threefoldtech
diff --git a/‎README.md
Lines changed: 54 additions & 17 deletions b/‎README.md
Lines changed: 54 additions & 17 deletions
diff --git a/‎client.go
Lines changed: 133 additions & 40 deletions b/‎client.go
Lines changed: 133 additions & 40 deletions
@@ -2,51 +2,50 @@
 
 A down to earth tcp router based on traefik tcp streaming and supports multiple backends using [valkyrie](https://github.com/abronan/valkeyrie)
 
-
 ## Build
 
 ```
-git clone https://github.com/xmonader/tcprouter 
-make all
+git clone https://github.com/threefoldtech/tcprouter
+make
 ```
+
 This will generate two binaries in bin dir
 
 - `trs`: tcp router server
 - `trc`: tcp router client
 
-
 ## Running
 
-configfile: router.toml
+Example configuration file
+
 ```toml
 [server]
-addr = "0.0.0.0"
-port = 443
-httpport = 80
+addr = "0.0.0.0" # listening address for all entrypoints (http, https, tcp router client)
+port = 443 # TLS listening port
+httpport = 80 # HTTP listening port
 
-[server.dbbackend]
+[server.dbbackend] # configuration for the redis backend
 type 	 = "redis"
 addr     = "127.0.0.1"
 port     = 6379
-refresh  = 10
+refresh  = 10 # make the tcp router poll for new configuration every 10 seconds
+
 
 [server.services]
-    [server.services."www.google.com"]
+    [server.services."mydomain.com"]
         addr = "172.217.19.46"
         tlsport = 443
         httpport = 80
 ```
-then 
-`./tcprouter router.toml`
 
+then `trs -config router.toml`
 
 Please notice if you are using low numbered port like 80 or 443 you can use sudo or setcap before running the binary.
-- `sudo ./tcprouter router.toml`
-- setcap: `sudo setcap CAP_NET_BIND_SERVICE=+eip PATH_TO_TCPROUTER`
+- `sudo setcap CAP_NET_BIND_SERVICE=+eip trs`
 
 ### router.toml
 
-We have two toml sections so far
+We have two 3 sections so far
 
 #### [server]
 
@@ -71,6 +70,19 @@ refresh = 10
 
 in `server.dbbackend` we define the backend kv store and its connection information `addr,port` and how often we want to reload the data from the kv store using `refresh` key in seconds.
 
+#### [server.services]
+
+```toml
+[server.services]
+    [server.services."mydomain.com"]
+        addr = "172.217.19.46"
+        tlsport = 443
+        httpport = 80
+```
+
+Services are static configuration that are hardcoded in the configuration file instead of coming from the database backend.  
+In this example the request for domain `mydomain.com` will be forwarded to the backend server at `172.217.19.46:443` for TLS traffic and `172.217.19.46:80` for non TLS traffic.
+
 ## Data representation in KV
 
 ```shell
@@ -159,7 +171,7 @@ func main() {
 
 ### Python
 
-```python3
+```python
 import base64
 import json
 import redis
@@ -195,3 +207,28 @@ So your browser go to your `127.0.0.1:443` on requesting google or bing.
 to add a global `catch all` service
 
 `python3 create_service.py CATCH_ALL 'CATCH_ALL' '127.0.0.1:9092'`
+
+## Reverse tunneling
+
+TCP router also support to forward connection to a server that is hidden behind NAT. The way it works is on the hidden client side, 
+a small client runs and opens a connection to the tcp router server. The client sends a secret during an handshake with the server to authenticate the connection.
+
+The server then keeps the connection opens and is able to forward incoming public traffic to the open connection.  This is specially useful if there is no way for the tcp router server to open a connection to the backend. Usually because of NAT.
+
+![reverse_tunnel](reverse_tunnel.png)
+
+### example
+
+Fist create the configuration on the server side. The only required field in the configuration is the secret for the client connection:
+
+```toml
+[server.services]
+    [server.services."mydomain.com"]
+        clientsecret = "TB2pbZ5FR8GQZp9W2z97jBjxSgWgQKaQTxEgrZNBa4pEFzv3PJcRVEtG2a5BU9qd"
+```
+
+Second starts the tcp router client and make it opens a connection to the tcp router server:
+The following command will connect the the server located at `tcprouter-1.com`, forward traffic for `mydomain.com` to the local application running at `localhost:8080` and send the response back.
+
+
+`trc -local localhost:8080 -remote tcprouter-1.com -secret TB2pbZ5FR8GQZp9W2z97jBjxSgWgQKaQTxEgrZNBa4pEFzv3PJcRVEtG2a5BU9qd`
@@ -1,97 +1,190 @@
 package tcprouter
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net"
 
+	"github.com/libp2p/go-yamux"
 	"github.com/rs/zerolog/log"
 )
 
 type Client struct {
-	// connection to the tcp router server
-	RemoteConn net.Conn
-	// connection to the local application
-	LocalConn net.Conn
-
+	localAddr  string
+	remoteAddr string
 	// secret used to identify the connection in the tcp router server
 	secret []byte
+
+	// connection to the tcp router server
+	remoteSession *yamux.Session
 }
 
 // NewClient creates a new TCP router client
-func NewClient(secret string) *Client {
+func NewClient(secret, local, remote string) *Client {
 	return &Client{
-		secret: []byte(secret),
+		localAddr:  local,
+		remoteAddr: remote,
+		secret:     []byte(secret),
+	}
+}
+
+// Start starts the client by opening a connection to the router server, doing the handshake
+// then start listening for incoming steam from the router server
+func (c Client) Start(ctx context.Context) error {
+	if err := c.connectRemote(c.remoteAddr); err != nil {
+		return fmt.Errorf("failed to connect to TCP router server: %w", err)
 	}
+
+	log.Info().Msg("start handshake")
+	if err := c.handshake(); err != nil {
+		return fmt.Errorf("failed to handshake with TCP router server: %w", err)
+	}
+	log.Info().Msg("handshake done")
+
+	return c.listen(ctx)
 }
 
-func (c *Client) ConnectRemote(addr string) error {
+func (c *Client) connectRemote(addr string) error {
 	if len(c.secret) == 0 {
 		return fmt.Errorf("no secret configured")
 	}
 
-	conn, err := net.Dial("tcp", addr)
+	tcpAddr, err := net.ResolveTCPAddr("tcp", addr)
 	if err != nil {
 		return err
 	}
 
-	c.RemoteConn = conn
+	conn, err := net.DialTCP("tcp", nil, tcpAddr)
+	if err != nil {
+		return err
+	}
+
+	// Setup client side of yamux
+	session, err := yamux.Client(conn, nil)
+	if err != nil {
+		panic(err)
+	}
+
+	c.remoteSession = session
 
 	return nil
 }
 
-func (c *Client) ConnectLocal(addr string) error {
-	conn, err := net.Dial("tcp", addr)
+func (c *Client) connectLocal(addr string) (WriteCloser, error) {
+	tcpAddr, err := net.ResolveTCPAddr("tcp", addr)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	c.LocalConn = conn
+	conn, err := net.DialTCP("tcp", nil, tcpAddr)
+	if err != nil {
+		return nil, err
+	}
 
-	return nil
+	return conn, nil
 }
 
-func (c *Client) Handshake() error {
-	if c.RemoteConn == nil {
+func (c *Client) handshake() error {
+	if c.remoteSession == nil {
 		return fmt.Errorf("not connected")
 	}
 
 	h := Handshake{
 		MagicNr: MagicNr,
 		Secret:  []byte(c.secret),
 	}
-	// at this point if the server refuse the hanshake it will
+	// at this point if the server refuse the handshake it will
 	// just close the connection which should return an error
-	return h.Write(c.RemoteConn)
+	stream, err := c.remoteSession.OpenStream()
+	if err != nil {
+		return err
+	}
+	defer stream.Close()
+
+	return h.Write(stream)
 }
 
-func (c *Client) Forward() {
+func (c *Client) listen(ctx context.Context) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
 
+	cCon := make(chan WriteCloser)
 	cErr := make(chan error)
-	defer func() {
-		c.RemoteConn.Close()
-		c.LocalConn.Close()
-	}()
-
-	go forward(c.LocalConn, c.RemoteConn, cErr)
-	go forward(c.RemoteConn, c.LocalConn, cErr)
-
-	err := <-cErr
-	if err != nil {
-		log.Error().Err(err).Msg("Error during connection")
+	go func(ctx context.Context, cCon chan<- WriteCloser, cErr chan<- error) {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+				conn, err := c.remoteSession.AcceptStream()
+				if err != nil {
+					cErr <- err
+					return
+				}
+				cCon <- WrapConn(conn)
+			}
+		}
+	}(ctx, cCon, cErr)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case err := <-cErr:
+			return fmt.Errorf("accept connection failed: %w", err)
+		case remote := <-cCon:
+			log.Info().
+				Str("remote add", remote.RemoteAddr().String()).
+				Msg("incoming stream, connect to local application")
+
+			local, err := c.connectLocal(c.localAddr)
+			if err != nil {
+				return fmt.Errorf("failed to connect to local application: %w", err)
+			}
+
+			go func(remote, local WriteCloser) {
+				log.Info().Msg("start forwarding")
+
+				cErr := make(chan error)
+				go forward(local, remote, cErr)
+				go forward(remote, local, cErr)
+
+				err = <-cErr
+				if err != nil {
+					log.Error().Err(err).Msg("Error during forwarding: %w")
+				}
+
+				<-cErr
+
+				if err := remote.Close(); err != nil {
+					log.Error().Err(err).Msg("Error while terminating connection")
+				}
+				if err := local.Close(); err != nil {
+					log.Error().Err(err).Msg("Error while terminating connection")
+				}
+			}(remote, local)
+		}
 	}
-
-	<-cErr
 }
 
-func forward(dst, src net.Conn, cErr chan<- error) {
+func forward(dst, src WriteCloser, cErr chan<- error) {
 	_, err := io.Copy(dst, src)
 	cErr <- err
-
-	tcpConn, ok := dst.(*net.TCPConn)
-	if ok {
-		if err := tcpConn.CloseWrite(); err != nil {
-			log.Error().Err(err).Msg("Error while terminating connection")
-		}
+	if err := dst.CloseWrite(); err != nil {
+		log.Error().Err(err).Msgf("error closing %s", dst.RemoteAddr().String())
 	}
 }
+
+type wrappedCon struct {
+	*yamux.Stream
+}
+
+// WrapConn wraps a stream into a wrappedCon so it implements the WriteCloser interface
+func WrapConn(conn *yamux.Stream) WriteCloser {
+	return wrappedCon{conn}
+}
+
+func (c wrappedCon) CloseWrite() error {
+	return c.Stream.Close()
+}