Главная Обзор Помощь
Вход
yosoyhendrix
/
psiphon-tunnel-core
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: e6ed2a9c19
Ветки Метки
psiphon-tunnel-...
/
psiphon
/
common
/
inproxy
/
doc.go

doc.go 6.7 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 
  1. /*
    2. 

  2.  * Copyright (c) 2023, Psiphon Inc.
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * This program is free software: you can redistribute it and/or modify
    6. 

  6.  * it under the terms of the GNU General Public License as published by
    7. 

  7.  * the Free Software Foundation, either version 3 of the License, or
    8. 

  8.  * (at your option) any later version.
    9. 

  9.  *
    10. 

  10.  * This program is distributed in the hope that it will be useful,
    11. 

  11.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13.  * GNU General Public License for more details.
    14. 

  14.  *
    15. 

  15.  * You should have received a copy of the GNU General Public License
    16. 

  16.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17.  *
    18. 

  18.  */
    19. 

  19. 

  20. /*
    21. 

  21. Package inproxy enables 3rd party, ephemeral proxies to help Psiphon clients
    22. 

  22. connect to the Psiphon network.
    23. 

  23. 

  24. The in-proxy architecture is inspired by and similar to Tor's snowflake
    25. 

  25. pluggable transport, https://snowflake.torproject.org/.
    26. 

  26. 

  27. With in-proxy, Psiphon clients are matched with proxies by brokers run by the
    28. 

  28. Psiphon network.
    29. 

  29. 

  30. In addition to proxies in unblocked regions, proxies in blocked regions are
    31. 

  31. supported, to facilitate the use cases such as a local region hop from a
    32. 

  32. mobile ISP, where international traffic may be expensive and throttled, to a
    33. 

  33. home ISP, which may be less restricted.
    34. 

  34. 

  35. The proxy/server hop uses the full range of Psiphon tunnel protocols,
    36. 

  36. providing blocking circumvention on the 2nd hop.
    37. 

  37. 

  38. Proxies don't create Psiphon tunnels, they just relay either TCP or UDP flows
    39. 

  39. from the client to the server, where those flows are Psiphon tunnel
    40. 

  40. protocols. Proxies don't need to be upgraded in order to rely newer Psiphon
    41. 

  41. tunnel protocols or protocol variants.
    42. 

  42. 

  43. Proxies cannot see the client traffic within the relayed Psiphon tunnel.
    44. 

  44. Brokers verify that client destinations are valid Psiphon servers only, so
    45. 

  45. proxies cannot be misused for non-Psiphon relaying.
    46. 

  46. 

  47. To limit the set of Psiphon servers that proxies can observe and enumerate,
    48. 

  48. client destinations are limited to the set of servers specifically designated
    49. 

  49. with in-proxy capabilities. This is enforced by the broker.
    50. 

  50. 

  51. Proxies are compartmentalized in two ways; (1) personal proxies will use a
    52. 

  52. personal compartment ID to limit access to clients run by users with whom the
    53. 

  53. proxy operator has shared, out-of-band, a personal compartment ID, or access
    54. 

  54. token; (2) common proxies will be assigned a common compartment ID by the
    55. 

  55. Psiphon network to limit access to clients that have obtained the common
    56. 

  56. compartment ID, or access token, from Psiphon through channels such as
    57. 

  57. targeted tactics or embedded in OSLs.
    58. 

  58. 

  59. Proxies are expected to be run for longer periods, on desktop computers. The
    60. 

  60. in-proxy design does not currently support browser extension or website
    61. 

  61. widget proxies.
    62. 

  62. 

  63. The client/proxy hop uses WebRTC, with the broker playing the role of a WebRTC
    64. 

  64. signaling server in addition to matching clients and proxies. Clients and
    65. 

  65. proxies gather ICE candidates, including any host candidates, IPv4 or IPv6,
    66. 

  66. as well as STUN server reflexive candidates. In addition, any available port
    67. 

  67. mapping protocols -- UPnP-IGD, NAT-PMP, PCP -- are used to gather port
    68. 

  68. mapping candidates, which are injected into ICE SDPs as host candidates. TURN
    69. 

  69. candidates are not used.
    70. 

  70. 

  71. NAT topology discovery is performed and metrics sent to broker to optimize
    72. 

  72. utility and matching of proxies to clients. Mobile networks may be assumed to
    73. 

  73. be CGNAT in case NAT discovery fails or is skipped. And, for mobile networks,
    74. 

  74. there is an option to skip discovery and STUN for a faster dial.
    75. 

  75. 

  76. The client-proxy is a WebRTC data channel; on the wire, it is DTLS, preceded
    77. 

  77. by an ICE STUN packet. By default, WebRTC DTLS is configured to look like
    78. 

  78. common browsers. In addition, the DTLS ClientHello can be randomized. Proxy
    79. 

  79. endpoints are ephemeral, but if they were to be scanned or probed, the
    80. 

  80. response should look like common WebRTC stacks that receive packets from
    81. 

  81. invalid peers.
    82. 

  82. 

  83. Clients and proxies connect to brokers via a domain fronting transport; the
    84. 

  84. transport is abstracted and other channels may be provided. Within that
    85. 

  85. transport, a Noise protocol framework session is established between
    86. 

  86. clients/proxies and a broker, to ensure privacy, authentication, and replay
    87. 

  87. defense between the end points; not even a domain fronting CDN can observe
    88. 

  88. the transactions within a session. The session has an additional obfuscation
    89. 

  89. layer that renders the messages as fully random, which may be suitable for
    90. 

  90. encapsulating in plaintext transports;  adds random padding; and detects
    91. 

  91. replay of any message.
    92. 

  92. 

  93. For clients and proxies, all broker and WebRTC dial parameters, including
    94. 

  94. domain fronting, STUN server selection, NAT discovery behavior, timeouts, and
    95. 

  95. so on are remotely configurable via Psiphon tactics. Callbacks facilitate
    96. 

  96. replay of successful dial parameters for individual stages of a dial,
    97. 

  97. including a successful broker connection, or a working STUN server.
    98. 

  98. 

  99. For each proxied client tunnel, brokers use secure sessions to send the
    100. 

  100. destination Psiphon server a message indicating the proxy ID that's relaying
    101. 

  101. the client's traffic, the original client IP, and additional metrics to be
    102. 

  102. logged with the server_tunnel log for the tunnel. Neither a client nor a
    103. 

  103. proxy is trusted to report the original client IP or the proxy ID.
    104. 

  104. 

  105. Instead of having the broker connect out to Psiphon servers, and trying to
    106. 

  106. synchronize reliable arrival of these messages, the broker uses the client to
    107. 

  107. relay secure session packets -- the message and response, preceded by a
    108. 

  108. session handshake if required. These session packets piggyback on top of
    109. 

  109. client/broker and client/server round trips that happen anyway, including the
    110. 

  110. Psiphon API handshake.
    111. 

  111. 

  112. Psiphon servers with in-proxy capabilities should be configured, on in-proxy
    113. 

  113. listeners, to require receipt of this broker message before finalizing
    114. 

  114. traffic rules, issuing tactics, issuing OSL progress, or allowing traffic
    115. 

  115. tunneling. The original client IP reported by the broker should be used for
    116. 

  116. all client GeoIP policy decisions and logging.
    117. 

  117. 

  118. The proxy ID is the proxy's secure session public key; the proxy proves
    119. 

  119. possession of the corresponding private key in the session handshake. Proxy
    120. 

  120. IDs are not revealed to clients; only to brokers and Psiphon servers. A proxy
    121. 

  121. may maintain a long-term key pair and corresponding proxy ID, and that may be
    122. 

  122. used by Psiphon to assign reputation to well-performing proxies or to issue
    123. 

  123. rewards for proxies.
    124. 

  124. 

  125. The proxy is designed to be bundled with the tunnel-core client, run
    126. 

  126. optionally, and integrated with its tactics, data store, and logging. The
    127. 

  127. broker is designed to be bundled with the Psiphon server, psiphond, and, like
    128. 

  128. tactics requests, run under MeekServer; and use the tactics, psinet database,
    129. 

  129. GeoIP services, and logging services provided by psiphond.
    130. 

  130. */
    131. 

  131. package inproxy
    132.