# Psiphon 3 Tunnel Core README
## Client Setup

### Build
- Go 1.8 (or higher) is required.
- This project builds and runs on recent versions of Windows, Linux, and Mac OS X.
- Note that the `psiphon` package is imported using the absolute path `github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon`; without further local configuration, `go` will use this version of the code and not the local copy in the repository.
- In this repository, run `go build` in `ConsoleClient` to make the `ConsoleClient` binary, a console Psiphon client application.
- Build versioning info may be configured as follows, and passed to `go build` in the `-ldflags` argument:

```
BUILDDATE=$(date --iso-8601=seconds)
BUILDREPO=$(git config --get remote.origin.url)
BUILDREV=$(git rev-parse --short HEAD)
GOVERSION=$(go version | perl -ne '/go version (.*?) / && print $1')
DEPENDENCIES=$(echo -n "{" && go list -f '{{range $dep := .Deps}}{{printf "%s\n" $dep}}{{end}}' | xargs go list -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | xargs -I pkg bash -c 'cd $GOPATH/src/pkg && echo -n "\"pkg\":\"$(git rev-parse --short HEAD)\","' | sed 's/,$/}/')

LDFLAGS="\
-X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common.buildDate=$BUILDDATE \
-X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common.buildRepo=$BUILDREPO \
-X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common.buildRev=$BUILDREV \
-X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common.goVersion=$GOVERSION \
-X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common.dependencies=$DEPENDENCIES \
"
```
#### Platform-specific instructions

##### macOS

- You must have Homebrew installed.

  ```
  brew install openssl pkg-config
  ```

- Find out where Homebrew put the `pkgconfig` files for OpenSSL; the location depends on your Homebrew installation. Run this command:

  ```
  $ brew info openssl
  ```

  Make note of the "build variable" path for `PKG_CONFIG_PATH`.

- Set `PKG_CONFIG_PATH=<path discovered above>` when building, and provide the `-tags OPENSSL` flag. This can be done on the build command line like so:

  ```
  $ PKG_CONFIG_PATH=<path discovered above> go build -tags OPENSSL
  ```
### Configure

- Configuration files are standard text files containing a valid JSON object. Example:

  ```json
  {
      "PropagationChannelId" : "<placeholder>",
      "SponsorId" : "<placeholder>",
      "LocalHttpProxyPort" : 8080,
      "LocalSocksProxyPort" : 1080
  }
  ```

  The markers `<!--BEGIN-SAMPLE-CONFIG-->` and `<!--END-SAMPLE-CONFIG-->` (visible in the raw Markdown) are used by the config test. Do not remove them.
- All config file parameters are documented here.
- Replace each `<placeholder>` with a value from your Psiphon server. The Psiphon server-side stack is open source and can be found in our Psiphon 3 repository.
### Run

- Run `./ConsoleClient --config psiphon.config`, where `psiphon.config` is created as described in the Configure section above.
## Other Platforms

- The project builds and runs on Android. See the Android Library README for more information about building the Go component, and the Android Sample App README for a sample Android app that uses it.

## Acknowledgements

- Go
- boltdb/bolt
- patrickmn/go-cache
- miekg/dns
- ThomsonReutersEikon/go-ntlm
- Yawning/goptlib
- zach-klippenstein/goregen
- creack/goselect
- Sirupsen/logrus
- grafov/m3u8
- oschwald/maxminddb-golang
- goarista/monotime
- spacemonkeygo/openssl
- kardianos/osext
- mitchellh/panicwrap
- juju/ratelimit
- codahale/sss
## Overview

Psiphon is an Internet censorship circumvention system.

The tunnel core project includes a tunneling client and server, which together implement key aspects of evading blocking and relaying client traffic through Psiphon and beyond censorship.

All Psiphon open source projects, including the complete open source code for Android, iOS, and Windows clients, may be found at www.github.com/Psiphon-Inc/psiphon.

For more information about Psiphon Inc., please visit our web site at www.psiphon.ca.
```
psiphon-tunnel-core
  └── ClientLibrary    General client libraries
  └── ConsoleClient    CLI client program
  └── MobileLibrary    Android/iOS client libraries
  └── Server           Server program
  └── psiphon          Client code package
        └── common\...   Common code packages
        └── server       Server code package
```
Psiphon tunnels Internet traffic through a network of proxy servers with the goal of circumventing Internet censorship.
Users run a client program which connects to a proxy server and routes client host Internet traffic through a tunnel established to the proxy. Traffic egresses from the proxy, which is located beyond the entity censoring the user's Internet.
Psiphon has multiple routing modes:
- Port forward mode: the client runs localhost SOCKS and HTTPS proxies and the client host or individual apps are configured to use these local proxies; each connection to a local proxy is relayed through the tunnel to the server.
- Packet tunnel mode: the client relays IP packets between a host "tun" device and the server.
At the core of all tunnels is an SSH connection which protects the confidentiality and integrity of client traffic between the client host and the proxy server. Clients authenticate the SSH server using pre-shared public keys, ensuring clients connect only to authentic Psiphon servers.
Server connection information, including SSH public keys, addresses, and obfuscation parameters are distributed to clients in the form of a list of "server entries". Each server entry fully describes one Psiphon server.
Client binaries may be built with embedded server lists. Clients may also "discover" new server entries when they successfully connect to a server.
Psiphon also uses out-of-band server list delivery mechanisms, including fetching server lists from drops which are configured in the clients. All out-of-band mechanisms perform additional server list verification using public keys configured in the clients.
All delivery mechanisms use partitioning to prevent trivial enumeration of all server entries.
Some out-of-band server lists, called "obfuscated server lists", are encrypted, and only clients that have been granted the required keys can access the included servers.
The core SSH protocol is wrapped in optional obfuscation layers which transform traffic in order to evade blocking of Psiphon servers. Mitigated attacks include endpoint blocking, keyword-based blocking, DPI-based blocking, and more.
Obfuscation techniques include:
- Making traffic on the wire look fully random.
- Making traffic on the wire look like popular implementations of popular protocols.
- Performing traffic shaping to obscure the size and timing properties of encapsulated traffic.
- Connecting to proxy servers indirectly, via intermediaries.
To minimize connection time, Psiphon makes multiple concurrent connection attempts to different servers using different obfuscation techniques. This process generally selects the fastest working obfuscation technique and server. This process is how Psiphon load balances clients across its network of servers without using a centralized load balancing mechanism.
A successful connection may be subject to further quality tests before selection. The Psiphon client remembers which servers and which obfuscation techniques and parameters are successful and prioritizes using the same on subsequent connections.
Psiphon uses a mechanism called "tactics" to remotely deliver targeted, optimized configuration and obfuscation parameters to clients.
Official binaries are available at:

- https://github.com/Psiphon-Labs/psiphon-tunnel-core-binaries
- https://github.com/Psiphon-Labs/psiphon-tunnel-core/releases, for libraries
For these instructions, use:
Run the "generate" mode of psiphond to generate configs, setting the IP address as appropriate; this is the address the client will use to connect to the server.

```
$ ./psiphond -ipaddress 127.0.0.1 -protocol OSSH:9999 generate

$ ls
psiphond
psiphond.config
psiphond-osl.config
psiphond-tactics.config
psiphond-traffic-rules.config
server-entry.dat
```

Create a client config file, copying the contents of `server-entry.dat` to the `TargetServerEntry` field.

```
$ cat server-entry.dat
3132372e302e302e31202020207b22746167223a22222c2269[...]

$ cat client.config
{
    "LocalHttpProxyPort" : 8080,
    "LocalSocksProxyPort" : 1080,
    "PropagationChannelId" : "24BCA4EE20BEB92C",
    "SponsorId" : "721AE60D76700F5A",
    "TargetServerEntry" : "3132372e302e302e31202020207b22746167223a22222c2269[...]"
}
```

```
$ ./psiphond run
{"localAddress":"127.0.0.1:9999","msg":"listening","tunnelProtocol":"OSSH",[...]}
{"localAddress":"127.0.0.1:9999","msg":"running","tunnelProtocol":"OSSH",[...]}
[...]
```

```
$ ./ConsoleClient -config ./client.config
{"data":{"port":1080},"noticeType":"ListeningSocksProxyPort",[...]}
{"data":{"port":8080},"noticeType":"ListeningHttpProxyPort",[...]}
[...]
{"data":{"count":1},"noticeType":"Tunnels",[...]}
```

Use the local SOCKS proxy (port 1080) or HTTP proxy (port 8080) to tunnel traffic.
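The client config step above (and the Configure section earlier) has you paste the hex from `server-entry.dat` into `TargetServerEntry` by hand. The following is an added example, not code from the Psiphon project, that does that step programmatically and checks the pasted entry before writing `client.config`. It assumes the decoded server entry begins with the server IP address followed by a space (the README's sample hex decodes to `127.0.0.1    {...`), and it reuses the README's sample IDs as constructed placeholders.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// BuildClientConfig renders client.config (keys as shown above) from server-entry.dat.
// Assumption, not documented on this page: the hex decodes to a space-separated record
// whose first field is the server IP (the README's sample decodes to "127.0.0.1    {...").
// Entries whose address is not the -ipaddress given to "psiphond generate" are rejected.
func BuildClientConfig(entryHex, expectedAddr, channelID, sponsorID string) ([]byte, error) {
	entryHex = strings.TrimSpace(entryHex)
	raw, err := hex.DecodeString(entryHex)
	if err != nil {
		return nil, fmt.Errorf("server entry is not valid hex: %w", err)
	}
	fields := strings.SplitN(string(raw), " ", 2)
	if len(fields) < 2 || fields[0] != expectedAddr {
		return nil, fmt.Errorf("server entry address %q, expected %q", fields[0], expectedAddr)
	}
	cfg := map[string]interface{}{
		"LocalHttpProxyPort":   8080,
		"LocalSocksProxyPort":  1080,
		"PropagationChannelId": channelID,
		"SponsorId":            sponsorID,
		"TargetServerEntry":    entryHex,
	}
	return json.MarshalIndent(cfg, "", "  ")
}

func must(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

func main() {
	// Reads the server-entry.dat written by "psiphond generate -ipaddress 127.0.0.1";
	// the two IDs are the README's sample values, replace them with your own.
	entry, err := os.ReadFile("server-entry.dat")
	must(err)
	out, err := BuildClientConfig(string(entry), "127.0.0.1", "24BCA4EE20BEB92C", "721AE60D76700F5A")
	must(err)
	must(os.WriteFile("client.config", out, 0o600))
}
```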
The `github.com/Psiphon-Labs/psiphon-tunnel-core` Go module may be imported into other Go programs. Due to legacy release tags predating use of Go modules in this repository, neither `go get ...@latest` nor `go get ...@tag` are supported at this time. To use the psiphon-tunnel-core Go module and its dependencies, reference a specific commit, or reference the `staging-client` branch, which is the client-side, production-ready branch:

```
% go get github.com/Psiphon-Labs/psiphon-tunnel-core@staging-client
go: added github.com/Psiphon-Labs/psiphon-tunnel-core v1.0.11-0.20240424194431-3612a5a6fb4c
```
Psiphon Tunnel Core uses:
- Go
- agl/ed25519
- AndreasBriese/bbloom
- aristanetworks/goarista/monotime
- armon/go-proxyproto
- armon/go-socks
- bifurcation/mint
- boltdb/bolt
- cheekybits/genny/generic
- codahale/sss
- cognusion/go-cache-lru
- creack/goselect
- davecgh/go-spew/spew
- deckarep/golang-set
- dgraph-io/badger
- dgryski/go-farm
- elazarl/goproxy
- florianl/go-nfqueue
- gobwas/glob
- golang/protobuf
- google/gopacket
- grafov/m3u8
- hashicorp/golang-lru
- juju/ratelimit
- kardianos/osext
- groupcache/lru
- lucas-clemente/quic-go
- marusama/semaphore
- mdlayher/netlink
- miekg/dns
- mitchellh/panicwrap
- oschwald/maxminddb-golang
- patrickmn/go-cache
- pkg/errors
- pmezard/go-difflib
- refraction-networking/gotapdance
- refraction-networking/utls
- ryanuber/go-glob
- sergeyfrolov/bsbuffer
- sirupsen/logrus
- stretchr/testify
- syndtr/gocapability/capability
- ThomsonReutersEikon/go-ntlm
- wader/filtertransport
- Yawning/chacha20
- Yawning/goptlib
- yawning/obfs4
- zach-klippenstein/goregen
- zap