ombrac 0.5.14

Safe, fast, small TCP tunnel using Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275

# Ombrac

**Ombrac** is a high-performance, Rust-based TCP tunneling solution designed for secure communication

## Features
- **High Performance**: Leverages QUIC's multiplexing capabilities with bidirectional streams for efficient and low-latency transmission.
- **Secure Communication**: Encryption is ensured by the built-in TLS layer of QUIC, providing robust security for your data.
- **Zero-RTT Support**: Optional 0-RTT or 0.5-RTT connections for faster handshakes (at the cost of slightly weakened security).

[![Apache 2.0 Licensed][license-badge]][license-url]
[![Build Status][ci-badge]][ci-url]
[![Build Status][release-badge]][release-url]

## Structure
The codebase is organized into focused crates

| Crate                  | Description                                                                 |
|------------------------|-----------------------------------------------------------------------------|
| `crates/ombrac`        | Core protocol implementation                                                |
| `crates/ombrac-client` | Client binary with HTTP/SOCKS proxy entry points                            |
| `crates/ombrac-server` | Server binary (wrapper around the core protocol)                            |
| `crates/ombrac-transport` | QUIC transport layer implementation                                      |


## Install
### Releases
Download the latest release from the [releases page](https://github.com/ombrac/ombrac/releases).



### Build
```shell
cargo build --bin ombrac-client --bin ombrac-server
```

**NOTE**: On linux systems, [`aws-lc-rs`](https://github.com/aws/aws-lc-rs) will be used for cryptographic operations. A C compiler and CMake may be required on these systems for installation.

### Crates
```shell
cargo install ombrac-client ombrac-server
```

### Homebrew
```shell
brew tap ombrac/tap && brew install ombrac
```

### Docker
#### Pull from GitHub Container Registry
```shell
docker pull ghcr.io/ombrac/ombrac/ombrac-server:latest
docker pull ghcr.io/ombrac/ombrac/ombrac-client:latest
```

## Usage
### Server
```shell
ombrac-server -l "[::]:443" -k "secret" --tls-cert "./cert.pem" --tls-key "./key.pem"
```
Starts the Ombrac server listening on port 443, using the provided TLS certificate and key for encrypted communication.

### Client
```shell
ombrac-client -s "example.com:443" -k "secret"
```
Will sets up a SOCKS5 server on 127.0.0.1:1080, forwarding traffic to example.com:443.

Alternatively, you can use the `--tls-mode insecure` option to skip TLS verification. **This is not recommended for production environments as it bypasses certificate validation, potentially exposing your communication to security risks.**


#### Run the container
```shell
docker run --name ombrac-server \
  --restart always \
  -p 2098:2098/udp \
  -dit ghcr.io/ombrac/ombrac/ombrac-server:latest \
  -l 0.0.0.0:2098 \
  -k secret \
  --tls-mode insecure
```

```shell
docker run --name ombrac-client \
  --restart always \
  -p 1080:1080/tcp \
  -dit ghcr.io/ombrac/ombrac/ombrac-client:latest \
  -s example.com:2098 \
  -k secret \
  --socks 0.0.0.0:1080 \
  --log-level INFO \
  --tls-mode insecure
```

## Full Options

### Server

```shell
Usage: ombrac-server [OPTIONS] --secret <STR> --listen <ADDR>

Options:
  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

Required:
  -k, --secret <STR>
          Protocol Secret

  -l, --listen <ADDR>
          The address to bind for transport

Transport (QUIC):
      --tls-mode <TLS_MODE>
          Set the TLS mode for the connection
          Possible values:
          - tls:      Standard TLS. The client verifies the server's certificate
          - m-tls:    Mutual TLS with client and server certificate verification
          - insecure: Generates a self-signed certificate on the fly with `SANs` set to `127.0.0.1` (for testing only)
          [default: tls]

      --ca-cert <FILE>
          Path to the Certificate Authority (CA) certificate file
          Used in 'TLS' and 'mTLS' modes

      --tls-cert <FILE>
          Path to the TLS certificate file

      --tls-key <FILE>
          Path to the TLS private key file

      --zero-rtt
          Enable 0-RTT for faster connection establishment (may reduce security)

      --congestion <ALGORITHM>
          Congestion control algorithm to use (e.g. bbr, cubic, newreno)
          [default: bbr]

      --cwnd-init <NUM>
          Initial congestion window size in bytes

      --idle-timeout <TIME>
          Maximum idle time (in milliseconds) before closing the connection
          30 second default recommended by RFC 9308
          [default: 30000]

      --keep-alive <TIME>
          Keep-alive interval (in milliseconds)
          [default: 8000]

      --max-streams <NUM>
          Maximum number of bidirectional streams that can be open simultaneously
          [default: 1000]

Logging:
      --log-level <LEVEL>
          Logging level (e.g., INFO, WARN, ERROR)
          [default: WARN]

      --log-dir <PATH>
          Path to the log directory

      --log-prefix <STR>
          Prefix for log file names (only used when log-dir is specified)
          [default: log]
```

### Client
```shell
Usage: ombrac-client [OPTIONS] --secret <STR> --server <ADDR>

Options:
  -h, --help
          Print help (see a summary with '-h')
  -V, --version
          Print version

Required:
  -k, --secret <STR>
          Protocol Secret
  -s, --server <ADDR>
          Address of the server to connect to

Endpoint:
      --http <ADDR>
          The address to bind for the HTTP/HTTPS server
      --socks <ADDR>
          The address to bind for the SOCKS server
          [default: 127.0.0.1:1080]

Transport (QUIC):
      --bind <ADDR>
          The address to bind for QUIC transport

      --server-name <STR>
          Name of the server to connect (derived from `server` if not provided)

      --tls-mode <TLS_MODE>
          Set the TLS mode for the connection
          Possible values:
          - tls:      Standard TLS with server certificate verification
          - m-tls:    Mutual TLS with client and server certificate verification
          - insecure: Skip server certificate verification (for testing only)
          [default: tls]

      --ca-cert <FILE>
          Path to the Certificate Authority (CA) certificate file
          Used in 'TLS' and 'mTLS' modes
          in 'TLS' mode, if not provided, the system's default root certificates are used

      --client-cert <FILE>
          Path to the client's TLS certificate for mTLS
          Required when tls-mode is 'mTLS'

      --client-key <FILE>
          Path to the client's TLS private key for mTLS
          Required when tls-mode is 'mTLS'

      --zero-rtt
          Enable 0-RTT for faster connection establishment (may reduce security)

      --no-multiplex
          Disable connection multiplexing (each stream uses a separate QUIC connection)
          This may be useful in special network environments where multiplexing causes issues

      --congestion <ALGORITHM>
          Congestion control algorithm to use (e.g. bbr, cubic, newreno)
          [default: bbr]

      --cwnd-init <NUM>
          Initial congestion window size in bytes

      --idle-timeout <TIME>
          Maximum idle time (in milliseconds) before closing the connection
          30 second default recommended by RFC 9308
          [default: 30000]

      --keep-alive <TIME>
          Keep-alive interval (in milliseconds)
          [default: 8000]

      --max-streams <NUM>
          Maximum number of bidirectional streams that can be open simultaneously
          [default: 100]

  -4, --prefer-ipv4
          Try to resolve domain name to IPv4 addresses first

  -6, --prefer-ipv6
          Try to resolve domain name to IPv6 addresses first

Logging:
      --log-level <LEVEL>
          Logging level (e.g., INFO, WARN, ERROR)
          [default: WARN]

      --log-dir <PATH>
          Path to the log directory

      --log-prefix <STR>
          Prefix for log file names (only used when log-dir is specified)
          [default: log]
```

## License
This project is licensed under the [Apache-2.0 License](./LICENSE).

[license-badge]: https://img.shields.io/badge/license-apache-blue.svg
[license-url]: https://github.com/ombrac/ombrac/blob/main/LICENSE
[ci-badge]: https://github.com/ombrac/ombrac/workflows/CI/badge.svg
[ci-url]: https://github.com/ombrac/ombrac/actions/workflows/ci.yml?query=branch%3Amain
[release-badge]: https://github.com/ombrac/ombrac/workflows/Release/badge.svg
[release-url]: https://github.com/ombrac/ombrac/actions/workflows/release.yml?query=branch%3Amain