使用 rust 实现的 飞连 客户端,支持 Linux/Windows10/MacOS
下载 release 中的安装包,并安装
pacman -U corplink-rs-4.1-1-x86_64.pkg.tar.zst欢迎贡献其它包管理器的打包脚本
git clone https://github.com/PinkD/corplink-rs --depth 1
cd corplink-rs
# build libwg
cd libwg
./build.sh
# if you are using Windows, you can clone and build libwg maunally
# ref: wireguard-go/Makefile:libwg
cargo build --release
# install corplink-rs to your PATH
mv target/release/corplink-rs /usr/bin/前提: 需要 Go (≥1.22)、GCC (MinGW-w64)、make、Rust (GNU 工具链)。
安装工具链后,在 PowerShell 中执行:
# 1. 构建 libwg(生成 libwg.a + libwg.h)
cd libwg
.\build.ps1
# 2. 构建 Rust 项目
cd ..
rustup toolchain install stable-gnu
rustup default stable-x86_64-pc-windows-gnu
cargo build --release编译的
build.ps1会调用make libwg,该目标会以CGO_ENABLED=1编译 Go 代码。 MinGW GCC 需要在 PATH 中,且 make 需要支持 bash 风格环境变量语法。 也可在 MSYS2 UCRT64 环境中执行./build.sh(同样需要 Go + GCC)。
该程序需要 root 权限来启动
wg-go(windows 上需要管理员权限)
# direct
corplink-rs config.json
# systemd
# config is /etc/corplink/config.json
systemctl start corplink-rs.service
# auto start
systemctl enable corplink-rs.service
# systemd with custom config
# config is /etc/corplink/test.json
# NOTE: cookies.json is reserved by cookie storage
systemctl start corplink-rs@test.service- 从 Releases 下载
corplink-rs-*-windows.zip - 解压到任意目录
- 运行
setup.ps1自动获取wintun.dll:
powershell -ExecutionPolicy Bypass -File setup.ps1- 编辑
config.json,填入公司代码和登录信息(见下方配置文件实例) - 以管理员身份打开 PowerShell,运行:
.\corplink-rs.exe config.json
# 调试模式
$env:RUST_LOG="debug"; .\corplink-rs.exe config.jsoncorplink-rs 依赖 Wintun 虚拟网卡驱动来创建 WireGuard 隧道。由于 Wintun 的许可证要求用户从官网直接获取,我们无法在 release 包中附带该文件。
setup.ps1 脚本会自动从 wintun.net 下载并解压 amd64 版本的 wintun.dll 到当前目录。
手动获取:访问 wintun.net,下载 zip 包,将 bin/amd64/wintun.dll 复制到 corplink-rs.exe 所在目录。
程序需要管理员权限,原因:
wg-go需要创建 TUN 虚拟网卡- 配置系统路由表(自动添加 VPN 路由)
如果运行时提示 please run as administrator,右键 PowerShell 选择"以管理员身份运行"。
- wintun.dll 找不到:运行
setup.ps1或手动下载放入同目录 - 配置文件 JSON 不支持注释:示例中的
// comment需要删除 - 路由未生效:检查是否以管理员运行,关闭其他 VPN 软件避免路由冲突
macos 要求 tun 设备的名称满足正则表达式 utun[0-9]* ,因此需要将配置文件中的 interface_name 改为符合正则的名字,例如 utun12345
另外, utun 后的数字类型应该是 int16 ,如果大于 32767 会报错 Failed to create TUN device: invalid argument 。具体参考 #46
本项目使用 env_logger 作为 log 库,修改 log level 需要使用环境变量,示例:
RUST_LOG=debug ./corplink-rs config.json最小配置
{
"company_name": "company code name",
"username": "your_name"
}推荐配置(自用配置)
{
"company_name": "company code name",
"username": "your_name",
"password": "your_pass",
"platform": "ldap"
}完整配置
{
"company_name": "company code name",
"username": "your_name",
// support sha256sum hashed pass if you don't use ldap, will ask email for code if not provided
"password": "your_pass",
// default is feilian, can be feilian/ldap/lark(aka feishu)/OIDC
// dingtalk/aad/weixin is not supported yet
"platform": "ldap",
"code": "totp code",
// default is DollarOS(not CentOS)
"device_name": "any string to describe your device",
"device_id": "md5 of device_name or any string with same format",
"public_key": "wg public key, can be generated from private key",
"private_key": "wg private key",
"server": "server link",
// enable wg-go log to debug uapi problems
"debug_wg": true,
// will use corplink as interface name
"interface_name": "corplink",
// will use the specified server to connect, for example 'HK-1'
// name from server list
"vpn_server_name": "hk",
// latency/default
// latency: choose the server with the lowest latency
// default: choose the first available server
"vpn_select_strategy": "latency",
// use vpn dns (macOS: networksetup; Linux: rename /etc/resolv.conf aside
// and write a new one with the VPN-provided nameserver)
// NOTE: if process doesn't exit gracefully, your dns may not be restored
"use_vpn_dns": false,
// optional: filename for the Linux backup of /etc/resolv.conf.
// Default "resolv.conf.corplink", always placed next to /etc/resolv.conf.
// macOS ignores this field.
"dns_backup_filename": null,
// automatically setup system routes (default: true)
// set to false if you want to manually configure routes
"auto_setup_routes": true,
// route mode: "split" (default) or "full"
// - split: use intranet routes from server (same as official split mode)
// - full: use full-tunnel routes from server
// often combined with "auto_setup_routes": false in container/gateway setups
"route_mode": "split",
// optional: list of CIDRs to carve out of AllowedIPs (and system routes).
// applied as CIDR subtraction: each entry is subtracted from every route
// returned by the server, so listing a smaller range like "10.68.0.0/16"
// still punches a hole even when the server returns a supernet like
// "0.0.0.0/0" (full-tunnel). useful for keeping local LAN traffic off the
// VPN, and for excluding the VPN peer endpoint IP to avoid a routing loop
// that would otherwise black-hole all traffic.
"vpn_disallowed_routes": ["192.168.1.0/24"]
}魔改了配置的方式,加了鉴权
猜测是:
- 动态管理 peer
- 客户端通过验证后,使用 public key 来请求连接,然后服务端就将客户端的 key 加到 peer 库里,然后将配置返回给客户端,等待客户端连接
- wg 是支持同一个接口上连多个 peer ,所以这样是 OK 的
- 定时将不活跃的客户端清理,释放分配的 IP
- ...
因此,我们只需要生成 wg 的 key ,然后去找服务端拿配置,然后写到 wg 配置里,启动 wg ,就能连上服务端了
2.0.9 版本(或者更早)新增了 protocol_version 字段,需要使用魔改后的 wg-corplink 才能连接
graph TD;
A[Password Login];
B[Request Email Code];
C[Email Login];
D[Verify 2-FA];
E[List VPN];
F[Ping VPN];
G[Connect VPN];
A-->D;
B-->C-->D;
D-->E-->F-->G;
graph TD;
A[Password Login];
B[Request Email Code];
C[Email Login];
D[List VPN];
E[Ping VPN];
F[Connect VPN With 2-FA Code];
A-->D;
B-->C;
C-->D-->E-->F;
飞连的 otp 是使用的标准的 totp ,在 ua 为 Android 时,会在登录时返回 totp 的 token ,然后使用 totp 算法就能生成出当前时间的验证码了,然后在获取连接信息时传输该验证码,就不需要单独验证验证码了
- 使用 Tauri 实现界面(
或许大概可能永远不会有) - 实现 TCP 版的 wg 协议
- 为不同配置生成不同的
cookies.json - windows/mac 实现
- 自动使用从服务器返回的请求中的时间戳同步时间
- 自动生成 wg key
- 修复服务端异常断开连接后客户端不会退出的问题
- 0.5.4
- fix memory leak in unsafe code
- refactor error handling with
anyhow - fix default log level
- add ci for push event(@yanyongyu)
- 0.5.3
- remove keep-alive api call
- 0.5.2
- add ipv6 support(@hexchain @ManiaciaChao)
- 0.5.1
- support using dns from server for macos(@fanwenlin)
- fix high cpu usage
- 0.5.0
- add tcp support for wg-go
- 0.4.4
- add macos release(by @overvenus)
- fix single ip route(by @simpleapples)
- add qr code suuport for feishu login(@simpleapples)
- 0.4.3
- support corplink 2.2.x(by @jixiuf)
- 0.4.2
- add OIDC platform support(by @Jinxuyang)
- 0.4.1
- fix Windows device up
- fix undefined behavior for c str
- 0.4.0
- embed wg-go with cgo
- 0.3.6
- fix wg-corplink not exit(by @LionheartLann)
- fix session is expired(by @XYenon)
- 0.3.5
- fix empty login method list
- fix write long data to uapi(by @nolouch)
- add vpn server name option(by @nolouch)
- 0.3.4
- fix cookie out of date
- 0.3.3
- add feishu tps login support
- upgrade dependency
- 0.3.2
- separate
cookies.json - add debug flag for wg-go
- separate
- 0.3.1
- fix mac support(on wg-corplink)
- 0.3.0
- add windows/mac support
- 0.2.3
- fix empty
protocol_version - add privilege check
- fix empty
- 0.2.2
- fix wg-corplink not exit if corplink-rs exit accidently
- 0.2.1
- use modified wireguard-go
- don't generate config anymore
- remove
conf_name/conf_dirand addinterface_name/wg_binaryin config
- use modified wireguard-go
- 0.1.4
- get company name from company code automatically
- support ldap
- check and skip tcp wg server
- optimize config
- 0.1.3
- disconnect if wireguard handshake timeout
- 0.1.2
- support time correction for totp
- 0.1.1
- support generate wg key
- 0.1.0
- first version
Copyright (C) 2023 PinkD, ShuNing, LionheartLann, XYenon, Verge, jixiuf,
simpleapples, overvenus, fanwenlin, hexchain, ManiaciaChao, yanyongyu
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.