}, {Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)-用于断线重连0永不过期", ValInt: 3600},
// {Typ: cfgInt, Name: "auth_timeout", Usage: "auth_timeout", ValInt: 0}, // {Typ: cfgInt, Name: "auth_timeout", Usage: "auth_timeout", ValInt: 0},
{Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: 600}, {Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: 600},

6
server/conf/server-sample.toml
View File

@ -11,7 +11,7 @@ cert_file = "./conf/vpn_cert.pem"
cert_key = "./conf/vpn_cert.key" cert_key = "./conf/vpn_cert.key"
files_path = "./conf/files" files_path = "./conf/files"
profile = "./conf/profile.xml" profile = "./conf/profile.xml"
#profile name(用于区分不同网站的配置) #profile name(用于区分不同服务端的配置)
#客户端存放位置 C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile #客户端存放位置 C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile
profile_name = "anylink" profile_name = "anylink"
#日志目录,为空写入标准输出 #日志目录,为空写入标准输出
@ -82,10 +82,10 @@ default_domain = "example.com"
#default_domain = "example.com abc.example.com" #default_domain = "example.com abc.example.com"
#空闲链接超时时间(秒)-超时后断开链接0关闭此功能 #空闲链接超时时间(秒)-超时后断开链接0关闭此功能
idle_timeout = 1800 idle_timeout = 0
#session过期时间用于断线重连0永不过期 #session过期时间用于断线重连0永不过期
session_timeout = 3600 session_timeout = 3600
auth_timeout = 0 #auth_timeout = 0
audit_interval = 600 audit_interval = 600
show_sql = false show_sql = false

5
server/handler/link_auth.go
View File

@ -46,10 +46,11 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
cr := ClientRequest{} cr := ClientRequest{}
err = xml.Unmarshal(body, &cr) err = xml.Unmarshal(body, &cr)
if err != nil { if err != nil {
base.Error(err)
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
return return
} }
// fmt.Printf("%+v \n", cr) base.Trace(fmt.Sprintf("%+v \n", cr))
// setCommonHeader(w) // setCommonHeader(w)
if cr.Type == "logout" { if cr.Type == "logout" {
// 退出删除session信息 // 退出删除session信息
@ -140,7 +141,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash} Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash}
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
tplRequest(tpl_complete, w, rd) tplRequest(tpl_complete, w, rd)
base.Debug("login", cr.Auth.Username, userAgent) base.Info("login", cr.Auth.Username, userAgent)
} }
const ( const (

8
server/handler/link_cstp.go
View File

@ -37,14 +37,14 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
// 设置超时限制 // 设置超时限制
err = conn.SetReadDeadline(utils.NowSec().Add(dead)) err = conn.SetReadDeadline(utils.NowSec().Add(dead))
if err != nil { if err != nil {
base.Error("SetDeadline: ", cSess.Username, err) base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
return return
} }
// hdata := make([]byte, BufferSize) // hdata := make([]byte, BufferSize)
pl := getPayload() pl := getPayload()
n, err = bufRW.Read(pl.Data) n, err = bufRW.Read(pl.Data)
if err != nil { if err != nil {
base.Error("read hdata: ", cSess.Username, err) base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
return return
} }
@ -69,7 +69,7 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
} }
case 0x05: // DISCONNECT case 0x05: // DISCONNECT
cSess.UserLogoutCode = dbdata.UserLogoutClient cSess.UserLogoutCode = dbdata.UserLogoutClient
base.Debug("DISCONNECT", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, string(pl.Data[9:n])) base.Info("DISCONNECT", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, string(pl.Data[9:n]))
sessdata.CloseSess(cSess.Sess.Token, dbdata.UserLogoutClient) sessdata.CloseSess(cSess.Sess.Token, dbdata.UserLogoutClient)
return return
case 0x03: // DPD-REQ case 0x03: // DPD-REQ
@ -176,7 +176,7 @@ func cstpWrite(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessi
n, err = conn.Write(pl.Data) n, err = conn.Write(pl.Data)
if err != nil { if err != nil {
base.Error("write err", cSess.Username, err) base.Warn("write err", cSess.Username, cSess.IpAddr, err)
return return
} }

15
server/handler/link_dtls.go
View File

@ -36,14 +36,14 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
for { for {
err = conn.SetReadDeadline(utils.NowSec().Add(dead)) err = conn.SetReadDeadline(utils.NowSec().Add(dead))
if err != nil { if err != nil {
base.Error("SetDeadline: ", cSess.Username, err) base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
return return
} }
pl := getPayload() pl := getPayload()
n, err = conn.Read(pl.Data) n, err = conn.Read(pl.Data)
if err != nil { if err != nil {
base.Error("read hdata: ", cSess.Username, err) base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
return return
} }
@ -59,10 +59,10 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
base.Trace("recv LinkDtls Keepalive", cSess.Username, cSess.IpAddr, conn.RemoteAddr()) base.Trace("recv LinkDtls Keepalive", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
case 0x05: // DISCONNECT case 0x05: // DISCONNECT
cSess.UserLogoutCode = dbdata.UserLogoutClient cSess.UserLogoutCode = dbdata.UserLogoutClient
base.Debug("DISCONNECT DTLS", cSess.Username, cSess.IpAddr, conn.RemoteAddr()) base.Info("DISCONNECT DTLS", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
return return
case 0x03: // DPD-REQ case 0x03: // DPD-REQ
base.Trace("recv LinkDtls DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, pl.Data[:n]) base.Trace("recv LinkDtls DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n)
pl.PType = 0x04 pl.PType = 0x04
// 从零开始 可以直接赋值 // 从零开始 可以直接赋值
pl.Data = pl.Data[:n] pl.Data = pl.Data[:n]
@ -151,12 +151,15 @@ func dtlsWrite(conn net.Conn, dSess *sessdata.DtlsSession, cSess *sessdata.ConnS
} }
} else { } else {
// 设置头类型 // 设置头类型
// pl.Data = append(pl.Data[:0], pl.PType) if pl.PType == 0x04 {
pl.Data[0] = pl.PType pl.Data[0] = pl.PType
} else {
pl.Data = append(pl.Data[:0], pl.PType)
}
} }
n, err := conn.Write(pl.Data) n, err := conn.Write(pl.Data)
if err != nil { if err != nil {
base.Error("write err", cSess.Username, err) base.Warn("write err", cSess.Username, cSess.IpAddr, err)
return return
} }

1
server/handler/link_tun.go
View File

@ -46,6 +46,7 @@ func checkTun() {
// 修复 rockyos nat 不生效 // 修复 rockyos nat 不生效
base.CheckModOrLoad("iptable_filter") base.CheckModOrLoad("iptable_filter")
base.CheckModOrLoad("iptable_nat") base.CheckModOrLoad("iptable_nat")
// base.CheckModOrLoad("xt_comment")
// 添加注释 // 添加注释
natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-m", "comment", natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-m", "comment",

2
server/handler/link_tunnel.go
View File

@ -92,7 +92,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
dtlsPort = ss[1] dtlsPort = ss[1]
} }
base.Debug(cSess.IpAddr, cSess.MacHw, sess.Username, mobile) base.Info(sess.Username, cSess.IpAddr, cSess.MacHw, cSess.Client, mobile)
// 检测密码套件 // 检测密码套件
dtlsCiphersuite := checkDtls12Ciphersuite(r.Header.Get("X-Dtls12-Ciphersuite")) dtlsCiphersuite := checkDtls12Ciphersuite(r.Header.Get("X-Dtls12-Ciphersuite"))