eBPF-based Linux high-performance transparent proxy solution.

dae

dae, meaning goose, is a lightweight and high-performance transparent proxy solution.

To improve traffic-split performance as much as possible, dae runs the transparent proxy and traffic-split suite inside the Linux kernel via eBPF. This gives us the opportunity to let direct traffic bypass forwarding through the proxy application and achieve true direct passthrough. With this trick, there is almost no performance loss or additional resource consumption for direct traffic.

As the successor of v2rayA, dae abandoned v2ray-core in order to meet users' needs more freely.

Features

  1. Implements real direct traffic splitting (requires IP forwarding to be enabled) to achieve high performance.
  2. Supports splitting traffic by process name on the local host.
  3. Supports splitting traffic by MAC address in the LAN.
  4. Supports splitting traffic with inverted match rules.
  5. Supports automatically switching nodes according to policy. That is, it can automatically test TCP/UDP/IPv4/IPv6 latencies independently and then use the best nodes for the corresponding traffic according to a user-defined policy.
  6. Supports full-cone NAT for shadowsocks, vmess, socks5 and trojan(-go).

Linux Kernel Requirement

Kernel Version

Use uname -r to check the kernel version on your machine.

Bind to LAN: >= 5.8

You need to bind dae to a LAN interface if you want to provide network service for the LAN as an intermediate device.

This feature requires that the kernel version of the machine on which dae is installed be >= 5.8.

Note that if you bind dae to LAN only, dae only provides network service for traffic from the LAN and does not affect local programs.

Bind to WAN: >= 5.8

You need to bind dae to a WAN interface if you want dae to provide network service for local programs.

This feature requires a kernel version >= 5.8.

Note that if you bind dae to WAN only, dae only provides network service for local programs and does not affect traffic coming in from other interfaces.

Kernel Configuration Item

Usually, mainstream desktop distributions have these items turned on. But to reduce kernel size, some items are turned off by default on embedded-device distributions such as OpenWRT, Armbian, etc.

Use the following command to show the kernel configuration items on your machine.

zcat /proc/config.gz || cat /boot/{config,config-$(uname -r)}

Bind to LAN:

CONFIG_DEBUG_INFO_BTF

Bind to WAN:

CONFIG_DEBUG_INFO_BTF

Check them using a command like:

(zcat /proc/config.gz || cat /boot/{config,config-$(uname -r)}) | grep 'CONFIG_DEBUG_INFO_BTF='

Enable IP Forwarding

By default, most recent Linux distributions have IP forwarding disabled. If we need to set up a Linux router/gateway, a VPN server, or simply a plain dial-in server, we must enable forwarding. Do the following to enable IP forwarding:

sudo tee /etc/sysctl.d/dae.conf<<EOF
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
sudo sysctl --system
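Added example (not part of the dae project): a POSIX shell pre-flight script that checks the three requirements described above (kernel >= 5.8, CONFIG_DEBUG_INFO_BTF=y, and IPv4/IPv6 forwarding enabled) before dae is started. The function names are my own; each check takes its input as an argument so it can be exercised on constructed values as well as on the live host.

```shell
#!/bin/sh
# Added example, not dae's own code: pre-flight checks for dae's host requirements.

# kernel_ok VERSION -> succeeds when VERSION (as printed by `uname -r`) is >= 5.8
kernel_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    # second dotted component, with any suffix such as "-rc1" stripped
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 8 ]; }
}

# btf_ok CONFIG_TEXT -> succeeds when the kernel config text enables BTF debug info
btf_ok() {
    printf '%s\n' "$1" | grep -q '^CONFIG_DEBUG_INFO_BTF=y$'
}

# forwarding_ok V4 V6 -> succeeds when both sysctl values are 1
forwarding_ok() {
    [ "$1" = "1" ] && [ "$2" = "1" ]
}

# Run all checks against the live machine; returns non-zero on the first failure.
check_host() {
    kernel_ok "$(uname -r)" || { echo "kernel older than 5.8"; return 1; }
    cfg=$(zcat /proc/config.gz 2>/dev/null || cat /boot/config-"$(uname -r)" 2>/dev/null)
    btf_ok "$cfg" || { echo "CONFIG_DEBUG_INFO_BTF is not enabled"; return 1; }
    forwarding_ok "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" \
                  "$(sysctl -n net.ipv6.conf.all.forwarding 2>/dev/null)" \
        || { echo "IP forwarding is disabled (see /etc/sysctl.d/dae.conf)"; return 1; }
    echo "host meets dae requirements"
}
```

Call check_host as root on the target machine; a non-zero exit names the first unmet requirement.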

Usage

Build

Make Dependencies

clang >= 10
llvm >= 10
golang >= 1.18
make

Build

git clone https://github.com/v2rayA/dae.git
cd dae
git submodule update --init
# Minimal dependency build:
make GOFLAGS="-buildvcs=false" CC=clang
# Or normal build:
# make

Run

Runtime Dependencies

Download geoip.dat and geosite.dat to /usr/local/share/dae/.

mkdir -p /usr/local/share/dae/
pushd /usr/local/share/dae/
curl -L -o geoip.dat https://github.com/v2ray/geoip/releases/latest/download/geoip.dat
curl -L -o geosite.dat https://github.com/v2ray/domain-list-community/releases/latest/download/dlc.dat
popd

Run

./dae run -c example.dae

See example.dae.

TODO

  1. Check the DNS upstream for a source loop (whether the upstream is also a client of ours) and remind the user to add a sip rule.
  2. Domain routing performance optimization.
  3. WAN L4 checksum problem. If the NIC's checksum offload is enabled, the Linux network stack only computes a partial checksum for a packet sent out from the local host; when the NIC sees that the packet's source IP is its own local IP, it completes the checksum. The problem is that after the Linux network stack and before the packet enters the NIC, we modify the packet's source IP. The network stack has therefore only computed the partial checksum, and the NIC assumes the packet was not sent from the local host, so it does not complete the checksum either.
  4. MACv2 extension extraction.
  5. Log to userspace.
  6. ...