Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/gjbae1212/grpc-vpn

:mushroom: VPN supporting authentication such as Google OpenID Connect or AWS IAM ..., over GRPC. :shipit:
https://github.com/gjbae1212/grpc-vpn

aws-iam go golang google google-openid-connect grpc grpc-vpn vpn

Last synced: 6 days ago
JSON representation

:mushroom: VPN supporting authentication such as Google OpenID Connect or AWS IAM ..., over GRPC. :shipit:

Host: GitHub
URL: https://github.com/gjbae1212/grpc-vpn
Owner: gjbae1212
License: mit
Created: 2020-04-17T01:44:46.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-06-06T03:40:06.000Z (over 4 years ago)
Last Synced: 2024-06-20T09:20:35.733Z (5 months ago)
Topics: aws-iam, go, golang, google, google-openid-connect, grpc, grpc-vpn, vpn
Language: Go
Homepage:
Size: 55.1 MB
Stars: 59
Watchers: 7
Forks: 5
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# grpc-vpn

**GRPC-VPN** is the **VPN** server and client which supports authentications such as Google OpenId Connect or AWS IAM, using GRPC.

Other authentications(LDAP, ...) will be to apply it, if you will implement custom [ServerAuthMethod](https://github.com/gjbae1212/grpc-vpn/tree/master/auth) for VPN server and [ClientAuthMethod](https://github.com/gjbae1212/grpc-vpn/tree/master/auth) for VPN client.

**Motivation**
Of course, the well-made VPN is already around us.

But many VPN aren't to support multiple authentications. (Generally support to LDAP, configuration file having shared key)

I want to apply multiple authentications by circumstances, so protocol for authentication should organize the plugin which implements it.

**GRPC-VPN**
- It's composed of server and client.
- It's implemented using **Golang**.
- Communicates via **GRPC**.
- Use Tun device.
- Server on VPN can only run on **Linux**, and Client on VPN can run on **Linux** or **Mac**.
- Supports to inject **custom authentication function**.
- Issued JWT is expired after 1.day. (later it will support to change mannually.)

## Why GRPC?
For multiple authentications will support, authentication flow and connection flow should definitely distinguish.

Authentication flow needs to a little unification protocol for applying various case.

Connection flow should have the unitary policy regardless of authentications.
So I was to use JWT authentication and GRPC.

Using GRPC can implement the unification authentication flow, also using JWT and GRPC stream can connect VPN regardless of authentications.

## Getting Started
- It's possible to be used both a third-party library and standalone application.
- **Server on VPN can only run on Linux, and Client on VPN can run on Linux or Mac.**
- It **must run** with **sudo**, becausue it's included network setting that can change on kernel mode.

### 1. Be used Third-Party Library.
> You can write code and run, if you utilize it on circumstances.

**1. Non Authentication**
```go
# -------------------------------------------------
# SERVER
# -------------------------------------------------

import (
"github.com/gjbae1212/grpc-vpn/server"
)

s, _ = server.NewVpnServer(
server.WithVpnSubNet("ex) 192.168.0.100/24"),
server.WithGrpcPort("ex) 443"),
server.WithVpnJwtSalt("ex) jwt salt"),
server.WithVpnJwtExpiration(24*time.Hour),
server.WithGrpcTlsCertification("ex) tls cert"),
server.WithGrpcTlsPem("ex) tls pem"),
)
s.Run()

# -------------------------------------------------
# CLIENT
# -------------------------------------------------

import (
"github.com/gjbae1212/grpc-vpn/client"
"github.com/gjbae1212/grpc-vpn/auth"
)

c, _ := client.NewVpnClient(
client.WithServerAddr("ex) server addr"),
client.WithServerPort("ex) server port"),
client.WithSelfSignedCertification("ex) server tls cert"),
)
c.Run()
```

**2. Authentication [Google OpenID Connect](https://developers.google.com/identity/protocols/oauth2/native-app)**
```go
# -------------------------------------------------
# SERVER
# -------------------------------------------------

import (
"github.com/gjbae1212/grpc-vpn/server"
"github.com/gjbae1212/grpc-vpn/auth"
)

authGoogle, _ := auth.NewServerManagerForGoogleOpenID(
"ex) google openid connect client_id",
"ex) google openid connect client_secret",
"ex) if your GSUITE is using, it's domain name to allow",
[]string{"[email protected]", "blahblah"},
)
authMethod, _ := authGoogle.ServerAuth()

s, _ := server.NewVpnServer(
server.WithVpnSubNet("ex) 192.168.0.100/24"),
server.WithGrpcPort("ex) 443"),
server.WithVpnJwtSalt("ex) jwt salt"),
server.WithVpnJwtExpiration(24*time.Hour),
server.WithGrpcTlsCertification("ex) tls cert"),
server.WithGrpcTlsPem("ex) tls pem"),
server.WithAuthMethods([]auth.ServerAuthMethod{authMethod}), // authentication
)
s.Run()

# -------------------------------------------------
# CLIENT
# -------------------------------------------------

import (
"github.com/gjbae1212/grpc-vpn/client"
"github.com/gjbae1212/grpc-vpn/auth"
)

authGoogle, _ := auth.NewClientManagerForGoogleOpenID(
"ex) google openid connect client_id",
"ex) google openid connect client_secret",
)

authMethod, _ := authGoogle.ClientAuth()
c, _ := client.NewVpnClient(
client.WithServerAddr("ex) server addr"),
client.WithServerPort("ex) server port"),
client.WithSelfSignedCertification("ex) server tls cert"),
client.WithAuthMethod(authMethod), // authentication
)
c.Run()

```

**3. Authentication(AWS IAM)**
```go
# -------------------------------------------------
# SERVER
# -------------------------------------------------

import (
"github.com/gjbae1212/grpc-vpn/server"
"github.com/gjbae1212/grpc-vpn/auth"
)

authAws, _ := auth.NewServerManagerForAwsIAM(
"ex) allow aws account id",
[]string{"[email protected]", "blahblah"},
)
authMethod, _ := authAws.ServerAuth()

# -------------------------------------------------
# CLIENT
# -------------------------------------------------

import (
"github.com/gjbae1212/grpc-vpn/client"
"github.com/gjbae1212/grpc-vpn/auth"
)

authAws, _ := auth.NewClientManagerForAwsIAM(
"ex) aws key",
"ex) aws secret access key",
)
authMethod, _ := authAws.ClientAuth()

c, _ := client.NewVpnClient(
client.WithServerAddr("ex) server addr"),
client.WithServerPort("ex) server port"),
client.WithSelfSignedCertification("ex) server tls cert"),
client.WithAuthMethod(authMethod), // authentication
)
c.Run()
```

### 2. Be used Standalone Application.
> You can run an application which already built.

**1. Download or build**
```bash
$ git clone https://github.com/gjbae1212/grpc-vpn.git
$ cd grpc-vpn
$ bash script/make.sh build_vpn_server # make an application to dist directory.
$ bash script/make.sh build_vpn_client # make an application to dist directory.
```

**2. Run Server**
server config(config.yaml)
```yaml
# Template
vpn:
port: "" # Required(vpn port)
subnet: "" # Required(vpn subnet(private ip range), ex) 192.168.0.100/24)
log_path: "" # Required(log path)
jwt_salt: "" # Required(random string)
jwt_expiration: "" # Required(expire-time in JWT), ex) 100ms, 10m, 2h30m, ...
tls_certification: "" # Required(tls cert)
tls_pem: "" # Required(tls pem)

auth: # Optional
google_openid: # Optional(if you want to google openid connect authentication)
client_id: "" # Google client id
client_secret: "" # Google client secret
hd: "" # If you are using GSuite, domain name for allowing.
allow_emails: # Allow emails
- ""
aws_iam: # Optional(if you want to aws iam authentication)
account_id: "" # Allow AWS Account ID
allow_users: # Allow users
- ""

----------------------------------------------------------------------

# 1. Example Non Authentication
vpn:
port: "8080"
subnet: "192.168.0.100/24"
log_path: ""
jwt_salt: "hello-world"
jwt_expiration: "2h10m"
tls_certification: "blahblah"
tls_pem: "blahblah"

# 2. Example Google OpenId Connect (Reference https://developers.google.com/identity/protocols/oauth2/native-app)
vpn:
port: "8080"
subnet: "192.168.0.100/24"
log_path: ""
jwt_salt: "hello-world"
jwt_expiration: "1h10m"
tls_certification: "blahblah"
tls_pem: "blahblah"
auth:
google_openid:
client_id: "google client id"
client_secret: "google client secret"
hd: ""
allow_emails:
- "[email protected]"

# 3. Example Aws IAM
vpn:
port: "8080"
subnet: "192.168.0.100/24"
log_path: ""
jwt_salt: "hello-world"
jwt_expiration: "3h"
tls_certification: "blahblah"
tls_pem: "blahblah"
auth:
aws_iam:
account_id: "aws accoount id"
allow_users:
- "blahblah"

```
Run
```bash
$ cd grpc-vpn/dist
$ sudo vpn-server-linux run -c "config.yaml path"
```

**3. Run Client**
client config(config.yaml)
```yaml
# Template
vpn:
addr: "" # Required(vpn server addr)
port: "" # Required(vpn server port)
insecure: true or false # Required (true is to disable tls, false is to enable tls)
self_signed_certification: "" # Optional(If you are using self-signed certification, you must insert it.)
auth: # Optional
google_openid: # Optional(if your vpn-server support to google openid connect authentication)
client_id: ""
client_secret: ""
aws_iam: # Optional(if your vpn-server support to aws iam authentication)
access_key: ""
secret_access_key: ""

---------------------------------------------------------------

# 1. Example Non Authentication
vpn:
addr: "localhost"
port: "8080"
insecure: false
self_signed_certification: ""

# 2. Example Google OpenId Connect (Reference https://developers.google.com/identity/protocols/oauth2/native-app)
vpn:
addr: "localhost"
port: "8080"
insecure: false
self_signed_certification: ""
auth:
google_openid:
client_id: "gogole client id"
client_secret: "google client secret"

# 3. Example Aws IAM
vpn:
addr: "localhost"
port: "8080"
insecure: false
self_signed_certification: ""
auth:
aws_iam: # Optional(if your vpn-server support to aws iam authentication)
access_key: "aws access key"
secret_access_key: "aws secret key"
Run
```bash
$ cd grpc-vpn/dist

# MAC
$ sudo vpn-client-darwin run -c "config.yaml path"

# LINUX
$ sudo vpn-client-linux run -c "config.yaml path"
```

## License
This project is following The MIT.