{"id":17099830,"url":"https://github.com/cppcoffee/netguard","last_synced_at":"2025-04-12T23:53:07.223Z","repository":{"id":214960303,"uuid":"737777956","full_name":"cppcoffee/netguard","owner":"cppcoffee","description":"Layer 4 Single Packet Authentication utilizing Netfilter Queue and libnetfilter.","archived":false,"fork":false,"pushed_at":"2024-10-12T10:20:15.000Z","size":294,"stargazers_count":12,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-12T23:52:50.131Z","etag":null,"topics":["conntrack","knock","libnetfilter-queue","single-packet-authorization","spa","zerotrust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cppcoffee.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2024-01-01T13:16:28.000Z","updated_at":"2024-10-12T10:20:16.000Z","dependencies_parsed_at":"2024-01-15T16:17:50.717Z","dependency_job_id":"a4dbaad1-3825-4338-a955-0decb88602da","html_url":"https://github.com/cppcoffee/netguard","commit_stats":null,"previous_names":["cppcoffee/netguard"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cppcoffee%2Fnetguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cppcoffee%2Fnetguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cppcoffee%2Fnetguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cppcoffee%2Fnetguard/manifests","owner_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/owners/cppcoffee","download_url":"https://codeload.github.com/cppcoffee/netguard/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248647240,"owners_count":21139082,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["conntrack","knock","libnetfilter-queue","single-packet-authorization","spa","zerotrust"],"created_at":"2024-10-14T15:11:32.534Z","updated_at":"2025-04-12T23:53:07.194Z","avatar_url":"https://github.com/cppcoffee.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NetGuard\n\n## Introduction\n\nA layer 4 Single Packet Authentication (SPA) server, used to conceal TCP/UDP ports on public-facing machines and add an extra layer of security.\n\n## Project structure\n\n`netguard-server`: SPA service program responsible for authenticating knock packets and connection tracking.\n\n`netguard-tool`: generate signing certificates, generate and send knock packets.\n\n### Source code directory\n\n```\n.\n├── Makefile        # convenient compilation\n├── crypto          # encryption and decryption crate\n│   ├── Cargo.toml\n│   └── src\n├── server          # netguard-server implementation\n│   ├── Cargo.toml\n│   ├── config      # config file used for running netguard-server\n│   └── src\n└── tool            # netguard-tool implementation\n    ├── Cargo.toml\n    └── src\n```\n\n## Basic Usage\n\n### Run the server to protect ports\n\nRun `netguard-server` on the server side to hide TCP port 10022:\n\n```shell\n$ netguard-server -c ./netguard.toml\n```\n\n### Run knock 
tool\n\nOn the client side, use `netguard-tool` to send TCP port knock packets.\n\nThe following command sends a knock packet to unlock TCP port 10022:\n\n```shell\n$ sudo ./netguard-tool auth --server 45.76.195.141 --protocol=tcp --unlock 10022 --key=./rsa_key\n```\n\nTo unlock a UDP port, use `--protocol=udp`.\n\n### Example\n\nTwo devices, one listening on port 10022 and then taken over by `netguard-server`:\n\n![image](https://github.com/cppcoffee/netguard/blob/main/img/example.png?raw=true)\n\n\n### Generating a Key Pair Manually\n\nGenerate an RSA key pair with the default options:\n\n```shell\n$ netguard-tool keygen\n```\n\nThe parameters for the default option are equivalent to: `netguard-tool keygen -a rsa -b 4096 -o .netguard/rsa`\n\nFor help with more parameters:\n\n```shell\n$ netguard-tool keygen --help\n```\n\n\n### Reload config\n\nReload the `netguard-server` config file:\n\n```shell\n$ pkill -HUP netguard-server\n```\n\n\n## Build\n\nBuild the release version:\n\n```shell\n$ make release\n```\n\nor\n\n```shell\n$ cargo build --release\n```\n\n## Notice\n\nThe `nfqueue` function is provided by `iptables`; before starting `netguard-server`, you need to make sure that `iptables` is started.\n\n## TODO\n\n- Add query and reject connection interfaces\n- More certificate signing algorithms\n- Hot update bin executable program\n- Audit log\n- Knock SDK APIs\n\n## Reference\n\n- [https://www.netfilter.org/](https://www.netfilter.org/)\n- [https://github.com/landhb/DrawBridge](https://github.com/landhb/DrawBridge)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcppcoffee%2Fnetguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcppcoffee%2Fnetguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcppcoffee%2Fnetguard/lists"}