Because friends don't let friends localhost.
Go to file
AJ ONeal ce39066bc8 add --expires-in to signjwt 2020-07-20 12:18:08 -06:00
cmd add --expires-in to signjwt 2020-07-20 12:18:08 -06:00
dbg consolidate ENVs for remote server, truncate debug output, add --verbose option 2020-07-17 23:28:12 -06:00
examples add --expires-in to signjwt 2020-07-20 12:18:08 -06:00
html/admin make Prettier 2020-04-28 00:58:26 -06:00
log squash refactor 2020-05-01 00:12:16 -06:00
mgmt add --expires-in to signjwt 2020-07-20 12:18:08 -06:00
mplexer remove old scripts 2020-07-20 09:31:28 -06:00
sni squash refactor 2020-05-01 01:06:14 -06:00
table consolidate ENVs for remote server, truncate debug output, add --verbose option 2020-07-17 23:28:12 -06:00
tools use vfsgen for sql file 2020-06-03 00:17:30 -06:00
tunnel cleanup old code and deps 2020-07-18 00:00:57 -06:00
vendor cleanup old code and deps 2020-07-18 00:00:57 -06:00
.gitignore update VENDOR_ID, fix examples/mgmt-*, update README 2020-07-20 09:27:31 -06:00
.ignore cleanup 2020-04-28 00:47:31 -06:00
.jshintrc make Prettier 2020-04-28 00:58:26 -06:00
.prettierrc make Prettier 2020-04-28 00:58:26 -06:00
LICENSE add LICENSE 2020-05-06 11:11:33 -06:00
README.md add --expires-in to signjwt 2020-07-20 12:18:08 -06:00
build-client.sh file reorganization 2020-06-03 01:47:06 -06:00
build-mgmt.sh file reorganization 2020-06-03 01:47:06 -06:00
build-relay.sh cleanup old code and deps 2020-07-18 00:00:57 -06:00
debug.sh minor fs denesting 2020-04-29 23:52:44 -06:00
go.mod cleanup old code and deps 2020-07-18 00:00:57 -06:00
go.sum cleanup old code and deps 2020-07-18 00:00:57 -06:00

README.md

Telebit

A secure, end-to-end Encrypted tunnel.

Because friends don't let friends localhost.

Install Go

Installs Go to ~/.local/opt/go for MacOS and Linux:

curl -fsS https://webinstall.dev/golang | bash

Windows 10:

curl.exe -fsSA "MS" https://webinstall.dev/golang | powershell

Note: The minimum required go version is shown in go.mod. DO NOT use with GOPATH!

Relay Server

All dependencies are included, at the correct version in the ./vendor directory.

go generate ./...

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -o telebit-relay-linux ./cmd/telebit/*.go
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -mod vendor -o telebit-relay-macos ./cmd/telebit/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -o telebit-relay-windows-debug.exe ./cmd/telebit/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -ldflags "-H windowsgui" -o telebit-relay-windows.exe ./cmd/telebit/*.go

The binary can be built with VENDOR_ID and CLIENT_SECRET built into the binary. See examples/run-as-client.sh.

Configure

Command-line flags or .env may be used.

See ./telebit-relay --help for all options, and examples/relay.env for their corresponding ENVs.

Example

Copy examples/relay.env as .env in the working directory.

# For Tunnel Relay Server
API_HOSTNAME=devices.example.com
LISTEN=:80,:443
LOCALS=https:mgmt.devices.example.com:3010
VERBOSE=true

# For Device Management & Authentication
AUTH_URL=http://localhost:3010/api

# For Let's Encrypt / ACME registration
ACME_AGREE=true
ACME_EMAIL=letsencrypt@example.com

# For Let's Encrypt / ACME challenges
ACME_RELAY_URL=http://localhost:3010/api/dns
SECRET=xxxxxxxxxxxxxxxx
GODADDY_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
GODADDY_API_SECRET=xxxxxxxxxxxxxxxxxxxxxx

Note: It is not necessary to specify the --flags when using the ENVs.

./telebit-relay \
    --api-hostname $API_HOSTNAME \
    --auth-url "$AUTH_URL" \
    --acme-agree "$ACME_AGREE" \
    --acme-email "$ACME_EMAIL" \
    --acme-relay-url "$ACME_RELAY_URL" \
    --secret "$SECRET" \
    --listen "$LISTEN"

Management Server

go generate ./...

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -o mgmt-server-linux ./cmd/mgmt/*.go
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -mod vendor -o mgmt-server-macos ./cmd/mgmt/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -o mgmt-server-windows-debug.exe ./cmd/mgmt/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -ldflags "-H windowsgui" -o mgmt-server-windows.exe ./cmd/mgmt/*.go

Example

./telebit-mgmt --domain devices.example.com --port 3010

Copy examples/mgmt.env as .env in the working directory.

Device Management API

Create a token with the same SECRET used with the mgmt server, and add a device by its subdomain.

To build signjwt:

go build -mod=vendor -ldflags "-s -w" -o signjwt cmd/signjwt/*.go

To generate an admin token:

VERDOR_ID="test-id"
SECRET="xxxxxxxxxxx"
TOKEN=$(./signjwt \
    --expires-in 15m \
    --vendor-id $VENDOR_ID \
    --secret $SECRET \
    --machine-ppid $SECRET
)

Authorize a device:

my_subdomain="xxxx"
my_mgmt_host=http://mgmt.example.com:3010
curl -X POST $my_mgmt_host/api/devices \
    -H "Authorization: Bearer ${TOKEN}" \
    -H "Content-Type: application/json" \
    -d '{ "slug": "'$my_subdomain'" }'
{ "shared_key": "ZZZZZZZZ" }

Show data of a single device

my_subdomain="xxxx"
curl -L http://mgmt.example.com:3010/api/devices/${my_subdomain} -H "Authorization: Bearer ${TOKEN}"
{ "subdomain": "sub1", "updated_at": "2020-05-20T12:00:01Z" }

Get a list of connected devices:

curl -L http://mgmt.example.com:3010/api/devices -H "Authorization: Bearer ${TOKEN}"
[{ "subdomain": "sub1", "updated_at": "2020-05-20T12:00:01Z" }]

Get a list of disconnected devices:

curl -L http://mgmt.example.com:3010/api/devices?inactive=true -H "Authorization: Bearer ${TOKEN}"

Deauthorize a device:

my_subdomain="xxxx"
curl -L -X DELETE http://mgmt.example.com:3010/api/devices/${my_subdomain} -H "Authorization: Bearer ${TOKEN}"

Relay Client

All dependencies are included, at the correct version in the ./vendor directory.

go generate ./...

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -o telebit-client-linux ./cmd/telebit/*.go
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -mod vendor -o telebit-client-macos ./cmd/telebit/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -o telebit-client-windows-debug.exe ./cmd/telebit/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -ldflags "-H windowsgui" -o telebit-client-windows.exe ./cmd/telebit/*.go

Configure

Command-line flags or .env may be used.

See ./telebit-client --help for all options, and examples/client.env for their corresponding ENVs.

Example

Copy examples/client.env as .env in the working directory.

# For Client
VENDOR_ID=test-id
CLIENT_SUBJECT=newieb
CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxx
AUTH_URL="https://mgmt.devices.example.com/api"
TUNNEL_RELAY_URL=wss://devices.example.com/ws
LOCALS=https:newbie.devices.example.com:3000,http:newbie.devices.example.com:3000
#PORT_FORWARDS=3443:3001,8443:3002

# For Debugging
VERBOSE=true
#VERBOSE_BYTES=true
#VERBOSE_RAW=true

# For Let's Encrypt / ACME registration
ACME_AGREE=true
ACME_EMAIL=letsencrypt@example.com

# For Let's Encrypt / ACME challenges
ACME_RELAY_URL="https://mgmt.devices.example.com/api/dns"
./telebit-client \
    --auth-url $AUTH_URL \
    --vendor-id "$VENDOR_ID" \
    --secret "$CLIENT_SECRET" \
    --tunnel-relay-url $TUNNEL_RELAY_URL \
    --listen "$LISTEN" \
    --locals "$LOCALS" \
    --acme-agree="$ACME_AGREE" \
    --acme-email "$ACME_EMAIL" \
    --acme-relay-url $ACME_RELAY_URL \
    --verbose=$VERBOSE

Local Web Application

Currently only raw TCP is tunneled.

This means that either the application must handle and terminate encrypted TLS connections, or use HTTP (instead of HTTPS). This will be available in the next release.

mkdir -p tmp-app
pushd tmp-app/

cat << EOF > index.html
Hello, World!
EOF

python3 -m http.server 3000

Glossary

--vendor-id         $VENDOR_ID          an arbitrary id used as part of authentication
--secret            $SECRET             the secret for creating JWTs
--auth-url          $AUTH_URL           the full url prefix of the server that will validate tokens
--tunnel-relay-url  $TUNNEL_RELAY_URL   the full url of the websocket tunnel server
--locals            $LOCALS             a list of `scheme:domainname:port`
                                        for forwarding incoming `domainname` to local `port`
--port-forwards     $PORT_FORWARDS      a list of `remote:local` tcp port-forwarding
--verbose           $VERBOSE            logs everything, including abbreviated data (as hex)
                    $VERBOSE_BYTES      logs full data (as hex)
                    $VERBOSE_RAW        logs full data (as string)
--acme-agree        $ACME_AGREE         agree to the ACME service agreement
--acme-email        $ACME_EMAIL         the webmaster email for ACME notices
--acme-relay-url    $ACME_RELAY_URL     the server that will relay ACME DNS-01 requests