frpc: support nathole discover (#3381)

2025-07-27 07:35:07 +00:00 · 2023-03-30 20:28:15 +08:00
parent 9800b4cfcf
commit a22d6c9504
13 changed files with 521 additions and 17 deletions
--- a/pkg/config/client.go
+++ b/pkg/config/client.go
@@ -41,6 +41,11 @@ type ClientCommonConf struct {
 	// ServerPort specifies the port to connect to the server on. By default,
 	// this value is 7000.
 	ServerPort int `ini:"server_port" json:"server_port"`
+	// ServerUDPPort specifies the server port to help penetrate NAT hole. By default, this value is 0.
+	// This parameter is only used when executing "nathole discover" in the command line.
+	ServerUDPPort int `ini:"server_udp_port" json:"server_udp_port"`
+	// STUN server to help penetrate NAT hole.
+	NatHoleSTUNServer string `ini:"nat_hole_stun_server" json:"nat_hole_stun_server"`
 	// The maximum amount of time a dial to server will wait for a connect to complete.
 	DialServerTimeout int64 `ini:"dial_server_timeout" json:"dial_server_timeout"`
 	// DialServerKeepAlive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
@@ -172,6 +177,7 @@ func GetDefaultClientConf() ClientCommonConf {
 		ClientConfig:            auth.GetDefaultClientConf(),
 		ServerAddr:              "0.0.0.0",
 		ServerPort:              7000,
+		NatHoleSTUNServer:       "stun.easyvoip.com:3478",
 		DialServerTimeout:       10,
 		DialServerKeepAlive:     7200,
 		HTTPProxy:               os.Getenv("http_proxy"),
--- a/pkg/config/client_test.go
+++ b/pkg/config/client_test.go
@@ -260,6 +260,7 @@ func Test_LoadClientCommonConf(t *testing.T) {
 		},
 		ServerAddr:              "0.0.0.9",
 		ServerPort:              7009,
+		NatHoleSTUNServer:       "stun.easyvoip.com:3478",
 		DialServerTimeout:       10,
 		DialServerKeepAlive:     7200,
 		HTTPProxy:               "http://user:passwd@192.168.1.128:8080",
--- a/pkg/msg/ctl.go
+++ b/pkg/msg/ctl.go
@@ -42,3 +42,7 @@ func ReadMsgInto(c io.Reader, msg Message) (err error) {
 func WriteMsg(c io.Writer, msg interface{}) (err error) {
 	return msgCtl.WriteMsg(c, msg)
 }
+
+func Pack(msg interface{}) (data []byte, err error) {
+	return msgCtl.Pack(msg)
+}
--- a/pkg/msg/msg.go
+++ b/pkg/msg/msg.go
@@ -37,6 +37,8 @@ const (
 	TypeNatHoleResp           = 'm'
 	TypeNatHoleClientDetectOK = 'd'
 	TypeNatHoleSid            = '5'
+	TypeNatHoleBinding        = 'b'
+	TypeNatHoleBindingResp    = '6'
 )

 var msgTypeMap = map[byte]interface{}{
@@ -58,6 +60,8 @@ var msgTypeMap = map[byte]interface{}{
 	TypeNatHoleResp:           NatHoleResp{},
 	TypeNatHoleClientDetectOK: NatHoleClientDetectOK{},
 	TypeNatHoleSid:            NatHoleSid{},
+	TypeNatHoleBinding:        NatHoleBinding{},
+	TypeNatHoleBindingResp:    NatHoleBindingResp{},
 }

 // When frpc start, client send this message to login to server.
@@ -193,3 +197,13 @@ type NatHoleClientDetectOK struct{}
 type NatHoleSid struct {
 	Sid string `json:"sid,omitempty"`
 }
+
+type NatHoleBinding struct {
+	TransactionID string `json:"transaction_id,omitempty"`
+}
+
+type NatHoleBindingResp struct {
+	TransactionID string `json:"transaction_id,omitempty"`
+	Address       string `json:"address,omitempty"`
+	Error         string `json:"error,omitempty"`
+}
--- a/pkg/nathole/classify.go
+++ b/pkg/nathole/classify.go
@@ -0,0 +1,74 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nathole
+
+import (
+	"fmt"
+	"net"
+)
+
+const (
+	EasyNAT = "EasyNAT"
+	HardNAT = "HardNAT"
+
+	BehaviorNoChange    = "BehaviorNoChange"
+	BehaviorIPChanged   = "BehaviorIPChanged"
+	BehaviorPortChanged = "BehaviorPortChanged"
+	BehaviorBothChanged = "BehaviorBothChanged"
+)
+
+// ClassifyNATType classify NAT type by given addresses.
+func ClassifyNATType(addresses []string) (string, string, error) {
+	if len(addresses) <= 1 {
+		return "", "", fmt.Errorf("not enough addresses")
+	}
+	ipChanged := false
+	portChanged := false
+
+	var baseIP, basePort string
+	for _, addr := range addresses {
+		ip, port, err := net.SplitHostPort(addr)
+		if err != nil {
+			return "", "", err
+		}
+		if baseIP == "" {
+			baseIP = ip
+			basePort = port
+			continue
+		}
+
+		if baseIP != ip {
+			ipChanged = true
+		}
+		if basePort != port {
+			portChanged = true
+		}
+
+		if ipChanged && portChanged {
+			break
+		}
+	}
+
+	switch {
+	case ipChanged && portChanged:
+		return HardNAT, BehaviorBothChanged, nil
+	case ipChanged:
+		return HardNAT, BehaviorIPChanged, nil
+	case portChanged:
+		return HardNAT, BehaviorPortChanged, nil
+	default:
+		return EasyNAT, BehaviorNoChange, nil
+	}
+}
--- a/pkg/nathole/discovery.go
+++ b/pkg/nathole/discovery.go
@@ -0,0 +1,192 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nathole
+
+import (
+	"fmt"
+	"net"
+	"time"
+
+	"github.com/pion/stun"
+
+	"github.com/fatedier/frp/pkg/msg"
+)
+
+var responseTimeout = 3 * time.Second
+
+type Address struct {
+	IP   string
+	Port int
+}
+
+type Message struct {
+	Body []byte
+	Addr string
+}
+
+func Discover(serverAddress string, stunServers []string, key []byte) ([]string, error) {
+	// parse address to net.Address
+	stunAddresses := make([]net.Addr, 0, len(stunServers))
+	for _, stunServer := range stunServers {
+		addr, err := net.ResolveUDPAddr("udp4", stunServer)
+		if err != nil {
+			return nil, err
+		}
+		stunAddresses = append(stunAddresses, addr)
+	}
+	serverAddr, err := net.ResolveUDPAddr("udp4", serverAddress)
+	if err != nil {
+		return nil, err
+	}
+
+	// create a discoverConn and get response from messageChan
+	discoverConn, err := listen()
+	if err != nil {
+		return nil, err
+	}
+	defer discoverConn.Close()
+
+	go discoverConn.readLoop()
+
+	addresses := make([]string, 0, len(stunServers)+1)
+	// get external address from frp server
+	externalAddr, err := discoverFromServer(discoverConn, serverAddr, key)
+	if err != nil {
+		return nil, err
+	}
+	addresses = append(addresses, externalAddr)
+
+	for _, stunAddr := range stunAddresses {
+		// get external address from stun server
+		externalAddr, err = discoverFromStunServer(discoverConn, stunAddr)
+		if err != nil {
+			return nil, err
+		}
+		addresses = append(addresses, externalAddr)
+	}
+	return addresses, nil
+}
+
+func discoverFromServer(c *discoverConn, addr net.Addr, key []byte) (string, error) {
+	m := &msg.NatHoleBinding{
+		TransactionID: NewTransactionID(),
+	}
+
+	buf, err := EncodeMessage(m, key)
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := c.conn.WriteTo(buf, addr); err != nil {
+		return "", err
+	}
+
+	var respMsg msg.NatHoleBindingResp
+	select {
+	case rawMsg := <-c.messageChan:
+		if err := DecodeMessageInto(rawMsg.Body, key, &respMsg); err != nil {
+			return "", err
+		}
+	case <-time.After(responseTimeout):
+		return "", fmt.Errorf("wait response from frp server timeout")
+	}
+
+	if respMsg.TransactionID == "" {
+		return "", fmt.Errorf("error format: no transaction id found")
+	}
+	if respMsg.Error != "" {
+		return "", fmt.Errorf("get externalAddr from frp server error: %s", respMsg.Error)
+	}
+	return respMsg.Address, nil
+}
+
+func discoverFromStunServer(c *discoverConn, addr net.Addr) (string, error) {
+	request, err := stun.Build(stun.TransactionID, stun.BindingRequest)
+	if err != nil {
+		return "", err
+	}
+
+	if err = request.NewTransactionID(); err != nil {
+		return "", err
+	}
+	if _, err := c.conn.WriteTo(request.Raw, addr); err != nil {
+		return "", err
+	}
+
+	var m stun.Message
+	select {
+	case msg := <-c.messageChan:
+		m.Raw = msg.Body
+		if err := m.Decode(); err != nil {
+			return "", err
+		}
+	case <-time.After(responseTimeout):
+		return "", fmt.Errorf("wait response from stun server timeout")
+	}
+
+	xorAddr := &stun.XORMappedAddress{}
+	mappedAddr := &stun.MappedAddress{}
+	if err := xorAddr.GetFrom(&m); err == nil {
+		return xorAddr.String(), nil
+	}
+	if err := mappedAddr.GetFrom(&m); err == nil {
+		return mappedAddr.String(), nil
+	}
+	return "", fmt.Errorf("no address found")
+}
+
+type discoverConn struct {
+	conn *net.UDPConn
+
+	localAddr   net.Addr
+	messageChan chan *Message
+}
+
+func listen() (*discoverConn, error) {
+	conn, err := net.ListenUDP("udp4", nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return &discoverConn{
+		conn:        conn,
+		localAddr:   conn.LocalAddr(),
+		messageChan: make(chan *Message, 10),
+	}, nil
+}
+
+func (c *discoverConn) Close() error {
+	if c.messageChan != nil {
+		close(c.messageChan)
+		c.messageChan = nil
+	}
+	return c.conn.Close()
+}
+
+func (c *discoverConn) readLoop() {
+	for {
+		buf := make([]byte, 1024)
+		n, addr, err := c.conn.ReadFromUDP(buf)
+		if err != nil {
+			return
+		}
+		buf = buf[:n]
+
+		c.messageChan <- &Message{
+			Body: buf,
+			Addr: addr.String(),
+		}
+	}
+}
--- a/pkg/nathole/nathole.go
+++ b/pkg/nathole/nathole.go
@@ -1,3 +1,17 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package nathole

 import (
@@ -7,6 +21,7 @@ import (
 	"sync"
 	"time"

+	"github.com/fatedier/golib/crypto"
 	"github.com/fatedier/golib/errors"
 	"github.com/fatedier/golib/pool"

@@ -18,6 +33,11 @@ import (
 // NatHoleTimeout seconds.
 var NatHoleTimeout int64 = 10

+func NewTransactionID() string {
+	id, _ := util.RandID()
+	return fmt.Sprintf("%d%s", time.Now().Unix(), id)
+}
+
 type SidRequest struct {
 	Sid      string
 	NotifyCh chan struct{}
@@ -29,10 +49,11 @@ type Controller struct {
 	clientCfgs map[string]*ClientCfg
 	sessions   map[string]*Session

-	mu sync.RWMutex
+	encryptionKey []byte
+	mu            sync.RWMutex
 }

-func NewController(udpBindAddr string) (nc *Controller, err error) {
+func NewController(udpBindAddr string, encryptionKey []byte) (nc *Controller, err error) {
 	addr, err := net.ResolveUDPAddr("udp", udpBindAddr)
 	if err != nil {
 		return nil, err
@@ -42,9 +63,10 @@ func NewController(udpBindAddr string) (nc *Controller, err error) {
 		return nil, err
 	}
 	nc = &Controller{
-		listener:   lconn,
-		clientCfgs: make(map[string]*ClientCfg),
-		sessions:   make(map[string]*Session),
+		listener:      lconn,
+		clientCfgs:    make(map[string]*ClientCfg),
+		sessions:      make(map[string]*Session),
+		encryptionKey: encryptionKey,
 	}
 	return nc, nil
 }
@@ -72,24 +94,30 @@ func (nc *Controller) Run() {
 		buf := pool.GetBuf(1024)
 		n, raddr, err := nc.listener.ReadFromUDP(buf)
 		if err != nil {
-			log.Trace("nat hole listener read from udp error: %v", err)
+			log.Warn("nat hole listener read from udp error: %v", err)
 			return
 		}
-
-		rd := bytes.NewReader(buf[:n])
-		rawMsg, err := msg.ReadMsg(rd)
+		plain, err := crypto.Decode(buf[:n], nc.encryptionKey)
 		if err != nil {
-			log.Trace("read nat hole message error: %v", err)
+			log.Warn("nathole listener decode from %s error: %v", raddr.String(), err)
+			continue
+		}
+
+		rawMsg, err := msg.ReadMsg(bytes.NewReader(plain))
+		if err != nil {
+			log.Warn("read nat hole message error: %v", err)
 			continue
 		}

 		switch m := rawMsg.(type) {
+		case *msg.NatHoleBinding:
+			go nc.HandleBinding(m, raddr)
 		case *msg.NatHoleVisitor:
 			go nc.HandleVisitor(m, raddr)
 		case *msg.NatHoleClient:
 			go nc.HandleClient(m, raddr)
 		default:
-			log.Trace("error nat hole message type")
+			log.Trace("unknown nat hole message type")
 			continue
 		}
 		pool.PutBuf(buf)
@@ -102,6 +130,29 @@ func (nc *Controller) GenSid() string {
 	return fmt.Sprintf("%d%s", t, id)
 }

+func (nc *Controller) HandleBinding(m *msg.NatHoleBinding, raddr *net.UDPAddr) {
+	log.Trace("handle binding message from %s", raddr.String())
+	resp := &msg.NatHoleBindingResp{
+		TransactionID: m.TransactionID,
+		Address:       raddr.String(),
+	}
+	plain, err := msg.Pack(resp)
+	if err != nil {
+		log.Error("pack nat hole binding response error: %v", err)
+		return
+	}
+	buf, err := crypto.Encode(plain, nc.encryptionKey)
+	if err != nil {
+		log.Error("encode nat hole binding response error: %v", err)
+		return
+	}
+	_, err = nc.listener.WriteToUDP(buf, raddr)
+	if err != nil {
+		log.Error("write nat hole binding response to %s error: %v", raddr.String(), err)
+		return
+	}
+}
+
 func (nc *Controller) HandleVisitor(m *msg.NatHoleVisitor, raddr *net.UDPAddr) {
 	sid := nc.GenSid()
 	session := &Session{
--- a/pkg/nathole/utils.go
+++ b/pkg/nathole/utils.go
@@ -0,0 +1,48 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nathole
+
+import (
+	"bytes"
+
+	"github.com/fatedier/golib/crypto"
+
+	"github.com/fatedier/frp/pkg/msg"
+)
+
+func EncodeMessage(m msg.Message, key []byte) ([]byte, error) {
+	buffer := bytes.NewBuffer(nil)
+	if err := msg.WriteMsg(buffer, m); err != nil {
+		return nil, err
+	}
+
+	buf, err := crypto.Encode(buffer.Bytes(), key)
+	if err != nil {
+		return nil, err
+	}
+	return buf, nil
+}
+
+func DecodeMessageInto(data, key []byte, m msg.Message) error {
+	buf, err := crypto.Decode(data, key)
+	if err != nil {
+		return err
+	}
+
+	if err := msg.ReadMsgInto(bytes.NewReader(buf), m); err != nil {
+		return err
+	}
+	return nil
+}