KidVPN : KidVPN server and client module
This module provides KidVPN server and client functions, and developers can use this module to quickly build a VPN (Virtual Private Network) network.
KidVPN is an implementation of VPN, the open source C language implementation can refer to KidVPN. Developers can under the premise of obtaining national permission, develop servers and clients to establish related virtual networks with EdgerOS for remote office, game acceleration, etc.
KidVPN is only responsible for the underlying virtual network communication, and developers can design VPN business management programs by themselves, such as how to distribute connection parameters, how to change cipher IV, how to manage connection relationships, etc.
This module is provided in EdgerOS 1.9.6 and later, and apps need to have vpn
permission to use this module. For details, please refer to permission.
At present, according to the relevant provisions of national laws and regulations, this permission is not yet open.
This module is the asynchronous mode of the KidVPN
module. User can use the following code to import the KidVPN
module.
var KidVPN = require('async/kidvpn');
Support
The following shows KidVPN
module APIs available for each permissions.
User Mode | Privilege Mode | |
---|---|---|
KidVPN | ● | ● |
kidvpn.id | ● | ● |
KidVPN.ca | ● | |
KidVPN.certificate | ● | |
kidvpn.ifname | ● | ● |
kidvpn.request | ● | ● |
kidvpn.release | ● | ● |
kidvpn.start | ● | ● |
kidvpn.stop | ● | ● |
kidvpn.update | ● | ● |
kidvpn.setAddr | ● | ● |
kidvpn.setAddr6 | ● | ● |
kidvpn.delAddr6 | ● | ● |
kidvpn.addRoute | ● | ● |
kidvpn.delRoute | ● | ● |
kidvpn.addMap | ● | ● |
kidvpn.delMap | ● | ● |
kidvpn.netMode | ● | ● |
KidVPN Class
new KidVPN(mode)
mode
{String} Network mode'server'
or'client'
.- Returns: {KidVPN} KidVPN object.
Create a KidVPN object with the specified mode. The mode
argument can only be 'server'
or 'client'
.
async KidVPN.ca()
- Returns: {String} EdgerOS root CA.
Privileged App to get EdgerOS KidVPN root CA certificate.
async KidVPN.certificate()
- Returns: {Object} EdgerOS KidVPN server rcertificate.
Privileged App to get EdgerOS KidVPN server certificate.
KidVPN Object
kidvpn.id
- {Integer}
VPN network ID, Each VPN channel has an independent ID.
kidvpn.ifname
- {String}
VPN virtual network interface name, It can cooperate with the NetIf module to obtain all the parameters and working conditions of the virtual network interface.
async kidvpn.request()
- Returns: {String} VPN network interface name.
Request to use a VPN network channel. Before doing anything with VPN, you must first request VPN network channel.
Example
kidvpn.request().then(ifname => {
console.log('VPN request ok:', ifname);
}).catch(error => console.error(error));
The network interface defaults to disabled NAT mode, which can be enable NAT mode using kidvpn.natMode()
.
async kidvpn.release()
Release the VPN network channel, the VPN will stop working after release. The current kidvpn object can call request to use VPN again. After the VPN is released, the previously added routes and NAT port mappings will be deleted at the same time.
async kidvpn.start(conf, passwd)
conf
{Object} VPN config.passwd
{String} VPN password.
Start VPN networking, conf
object can have the following members:
Server mode:
key
{Buffer | String} Cipher key, binary length must be16
,24
,32
bytes.iv
{String} Cipher IV string.mtu
{Integer} Virtual network interface MTU1280
~1472
Typical:1464
.port
{Integer} VPN port1
~65535
.
Client mode:
key
{Buffer | String} Server cipher key, binary length must be16
,24
,32
bytes.iv
{String} Server cipher IV string.mtu
{Integer} Virtual network interface MTU1280
~1472
Typical:1464
.port
{Integer} VPN server port1
~65535
.server
{String} VPN server hostname or IP address.hpunching
{Boolean} Whether to enable Hole Punching feature. Optional.
If the key
is of String
type, it must be a hex
string.
Hole Punching is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). For details, please refer to Hole Punching. Using this technology can reduce the pressure of server data forwarding, but at the same time it will bring certain unreliability.
Example
var servconf = {
key: Buffer.alloc(16).fill(1),
iv: 'test iv',
mtu: 1464,
port: 4321
};
// VPN start server.
kidvpn.start(servconf, 'test passwd').then(() => {
console.log('VPN server start!');
}).catch(error => console.error(error));
var cliconf = {
key: Buffer.alloc(16).fill(1),
iv: 'test iv',
mtu: 1464,
port: 4321,
server: 'www.vpntest.com',
};
// VPN start client.
kidvpn.start(cliconf, 'test passwd').then(() => {
console.log('VPN client start!');
}).catch(error => console.error(error));
async kidvpn.stop()
Stop the VPN network. After stopping the VPN, the channel can still be started again.
async kidvpn.update(iv)
Update network cipher IV, this parameter can be updated regularly to ensure VPN network security. When the VPN management app is deleting the specified client, other clients and the server update the IV at the same time, so that the deleted client can no longer connect to the server.
async kidvpn.setAddr(ifaddr)
ifaddr
{Object} Network interface address.
Set the VPN virtual network interface IP address.
The ifaddr
must includes following elements:
ipaddr
{String} IP address of this network interface.netmask
{String} Net mask of this network interface.gateway
{String} Default gateway of this network interface.
Example
kidvpn.setAddr({
ipaddr: '192.168.111.123', netmask: '255.255.255.0'
}).then(() => {
console.log('VPN set addr ok!');
}).catch(error => console.error(error));
async kidvpn.setAddr6(ifaddr6)
ifaddr6
{Object} Network interface address.
Set the VPN virtual network interface IPv6 address.
The ifaddr6
must includes following elements:
ip6addr
{String} IP address of this network interface.prefix
{Integer} Net mask prefix.
Example
kidvpn.setAddr6({
ip6addr: 'fec0::02', prefix: 64
}).then(() => {
console.log('VPN set IPv6 addr ok!');
}).catch(error => console.error(error));
async kidvpn.delAddr6([ifaddr6])
ifaddr6
{Object} Network interface address. default: delete all IPv6 address except linklocal scope.
Delete VPN virtual network interface IPv6 address.
async kidvpn.addRoute(rule)
rule
{Object} Routing rules that need to be added.
Add a route entry. This route entry can be a host route or a network route. When this application exits, all previously added routing rules will be invalidated automatically, and the VPN connection will be automatically disconnected at the same time.
rule
contains the following information:
dest
{String} Destination address.genmask
{String} Netmask.gateway
{String} Gateway address. default:0.0.0.0
or::
host
{Boolean}true
for host routing,false
for subnet routing. default:false
After successfully starting the VPN, the route sent to the VPN subnet has been automatically added, developers do not need to add this route entry, routing rules to other hosts or subnets (not in the VPN network interface subnet) need to be added manually.
If the gateway
is not specified, or the gateway
is 0.0.0.0
or ::
, the default gateway of the VPN virtual network interface will be used.
async kidvpn.delRoute([rule])
rule
{Object} Routing rules that need to be added. default: delete all
Delete the previously added routing rules. When the VPN is released, the system will automatically clear all previously added routing rules.
async kidvpn.addMap(local, wan, proto)
local
{Integer} Local port.wan
{Integer} WAN port.proto
{String}'tcp'
or'udp'
.- Returns: {Integer} Map index.
When EdgerOS includes router services, If a VPN server needs to provide services to the EdgerOS WAN port, you need to add a specified mapping rules. For example, you can use VSOA (TCP) as the VPN network management, KidVPN (UDP) as the data channel, you need to map the VSOA server and KidVPN server port is to WAN interface. If the return value is a negative number, it means that the current VPN is released when the mapping rule is added.
Example
kidvpn.addMap(10088, 10088, 'udp').then(index => {
console.log('VPN add map ok!', index);
}).catch(error => console.error(error));
async kidvpn.delMap(index)
index
{Integer} Map rule index.
Delete the previously added mapping rules. When the VPN is released, the system will automatically clear all previously added mapping rules.
async kidvpn.netMode([enable])
enable
{Boolean} Whether to enable the NAT mode of this network.- Returns: {Boolean} Current NAT mode for this network.
Get or set the current NAT mode of this network.
Example
// Get current NAT mode of this network.
kidvpn.netMode().then(enable => {
console.log(enable);
}).catch(error => console.error(error));
// Enable the current network NAT mode.
kidvpn.netMode(true).then(enable => {
console.log(enable);
}).catch(error => console.error(error));
KidVPN Object Events
The KidVPN Object inherits from the EventEmitter
class. The following events are thrown in some specific situations.
start
Current VPN is up and working.
stop
info
{String} Stop working for any reason.
Current VPN has stopped working.
add
cli
{Object} Remote client information.remote
{String} Remote client IP address.mac
{String} Remote client MAC address in virtual network.
When the current VPN is in server mode, there are clients connected.
lost
cli
{Object} Remote client information.remote
{String} Remote client IP address.mac
{String} Remote client MAC address in virtual network.
When the current VPN is in server mode, there are clients lost.
connect
When the current VPN is in client mode that already connected to the server.
disconnect
When the current VPN is in client mode that disconnected from server.
The current VPN object is in client mode. After startup, the KidVPN client will keep trying to connect to the server. Developers can set a custom timeout in the application. If no connect
event is received after this time, the kidvpn.stop
interface will be called stop the connection. After disconnecting from the server, if the KidVPN client is not stopped, the client will also keep trying to reconnect to the server.
certificate
info
{Object} Expires information.
When the server certificate expires, this event will be received, and the server needs to reload a new certificate. This event can only be received by privileged apps.