luscis / openlan Goto Github PK

View Code? Open in Web Editor NEW

49.0 1.0 21.0 3.81 MB

Cloudify VPN Written in Golang, Simple deployment via Compose or Kubernetes

Home Page: http://vpn.luscis.cn

License: GNU General Public License v3.0

Makefile 1.35% Go 96.75% HTML 1.74% Dockerfile 0.13% Shell 0.02%

sdwan ipsec openvpn vxlan openlan vpn sdp

openlan's Introduction

English | 简体中文

What's OpenLAN?

OpenLAN provides a realization of the transmission of LAN data packets in the WAN, and can establish a virtual Ethernet network in multiple user spaces.

Why is OpenLAN?

If you have more flexible VPN business needs and need to use VPN to access the enterprise, or use public network cloud hosts for network proxy and network penetration, you can try OpenLAN, which can make deployment easier.

What is the function of OpenLAN?

Users can use OpenLAN to divide multiple network spaces to provide logical network isolation for different services;
Multiple Central Switchs can use the OpenLAN protocol to communicate on the ethernet layer, and SNAT routes can be added to the second layer network to easily access the internal network of the enterprise;
Users can use OpenVPN to access the User Network, OpenVPN supports multiple platforms such as Android/MacOS/Windows, etc;
IPSec tunnel network can also be used between multiple Central Switchs, and it supports further division of VxLAN/STT tenant networks on this network;
Use a simple username and password as the access authentication method, and you can set a pre-shared key to encrypt data packets;
The OpenLAN protocol can work on various transmission protocols such as TCP/TLS/UDP/KCP/WS/WSS, TCP has high performance, and TLS/WSS can provide better encryption security;
OpenLAN also provides simple HTTP/HTTPS/SOCKS5 and other HTTP forward proxy technology, users can flexibly configure proxy for network penetration according to needs;

Working scenario of OpenLAN?

Branch central access

                          Central Switch - 10.16.1.10/24
                                  ^
                                  |
                               Wifi(DNAT)
                                  |
                                  |
         ----------------------Internet-------------------------
         ^                        ^                           ^
         |                        |                           |
       Branch1                  Branch2                     Branch3     
         |                        |                           |
     OpenLAN                  OpenLAN                      OpenLAN
  10.16.1.11/24             10.16.1.12/24                10.16.1.13/24

Multi-region interconnection

 192.168.1.20/24                                                  192.168.1.21/24
        |                                                                |
    OpenLAN -- Hotel Wifi --> Central Switch(NanJing) <--- Other Wifi --- OpenLAN
                                     |
                                     |
                                   Internet
                                     |
                                     |
                             Central Switch(Shanghai) - 192.168.1.10/24
                                     |
                                     |
            ------------------------------------------------------
            ^                        ^                           ^
            |                        |                           |
         Office Wifi              Home Wifi                 Hotel Wifi     
            |                        |                           |
        OpenLAN                  OpenLAN                     OpenLAN
    192.168.1.11/24           192.168.1.12/24             192.168.1.13/24

Data Center Full Internet

Underlay for VxLAN over Internet by IPSec.

                       47.example.com
                              |
                              |
                              |
                          +-------+
                          | vps-47|  -- 100.65.0.117
                          +-------+
                            /   \
                          /       \
   SPI-117118           /           \         SPI-117119
                      /               \
                    /                   \
              +-------+                +-------+
              | vps-92| -------------- | vps-12|
              +-------+                +-------+
              /   |                       |  \ 
             /    |    SPI-118119         |   \
100.65.0.118      |                       |    100.65.0.119
                  |                       |
            92.example.com          12.example.com

DCI Subnet: 192.168.x.x over IPSec Network: 100.65.0.x.

                            100.65.0.117
                                  |
                 eth1.200 ---     |    --- eth1.100
                               \  |  /
                              +--------+
                              | vps-47 |
                              +--------+
                                /   \
                              /       \                   
                            /           \                 
                          /               \
  enp2s4.100 ---        /                   \        --- eth4.30
                 \    /                       \     /
                 +--------+                 +--------+
                 | vps-92 | --------------- | vps-12 |
                 +--------+                 +--------+
                  /    |                      |   \
  enp2s4.101 ---       |                      |     --- eth4.200
                       |                      |
                100.65.0.118            100.65.0.119
 
 VNI-1023 192.168.30.0/24 [vps-47_eth1.100, vps-92_enp2s4.100, vps-12_eth4.30]
 VNI-1024 192.168.40.0/24 [vps-47_eth1.200, vps-92_enp2s4.101, vps-12_eth4.200]

Help documents

openlan's People

Contributors

Stargazers

Watchers

openlan's Issues

When restart switch, lease list cann‘t see dynamic ip address.

support to split network from host

root@daniel-book:~# iptables -t nat -S XTT_pos-example
-N XTT_pos-example
-A XTT_pos-example -d 169.254.222.0/24 -m set --match-set xtt_example_r src -m comment --comment "To VPN" -j MASQUERADE
-A XTT_pos-example -s 172.66.99.0/24 -m set --match-set xtt_example_r dst -m comment --comment "To Masq" -j MASQUERADE
-A XTT_pos-example -s 169.254.222.0/24 -m mark --mark 0xa -m set --match-set xtt_example_v dst -m comment --comment "From VPN" -j MASQUERADE
root@daniel-book:~#

root@daniel-book:~# iptables -S -t raw -L XTT_pre-example
-A XTT_pre-example -i tun1025 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i br-example -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i b1 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i tun1025 -j CT --zone mark
-A XTT_pre-example -i br-example -j CT --zone mark
-A XTT_pre-example -i b1 -j CT --zone mark
root@daniel-book:~#

root@daniel-book:~# iptables -t raw -S XTT_out-example
-N XTT_out-example
-A XTT_out-example -o b1 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_out-example -o b1 -j CT --zone mark
root@daniel-book:~#

root@daniel-book:~# conntrack -L | grep icmp
conntrack v1.4.5 (conntrack-tools): 31 flow entries have been shown.
icmp     1 18 src=172.66.99.10 dst=172.66.99.20 type=8 code=0 id=55967 src=172.66.99.20 dst=172.66.99.10 type=0 code=0 id=20752 mark=0 zone=10 use=1
icmp     1 18 src=169.254.222.6 dst=172.66.99.20 type=8 code=0 id=55967 src=172.66.99.20 dst=172.66.99.10 type=0 code=0 id=55967 mark=0 zone=10 use=1
root@daniel-book:~#

When network has not subnet to new lease for a new point, switch will crach

2024-01-16T13:56:09Z INFO|jphc.luscis.cn|Switch.ReadTap: vir2
2024-01-16T13:56:09Z INFO|218.94.118.90:39058|Request.onIpAddr: {"name":"hongkong","ifAddr":"","ipStart":"","ipEnd":"","netmask":"255.255.255.255","routes":null}
2024-01-16T13:56:09Z FATAL|root|Go.func|PANIC >>> runtime error: invalid memory address or nil pointer dereference <<<
2024-01-16T13:56:09Z FATAL|root|Go.func|STACK >>> goroutine 281 [running]:
runtime/debug.Stack(0x127dee0, 0x63, 0xc00046c690)
	/usr/local/go/src/runtime/debug/stack.go:24 +0x9f
github.com/luscis/openlan/pkg/libol.Catch(0xc11152, 0x7)
	/root/daniel/openlan/pkg/libol/logger.go:148 +0x18a
panic(0xb3d300, 0x127a090)
	/usr/local/go/src/runtime/panic.go:965 +0x1b9
github.com/luscis/openlan/pkg/app.findLease(0x0, 0x0, 0xc00024c900, 0xc00024c900)
	/root/daniel/openlan/pkg/app/request.go:77 +0xd1
github.com/luscis/openlan/pkg/app.(*Request).onIpAddr(0xc0002e0c70, 0xd03ad8, 0xc0002e0010, 0xc000210010, 0x61, 0x31ff0)
	/root/daniel/openlan/pkg/app/request.go:126 +0x42d
github.com/luscis/openlan/pkg/app.(*Request).OnFrame(0xc0002e0c70, 0xd03ad8, 0xc0002e0010, 0xc000371580, 0x0, 0x0)
	/root/daniel/openlan/pkg/app/request.go:38 +0x216
github.com/luscis/openlan/pkg/switch.(*Switch).onFrame(0xc00024c0c0, 0xd03ad8, 0xc0002e0010, 0xc000371580, 0x2, 0xc00041feac)
	/root/daniel/openlan/pkg/switch/switch.go:292 +0xab
github.com/luscis/openlan/pkg/switch.(*Switch).ReadClient(0xc00024c0c0, 0xd03ad8, 0xc0002e0010, 0xc000371580, 0x0, 0x0)
	/root/daniel/openlan/pkg/switch/switch.go:348 +0xc7
github.com/luscis/openlan/pkg/libol.(*SocketServerImpl).Read.func1()
	/root/daniel/openlan/pkg/libol/socket.go:537 +0x11d
github.com/luscis/openlan/pkg/libol.Go.func1(0xc0004a0390, 0xd66df0, 0x24)
	/root/daniel/openlan/pkg/libol/go.go:36 +0x187
created by github.com/luscis/openlan/pkg/libol.Go

Support single client on for http proxy.

has carsh when get routes from confd

switch_1        | panic: runtime error: invalid memory address or nil pointer dereference
switch_1        | [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xa451e6]
switch_1        | goroutine 305 [running]:
switch_1        | github.com/luscis/openlan/pkg/database.(*OvSDB).WhereList(0x0, 0xb0c140, 0xc000200198, 0xadd420, 0xc000200120, 0x2, 0x2)
switch_1        | 	/root/daniel/openlan/pkg/database/client.go:60 +0x26
switch_1        | github.com/luscis/openlan/pkg/switch.GetRoutes(0xc000200120, 0xc0002e7498, 0x6, 0x8, 0xc000770638)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:107 +0x198
switch_1        | github.com/luscis/openlan/pkg/switch.(*MemberLink).Add(0xc000677c88, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:318 +0x439
switch_1        | github.com/luscis/openlan/pkg/switch.(*ConfD).AddLink(0xc000240040, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:135 +0x1fa
switch_1        | github.com/luscis/openlan/pkg/switch.(*ConfD).Add(0xc000240040, 0xc09a1f, 0xc, 0xb38d80, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:57 +0x5cd
switch_1        | github.com/ovn-org/libovsdb/cache.(*EventHandlerFuncs).OnAdd(0xc0002000d8, 0xc09a1f, 0xc, 0xb38d80, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:434 +0x62
switch_1        | github.com/ovn-org/libovsdb/cache.(*eventProcessor).Run(0xc000a019b0, 0xc0000ba120)
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:844 +0x215
switch_1        | github.com/ovn-org/libovsdb/cache.(*TableCache).Run.func1(0xc000443410, 0xc0002f0480, 0xc0000ba120)
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:734 +0x65
switch_1        | created by github.com/ovn-org/libovsdb/cache.(*TableCache).Run
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:732 +0x85
switch_1        | + /usr/bin/env find /var/openlan/point -type f -delete
switch_1        | + /usr/bin/env find /var/openlan/openvpn -name '*.status' -delete
switch_1        | + '[' '!' -e /etc/openlan/switch/switch.json ']'
switch_1        | + '[' '!' -e /etc/openlan/switch/network/example.json ']'
switch_1        | + exec /usr/bin/openlan-switch -conf:dir /etc/openlan/switch -log:level 20
ovs-vswitchd_1  | 2023-04-05T01:08:08Z|00004|bfd(monitor34)|INFO|vx-10064086: BFD state change: up->down "Control Detection Time Expired"->"Control Detection Time Expired".
ovs-vswitchd_1  |   Forwarding: true
ovs-vswitchd_1  |   Detect Multiplier: 3```

ip_forward 内核不能修改

容器里面的内核无法修改，默认已经是1

add output

No local restapi added

修改默认10000、10002端口后 openvpn 存在连接问题

多区域互联配置，openlan-point接入openlan，会多一个网桥地址

{
"name": "private",
"bridge": {
"name": "br-em2",
"address": "192.168.1.88/24"
},
"subnet": {
"end": "192.168.1.150",
"netmask": "255.255.255.0",
"start": "192.168.1.100"
},
"openvpn": {
"listen": "0.0.0.0:1188",
"subnet": "172.32.88.0/24"
},
"links": [
{
"connection": "xxxxx",
"password": "xxxxx",
"username": "access1@private",
"crypt": {
"algo": "aes-128",
"secret": "xxxxx"
}
}
]
}

$ ip r
192.168.1.0/24 dev bi-k3iu61j9 proto kernel scope link src 192.168.1.88
192.168.1.0/24 dev br-me2 proto kernel scope link src 192.168.1.88

invalid network default

Jan 15 03:00:55 ops-testus switch.sh[1716]: 2024-01-15T03:00:55Z INFO|183.14.132.108:58752|Access.handleLogin: success
Jan 15 03:00:55 ops-testus switch.sh[1716]: 2024-01-15T03:00:55Z INFO|183.14.132.108:58752|Access.onAuth
Jan 15 03:00:55 ops-testus switch.sh[1716]: 2024-01-15T03:00:55Z ERROR|ops-testus|Switch.NewTap: bridge default notFound
Jan 15 03:00:56 ops-testus switch.sh[1716]: 2024-01-15T03:00:56Z INFO|183.14.132.108:58752|Request.onIpAddr: {"name":"","ifAddr":"192.168.200.2","ipStart":"","ipEnd":"","netmask":>
Jan 15 03:00:56 ops-testus switch.sh[1716]: 2024-01-15T03:00:56Z ERROR|183.14.132.108:58752|Request.onIpAddr: invalid network default.

proxy start failed with Server closed.

support add output for openlan provider

Add a vlxan type output:

openlan output add --network example --remote 1.1.1.2 --segment 100 --protocol vxlan

Add a gre type output:

openlan output add --network example --remote 1.1.1.2 --segment 100 --protocol gre

Add a vxlan type output:

openlan output add --network example --remote enp2s3 --segment 23

Remove a vxlan type output:

openlan output rm --network example --device vxn100

Display all outputs

openlan output list --network example

Add a openlan type output:

openlan output add --network example --protocol tcp --connection 1.1.1.1 --secret aes-128:key --auth user:password

自动管理point端路由

我连上vpn后，还需要手动执行ip r add,
不能自动管理路由吗？

Support IPv6

add a ipv6 vxlan tunnel:

[root@node-236 ~]# ip link add v6-100 type vxlan id 100 remote 2001:1::ff
[root@node-236 ~]# ip -d link show v6-100
1473: v6-100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 66:0c:1c:fe:c6:c4 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vxlan id 100 remote 2001:1::ff srcport 0 0 dstport 8472 ageing 300 noudpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
[root@node-236 ~]#

openlan route add --network example --prefix 192.168.11.0/24 --nexthop 192.168.1.10

Remove a route from network:

openlan route rm --network example --prefix 192.168.11.0/24 --nexthop 192.168.1.10

Display all routes:

openlan route list --network example

2024-04-09T01:42:58Z WARN|[email protected]|Qos.Del In Rule: iptables failed: iptables --wait -t mangle -D Qos_easystack.cn-in -s 100.68.0.6 -m comment --comment Qos Jump -j Qos_easystack.cn-in-lo5buk7: iptables: No chain/target/match by that name.
 (exit status 1)

"nextgroup": {
    "ng1": {
        "check": "ping",
        "ping": {
         "count": 5,
         "loss": 2
       },
        "mode": "load-balance", ## "active-backup"
        "nexthop": [
            "192.168.33.11",
            "192.168.33.10"
        ],
    }
}

And using this group: ng1 for a route nexthop:

{
    "routes": [
      {
          "prefix": "0.0.0.0/0",
          "nextgroup": "ng1"
      }
    ]
}

Encrypt control message by SSL

Now, using AES to encrypt control and ethernet frame is not good, with a shared key. we need to support SSL for control message, and ethernet frame as before.