Skip to content

feat: Support for Websh based TCP-tunneling #156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jisung-02 merged 25 commits into from
Dec 26, 2025
Merged

feat: Support for Websh based TCP-tunneling #156

jisung-02 merged 25 commits into from
Dec 26, 2025

Conversation

@jisung-02
Copy link
Contributor

@jisung-02 jisung-02 commented Dec 19, 2025

Summary

  • Implements TCP tunneling functionality between Alpacon console and local services.
  • Multiple TCP connections are multiplexed into a single WebSocket connection through WebSocket-based smux multiplexing, and tunnel workers run as the nobody user for enhanced security.

Key Change

  1. New Features
    • Added opentunnel / closetunnel commands - Support remote tunnel creation/termination from Alpacon console
    • Implemented WebSocket-based TCP stream multiplexing through smux library
    • Tunnel session management (activeTunnels map) and prevention of duplicate sessions
  2. Security Enhancements
    • Run tunnel worker process as nobody user (privilege degradation)
    • Restrict connections to localhost only (allow 127.0.0.1 and localhost only)
      • Tunneling is only possible for services on machines where the agent is installed.
    • Prevent DoS attacks with stream metadata size limit (1KB)
    • Port range validation (1-65535)
  3. Performance Optimization
    • Reduced memory allocation/GC overhead with sync.Pool-based buffer pooling
    • Optimized smux configuration (KeepAlive 10s, MaxFrameSize 32KB, MaxReceiveBuffer 4MB)
    • Improved connection stability with TCP KeepAlive and NoDelay settings

@jisung-02
Add smux dependancy
3b7fe86
@jisung-02
Add WebSocket adapter and buffer pool for smux
c04d717
@jisung-02
Implement TCP tunnel with opentunnel/closetunnel commands
e2e8a09
@jisung-02
Simplify opentunnel command by removing unused fields
b69c489
@jisung-02
Add user credential demotion to tunnel connections for security
8927b9f 
  - Add username/groupname fields to opentunnel command
  - Implement tunnel-worker subprocess with demoted credentials
  - Add platform-specific credential handling (Linux/macOS)
  - Spawn separate process for TCP connections to enforce user permissions
@jisung-02
Merge branch 'main' into 145-tunneling
75b1648
@jisung-02
Remove unused codes in conn.go and pool.go
c7c75c4
@jisung-02
Minor fix
c21f8e6
@jisung-02
Add strict security validations to tunnel functionality
22bcafa 
  - Validate targetAddr is localhost-only (127.0.0.1 or localhost) in tunnel_worker.go
    to prevent connections to arbitrary external hosts
  - Add TargetPort range validation (1-65535) in command.go opentunnel handler
  - Implement metadata size limit (1KB) with LimitedReader in tunnel_client.go
    to prevent DoS attacks from malicious servers
  - Add error logging for tunnel worker process Kill failures
@jisung-02
Modify to run tunnel worker as nobody user instead of specified user
df6ce04
@jisung-02
Unify duplicate tunnel_id to session_id
d6d0869
@jisung-02
Merge branch 'main' into 145-tunneling
a554688
@jisung-02
Minor fix
4ed0c6f
@jisung-02 jisung-02 changed the title feat: Websh based TCP-tunneling feat: Support for Websh based TCP-tunneling Dec 19, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 19, 2025
View reviewed changes
@jisung-02 jisung-02 self-assigned this Dec 19, 2025
@eunyoung14 eunyoung14 requested a review from mingyu-00 December 19, 2025 05:52
geunwoonoh
geunwoonoh reviewed Dec 22, 2025
View reviewed changes
@jisung-02 jisung-02 marked this pull request as draft December 22, 2025 08:23
geunwoonoh
geunwoonoh reviewed Dec 22, 2025
View reviewed changes
@jisung-02 jisung-02 marked this pull request as ready for review December 22, 2025 13:38
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 23, 2025
View reviewed changes
@jisung-02 jisung-02 marked this pull request as draft December 23, 2025 01:55
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 23, 2025
View reviewed changes
@jisung-02 jisung-02 marked this pull request as ready for review December 23, 2025 01:59
@jisung-02 jisung-02 merged commit ab2f56d into main Dec 26, 2025
5 checks passed
@jisung-02 jisung-02 deleted the 145-tunneling branch December 26, 2025 06:45
This was referenced Dec 29, 2025
Closed
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geunwoonoh geunwoonoh geunwoonoh approved these changes

@eunyoung14 eunyoung14 Awaiting requested review from eunyoung14

@mingyu-00 mingyu-00 Awaiting requested review from mingyu-00

Assignees

@jisung-02 jisung-02

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jisung-02 @geunwoonoh