feat(client): support linux masq and snat for local ciders

Author: ICKelin

src/client/main.rs

@@ -1,5 +1,5 @@
 use clap::Parser;
-use std::sync::Arc;
+use std::sync::{Arc};
 use std::time::Duration;
 use tokio::time::interval;
 use crate::client::{Args, P2P_HOLE_PUNCH_PORT, P2P_UDP_PORT};
@@ -73,8 +73,25 @@ pub async fn run_client() {
         None
     };
 
+    // Check iptables availability if masq is enabled (Linux only)
+    #[cfg(target_os = "linux")]
+    {
+        if args.masq {
+            if let Err(e) = crate::utils::sys_route::SysRoute::check_iptables_available() {
+                eprintln!("❌ Error: {}", e);
+                eprintln!("\nPlease install iptables or run without --masq option.");
+                std::process::exit(1);
+            }
+        }
+    }
+
     // initialize TUN device
-    let mut dev = match init_device(&device_config).await {
+    #[cfg(target_os = "linux")]
+    let enable_masq = args.masq;
+    #[cfg(not(target_os = "linux"))]
+    let enable_masq = false;
+    
+    let mut dev = match init_device(&device_config, enable_masq).await {
         Ok(d) => d,
         Err(e) => {
             tracing::error!("Failed to initialize device: {}", e);
@@ -95,10 +112,10 @@ pub async fn run_client() {
     run_event_loop(&mut relay_handler, &mut p2p_handler, &mut dev).await;
 }
 
-async fn init_device(device_config: &HandshakeReplyFrame) -> crate::Result<DeviceHandler> {
+async fn init_device(device_config: &HandshakeReplyFrame, enable_masq: bool) -> crate::Result<DeviceHandler> {
     tracing::info!("Initializing device with config: {:?}", device_config);
     let mut dev = DeviceHandler::new();
-    let tun_index = dev.run(device_config).await?;
+    let tun_index = dev.run(device_config, enable_masq).await?;
 
     // Log TUN index (Windows only)
     if let Some(idx) = tun_index {

src/client/mod.rs

@@ -45,4 +45,10 @@ pub struct Args {
     /// HTTP status server port (disabled if not specified)
     #[arg(long)]
     pub http_port: Option<u16>,
+
+    /// Enable MASQUERADE (NAT) for VPN traffic (Linux only)
+    /// This enables iptables MASQUERADE rule to allow VPN clients to access external networks
+    #[cfg(target_os = "linux")]
+    #[arg(long)]
+    pub masq: bool,
 }

src/crypto/aes256.rs

@@ -123,3 +123,18 @@ impl Block for Aes256Block {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    #[test]
+    fn test_aes_256_gcm() {
+        let block = Aes256Block::from_string("rustun");
+        let msg = String::from("hello");
+        let mut msg_bytes = msg.as_bytes().to_vec();
+        block.encrypt(&mut msg_bytes).unwrap();
+        println!("msg_bytes = {:?}", msg_bytes);
+        block.decrypt(&mut msg_bytes).unwrap();
+        println!("msg_bytes = {:?}", msg_bytes);
+    }
+}

src/utils/device.rs

@@ -5,6 +5,8 @@ use tun::AbstractDevice;
 use crate::codec::frame::{HandshakeReplyFrame, PeerDetail};
 use crate::utils::sys_route::SysRoute;
 use std::collections::HashSet;
+#[allow(unused_imports)]
+use crate::utils::sys_route::{ip_to_network, mask_to_prefix_length};
 
 const DEFAULT_MTU: u16 = 1430;
 
@@ -41,7 +43,7 @@ impl Device {
         }
     }
 
-    pub async fn run(&mut self, ready: oneshot::Sender<Option<i32>>) -> crate::Result<()> {
+    pub async fn run(&mut self, ready: oneshot::Sender<Option<i32>>, name: oneshot::Sender<Option<String>>) -> crate::Result<()> {
         let mut config = tun::Configuration::default();
         config
             .address(self.ip.clone())
@@ -69,6 +71,16 @@ impl Device {
         #[cfg(not(target_os = "windows"))]
         let tun_index: Option<i32> = None;
 
+        // Get interface name (Linux only, for MASQUERADE)
+        #[cfg(target_os = "linux")]
+        {
+            let interface_name = dev.tun_name().ok();
+            let _ = name.send(interface_name);
+        }
+        
+        #[cfg(not(target_os = "linux"))]
+        let _ = name.send(None);
+
         let _ = ready.send(tun_index);
         let mut buf = vec![0; 2048];
         loop {
@@ -102,7 +114,10 @@ impl Device {
 pub struct DeviceHandler {
     peer_details: Vec<PeerDetail>,
     private_ip: String,
+    mask: String,
+    local_ciders: Vec<String>,
     tun_index: Option<i32>,
+    interface_name: Option<String>,
     inbound_rx: Option<mpsc::Receiver<Vec<u8>>>,
     outbound_tx: Option<mpsc::Sender<Vec<u8>>>,
     pub rx_bytes: usize,
@@ -114,28 +129,34 @@ impl DeviceHandler {
         Self {
             peer_details: vec![],
             private_ip: String::new(),
+            mask: String::new(),
+            local_ciders: vec![],
             tun_index: None,
+            interface_name: None,
             inbound_rx: None,
             outbound_tx: None,
             rx_bytes: 0,
             tx_bytes: 0,
         }
     }
 
-    pub async fn run(&mut self, cfg: &HandshakeReplyFrame) -> crate::Result<Option<i32>> {
+    pub async fn run(&mut self, cfg: &HandshakeReplyFrame, enable_masq: bool) -> crate::Result<Option<i32>> {
         let (inbound_tx, inbound_rx) = mpsc::channel(1000);
         let (outbound_tx, outbound_rx) = mpsc::channel(1000);
         self.inbound_rx = Some(inbound_rx);
         self.outbound_tx = Some(outbound_tx);
         self.private_ip = cfg.private_ip.clone();
+        self.mask = cfg.mask.clone();
+        self.local_ciders = cfg.ciders.clone();
 
         let mut dev = Device::new(cfg.private_ip.clone(),
                                   cfg.mask.clone(),
                                   DEFAULT_MTU,
                                   inbound_tx, outbound_rx);
         let (ready_tx, ready_rx) = oneshot::channel();
+        let (name_tx, name_rx) = oneshot::channel();
         tokio::spawn(async move {
-            let res = dev.run(ready_tx).await;
+            let res = dev.run(ready_tx, name_tx).await;
             match res {
                 Ok(_) => (),
                 Err(e) => tracing::error!("device handler fail: {:?}", e),
@@ -144,6 +165,21 @@ impl DeviceHandler {
 
         let tun_index = ready_rx.await.unwrap_or(None);
         self.tun_index = tun_index;
+
+        if let Ok(Some(name)) = name_rx.await {
+            self.interface_name = Some(name);
+        }
+
+
+        if enable_masq {
+            if let Err(e) = self.enable_masquerade() {
+                tracing::error!("Failed to enable MASQUERADE: {:?}", e);
+            }
+            if let Err(e) = self.enable_snat() {
+                tracing::warn!("Failed to enable SNAT: {:?}", e);
+            }
+        }
+
         Ok(tun_index)
     }
 
@@ -227,9 +263,58 @@ impl DeviceHandler {
 
         // Update stored routes
         self.peer_details = new_routes;
-        
+
         tracing::info!("Route reload complete");
     }
+
+    /// Enable MASQUERADE (NAT) for VPN interface (Linux only)
+    /// Uses source network address instead of interface name for better reliability
+    pub fn enable_masquerade(&mut self) -> crate::Result<()> {
+        let cidr = self.ip_mask_to_cidr(&self.private_ip, &self.mask)?;
+        
+        let sys_route = SysRoute::new();
+        sys_route.enable_masquerade_by_source(&cidr)?;
+        Ok(())
+    }
+
+    /// Disable MASQUERADE (NAT) for VPN interface (Linux only)
+    pub fn disable_masquerade(&mut self) -> crate::Result<()> {
+        let cidr = self.ip_mask_to_cidr(&self.private_ip, &self.mask)?;
+        
+        let sys_route = SysRoute::new();
+        sys_route.disable_masquerade_by_source(&cidr)?;
+        Ok(())
+    }
+
+    /// Convert IP address and subnet mask to CIDR notation
+    fn ip_mask_to_cidr(&self, ip: &str, mask: &str) -> crate::Result<String> {
+        // Parse subnet mask to prefix length
+        let prefix_len = mask_to_prefix_length(mask)?;
+        let network = ip_to_network(ip, mask)?;
+        Ok(format!("{}/{}", network, prefix_len))
+    }
+
+    /// Enable SNAT for local network segments to use virtual IP (Linux only)
+    /// This makes packets from local ciders appear as coming from virtual IP
+    pub fn enable_snat(&mut self) -> crate::Result<()> {
+        let sys_route = SysRoute::new();
+        
+        for cidr in &self.local_ciders {
+            sys_route.enable_snat_for_local_network(cidr, "", &self.private_ip)?;
+            tracing::info!("Enabled SNAT for local network {} -> {}", cidr, self.private_ip);
+        }
+        Ok(())
+    }
+
+    /// Disable SNAT for local network segments (Linux only)
+    pub fn disable_snat(&mut self) -> crate::Result<()> {
+        let sys_route = SysRoute::new();
+        
+        for cidr in &self.local_ciders {
+            sys_route.disable_snat_for_local_network(cidr, "", &self.private_ip)?;
+        }
+        Ok(())
+    }
 }
 
 impl Default for DeviceHandler {