ipn/pipws: websockets tunnel

Author: ignoramous

go.mod

@@ -24,12 +24,14 @@ require (
 	golang.org/x/mobile v0.0.0-20220518205345-8578da9835fd
 	golang.zx2c4.com/wireguard v0.0.0-20230317141804-7f511c3bb16d
 	gvisor.dev/gvisor v0.0.0-20230407213733-b6e172e0e152
+	nhooyr.io/websocket v1.8.7
 )
 
 require (
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
 	github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 // indirect
 	github.com/google/btree v1.0.1 // indirect
+	github.com/klauspost/compress v1.10.3 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/txthinking/runnergroup v0.0.0-20210608031112-152c7c4432bf // indirect
 	golang.org/x/mod v0.7.0 // indirect

go.sum

@@ -33,15 +33,26 @@ github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819/go.mod h1:Ro8st/El
 github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
 github.com/eycorsican/go-tun2socks v1.16.11 h1:+hJDNgisrYaGEqoSxhdikMgMJ4Ilfwm/IZDrWRrbaH8=
 github.com/eycorsican/go-tun2socks v1.16.11/go.mod h1:wgB2BFT8ZaPKyKOQ/5dljMG/YIow+AIXyq4KBwJ5sGQ=
+github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
+github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
+github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
+github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
+github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@@ -55,22 +66,28 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/jedisct1/go-clocksmith v0.0.0-20190707124905-73e087c7979c h1:a/NQUT7AXkEfhaZ+nb7Uzqijo1Qc7C7SZpRrv+6UQDA=
 github.com/jedisct1/go-clocksmith v0.0.0-20190707124905-73e087c7979c/go.mod h1:SAINchklztk2jcLWJ4bpNF4KnwDUSUTX+cJbspWC2Rw=
 github.com/jedisct1/go-dnsstamps v0.0.0-20200621175006-302248eecc94 h1:O5X61fl3p/dl+7hLDwDamJxRY6z/LwuH1XD+OyNNlxE=
 github.com/jedisct1/go-dnsstamps v0.0.0-20200621175006-302248eecc94/go.mod h1:128Ik0lG+DBYL6zaSgN3icmzDASeQgkSy3+Sp10trLc=
 github.com/jedisct1/xsecretbox v0.0.0-20190909160646-b731c21297f9 h1:nGfB2s9K0GyHuNkJmXkIjP+m7je6Q6gjirr+weAEtDo=
 github.com/jedisct1/xsecretbox v0.0.0-20190909160646-b731c21297f9/go.mod h1:MipBKo+gZlzpd1JXA1OliuwvtQizlFeu4aMAyTLh8bo=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/k-sone/critbitgo v1.4.0 h1:l71cTyBGeh6X5ATh6Fibgw3+rtNT80BA0uNNWgkPrbE=
 github.com/k-sone/critbitgo v1.4.0/go.mod h1:7E6pyoyADnFxlUBEKcnfS49b7SUAQGMK+OAp/UQvo0s=
+github.com/klauspost/compress v1.10.3 h1:OP96hzwJVBIHYU52pVTI6CczrxPvrGfgqF9N5eTO0Q8=
+github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/miekg/dns v1.1.49 h1:qe0mQU3Z/XpFeE+AEBo2rqaS1IPBJ3anmqZ4XiZJVG8=
@@ -123,6 +140,8 @@ github.com/txthinking/socks5 v0.0.0-20220615051428-39268faee3e6 h1:8DkPbOq/EPxbD
 github.com/txthinking/socks5 v0.0.0-20220615051428-39268faee3e6/go.mod h1:7NloQcrxaZYKURWph5HLxVDlIwMHJXCPkeWPtpftsIg=
 github.com/txthinking/x v0.0.0-20210326105829-476fab902fbe h1:gMWxZxBFRAXqoGkwkYlPX2zvyyKNWJpxOxCrjqJkm5A=
 github.com/txthinking/x v0.0.0-20210326105829-476fab902fbe/go.mod h1:WgqbSEmUYSjEV3B1qmee/PpP2NYEz4bL9/+mF1ma+s4=
+github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
+github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -179,6 +198,7 @@ golang.org/x/sys v0.0.0-20190909082730-f460065e899a/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191224085550-c709ea063b76/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200824131525-c12d262b63d8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -194,6 +214,7 @@ golang.org/x/sys v0.5.1-0.20230222185716-a3b23cc77e89 h1:260HNjMTPDya+jq5AM1zZLg
 golang.org/x/sys v0.5.1-0.20230222185716-a3b23cc77e89/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
@@ -237,6 +258,7 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -246,3 +268,5 @@ gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLRE
 gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA=
 gvisor.dev/gvisor v0.0.0-20230407213733-b6e172e0e152 h1:ZYILu78u7jC1D1rlKR4Zi6thz/qEye0u5vVvCdC0xec=
 gvisor.dev/gvisor v0.0.0-20230407213733-b6e172e0e152/go.mod h1:pzr6sy8gDLfVmDAg8OYrlKvGEHw5C3PGTiBXBTCx76Q=
+nhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g=
+nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=

intra/ipn/pipws.go

@@ -0,0 +1,242 @@
+// Copyright (c) 2023 RethinkDNS and its authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package ipn
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/celzero/firestack/intra/core"
+	"github.com/celzero/firestack/intra/core/ipmap"
+	"github.com/celzero/firestack/intra/log"
+	"github.com/celzero/firestack/intra/protect"
+	"github.com/celzero/firestack/intra/settings"
+	"github.com/celzero/firestack/intra/split"
+	"nhooyr.io/websocket"
+)
+
+const (
+	writeTimeout time.Duration = 10 * time.Second
+)
+
+type pipws struct {
+	Proxy
+	id       string      // some unique identifier
+	url      string      // h2 proxy url
+	hostname string      // h2 proxy hostname
+	port     int         // h2 proxy port
+	ips      ipmap.IPMap // h2 proxy working ips
+	token    string      // hex, client token
+	sig      string      // hex, authorizer signed client token
+	client   http.Client // h2 client
+	dialer   *net.Dialer // h2 dialer
+	status   int         // proxy status: TOK, TKO, END
+}
+
+var _ core.TCPConn = &pipwsconn{}
+
+// pipwsconn minimally adapts net.Conn to the core.TCPConn interface
+type pipwsconn struct {
+	net.Conn
+}
+
+func (c *pipwsconn) CloseRead() error  { return c.Close() }
+func (c *pipwsconn) CloseWrite() error { return c.Close() }
+
+func (t *pipws) dial(network, addr string) (net.Conn, error) {
+	log.D("piph2: dialing %s", addr)
+	domain, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return nil, err
+	}
+
+	tcpaddr := func(ip net.IP) *net.TCPAddr {
+		return &net.TCPAddr{IP: ip, Port: port}
+	}
+
+	var conn net.Conn
+	ips := t.ips.Get(domain)
+	confirmed := ips.Confirmed()
+	if confirmed != nil {
+		if conn, err = split.DialWithSplitRetry(t.dialer, tcpaddr(confirmed), nil); err == nil {
+			log.I("piph2: confirmed IP %s worked", confirmed.String())
+			return conn, nil
+		}
+		log.D("piph2: confirmed IP %s failed with err %v", confirmed.String(), err)
+		ips.Disconfirm(confirmed)
+	}
+
+	log.D("piph2: trying all IPs")
+	for _, ip := range ips.GetAll() {
+		if ip.Equal(confirmed) {
+			continue
+		}
+		if conn, err = split.DialWithSplitRetry(t.dialer, tcpaddr(ip), nil); err == nil {
+			log.I("piph2: found working IP: %s", ip.String())
+			return conn, nil
+		}
+	}
+	return nil, err
+}
+
+func (t *pipws) wsconn(rurl, msg string) (c net.Conn, res *http.Response, err error) {
+	var ws *websocket.Conn
+	ctx := context.Background()
+	hdrs := http.Header{}
+	hdrs.Set("User-Agent", "")
+	hdrs.Set("X-Nile-Pip-Claim", t.claim(msg))
+	hdrs.Set("X-Nile-Pip-Msg", msg)
+
+	log.D("connecting to %s", rurl)
+
+	ws, res, err = websocket.Dial(ctx, rurl, &websocket.DialOptions{
+		CompressionMode: websocket.CompressionNoContextTakeover,
+		HTTPClient:      &t.client,
+		HTTPHeader:      hdrs,
+	})
+	if err != nil {
+		log.E("websocket: %v\n", err)
+		return
+	}
+
+	conn := websocket.NetConn(ctx, ws, websocket.MessageBinary)
+	c = &pipwsconn{conn}
+	return
+}
+
+func NewPipWsProxy(id string, ctl protect.Controller, po *settings.ProxyOptions) (Proxy, error) {
+	parsedurl, err := url.Parse(po.Url())
+	if err != nil {
+		return nil, err
+	}
+	// may be "pipws"
+	if parsedurl.Scheme != "wss" {
+		parsedurl.Scheme = "wss"
+	}
+	portStr := parsedurl.Port()
+	var port int
+	if len(portStr) > 0 {
+		port, err = strconv.Atoi(portStr)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		port = 443
+	}
+
+	dialer := protect.MakeNsDialer(ctl)
+	t := &pipws{
+		id:       id,
+		url:      parsedurl.String(),
+		hostname: parsedurl.Hostname(),
+		port:     port,
+		dialer:   dialer,
+		token:    po.Auth.User,
+		sig:      po.Auth.Password,
+		ips:      ipmap.NewIPMap(dialer.Resolver),
+		status:   TOK,
+	}
+
+	ipset := t.ips.Of(t.hostname, po.Addrs) // po.Addrs may be nil or empty
+	if ipset.Empty() {
+		log.W("pipws: zero bootstrap ips %s", t.hostname)
+	}
+
+	t.client.Transport = &http.Transport{
+		Dial:                  t.dial,
+		TLSHandshakeTimeout:   writeTimeout,
+		ResponseHeaderTimeout: writeTimeout,
+	}
+	return t, nil
+}
+
+func (t *pipws) ID() string {
+	return t.id
+}
+
+func (t *pipws) Type() string {
+	return PIPWS
+}
+
+func (t *pipws) GetAddr() string {
+	return t.hostname + ":" + strconv.Itoa(t.port)
+}
+
+func (t *pipws) Stop() error {
+	t.status = END
+	return nil
+}
+
+func (t *pipws) Status() int {
+	return t.status
+}
+
+func (t *pipws) claim(msg string) string {
+	if len(t.token) == 0 || len(t.sig) == 0 {
+		return ""
+	}
+	// hmac msg keyed by token's sig
+	msgmac := hmac256(hex2byte(msg), hex2byte(t.sig))
+	return claimprefix + t.token + ":" + t.sig + ":" + byte2hex(msgmac)
+}
+
+func (t *pipws) Dial(network, addr string) (Conn, error) {
+	if t.status == END {
+		return nil, errProxyStopped
+	}
+	if network != "tcp" {
+		return nil, errUnexpectedProxy
+	}
+
+	u, err := url.Parse(t.url)
+	if err != nil {
+		return nil, err
+	}
+	ipp, err := netip.ParseAddrPort(addr)
+	if err != nil {
+		return nil, err
+	}
+
+	if !strings.HasSuffix(u.Path, "/") {
+		u.Path += "/"
+	}
+	u.Path += ipp.Addr().String() + "/" + strconv.Itoa(int(ipp.Port())) + "/" + network
+
+	msg, err := hexnonce(ipp)
+	if err != nil {
+		log.E("pipws: nonce err: %v", err)
+		return nil, err
+	}
+
+	rurl := u.String()
+	c, res, err := t.wsconn(rurl, msg)
+	if err != nil {
+		log.E("pipws: req err: %v", err)
+		t.status = TKO
+		return nil, err
+	}
+	if res.StatusCode != 101 {
+		log.E("pipws: res not ws %d", res.StatusCode)
+		t.status = TKO
+		return nil, err
+	}
+
+	log.D("pipws: duplex %s", rurl)
+
+	t.status = TOK
+	return c, nil
+}

intra/ipn/proxies.go

@@ -27,6 +27,7 @@ const (
 	HTTP1  = "http1"  // HTTP/1.1 proxy
 	WG     = "wg"     // WireGuard-as-a-proxy
 	PIPH2  = "piph2"  // PIP: HTTP/2 proxy
+	PIPWS  = "pipws"  // PIP: WebSockets proxy
 	NOOP   = "noop"   // No proxy
 
 	// status of proxies

intra/ipn/proxy.go

@@ -64,6 +64,8 @@ func (pxr *proxifier) AddProxy(id, txt string) (p Proxy, err error) {
 			p, err = NewHTTPProxy(id, pxr.ctl, opts)
 		case "piph2":
 			p, err = NewPipProxy(id, pxr.ctl, opts)
+		case "pipws":
+			p, err = NewPipWsProxy(id, pxr.ctl, opts)
 		case "wg":
 			err = fmt.Errorf("proxy: id must be prefixed with %s in %s for [%s]", WG, id, txt)
 		default: