The ntunnel program is designed to tunnel Unix domain sockets over TCP, using the Noise Protocol. The goal is to be secure and simple to use and setup. Due to the flexibility, it can forward any standard stream socket to another stream socket, including TCP sockets.
ntunnel also supports using QUIC instead of Noise. The advantage of QUIC is that you it operates over UDP and allows setting congestion control parameters. The disadvantage is that it using TLS 1.3 like handshake (instead of the stronger Noise), and channel binding is not available.
python3 -m venv p
. ./p/bin/activate
pip install git+https://www.funkthat.com/gitea/jmg/ntunnel.git
and if you want to install the QUIC variant:
pip install 'ntunnel [quic] @ git+https://www.funkthat.com/gitea/jmg/ntunnel.git'
Note: If you have installed the package, there is also the program
ntunnel
that can be used instead of python -m ntunnel
.
Generate the keys:
ntunnel genkey serverkey
ntunnel genkey clientkey
Create the target for the pass through:
nc -lU finalsock
Start the server and client:
ntunnel server serverkey --clientkey clientkey.pub unix:$(pwd)/servsock unix:$(pwd)/finalsock
ntunnel client clientkey serverkey.pub unix:$(pwd)/clientsock unix:$(pwd)/servsock
Attach to the client:
nc -U clientsock
Now when you type text into either of the nc windows, you should see the same text come out the other side.
Generate a self-signed server key:
tmp=$(mktemp)
cat > "$tmp" << EOF
[req]
distinguished_name=req
[san]
subjectAltName=DNS:localhost,server.example.com
EOF
openssl req -x509 -newkey rsa:4096 -sha256 -days 3560 -nodes \
-keyout example.key -out example.crt \
-subj '/CN=ntunnel example cert' -config "$tmp"
rm "$tmp"
Note: as QUIC uses standard TLS certificates, instead of a self-signed certificate as generated above, a certificate signed by a CA may be used instead. This allows the client to not need the server certificate and uses the normal CA root store.
Run the server:
ntunnel quic_serv -k example.key -c example.crt udp:192.0.2.5:12322 tcp:127.0.0.1:22
Run client:
ntunnel quic_client --ca-certs funkthat.crt tcp:127.0.0.1:42720 udp:192.0.2.5:12322
Currently ntunnel requires Python 3.7 or later. If the default virtualenv is not 3.7 or later, you can set the VIRTUALENV variable to specify which one to use, such as:
make env VIRTUALENV=virtualenv-3.7
If you want to use an alternate version of python, you can specify VIRTUALENVARGS, such as:
make env VIRTUALENV=virtualenv-3.7 VIRTUALENVARGS="-p $(which pypy3)"
Once you have the environment setup, you can source the development environment:
. ./p/bin/activate
and then run the tests:
make test-noentr
If you have the program entr (used for watching files, and running a command) installed, you can use the command:
make test
to run the tests, and whenever ntunnel/init.py gets modified, the tests will automatically run. This is useful for running in another window (such a tmux), and being able to quickly see the results of your tests.
Note that I have not been able to test this w/ pypy3, as when compiling the cryptography libraries, it would pick the wrong ones, despite setting CFLAGS and LDFLAGS.