Fix a bug and change option names for VPN client.

- your input for address is a domain, must be inserted domain not ip. (if you will insert ip and then it might fail when TLS handshake is processing)

.gitignore

@@ -3,3 +3,5 @@ tmp.txt
 *.test
 cmd/vpn-server/vpn-server
 cmd/vpn-client/vpn-client
+test-client.yaml
+test-server.yaml

README.md

@@ -296,7 +296,8 @@ client config(config.yaml)
 vpn:
   addr: "" # Required(vpn server addr)
   port: "" # Required(vpn server port)
-  tls_certification: "" # Required(vpn server tls cert)
+  insecure: true or false # Required (true is to disable tls, false is to enable tls)
+  self_signed_certification: "" # Optional(If you are using self-signed certification, you must insert it.)
 auth: # Optional
   google_openid: # Optional(if your vpn-server support to google openid connect authentication)
     client_id: ""
@@ -310,14 +311,16 @@ auth: # Optional
 # 1. Example Non Authentication
 vpn:
   addr: "localhost" 
-  port: "8080" 
-  tls_certification: "blahblah" 
+  port: "8080"
+  insecure: false 
+  self_signed_certification: ""   
 
 # 2. Example Google OpenId Connect (Reference https://developers.google.com/identity/protocols/oauth2/native-app)
 vpn:
   addr: "localhost" 
-  port: "8080" 
-  tls_certification: "blahblah"
+  port: "8080"
+  insecure: false
+  self_signed_certification: ""   
 auth: 
   google_openid: 
     client_id: "gogole client id"
@@ -326,8 +329,9 @@ auth:
 # 3. Example Aws IAM
 vpn:
   addr: "localhost" 
-  port: "8080" 
-  tls_certification: "blahblah"
+  port: "8080"
+  insecure: false
+  self_signed_certification: ""  
 auth: 
   aws_iam:  # Optional(if your vpn-server support to aws iam authentication)
     access_key: "aws access key"

client/client.go

@@ -14,6 +14,8 @@ import (
 	"time"
 	"unsafe"
 
+	"google.golang.org/grpc/credentials"
+
 	"github.com/sirupsen/logrus"
 
 	"google.golang.org/grpc/keepalive"
@@ -27,7 +29,6 @@ import (
 	"github.com/gjbae1212/grpc-vpn/internal"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
 	health_pb "google.golang.org/grpc/health/grpc_health_v1"
 
 	"github.com/cenkalti/backoff"
@@ -41,7 +42,7 @@ const (
 
 var (
 	defaultOptions = []Option{
-		WithTlsInsecure(true),
+		WithGRPCInsecure(false),
 	}
 )
 
@@ -287,7 +288,7 @@ func (vc *vpnClient) setGRPCConnection() error {
 	vc.connLock.Lock()
 	defer vc.connLock.Unlock()
 
-	conn, err := grpc.Dial(fmt.Sprintf("%s:%s", vc.originServerIP.String(), vc.cfg.serverPort), vc.dialOpts...)
+	conn, err := grpc.Dial(fmt.Sprintf("%s:%s", vc.cfg.serverAddr, vc.cfg.serverPort), vc.dialOpts...)
 	if err != nil {
 		return errors.Wrapf(err, "Method: Run")
 	}
@@ -497,15 +498,20 @@ func NewVpnClient(opts ...Option) (VpnClient, error) {
 		}),
 	}
 
-	if cfg.tlsCertification != "" {
-		roots := x509.NewCertPool()
-		if ok := roots.AppendCertsFromPEM([]byte(cfg.tlsCertification)); !ok {
-			return nil, errors.Wrapf(internal.ErrorInvalidParams, "TLS Certification Invalid Method: NewVpnClient")
-		}
-		dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
-			RootCAs: roots, InsecureSkipVerify: cfg.tlsInsecure})))
-	} else {
+	// apply to tls settings.
+	if cfg.grpcInsecure {
 		dialOpts = append(dialOpts, grpc.WithInsecure())
+	} else {
+		if cfg.selfSignedCertification != "" {
+			roots := x509.NewCertPool()
+			if ok := roots.AppendCertsFromPEM([]byte(cfg.selfSignedCertification)); !ok {
+				return nil, errors.Wrapf(internal.ErrorInvalidParams, "TLS Certification Invalid Method: NewVpnClient")
+			}
+			dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(
+				&tls.Config{RootCAs: roots, InsecureSkipVerify: false})))
+		} else {
+			dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: false})))
+		}
 	}
 
 	return &vpnClient{

client/option.go

@@ -10,11 +10,11 @@ type Option interface {
 }
 
 type config struct {
-	serverAddr       string
-	serverPort       string
-	tlsCertification string
-	tlsInsecure      bool
-	authMethod       auth.ClientAuthMethod
+	serverAddr              string
+	serverPort              string
+	grpcInsecure            bool
+	selfSignedCertification string
+	authMethod              auth.ClientAuthMethod
 }
 
 // OptionFunc is a function for Option interface.
@@ -36,23 +36,23 @@ func WithServerPort(port string) OptionFunc {
 	}
 }
 
-// WithTlsCertification returns OptionFunc for inserting tls certification.
-func WithTlsCertification(cert string) OptionFunc {
+// WithAuthMethod returns OptionFunc for inserting auth method.
+func WithAuthMethod(f auth.ClientAuthMethod) OptionFunc {
 	return func(c *config) {
-		c.tlsCertification = cert
+		c.authMethod = f
 	}
 }
 
-// WithAuthMethod returns OptionFunc for inserting auth method.
-func WithAuthMethod(f auth.ClientAuthMethod) OptionFunc {
+// WithGRPCInsecure returns OptionFunc for inserting grpc insecure.
+func WithGRPCInsecure(b bool) OptionFunc {
 	return func(c *config) {
-		c.authMethod = f
+		c.grpcInsecure = b
 	}
 }
 
-// WithTlsInsecure returns OptionFunc for inserting tls insecure.
-func WithTlsInsecure(b bool) OptionFunc {
+// WithSelfSignedCertification returns OptionFunc for inserting grpc custom certification
+func WithSelfSignedCertification(cert string) OptionFunc {
 	return func(c *config) {
-		c.tlsInsecure = b
+		c.selfSignedCertification = cert
 	}
 }

client/option_test.go

@@ -50,27 +50,6 @@ func TestWithServerPort(t *testing.T) {
 	}
 }
 
-func TestWithTlsCertification(t *testing.T) {
-	assert := assert.New(t)
-
-	tests := map[string]struct {
-		input  string
-		output string
-	}{
-		"success": {
-			input:  "allan",
-			output: "allan",
-		},
-	}
-
-	for _, t := range tests {
-		c := &config{}
-		f := WithTlsCertification(t.input)
-		f(c)
-		assert.Equal(t.output, c.tlsCertification)
-	}
-}
-
 func TestWithAuthMethod(t *testing.T) {
 	assert := assert.New(t)
 
@@ -99,7 +78,28 @@ func TestWithAuthMethod(t *testing.T) {
 	}
 }
 
-func TestWithTlsInsecure(t *testing.T) {
+func TestWithSelfSignedCertification(t *testing.T) {
+	assert := assert.New(t)
+
+	tests := map[string]struct {
+		input  string
+		output string
+	}{
+		"success": {
+			input:  "allan",
+			output: "allan",
+		},
+	}
+
+	for _, t := range tests {
+		c := &config{}
+		f := WithSelfSignedCertification(t.input)
+		f(c)
+		assert.Equal(t.output, c.selfSignedCertification)
+	}
+}
+
+func TestWithGRPCInsecure(t *testing.T) {
 	assert := assert.New(t)
 
 	tests := map[string]struct {
@@ -114,8 +114,8 @@ func TestWithTlsInsecure(t *testing.T) {
 
 	for _, t := range tests {
 		c := &config{}
-		f := WithTlsInsecure(t.input)
+		f := WithGRPCInsecure(t.input)
 		f(c)
-		assert.Equal(t.output, c.tlsInsecure)
+		assert.Equal(t.output, c.grpcInsecure)
 	}
 }

cmd/vpn-client/root.go

@@ -6,6 +6,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strconv"
 
 	"github.com/gjbae1212/grpc-vpn/auth"
 	"github.com/gjbae1212/grpc-vpn/internal"
@@ -27,10 +28,11 @@ var (
 )
 
 type config struct {
-	Addr             string
-	Port             string
-	TlsCertification string
-	Auth             auth.Config
+	Addr                    string
+	Port                    string
+	SelfSignedCertification string
+	Insecure                bool
+	Auth                    auth.Config
 }
 
 type commandRun func(cmd *cobra.Command, args []string)
@@ -74,8 +76,11 @@ func setConfig(cfgPath string) error {
 					defaultConfig.Port = internal.InterfaceToString(v)
 				case "addr":
 					defaultConfig.Addr = internal.InterfaceToString(v)
-				case "tls_certification":
-					defaultConfig.TlsCertification = internal.InterfaceToString(v)
+				case "self_signed_certification":
+					defaultConfig.SelfSignedCertification = internal.InterfaceToString(v)
+				case "insecure":
+					insecure, _ := strconv.ParseBool(internal.InterfaceToString(v))
+					defaultConfig.Insecure = insecure
 				default:
 					return fmt.Errorf("[ERR] unknown config %s", k)
 				}

cmd/vpn-client/run.go

@@ -65,9 +65,10 @@ func startRun() commandRun {
 		if defaultConfig.Port != "" {
 			opts = append(opts, client.WithServerPort(defaultConfig.Port))
 		}
-		if defaultConfig.TlsCertification != "" {
-			opts = append(opts, client.WithTlsCertification(defaultConfig.TlsCertification))
+		if defaultConfig.SelfSignedCertification != "" {
+			opts = append(opts, client.WithSelfSignedCertification(defaultConfig.SelfSignedCertification))
 		}
+		opts = append(opts, client.WithGRPCInsecure(defaultConfig.Insecure))
 
 		// aws authentication
 		method1, ok1 := defaultConfig.Auth.ClientAuthForAwsIAM()

cmd/vpn-client/sample.yaml

@@ -1,7 +1,8 @@
 vpn:
   addr: ""
   port: ""
-  tls_certification: ""
+  insecure: false
+  self_signed_certification: ""
 auth:
   google_openid:
     client_id: ""