qTunnel

qTunnel - a simpler and (possibly) faster tunnel program

qtunnel is a network tunneling software working as an encryption wrapper between clients and servers (remote/local). It can work as a Stunnel/stud replacement.

qtunnel has been serving over 10 million connections each day on Qu Jing for the past few months.

Why Another Wrapper

Stunnel/stud is great in SSL/TLS based environments, but what we want is a lighter and faster solution that only does one job: transfer encrypted data between servers and clients. We don't need to deal with certificate settings, and we want the transfer to be as fast as possible. So we made qTunnel. Basically, it's a Stunnel/stud without certificate settings and SSL handshakes, and it's written in Go.

Requirements

qtunnel is written in Go 1.3.1; once built, it can run on almost every OS.

Build

go build -o qtunnel .

Usage

    $ ./qtunnel -h
Usage of ./qtunnel:
  -backend string
        host:port of the backend (default "127.0.0.1:6400")
  -buffer uint
        tunnel buffer size (default 4096)
  -clientmode
        if running at client mode
  -conf string
        read connection setup from config file:
            eg:
               [compress] 
               faddr = 10.3.246.149:1316  # from local
               baddr = 10.3.246.150:1316  # trans to remote
               cryptoMethod = rc4         # only support rc4 .... 
               secret = 1xtneltgt1gdraa.6 # encryption key  
               clientmode = true   # when in server side  clientmode=false
               switchmode=true     # when switch=true ,trans data no need secret and cryptoMethod encrypt any more !
               compress=1          # when switchmode=true  clientmode is set and  compress=true ,use lz4 compress net flow
               timeout=180         # conn be idle 180min disconnect
               speed=5             # transmission speed rate MBps, here example meas limit 5MBps 
             
  -crypto string
        encryption method (default "rc4")
  -daemon
        running in daemon mode
  -listen string
        host:port qtunnel listen on (default ":9001")
  -logto string
        stdout or syslog (default "stdout")
  -secret string
        password used to encrypt the data
  -speed int
        transmission speed rate MBps
  -switchmode
        wether runing at switchMode,redirect port without secret
  -tag string
        only setup the tag in config file
  -timeout int
        close connection after it stay idle $timeout  minutes   (default 30)

qtunnel supports two encryption methods: rc4 and aes256cfb. Both servers and clients should use the same crypto and same secret.

Example

Let's say you have a redis server on host-a and you want to connect to it from host-b. Normally, just using:

$ redis-cli -h host-a -p 6379

will do the job. The topology is:

redis-cli (host-b) <------> (host-a) redis-server

If host-b is in an insecure network environment, e.g. another data center or another region, the clear-text redis protocol is not good enough, and you can use qtunnel as a secure wrapper.

On host-b:

$ qtunnel -listen=127.1:6379 -backend=host-a:6378 -clientmode=true -secret=secret -crypto=rc4

On host-a:

$ qtunnel -listen=:6378 -backend=127.1:6379 -secret=secret -crypto=rc4

Then connect on host-b as:

$ redis-cli -h 127.1 -p 6379

This establishes a secure tunnel between your redis-cli and the redis server; the topology is:

redis-cli (host-b) <--> qtunnel (client,host-b) <--> qtunnel (host-a) <--> redis-server

After this, you communicate over an encrypted wrapper rather than in clear text.

Credits

Special thanks to Paul for reviewing the code.

Contributing

We encourage you to contribute to qtunnel! Please feel free to submit a bug report, fork the repo or create a pull request.

Configure

Multiple connections can be set up from a config file, and qtunnel can run in daemon mode. A config file looks like:

[server1]
faddr = 10.0.21.5:16380
baddr = 10.0.21.7:6380
cryptoMethod = rc4
secret = 6380_secypt
clientmode = false

[conn1]
faddr = 10.0.21.5:26380
baddr = 10.0.21.5:16380
cryptoMethod = rc4
secret = 6380_secypt
clientmode = true

[speed_limit]
faddr = 10.3.3.18:3333 
baddr = 10.3.3.19:3333 
cryptoMethod = rc4 
secret = 6380_secypt 
speed = 2
clientmode = true 

[port_switch_speed_limit_without_secret]
faddr = 10.3.2.18:3333 
baddr = 10.3.2.19:22
speed = 2
switchmode=true

Now we can run it with:

   ./bin/qtunnel -daemon -conf=/etc/conn.conf -logto=syslog -tag speed_limit
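The config format above, parsed and checked as an added example in Go (this is not qtunnel's own loader). It enforces the rule stated earlier in the README: a section needs a supported cryptoMethod (rc4 or aes256cfb) and a secret unless switchmode=true was set explicitly, which is the mode that forwards data without encryption. `ParseConfig` and `SampleConf` are names introduced here, and the sample config is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleConf is a constructed config in the README's format; the addresses and
// secret are illustrative, not taken from any real deployment.
const SampleConf = "[server1]\nfaddr = 10.0.21.5:16380 # from local\nbaddr = 10.0.21.7:6380\n" +
	"cryptoMethod = rc4\nsecret = 6380_secypt\nclientmode = false\n\n" +
	"[port_switch]\nfaddr = 10.3.2.18:3333\nbaddr = 10.3.2.19:22\nswitchmode=true\n"

// ParseConfig reads the INI-style format into section -> key -> value and validates
// each section: faddr and baddr are mandatory, and unless switchmode=true the section
// must name a supported cryptoMethod and a secret. Added example, not qtunnel's loader.
func ParseConfig(text string) (map[string]map[string]string, error) {
	cfg, name := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line, _, _ := strings.Cut(raw, "#") // drop trailing comments, as in the README
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			name = line[1 : len(line)-1]
			cfg[name] = map[string]string{}
		default:
			k, v, ok := strings.Cut(line, "=")
			if !ok || name == "" {
				return nil, fmt.Errorf("line %q: expected key = value inside a [section]", raw)
			}
			cfg[name][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	for n, s := range cfg {
		if s["faddr"] == "" || s["baddr"] == "" {
			return nil, fmt.Errorf("[%s]: faddr and baddr are required", n)
		}
		if s["switchmode"] == "true" {
			continue // explicit plaintext port forward: no cipher or secret is used
		}
		if m := s["cryptoMethod"]; m != "rc4" && m != "aes256cfb" {
			return nil, fmt.Errorf("[%s]: unsupported cryptoMethod %q", n, m)
		}
		if s["secret"] == "" {
			return nil, fmt.Errorf("[%s]: secret is required unless switchmode=true", n)
		}
	}
	return cfg, nil
}
```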

License

qtunnel is released under the Apache License 2.0.