Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/krrr/wstan
Tunneling TCP in WebSocket (ssh -D alternative)
https://github.com/krrr/wstan
proxy socks-proxy tunnel websockets
Last synced: 2 months ago
JSON representation
Tunneling TCP in WebSocket (ssh -D alternative)
- Host: GitHub
- URL: https://github.com/krrr/wstan
- Owner: krrr
- License: mit
- Created: 2015-10-21T01:59:19.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2020-10-15T15:44:55.000Z (over 4 years ago)
- Last Synced: 2024-04-24T13:19:32.639Z (9 months ago)
- Topics: proxy, socks-proxy, tunnel, websockets
- Language: Python
- Homepage:
- Size: 212 KB
- Stars: 39
- Watchers: 3
- Forks: 11
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-network-stuff - **21**星 - D alternative) (<a id="01e6651181d405ecdcd92a452989e7e0"></a>工具 / <a id="9d6789f22a280f5bb6491d1353b02384"></a>隧道&&穿透)
README
# wstan
[](https://pypi.python.org/pypi/wstan)
[](https://pypi.python.org/pypi/wstan)
Tunneling TCP connections in WebSocket to circumvent firewall.
It's light and can run on some PaaS (SSL supported).
`User-Agent(SOCKS5/HTTP) <--> (wstan)Client <-- Internet --> (wstan)Server <--> Target`
## Features
* Encryption
* Proxy support (using HTTP CONNECT; [test yours](http://www.websocket.org/echo.html))
* Display error message in browser (plain HTTP only)
* SOCKS5 and HTTP (slower) in the same port
WARN: Do not rely it on security when not using SSL
## Usage
```
wstan [-h] [-g] [-c | -s] [-d] [-z] [-p PORT] [-t TUN_ADDR]
[-r TUN_PORT]
[uri] [key]
positional arguments:
uri URI of server
key base64 encoded 16-byte key
optional arguments:
-h, --help show this help message and exit
-g, --gen-key generate a key and exit
-c, --client run as client (default, also act as SOCKS5/HTTP(S)
server)
-s, --server run as server
-d, --debug
-z, --compatible useful when server is behind WS proxy
-i INI, --ini INI load config file
-y PROXY, --proxy PROXY
let client use a HTTPS proxy (host:port)
-p PORT, --port PORT listen port of SOCKS5/HTTP(S) server at localhost
(defaults 1080)
-t TUN_ADDR, --tun-addr TUN_ADDR
listen address of server, overrides URI
-r TUN_PORT, --tun-port TUN_PORT
listen port of server, overrides URI
--x-forward Use X-Forwarded-For as client IP address when behind
proxy
```
#### Setup:
```sh
# generate a key using "wstan -g"
wstan ws://yourserver.com KEY -s # server
wstan ws://yourserver.com KEY # client
# a proxy server is listening at localhost:1080 now (at client side)
```
#### Setup for OpenShift v3:
1. [Generate a key](http://rextester.com/TZXL63621)
2. Pull [Docker image](https://hub.docker.com/r/krrr/wstan/) and set environment variable `KEY`
3. Add default route
4. `http://xxx.openshiftapps.com` will return 200 if everything goes right; Run client `wstan ws://xxx.openshiftapps.com KEY`
## It's a reinvented wheel
* [chisel](https://github.com/jpillora/chisel)
* https://github.com/mhzed/wstunnel
* https://github.com/ffalcinelli/wstunnel
* shadowsocks-dotcloud
* [multitun](https://github.com/covertcodes/multitun) (VPN)
* etherws (VPN)
* websockify (not for circumventing FW)
* [gost](https://github.com/ginuerzh/gost/)
* [v2ray](https://www.v2ray.com)
## Details
Original Goal: make active probing against server side more difficult while
still keeping low latency of connection establishment and being stateless (inspired by shadowsocks).
Weakness: can't prevent MITM attack; client can't detect fake server (may receive garbage data);
replay attack detection may fail
Tech Detail:
* request frame has HMAC and timestamp (data frame has nothing), and all frames are encrypted using AES-128-CTR
* server will save encryption nonce and timestamp when receiving valid request (to detect replay attack)
* the first request frame will be encoded into URI of WS handshake (to achieve low latency)
* it has a connection pool