A layer 4 Single Packet Authentication (SPA) server, used to conceal TCP/UDP ports on public-facing machines and add an extra layer of security: a port stays hidden until the client sends one signed knock packet that the server can verify.
netguard-server: SPA service program responsible for authenticating knock packets and connection tracking.
netguard-tool: generate signing certificates, generate and send knock packets.
.
├── Makefile       # convenient compilation
├── crypto         # encryption and decryption crate
│   ├── Cargo.toml
│   └── src
├── server         # netguard-server implementation
│   ├── Cargo.toml
│   ├── config     # config file used for running netguard-server
│   └── src
└── tool           # netguard-tool implementation
    ├── Cargo.toml
    └── src
Run netguard-server on the server side to hide TCP port 10022:
$ netguard-server -c ./netguard.toml
On the client side, use netguard-tool to send TCP port knock packets.
The following command sends a knock packet to unlock TCP port 10022 (the packet is signed with the private key passed via --key, which is why that file must stay private to the client):
$ sudo ./netguard-tool auth --server 45.76.195.141 --protocol=tcp --unlock 10022 --key=./rsa_key
To unlock a UDP port, use --protocol=udp.
Demo with two devices: one is listening on port 10022, and netguard-server then takes that port over so it is hidden until a valid knock arrives:
Generating an RSA key pair with the default options:
$ netguard-tool keygen
The default options are equivalent to: netguard-tool keygen -a rsa -b 4096 -o .netguard/rsa
More parameter help:
$ netguard-tool keygen --help
Reload the netguard-server config file:
$ pkill -HUP netguard-server
Build the release version:
$ make release
or
$ cargo build --release
netguard-server receives knock packets through NFQUEUE, a netfilter/iptables target that hands matching packets to a userspace program. Make sure iptables is installed and running before starting netguard-server, otherwise no packets can be queued to it.
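The knock procedure above, where the client signs a knock with its RSA private key and the server verifies it before opening the port, as an added example. This is not netguard's code or wire format: the field layout, the 30-second skew window and the error names are assumptions, and it is written in Go rather than the project's Rust so it runs on the standard library alone. Besides the signature check, the server side shows the two checks a practitioner would want in any SPA verifier, a freshness window and a nonce cache, which together stop a captured knock from being replayed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Knock is the payload of one knock packet. The layout is an assumption for this
// example, not netguard's wire format. Every field except Sig is covered by Sig.
type Knock struct {
	Proto     uint8    // 6 = TCP, 17 = UDP
	Port      uint16   // port the client asks to unlock
	Timestamp int64    // client clock, unix seconds; bounds the replay window
	Nonce     [16]byte // random per knock; lets the server detect a replay inside the window
	Sig       []byte   // RSA PKCS#1 v1.5 signature over SHA-256 of the fields above
}

const (
	ProtoTCP uint8 = 6
	ProtoUDP uint8 = 17
	maxSkew        = 30 * time.Second // assumed tolerance between client and server clocks
)

var (
	ErrBadSignature = errors.New("knock: bad signature")
	ErrStale        = errors.New("knock: timestamp outside skew window")
	ErrReplay       = errors.New("knock: nonce already seen")
)

// signedBytes serialises the authenticated fields in a fixed big-endian layout
// so client and server hash exactly the same bytes.
func (k *Knock) signedBytes() []byte {
	b := make([]byte, 1+2+8+16)
	b[0] = k.Proto
	binary.BigEndian.PutUint16(b[1:3], k.Port)
	binary.BigEndian.PutUint64(b[3:11], uint64(k.Timestamp))
	copy(b[11:], k.Nonce[:])
	return b
}

// NewKnock is the client side: build a knock for proto/port and sign it with priv.
func NewKnock(priv *rsa.PrivateKey, proto uint8, port uint16, now time.Time) (*Knock, error) {
	k := &Knock{Proto: proto, Port: port, Timestamp: now.Unix()}
	if _, err := rand.Read(k.Nonce[:]); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(k.signedBytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	k.Sig = sig
	return k, nil
}

// Verifier is the server side: the trusted public key plus the nonces seen
// inside the skew window, so a captured knock cannot be replayed.
type Verifier struct {
	pub  *rsa.PublicKey
	mu   sync.Mutex
	seen map[[16]byte]int64 // nonce -> timestamp of the knock that carried it
}

func NewVerifier(pub *rsa.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: make(map[[16]byte]int64)}
}

// Verify checks the signature first (so unauthenticated packets never touch the
// nonce cache), then freshness, then replay. Only a knock passing all three
// should result in the port being opened for the sender.
func (v *Verifier) Verify(k *Knock, now time.Time) error {
	digest := sha256.Sum256(k.signedBytes())
	if err := rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, digest[:], k.Sig); err != nil {
		return ErrBadSignature
	}
	if d := now.Sub(time.Unix(k.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return ErrStale
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	// Drop nonces older than the window: a replay of those is already caught
	// by the freshness check, so forgetting them keeps the cache bounded.
	for n, ts := range v.seen {
		if now.Unix()-ts > int64(maxSkew/time.Second) {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[k.Nonce]; dup {
		return ErrReplay
	}
	v.seen[k.Nonce] = k.Timestamp
	return nil
}

func main() {
	// 2048-bit key for a quick demo; netguard-tool keygen defaults to 4096.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	v := NewVerifier(&priv.PublicKey)
	now := time.Now()
	k, _ := NewKnock(priv, ProtoTCP, 10022, now)
	fmt.Println("first knock:", v.Verify(k, now))                  // <nil>: open 10022 for the sender
	fmt.Println("replayed   :", v.Verify(k, now.Add(time.Second))) // knock: nonce already seen
}
```

Order matters in Verify: the signature is checked before the nonce is recorded, so unauthenticated traffic cannot fill the replay cache, and the cache is pruned to the skew window so it stays bounded. A real SPA server would additionally bind the unlock to the knock's source address and close the port again after a timeout; both are outside this example.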
- Add interfaces to query and reject tracked connections
- More certificate signing algorithms
- Hot update of the executable binary
- Audit log
- Knock SDK APIs
