linux下有tun/tap,可以虛擬出來一張網卡.
以下爲個人理解:
比如你的網卡ip爲192.169.8.138,當你的程序在監聽192.169.8.138:55555端口時,流量就會從這個網卡經過.
經過是什麼意思呢,tcp會有三次握手,那麼握手的包便是走在這個網卡上,當你使用tcpdump -i tun111 -vvv -e -X 這個命令去抓tun111網卡的時候,就可以看到三次顯示.這三次顯示實際上是IP包,IP包內是TCP協議.
而linux把所有設備都當成是一個文件,也就是說可以把這個網卡當成一個文件來讀寫,可以取得它的fd,類似的,socket也可以取得fd讀寫.當把一個IP包直接寫入到網卡的fd時,網卡會認爲這是一個新收到的報文,和通過網線進來的報文一樣.
那麼要構造一個vpn,實際上要做的工作就是:把虛擬出來的網卡上的流量,轉發(寫入)到另一臺機器的網卡上.
於是,可以通過一個通道,將網絡兩端的機器:
我們通過select監控本端的網卡的fd和連接兩臺機器的tcp socket的net_fd(連接建立後兩端都會各自有這個fd,至於爲什麼是tcp?其實tcp over tcp並不好)
假設A端的虛擬網卡的ip上,我們新建一個tcp socket連接B,要發出握手的報文,那麼在此時A的網卡上會被系統寫入一個IP包,
通過select我們獲取到這個信息,將它讀取出來,通過net_fd發到對端B的socket上,B收到後再將它轉而寫入B自己的網卡,
那麼在B的虛擬網卡上listen的socket就會獲得這次握手. (注意分清連接兩臺機器的socket和我們測試握手的socket哦)
關於tun/tap的使用可以參考:
https://backreference.org/2010/03/26/tuntap-interface-tutorial/
那麼,下面是實現.
步驟1.虛擬網卡: A端作爲主機,設置一張虛擬網卡和ip,運行程序(看後面代碼)
ip tuntap add tun111 mode tun
ip addr add 192.168.8.138/24 dev tun111
ip link set dev tun111 up
./simple_ip -i tun111 -s -d
B端,作爲客戶端
ip tuntap add tun111 mode tun
ip addr add 192.168.8.139/24 dev tun111
ip link set dev tun111 up
./simple_ip -i tun111 -c 35.240.237.210(對端的ip)
此時,A端會收到連接請求
那麼,可以測試一下,在A端搭個服務器python -m SimpleHTTPServer 8000
B端訪問192.168.138:8000即可下載其中文件
代碼:在原文代碼上做了修改,直接通過ip包頭記錄的報文長度讀取整個報文.可以考慮加入多機的支持,需要增加對ip目的地址是否需要轉發的判斷
編譯:g++ simple_ip.cc -o simple_ip
/**************************************************************************
* simpletun.c *
* *
* A simplistic, simple-minded, naive tunnelling program using tun/tap *
* interfaces and TCP. DO NOT USE THIS PROGRAM FOR SERIOUS PURPOSES. *
* *
* You have been warned. *
* *
* (C) 2010 Davide Brini. *
* *
* DISCLAIMER AND WARNING: this is all work in progress. The code is *
* ugly, the algorithms are naive, error checking and input validation *
* are very basic, and of course there can be bugs. If that's not enough, *
* the program has not been thoroughly tested, so it might even fail at *
* the few simple things it should be supposed to do right. *
* Needless to say, I take no responsibility whatsoever for what the *
* program might do. The program has been written mostly for learning *
* purposes, and can be used in the hope that is useful, but everything *
* is to be taken "as is" and without any kind of warranty, implicit or *
* explicit. See the file LICENSE for further details. *
*************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <linux/if_tun.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <arpa/inet.h>
#include <sys/select.h>
#include <sys/time.h>
#include <errno.h>
#include <stdarg.h>
#include <iostream>
/* buffer for reading from tun/tap interface, must be >= 1500 */
#define BUFSIZE 2000
#define CLIENT 0
#define SERVER 1
#define PORT 55559
typedef unsigned char BYTE;
typedef unsigned short WORD;
typedef unsigned long DWORD;
using namespace std;
typedef struct tIPPackHead
{
BYTE ver_hlen; //IP協議版本和IP首部長度。高4位爲版本,低4位爲首部的長度(單位爲4bytes)
BYTE byTOS; //服務類型
WORD wPacketLen; //IP包總長度。包括首部,單位爲byte。[Big endian]
WORD wSequence; //標識,一般每個IP包的序號遞增。[Big endian]
union
{
WORD Flags; //標誌
WORD FragOf;//分段偏移
};
BYTE byTTL; //生存時間
BYTE byProtocolType; //協議類型,見PROTOCOL_TYPE定義
WORD wHeadCheckSum; //IP首部校驗和[Big endian]
DWORD dwIPSrc; //源地址
DWORD dwIPDes; //目的地址
//BYTE Options; //選項
} IP_HEAD;
int debug;
char *progname;
int cnt;
int DecodeIP(char *buf, int len)
{
int n = len;
if (n >= sizeof(IP_HEAD))
{
IP_HEAD iphead;
iphead = *(IP_HEAD*)buf;
cout << "第 "<<cnt++<<" 個IP數據包信息:" << endl;
cout << "協議版本:" <<(iphead.ver_hlen >> 4) << endl;
cout << "首部長度:" << ((iphead.ver_hlen & 0x0F) << 2) << endl;//單位爲4字節
cout << "服務類型:Priority: " << (iphead.byTOS >> 5) << ",Service: " << ((iphead.byTOS >> 1) & 0x0f) << endl;
cout << "IP包總長度:" << ntohs(iphead.wPacketLen) << endl; //網絡字節序轉爲主機字節序
cout << "標識:" << ntohs(iphead.wSequence) << endl;
cout << "標誌位:" << "DF=" << ((iphead.Flags >> 14) & 0x01) << ",MF=" << ((iphead.Flags >> 13) & 0x01) << endl;
cout << "片偏移:" << (iphead.FragOf & 0x1fff) << endl;
cout << "生存週期:" << (int)iphead.byTTL << endl;
cout << "協議類型:" << int(iphead.byProtocolType) << endl;
cout << "首部校驗和:" << ntohs(iphead.wHeadCheckSum) << endl;
cout << "源地址:" << inet_ntoa(*(in_addr*)&iphead.dwIPSrc) << endl;
cout << "目的地址:" << inet_ntoa(*(in_addr*)&iphead.dwIPDes) << endl;
cout << "==============================================================" << endl << endl;
}else{
cout << "***包長不足:" << n << " < " << sizeof(IP_HEAD) << endl;
}
return 0;
}
/**************************************************************************
* tun_alloc: allocates or reconnects to a tun/tap device. The caller *
* must reserve enough space in *dev. *
**************************************************************************/
int tun_alloc(char *dev, int flags) {
struct ifreq ifr;
int fd, err;
char *clonedev = "/dev/net/tun";
if( (fd = open(clonedev , O_RDWR)) < 0 ) {
perror("Opening /dev/net/tun");
return fd;
}
memset(&ifr, 0, sizeof(ifr));
ifr.ifr_flags = flags;
if (*dev) {
strncpy(ifr.ifr_name, dev, IFNAMSIZ);
}
if( (err = ioctl(fd, TUNSETIFF, (void *)&ifr)) < 0 ) {
perror("ioctl(TUNSETIFF)");
close(fd);
return err;
}
strcpy(dev, ifr.ifr_name);
return fd;
}
/**************************************************************************
* cread: read routine that checks for errors and exits if an error is *
* returned. *
**************************************************************************/
int cread(int fd, char *buf, int n){
int nread;
if((nread=read(fd, buf, n)) < 0){
perror("Reading data");
exit(1);
}
//DecodeIP(buf, nread);
printf("read len:%d -> ", nread);
for(int i = 0;i < nread;i++){
printf("%x",buf[i]);
}
printf("\n");
return nread;
}
/**************************************************************************
* cwrite: write routine that checks for errors and exits if an error is *
* returned. *
**************************************************************************/
int cwrite(int fd, char *buf, int n){
int nwrite;
if((nwrite=write(fd, buf, n)) < 0){
perror("Writing data");
exit(1);
}
printf("write: ");
for(int i = 0;i < n;i++){
printf("%x",buf[i]);
}
printf("\n");
return nwrite;
}
/**************************************************************************
* read_n: ensures we read exactly n bytes, and puts them into "buf". *
* (unless EOF, of course) *
**************************************************************************/
int read_n(int fd, char *buf, int n) {
int nread, left = n;
while(left > 0) {
if ((nread = cread(fd, buf, left)) == 0){
return 0 ;
}else {
left -= nread;
buf += nread;
}
}
return n;
}
// 讀取ipv4包頭,獲得需要繼續讀的長度
int read_ipv4_len_left(int fd ,char *buf){
cout << "==read_ipv4_len_left==" << endl;
int nread;
nread = read_n(fd, buf, sizeof(IP_HEAD));
cout << "==read_ipv4_len_left== -> read_n" << nread << endl;
if (nread = 0){
cout << "read_ipv4_len_left get 0." << endl;
return 0;
}
IP_HEAD iphead;
iphead = *(IP_HEAD*)buf;
DecodeIP(buf, nread);
int len_to_read = ntohs(iphead.wPacketLen) - sizeof(IP_HEAD);
cout << "此IP包總長度: " << ntohs(iphead.wPacketLen) << endl;
cout << "剩餘要讀取的長度:" << len_to_read << endl;
return len_to_read;
}
/**************************************************************************
* do_debug: prints debugging stuff (doh!) *
**************************************************************************/
void do_debug(char *msg, ...){
va_list argp;
if(debug) {
va_start(argp, msg);
vfprintf(stderr, msg, argp);
va_end(argp);
}
}
/**************************************************************************
* my_err: prints custom error messages on stderr. *
**************************************************************************/
void my_err(char *msg, ...) {
va_list argp;
va_start(argp, msg);
vfprintf(stderr, msg, argp);
va_end(argp);
}
/**************************************************************************
* usage: prints usage and exits. *
**************************************************************************/
void usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "%s -i <ifacename> [-s|-c <serverIP>] [-p <port>] [-u|-a] [-d]\n", progname);
fprintf(stderr, "%s -h\n", progname);
fprintf(stderr, "\n");
fprintf(stderr, "-i <ifacename>: Name of interface to use (mandatory)\n");
fprintf(stderr, "-s|-c <serverIP>: run in server mode (-s), or specify server address (-c <serverIP>) (mandatory)\n");
fprintf(stderr, "-p <port>: port to listen on (if run in server mode) or to connect to (in client mode), default 55555\n");
fprintf(stderr, "-u|-a: use TUN (-u, default) or TAP (-a)\n");
fprintf(stderr, "-d: outputs debug information while running\n");
fprintf(stderr, "-h: prints this help text\n");
exit(1);
}
int main(int argc, char *argv[]) {
cout << "ip 包頭:" << sizeof(IP_HEAD) << endl;
int tap_fd, option;
int flags = IFF_TUN;
char if_name[IFNAMSIZ] = "";
int maxfd;
uint16_t nread, nwrite, plength;
char buffer[BUFSIZE];
struct sockaddr_in local, remote;
char remote_ip[16] = ""; /* dotted quad IP string */
unsigned short int port = PORT;
int sock_fd, net_fd, optval = 1;
socklen_t remotelen;
int cliserv = -1; /* must be specified on cmd line */
unsigned long int tap2net = 0, net2tap = 0;
progname = argv[0];
/* Check command line options */
while((option = getopt(argc, argv, "i:sc:p:uahd")) > 0) {
switch(option) {
case 'd':
debug = 1;
break;
case 'h':
usage();
break;
case 'i':
strncpy(if_name,optarg, IFNAMSIZ-1);
break;
case 's':
cliserv = SERVER;
break;
case 'c':
cliserv = CLIENT;
strncpy(remote_ip,optarg,15);
break;
case 'p':
port = atoi(optarg);
break;
case 'u':
flags = IFF_TUN;
break;
case 'a':
flags = IFF_TAP;
break;
default:
my_err("Unknown option %c\n", option);
usage();
}
}
argv += optind;
argc -= optind;
if(argc > 0) {
my_err("Too many options!\n");
usage();
}
if(*if_name == '\0') {
my_err("Must specify interface name!\n");
usage();
} else if(cliserv < 0) {
my_err("Must specify client or server mode!\n");
usage();
} else if((cliserv == CLIENT)&&(*remote_ip == '\0')) {
my_err("Must specify server address!\n");
usage();
}
/* initialize tun/tap interface */
if ( (tap_fd = tun_alloc(if_name, flags | IFF_NO_PI)) < 0 ) {
my_err("Error connecting to tun/tap interface %s!\n", if_name);
exit(1);
}
do_debug("Successfully connected to interface %s\n", if_name);
if ( (sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket()");
exit(1);
}
if(cliserv == CLIENT) {
/* Client, try to connect to server */
/* assign the destination address */
memset(&remote, 0, sizeof(remote));
remote.sin_family = AF_INET;
remote.sin_addr.s_addr = inet_addr(remote_ip);
remote.sin_port = htons(port);
/* connection request */
if (connect(sock_fd, (struct sockaddr*) &remote, sizeof(remote)) < 0) {
perror("connect()");
exit(1);
}
net_fd = sock_fd;
do_debug("CLIENT: Connected to server %s\n", inet_ntoa(remote.sin_addr));
} else {
/* Server, wait for connections */
/* avoid EADDRINUSE error on bind() */
if(setsockopt(sock_fd, SOL_SOCKET, SO_REUSEADDR, (char *)&optval, sizeof(optval)) < 0) {
perror("setsockopt()");
exit(1);
}
memset(&local, 0, sizeof(local));
local.sin_family = AF_INET;
local.sin_addr.s_addr = htonl(INADDR_ANY);
local.sin_port = htons(port);
if (bind(sock_fd, (struct sockaddr*) &local, sizeof(local)) < 0) {
perror("bind()");
exit(1);
}
if (listen(sock_fd, 5) < 0) {
perror("listen()");
exit(1);
}
/* wait for connection request */
remotelen = sizeof(remote);
memset(&remote, 0, remotelen);
if ((net_fd = accept(sock_fd, (struct sockaddr*)&remote, &remotelen)) < 0) {
perror("accept()");
exit(1);
}
do_debug("SERVER: Client connected from %s\n", inet_ntoa(remote.sin_addr));
}
/* use select() to handle two descriptors at once */
maxfd = (tap_fd > net_fd)?tap_fd:net_fd;
while(1) {
int ret;
fd_set rd_set;
FD_ZERO(&rd_set);
FD_SET(tap_fd, &rd_set); FD_SET(net_fd, &rd_set);
ret = select(maxfd + 1, &rd_set, NULL, NULL, NULL);
if (ret < 0 && errno == EINTR){
continue;
}
if (ret < 0) {
perror("select()");
exit(1);
}
if(FD_ISSET(tap_fd, &rd_set)) {
/* data from tun/tap: just read it and write it to the network */
nread = cread(tap_fd, buffer, BUFSIZE); // BUFSIZE 2000,一般不會超過ip包最長長度
printf("tap recv ip packet ver:%x", (char)(*buffer));
if((char)(*buffer) == 0x45){
tap2net++;
do_debug("TAP2NET %lu: Read %d bytes from the tap interface\n", tap2net, nread);
nwrite = cwrite(net_fd, buffer, nread);
do_debug("TAP2NET %lu: Written %d bytes to the network\n", tap2net, nwrite);
}else{
printf("Not ipv4 packet, drop this.");
}
}
if(FD_ISSET(net_fd, &rd_set)) {
/* data from the network: read it, and write it to the tun/tap interface.
* We need to read the length first, and then the packet */
/* Read length */
nread = read_ipv4_len_left(net_fd, (char *)buffer);
if(nread == 0) {
/* ctrl-c at the other end */
cout << "get nread==0, break." << endl;
break;
}else{
}
net2tap++;
char *whole_packet = (char *) malloc(sizeof(IP_HEAD) + nread);
memcpy(whole_packet, buffer, sizeof(IP_HEAD));
/* read packet */
nread = read_n(net_fd, buffer, nread);
memcpy(whole_packet + sizeof(IP_HEAD), buffer, nread);
do_debug("NET2TAP %lu: Read %d bytes from the network\n", net2tap, nread);
/* now buffer[] contains a full packet or frame, write it into the tun/tap interface */
nwrite = cwrite(tap_fd, (char*)whole_packet, sizeof(IP_HEAD) + nread);
do_debug("NET2TAP %lu: Written %d bytes to the tap interface\n", net2tap, nwrite);
}
}
return(0);
}