Gordafarid is a simple encrypted proxy server/client implementation in Go. Designed primarily for educational purposes, this project demonstrates how to build a basic proxy system with encryption, leveraging AEAD ciphers for secure communication.
-
Educational: Designed as a learning tool to demonstrate proxy server/client implementation with encryption in Go.
-
Gordafarid Protocol: Implemented a proxy protocol named Gordafarid, inspired by SOCKS5, for secure client-server communication.
-
Secure Communication: All data exchanged between client and server is encrypted. The
Initial Greeting
is encrypted using AES/GCM, and the rest is encrypted using an AEAD cipher. -
AEAD algorithm support: Supports ChaCha20-Poly1305/AES-256-GCM/AES-192-GCM/AES-128-GCM cryptographic algorithms for secure application data communication(After the
Initial Greeting
). -
Reply attacks: Implements a mechanism to prevent replay attacks by checking for nonce reusage in encrypted communications.
-
User management: Supports multiple users with different credentials, allowing for fine-grained access control.
-
Authentication: Implements SOCKS5 username/password authentication on the client-side for local applications.
-
Flexible Configuration: Easily customizable through TOML configuration files, allowing for versatile deployment scenarios.
-
Code Documentation: the code is well-documented, so you can easily understand the code.
- UDP support is not yet implemented. Contributions to add this feature are welcome.
- Technically speaking, the Gordafarid protocol doesn't disguise itself from DPI, so its traffic detection is not difficult.
-
- Please read GORDAFARID_SPECIFICATION.md
- Also, the code has been written in a way that you can easily understand the concepts, there are lots of comments to help you understand the code.
-
-
Overview:
- Local Application ⇄ Client Proxy ⇄ (Encrypted Data) ⇄ Server Proxy ⇄ Target Server.
-
Client-Side Flow:
- Local Application initiates SOCKS5 request to Client proxy.
- Client performs SOCKS5 handshake and authentication using the SOCKS5 authentication mechanism if
socks5Credentials
is not empty. - Client extracts target address from SOCKS5 handshake.
- Client establishes connection to the Proxy Server using Gordafarid protocol.
- Client sends encrypted Gordafarid
Initial Greeting
to Proxy Server using the AES/GCM algorithm and the pre-shared key specified in theinitPassword
field of the config file.NOTICE
: After this stage, all communication is encrypted using an AEAD cipher specified in the config file, with its key being the account password. - Cilent receives
Greeting Response
from the server and decrypts it. - Client encrypts and sends
Request
to Proxy Server. - Client receives and decrypts
Reply
from Proxy Server. - Client begins relaying encrypted data between the Local Application and the Proxy Server.
-
Server-Side Flow:
- Proxy Server receives Gordafarid
Initial Greeting
from Client Proxy and decrypts it using AES/GCM algorithm and pre-shared key and specified in theinitPassword
field of the config file.NOTICE
: After this stage, all communication is encrypted using an AEAD cipher specified in the config file, with its key being the account password. - Proxy Server sends encrypted Gordafarid
Greeting Response
to Client Proxy. - Proxy Server receives and decrypts
Request
from Client Proxy . - Proxy Server sends encrypted
Reply
to Client proxy. - Proxy Server establishes connection to Target Server that was indicated in the handshake process.
- Proxy Server begins relaying encrypted data between Client Proxy and Target Server.
- Proxy Server receives Gordafarid
-
-
- Please read CODEBASE_OVERVIEW.md
-
-
- Releases page
-
- Set the configuration file for the server
The best practice is to put the configuration file in the same directory as the executable, or use the -config flag to specify the path to the configuration file.
- Run the server
- Set the configuration file for the server
-
- Set the configuration file for the client
The best practice is to put the configuration file in the same directory as the executable, or use the -config flag to specify the path to the configuration file.
- Run the client
- Set the configuration file for the client
-
-
-
git clone https://github.com/Iam54r1n4/Gordafarid
-
- Navigate to the server directory
cd Gordafarid/cmd/server/
- Set the configuration file for the server
vi config.toml
- Build the server
go build -o gordafarid-server -v .
- Run the server
./gordafarid-server -config config.toml
- Navigate to the server directory
-
- Navigate to the client directory
cd Gordafarid/cmd/client/
- Set the configuration file for the client
vi config.toml
- Build the client
go build -o gordafarid-client -v .
- Run the client
./gordafarid-client -config config.toml
- Navigate to the client directory
-
- Go 1.22.2
- golang.org/x/crypto v0.27.0
- golang.org/x/sys v0.25.0
- github.com/BurntSushi/toml v1.4.0
- This project is licensed under the GNU License. See the LICENSE file for details.
- Special thanks to @ReturnFI for their valuable assistance.
- This project should not be used in production environments without significant security enhancements and thorough testing.
- I wrote this project in less than two weeks, so it's not perfect.