// SPDX-FileCopyrightText: 2023 The Pion community
// SPDX-License-Identifier: MIT

// Command main relays UDP datagrams received on a local socket to a peer
// through a TURN relay, optionally wrapping them in a DTLS session. TURN
// credentials are obtained from either the VK Calls or the Yandex Telemost
// anonymous-join flow, selected by the -vk-link / -yandex-link flags.
package main

import (
	"bytes"
	"context"
	"crypto/tls"
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"log"
	"math/rand"
	"net"
	"net/http"
	"net/url"
	"os"
	"os/signal"
	"strings"
	"sync"
	"sync/atomic"
	"syscall"
	"time"

	"github.com/cbeuw/connutil"
	"github.com/google/uuid"
	"github.com/gorilla/websocket"
	"github.com/pion/dtls/v3"
	"github.com/pion/dtls/v3/pkg/crypto/selfsign"
	"github.com/pion/logging"
	"github.com/pion/turn/v5"
)

// getCredsFunc fetches TURN credentials for (link, streamID) and returns
// username, password and the TURN server address as host:port.
type getCredsFunc func(context.Context, string, int) (string, string, string, error)

const vkClientID = "6287487"

// vkClientSecret is an application credential embedded in source. It is
// shipped with every copy of the binary and cannot be rotated without a
// rebuild; treat it as public and expect the upstream service to revoke it.
const vkClientSecret = "QbYic1K3lEV5kTGiqlq2"
const vkAPIVersion = "5.275"

// TurnCredentials stores cached TURN credentials
type TurnCredentials struct {
	Username   string
	Password   string
	ServerAddr string
	ExpiresAt  time.Time
	Link       string // invite link the credentials were issued for; a lookup with a different link is a miss
}

// StreamCredentialsCache holds the credentials cache shared by one group of
// streamsPerCache streams (see getCacheID).
type StreamCredentialsCache struct {
	creds TurnCredentials
	mutex sync.RWMutex // guards creds; also held across the network fetch in getVkCredsCached
	// errorCount and lastErrorTime are only ever reset (in invalidate) in
	// this file; nothing here increments or reads them.
	errorCount    atomic.Int32
	lastErrorTime atomic.Int64
}

const (
	credentialLifetime = 10 * time.Minute
	cacheSafetyMargin  = 60 * time.Second
	// maxCacheErrors and errorWindow are not referenced anywhere in this file.
	maxCacheErrors  = 3
	errorWindow     = 10 * time.Second
	streamsPerCache = 4 // Number of streams sharing one credentials cache
)

// getCacheID returns the shared cache ID for a given stream ID
func getCacheID(streamID int) int {
	return streamID / streamsPerCache
}

// credentialsStore manages per-stream credentials caches
var credentialsStore = struct {
	mu     sync.RWMutex
	caches map[int]*StreamCredentialsCache
}{
	caches: make(map[int]*StreamCredentialsCache),
}

// getStreamCache returns or creates a shared cache for the given stream ID
func getStreamCache(streamID int) *StreamCredentialsCache {
	cacheID := getCacheID(streamID)
	// Try read lock first for fast path
	credentialsStore.mu.RLock()
	cache, exists := credentialsStore.caches[cacheID]
	credentialsStore.mu.RUnlock()
	if exists {
		return cache
	}
	// Need to create new cache
	credentialsStore.mu.Lock()
	defer credentialsStore.mu.Unlock()
	// Double-check after acquiring write lock
	if cache, exists = credentialsStore.caches[cacheID]; exists {
		return cache
	}
	cache = &StreamCredentialsCache{}
	credentialsStore.caches[cacheID] = cache
	return cache
}

// invalidate clears the cached credentials and resets the error counters.
// It has no caller in this file.
func (c *StreamCredentialsCache) invalidate(streamID int) {
	c.mutex.Lock()
	c.creds = TurnCredentials{}
	c.mutex.Unlock()
	// Reset auth error counter
	c.errorCount.Store(0)
	c.lastErrorTime.Store(0)
	log.Printf("[VK Auth] Credentials cache invalidated for stream %d", streamID)
}

// min returns the smaller of a and b. This package-level definition shadows
// the Go 1.21+ builtin of the same name; it is redundant on newer toolchains.
func min(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// vkDelay sleeps for a random duration between minMs and maxMs to avoid bot detection.
// Uses the math/rand global source; the value is only timing jitter, not a
// security-sensitive random. Assumes maxMs >= minMs: rand.Intn panics on a
// non-positive argument.
func vkDelay(minMs, maxMs int) {
	ms := minMs + rand.Intn(maxMs-minMs+1)
	time.Sleep(time.Duration(ms) * time.Millisecond)
}

// vkCredsMu serializes VK credential fetching to avoid BOT detection from parallel requests
var vkCredsMu sync.Mutex

// getVkCredsCached checks cache before fetching credentials.
// The cache group's mutex is held for the whole network fetch, so other
// streams in the same group block until this fetch completes or fails; on
// success they then hit the cache. Cached entries expire
// cacheSafetyMargin before the assumed credentialLifetime.
func getVkCredsCached(ctx context.Context, link string, streamID int) (string, string, string, error) {
	cache := getStreamCache(streamID)
	cacheID := getCacheID(streamID)
	cache.mutex.Lock()
	defer cache.mutex.Unlock()
	// Check cache - another stream may have populated it while waiting
	if cache.creds.Link == link && time.Now().Before(cache.creds.ExpiresAt) {
		expires := time.Until(cache.creds.ExpiresAt)
		log.Printf("[VK Auth] Using cached credentials (cache=%d, expires in %v)", cacheID, expires)
		return cache.creds.Username, cache.creds.Password, cache.creds.ServerAddr, nil
	}
	log.Printf("[VK Auth] Cache miss (cache=%d), starting credential fetch...", cacheID)
	// Check context before long fetch
	select {
	case <-ctx.Done():
		return "", "", "", ctx.Err()
	default:
	}
	// Fetch credentials with mutex to avoid VK flood control
	user, pass, addr, err := getVkCredsSafe(ctx, link, streamID)
	if err != nil {
		return "", "", "", err
	}
	// Store in cache
	cache.creds = TurnCredentials{
		Username:   user,
		Password:   pass,
		ServerAddr: addr,
		ExpiresAt:  time.Now().Add(credentialLifetime - cacheSafetyMargin),
		Link:       link,
	}
	log.Printf("[VK Auth] Success! Credentials cached until %v (cache=%d)", cache.creds.ExpiresAt, cacheID)
	return user, pass, addr, nil
}

// getVkCredsSafe wraps getVkCreds with mutex to avoid VK flood control.
// streamID is accepted for signature compatibility with getCredsFunc and is
// not used.
func getVkCredsSafe(ctx context.Context, link string, streamID int) (string, string, string, error) {
	vkCredsMu.Lock()
	defer vkCredsMu.Unlock()
	return getVkCreds(ctx, link)
}

// vkHTTPPost POSTs a form-encoded body to url and decodes the JSON reply
// into a generic map.
//
// NOTE(review): the parameter named url shadows the net/url package inside
// this function. A fresh http.Client and Transport are built per call and
// the idle connections are dropped on return, so connections are never
// reused. The whole response body is read with io.ReadAll with no size cap;
// the only bound is the 20s client timeout. On a 4xx/5xx status (3xx is
// followed by the client before we get here) up to 500 bytes of the
// response body are copied into the returned error, which callers log.
func vkHTTPPost(ctx context.Context, data string, url string) (map[string]interface{}, error) {
	client := &http.Client{
		Timeout: 20 * time.Second,
		Transport: &http.Transport{
			MaxIdleConns:        100,
			MaxIdleConnsPerHost: 100,
			IdleConnTimeout:     90 * time.Second,
		},
	}
	defer client.CloseIdleConnections()
	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewBuffer([]byte(data)))
	if err != nil {
		return nil, err
	}
	// Headers matching HAR capture exactly
	req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36")
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "*/*")
	req.Header.Set("Accept-Language", "en-US,en;q=0.9")
	req.Header.Set("Origin", "https://vk.ru")
	req.Header.Set("Referer", "https://vk.ru/")
	req.Header.Set("sec-ch-ua-platform", `"Windows"`)
	req.Header.Set("sec-ch-ua", `"Chromium";v="146", "Not-A.Brand";v="24", "Google Chrome";v="146"`)
	req.Header.Set("sec-ch-ua-mobile", "?0")
	req.Header.Set("Sec-Fetch-Site", "same-site")
	req.Header.Set("Sec-Fetch-Mode", "cors")
	req.Header.Set("Sec-Fetch-Dest", "empty")
	req.Header.Set("DNT", "1")
	req.Header.Set("Priority", "u=1, i")
	httpResp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer httpResp.Body.Close()
	// Handle HTTP errors (rate limits, server errors, etc.); redirects are
	// already followed by http.Client, so only 4xx/5xx reach this branch.
	if httpResp.StatusCode >= 400 {
		body, _ := io.ReadAll(httpResp.Body)
		return nil, fmt.Errorf("HTTP %d from %s: %s", httpResp.StatusCode, req.URL, string(body[:min(len(body), 500)]))
	}
	body, err := io.ReadAll(httpResp.Body)
	if err != nil {
		return nil, err
	}
	// Check content type - VK may return HTML instead of JSON (captcha page, redirect, etc.)
	contentType := httpResp.Header.Get("Content-Type")
	if contentType != "" && !strings.Contains(contentType, "application/json") && !strings.Contains(contentType, "text/javascript") {
		// Log first 500 chars of non-JSON response for debugging
		logPreview := string(body)
		if len(logPreview) > 500 {
			logPreview = logPreview[:500] + "...(truncated)"
		}
		return nil, fmt.Errorf("unexpected content-type %s, status %d, body: %s", contentType, httpResp.StatusCode, logPreview)
	}
	var resp map[string]interface{}
	if err = json.Unmarshal(body, &resp); err != nil {
		// Log the raw body for debugging
		logPreview := string(body)
		if len(logPreview) > 500 {
			logPreview = logPreview[:500] + "...(truncated)"
		}
		return nil, fmt.Errorf("JSON parse error: %w, body: %s", err, logPreview)
	}
	return resp, nil
}

// getVkCreds walks the VK Calls anonymous-join sequence (anonymous token,
// call preview, call token, OK session, joinConversationByLink) and returns
// the TURN username, credential and server address from the final reply.
// ExtractCaptchaData and SolveVkCaptcha are defined elsewhere in the package.
//
// NOTE(review): several error paths format the entire decoded response map
// with %v ("invalid Token 1 response", "invalid Token 2 response",
// "turn_server not found in response"); those maps can carry the access
// tokens returned by the service, and the callers log the error string.
// Only urls[0] of turn_server is used; a "turns:" prefix is stripped here
// and the address is later dialed as plain TCP/UDP in oneTurnConnection.
func getVkCreds(ctx context.Context, link string) (string, string, string, error) {
	// Token 1 (messages)
	log.Println("[VK Auth] Getting Token 1...")
	data := fmt.Sprintf("client_id=%s&token_type=messages&client_secret=%s&version=1&app_id=%s", vkClientID, vkClientSecret, vkClientID)
	resp, err := vkHTTPPost(ctx, data, "https://login.vk.ru/?act=get_anonym_token")
	if err != nil {
		return "", "", "", fmt.Errorf("Token 1 request error: %w", err)
	}
	if errMsg, ok := resp["error"].(map[string]interface{}); ok {
		return "", "", "", fmt.Errorf("Token 1 VK error: %v", errMsg)
	}
	dataObj, ok := resp["data"].(map[string]interface{})
	if !ok {
		return "", "", "", fmt.Errorf("invalid Token 1 response: %v", resp)
	}
	token1, ok := dataObj["access_token"].(string)
	if !ok {
		return "", "", "", fmt.Errorf("access_token not found in Token 1 response")
	}
	log.Println("[VK Auth] Token 1 received")
	vkDelay(100, 200) // Token 1 → getCallPreview
	// getCallPreview (optional, like browser)
	log.Println("[VK Auth] Getting call preview...")
	cpData := fmt.Sprintf("vk_join_link=https://vk.ru/call/join/%s&fields=photo_200&access_token=%s", url.QueryEscape(link), token1)
	cpURL := fmt.Sprintf("https://api.vk.ru/method/calls.getCallPreview?v=%s&client_id=%s", vkAPIVersion, vkClientID)
	_, _ = vkHTTPPost(ctx, cpData, cpURL) // non-critical
	vkDelay(500, 1000)                     // getCallPreview → Token 2
	// Token 2 (may require captcha)
	log.Println("[VK Auth] Getting Token 2...")
	t2Data := fmt.Sprintf("vk_join_link=https://vk.ru/call/join/%s&name=123&access_token=%s", url.QueryEscape(link), token1)
	t2URL := fmt.Sprintf("https://api.vk.ru/method/calls.getAnonymousToken?v=%s&client_id=%s", vkAPIVersion, vkClientID)
	resp, err = vkHTTPPost(ctx, t2Data, t2URL)
	if err != nil {
		return "", "", "", fmt.Errorf("Token 2 request error: %w", err)
	}
	// Check for captcha error
	if errMsg, ok := resp["error"].(map[string]interface{}); ok {
		captchaData, isCaptcha := ExtractCaptchaData(errMsg)
		if !isCaptcha {
			return "", "", "", fmt.Errorf("Token 2 VK error: %v", errMsg)
		}
		log.Printf("[VK Auth] Captcha detected, solving...")
		successToken, solveErr := SolveVkCaptcha(ctx, captchaData)
		if solveErr != nil {
			return "", "", "", fmt.Errorf("captcha solving failed: %w", solveErr)
		}
		// Delay before retry (endSession → Token 2 retry)
		vkDelay(100, 200)
		// Retry Token 2 with captcha solution
		log.Println("[VK Auth] Retrying Token 2 with captcha solution...")
		t2Data = fmt.Sprintf(
			"vk_join_link=https://vk.ru/call/join/%s&name=123"+
				"&captcha_key=&captcha_sid=%s&is_sound_captcha=0"+
				"&success_token=%s&captcha_ts=%s&captcha_attempt=%s"+
				"&access_token=%s",
			url.QueryEscape(link), captchaData.CaptchaSid, successToken, captchaData.CaptchaTs, captchaData.CaptchaAttempt, token1,
		)
		resp, err = vkHTTPPost(ctx, t2Data, t2URL)
		if err != nil {
			return "", "", "", fmt.Errorf("Token 2 retry request error: %w", err)
		}
		if errMsg2, ok := resp["error"].(map[string]interface{}); ok {
			return "", "", "", fmt.Errorf("Token 2 retry VK error: %v", errMsg2)
		}
		// Token 2 retry → Token 3
		vkDelay(100, 200)
	}
	token2Obj, ok := resp["response"].(map[string]interface{})
	if !ok {
		return "", "", "", fmt.Errorf("invalid Token 2 response: %v", resp)
	}
	token2, ok := token2Obj["token"].(string)
	if !ok {
		return "", "", "", fmt.Errorf("token not found in Token 2 response")
	}
	log.Println("[VK Auth] Token 2 received")
	// Token 2 → Token 3
	vkDelay(100, 200)
	// Token 3 (OK auth.anonymLogin)
	log.Println("[VK Auth] Getting Token 3...")
	sessionData := fmt.Sprintf(`{"version":2,"device_id":"%s","client_version":1.1,"client_type":"SDK_JS"}`, uuid.New())
	t3Data := fmt.Sprintf("session_data=%s&method=auth.anonymLogin&format=JSON&application_key=CGMMEJLGDIHBABABA", url.QueryEscape(sessionData))
	resp, err = vkHTTPPost(ctx, t3Data, "https://calls.okcdn.ru/fb.do")
	if err != nil {
		return "", "", "", fmt.Errorf("Token 3 request error: %w", err)
	}
	if errMsg, ok := resp["error"].(string); ok && errMsg != "" {
		return "", "", "", fmt.Errorf("Token 3 API error: %s", errMsg)
	}
	token3, ok := resp["session_key"].(string)
	if !ok {
		return "", "", "", fmt.Errorf("session_key not found in Token 3 response")
	}
	log.Println("[VK Auth] Token 3 received")
	// Token 3 → Final (TURN)
	vkDelay(100, 200)
	// Final: vchat.joinConversationByLink (Token 4)
	log.Println("[VK Auth] Getting TURN credentials (Token 4)...")
	finalData := fmt.Sprintf(
		"joinLink=%s&isVideo=false&protocolVersion=5&capabilities=2F7F&anonymToken=%s&method=vchat.joinConversationByLink&format=JSON&application_key=CGMMEJLGDIHBABABA&session_key=%s",
		url.QueryEscape(link), token2, token3)
	resp, err = vkHTTPPost(ctx, finalData, "https://calls.okcdn.ru/fb.do")
	if err != nil {
		return "", "", "", fmt.Errorf("Final request error: %w", err)
	}
	if errMsg, ok := resp["error"].(string); ok && errMsg != "" {
		return "", "", "", fmt.Errorf("Final API error: %s", errMsg)
	}
	ts, ok := resp["turn_server"].(map[string]interface{})
	if !ok {
		return "", "", "", fmt.Errorf("turn_server not found in response: %v", resp)
	}
	urls, _ := ts["urls"].([]interface{})
	if len(urls) == 0 {
		return "", "", "", fmt.Errorf("urls not found in turn_server")
	}
	// Only the first URL is considered; unlike getYandexCreds, a
	// transport=tcp entry is not skipped here.
	urlStr, _ := urls[0].(string)
	clean := strings.Split(urlStr, "?")[0]
	address := strings.TrimPrefix(strings.TrimPrefix(clean, "turn:"), "turns:")
	username, _ := ts["username"].(string)
	credential, _ := ts["credential"].(string)
	if username == "" || credential == "" {
		return "", "", "", fmt.Errorf("username or credential not found in turn_server")
	}
	log.Println("[VK Auth] TURN credentials received")
	vkDelay(1500, 2500) // Final delay before exit
	return username, credential, address, nil
}

// getYandexCreds fetches the Telemost conference descriptor over HTTPS, then
// opens the media-server websocket, sends a HELLO and returns the first
// "turn:"/"turns:" ICE server (skipping transport=tcp entries) from the
// serverHello as username, credential and host:port. streamID is unused.
//
// NOTE(review): link is inserted into the request path without escaping;
// main trims it at the first '/', '?' or '#' before calling, which is the
// only bound on it. The HTTP request is built with http.NewRequest (no
// context), and the websocket section overwrites the ctx parameter with a
// context derived from context.Background(), so the caller's cancellation
// does not reach the dial or the read loop — only the 15s timeouts do. A
// "turns:" prefix is stripped and the address is later dialed in the clear
// by oneTurnConnection.
func getYandexCreds(ctx context.Context, link string, streamID int) (string, string, string, error) {
	const debug = false
	const telemostConfHost = "cloud-api.yandex.ru"
	telemostConfPath := fmt.Sprintf("%s%s%s", "/telemost_front/v2/telemost/conferences/https%3A%2F%2Ftelemost.yandex.ru%2Fj%2F", link, "/connection?next_gen_media_platform_allowed=false")
	const userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0"
	type ConferenceResponse struct {
		URI                 string `json:"uri"`
		RoomID              string `json:"room_id"`
		PeerID              string `json:"peer_id"`
		ClientConfiguration struct {
			MediaServerURL string `json:"media_server_url"`
		} `json:"client_configuration"`
		Credentials string `json:"credentials"`
	}
	type PartMeta struct {
		Name        string `json:"name"`
		Role        string `json:"role"`
		Description string `json:"description"`
		SendAudio   bool   `json:"sendAudio"`
		SendVideo   bool   `json:"sendVideo"`
	}
	type PartAttrs struct {
		Name        string `json:"name"`
		Role        string `json:"role"`
		Description string `json:"description"`
	}
	type SdkInfo struct {
		Implementation string `json:"implementation"`
		Version        string `json:"version"`
		UserAgent      string `json:"userAgent"`
		HwConcurrency  int    `json:"hwConcurrency"`
	}
	type Capabilities struct {
		OfferAnswerMode             []string `json:"offerAnswerMode"`
		InitialSubscriberOffer      []string `json:"initialSubscriberOffer"`
		SlotsMode                   []string `json:"slotsMode"`
		SimulcastMode               []string `json:"simulcastMode"`
		SelfVadStatus               []string `json:"selfVadStatus"`
		DataChannelSharing          []string `json:"dataChannelSharing"`
		VideoEncoderConfig          []string `json:"videoEncoderConfig"`
		DataChannelVideoCodec       []string `json:"dataChannelVideoCodec"`
		BandwidthLimitationReason   []string `json:"bandwidthLimitationReason"`
		SdkDefaultDeviceManagement  []string `json:"sdkDefaultDeviceManagement"`
		JoinOrderLayout             []string `json:"joinOrderLayout"`
		PinLayout                   []string `json:"pinLayout"`
		SendSelfViewVideoSlot       []string `json:"sendSelfViewVideoSlot"`
		ServerLayoutTransition      []string `json:"serverLayoutTransition"`
		SdkPublisherOptimizeBitrate []string `json:"sdkPublisherOptimizeBitrate"`
		SdkNetworkLostDetection     []string `json:"sdkNetworkLostDetection"`
		SdkNetworkPathMonitor       []string `json:"sdkNetworkPathMonitor"`
		PublisherVp9                []string `json:"publisherVp9"`
		SvcMode                     []string `json:"svcMode"`
		SubscriberOfferAsyncAck     []string `json:"subscriberOfferAsyncAck"`
		SvcModes                    []string `json:"svcModes"`
		ReportTelemetryModes        []string `json:"reportTelemetryModes"`
		KeepDefaultDevicesModes     []string `json:"keepDefaultDevicesModes"`
	}
	type HelloPayload struct {
		ParticipantMeta        PartMeta     `json:"participantMeta"`
		ParticipantAttributes  PartAttrs    `json:"participantAttributes"`
		SendAudio              bool         `json:"sendAudio"`
		SendVideo              bool         `json:"sendVideo"`
		SendSharing            bool         `json:"sendSharing"`
		ParticipantID          string       `json:"participantId"`
		RoomID                 string       `json:"roomId"`
		ServiceName            string       `json:"serviceName"`
		Credentials            string       `json:"credentials"`
		CapabilitiesOffer      Capabilities `json:"capabilitiesOffer"`
		SdkInfo                SdkInfo      `json:"sdkInfo"`
		SdkInitializationID    string       `json:"sdkInitializationId"`
		DisablePublisher       bool         `json:"disablePublisher"`
		DisableSubscriber      bool         `json:"disableSubscriber"`
		DisableSubscriberAudio bool         `json:"disableSubscriberAudio"`
	}
	type HelloRequest struct {
		UID   string       `json:"uid"`
		Hello HelloPayload `json:"hello"`
	}
	// FlexUrls has no custom UnmarshalJSON in this file, so a scalar "urls"
	// value would fail to decode unless one is defined elsewhere — verify.
	type FlexUrls []string
	type WSSResponse struct {
		UID         string `json:"uid"`
		ServerHello struct {
			RtcConfiguration struct {
				IceServers []struct {
					Urls       FlexUrls `json:"urls"`
					Username   string   `json:"username,omitempty"`
					Credential string   `json:"credential,omitempty"`
				} `json:"iceServers"`
			} `json:"rtcConfiguration"`
		} `json:"serverHello"`
	}
	type WSSAck struct {
		Uid string `json:"uid"`
		Ack struct {
			Status struct {
				Code string `json:"code"`
			} `json:"status"`
		} `json:"ack"`
	}
	type WSSData struct {
		ParticipantId string
		RoomId        string
		Credentials   string
		Wss           string
	}
	endpoint := "https://" + telemostConfHost + telemostConfPath
	client := &http.Client{
		Timeout: 20 * time.Second,
		Transport: &http.Transport{
			MaxIdleConns:        100,
			MaxIdleConnsPerHost: 100,
			IdleConnTimeout:     90 * time.Second,
		},
	}
	defer client.CloseIdleConnections()
	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		return "", "", "", err
	}
	req.Header.Set("User-Agent", userAgent)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Referer", "https://telemost.yandex.ru/")
	req.Header.Set("Origin", "https://telemost.yandex.ru")
	req.Header.Set("Client-Instance-Id", uuid.New().String())
	resp, err := client.Do(req)
	if err != nil {
		return "", "", "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// The full response body is copied into the error (no size cap).
		body, _ := io.ReadAll(resp.Body)
		return "", "", "", fmt.Errorf("GetConference: status=%s body=%s", resp.Status, string(body))
	}
	var result ConferenceResponse
	if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
		return "", "", "", fmt.Errorf("decode conf: %v", err)
	}
	data := WSSData{
		ParticipantId: result.PeerID,
		RoomId:        result.RoomID,
		Credentials:   result.Credentials,
		Wss:           result.ClientConfiguration.MediaServerURL,
	}
	h := http.Header{}
	h.Set("Origin", "https://telemost.yandex.ru")
	h.Set("User-Agent", userAgent)
	// Replaces the caller's ctx (same scope, so this is an assignment, not a
	// shadow): cancellation from the caller no longer applies below.
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()
	dialer := websocket.Dialer{}
	// data.Wss is taken from the server reply and dialed as-is.
	conn, _, err := dialer.DialContext(ctx, data.Wss, h)
	if err != nil {
		return "", "", "", fmt.Errorf("ws dial: %w", err)
	}
	defer conn.Close()
	req1 := HelloRequest{
		UID: uuid.New().String(),
		Hello: HelloPayload{
			ParticipantMeta: PartMeta{
				Name:        "Гость",
				Role:        "SPEAKER",
				Description: "",
				SendAudio:   false,
				SendVideo:   false,
			},
			ParticipantAttributes: PartAttrs{
				Name:        "Гость",
				Role:        "SPEAKER",
				Description: "",
			},
			SendAudio:     false,
			SendVideo:     false,
			SendSharing:   false,
			ParticipantID: data.ParticipantId,
			RoomID:        data.RoomId,
			ServiceName:   "telemost",
			Credentials:   data.Credentials,
			SdkInfo: SdkInfo{
				Implementation: "browser",
				Version:        "5.15.0",
				UserAgent:      userAgent,
				HwConcurrency:  4,
			},
			SdkInitializationID:    uuid.New().String(),
			DisablePublisher:       false,
			DisableSubscriber:      false,
			DisableSubscriberAudio: false,
			CapabilitiesOffer: Capabilities{
				OfferAnswerMode:             []string{"SEPARATE"},
				InitialSubscriberOffer:      []string{"ON_HELLO"},
				SlotsMode:                   []string{"FROM_CONTROLLER"},
				SimulcastMode:               []string{"DISABLED"},
				SelfVadStatus:               []string{"FROM_SERVER"},
				DataChannelSharing:          []string{"TO_RTP"},
				VideoEncoderConfig:          []string{"NO_CONFIG"},
				DataChannelVideoCodec:       []string{"VP8"},
				BandwidthLimitationReason:   []string{"BANDWIDTH_REASON_DISABLED"},
				SdkDefaultDeviceManagement:  []string{"SDK_DEFAULT_DEVICE_MANAGEMENT_DISABLED"},
				JoinOrderLayout:             []string{"JOIN_ORDER_LAYOUT_DISABLED"},
				PinLayout:                   []string{"PIN_LAYOUT_DISABLED"},
				SendSelfViewVideoSlot:       []string{"SEND_SELF_VIEW_VIDEO_SLOT_DISABLED"},
				ServerLayoutTransition:      []string{"SERVER_LAYOUT_TRANSITION_DISABLED"},
				SdkPublisherOptimizeBitrate: []string{"SDK_PUBLISHER_OPTIMIZE_BITRATE_DISABLED"},
				SdkNetworkLostDetection:     []string{"SDK_NETWORK_LOST_DETECTION_DISABLED"},
				SdkNetworkPathMonitor:       []string{"SDK_NETWORK_PATH_MONITOR_DISABLED"},
				PublisherVp9:                []string{"PUBLISH_VP9_DISABLED"},
				SvcMode:                     []string{"SVC_MODE_DISABLED"},
				SubscriberOfferAsyncAck:     []string{"SUBSCRIBER_OFFER_ASYNC_ACK_DISABLED"},
				SvcModes:                    []string{"FALSE"},
				ReportTelemetryModes:        []string{"TRUE"},
				KeepDefaultDevicesModes:     []string{"TRUE"},
			},
		},
	}
	if debug {
		b, _ := json.MarshalIndent(req1, "", " ")
		log.Printf("Sending HELLO:\n%s", string(b))
	}
	if err := conn.WriteJSON(req1); err != nil {
		return "", "", "", fmt.Errorf("ws write: %w", err)
	}
	// The deadline is the only thing that ends the loop below when no usable
	// ICE server ever arrives; its error return is ignored.
	conn.SetReadDeadline(time.Now().Add(15 * time.Second))
	for {
		_, msg, err := conn.ReadMessage()
		if err != nil {
			return "", "", "", fmt.Errorf("ws read: %w", err)
		}
		if debug {
			s := string(msg)
			if len(s) > 800 {
				s = s[:800] + "...(truncated)"
			}
			log.Printf("WSS recv: %s", s)
		}
		var ack WSSAck
		if err := json.Unmarshal(msg, &ack); err == nil && ack.Ack.Status.Code != "" {
			continue
		}
		var resp WSSResponse
		if err := json.Unmarshal(msg, &resp); err == nil {
			ice := resp.ServerHello.RtcConfiguration.IceServers
			for _, s := range ice {
				for _, u := range s.Urls {
					if !strings.HasPrefix(u, "turn:") && !strings.HasPrefix(u, "turns:") {
						continue
					}
					if strings.Contains(u, "transport=tcp") {
						continue
					}
					clean := strings.Split(u, "?")[0]
					address := strings.TrimPrefix(strings.TrimPrefix(clean, "turn:"), "turns:")
					return s.Username, s.Credential, address, nil
				}
			}
		}
	}
}

// dtlsFunc runs a DTLS client handshake to peer over conn using a freshly
// generated self-signed certificate and returns the established connection.
//
// NOTE(review): InsecureSkipVerify is true and no peer certificate or
// fingerprint is pinned, so the remote end is not authenticated — an
// on-path party able to answer the handshake can read and modify the
// tunneled payload, including the session/stream IDs sent first. The
// handshake is bounded by a 120s timeout on top of ctx.
func dtlsFunc(ctx context.Context, conn net.PacketConn, peer *net.UDPAddr) (net.Conn, error) {
	certificate, err := selfsign.GenerateSelfSigned()
	if err != nil {
		return nil, err
	}
	config := &dtls.Config{
		Certificates:          []tls.Certificate{certificate},
		InsecureSkipVerify:    true,
		ExtendedMasterSecret:  dtls.RequireExtendedMasterSecret,
		CipherSuites:          []dtls.CipherSuiteID{dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		ConnectionIDGenerator: dtls.OnlySendCIDGenerator(),
	}
	// Extended timeout to accommodate serialized credential fetching via mutex
	ctx1, cancel := context.WithTimeout(ctx, 120*time.Second)
	defer cancel()
	dtlsConn, err := dtls.Client(conn, peer, config)
	if err != nil {
		return nil, err
	}
	if err := dtlsConn.HandshakeContext(ctx1); err != nil {
		return nil, err
	}
	return dtlsConn, nil
}

// oneDtlsConnection runs a single DTLS session: it creates an in-memory
// packet pipe, hands the far end (conn2) to the TURN side via connchan,
// handshakes over the near end, sends the 16-byte session ID plus the
// stream ID byte, then copies datagrams between listenConn and the DTLS
// connection until either side fails. The final error (nil on clean exit)
// is sent on c.
//
// NOTE(review): okchan may be nil (main passes nil for every stream after
// the first); a send on a nil channel never proceeds, so that goroutine
// only exits via dtlsctx. Both relay loops use a 1600-byte buffer; a
// datagram larger than that is truncated on ReadFrom. The pipe ends
// conn1/conn2 are never closed here, so the TURN side's read on conn2 is
// not unblocked when this function returns — verify the intended shutdown
// path.
func oneDtlsConnection(ctx context.Context, peer *net.UDPAddr, listenConn net.PacketConn, connchan chan<- net.PacketConn, okchan chan<- struct{}, c chan<- error, sessionID []byte, streamID byte) {
	var err error = nil
	defer func() { c <- err }()
	dtlsctx, dtlscancel := context.WithCancel(ctx)
	defer dtlscancel()
	var conn1, conn2 net.PacketConn
	conn1, conn2 = connutil.AsyncPacketPipe()
	// Offer conn2 repeatedly; oneTurnConnectionLoop may receive it more than
	// once over the lifetime of this session.
	go func() {
		for {
			select {
			case <-dtlsctx.Done():
				return
			case connchan <- conn2:
			}
		}
	}()
	dtlsConn, err1 := dtlsFunc(dtlsctx, conn1, peer)
	if err1 != nil {
		err = fmt.Errorf("failed to connect DTLS: %s", err1)
		return
	}
	defer func() {
		if closeErr := dtlsConn.Close(); closeErr != nil {
			err = fmt.Errorf("failed to close DTLS connection: %s", closeErr)
			return
		}
		log.Printf("Closed DTLS connection\n")
	}()
	// Phase 1: Send Session ID + Stream ID (17 bytes)
	// copy() takes at most 16 bytes; a shorter sessionID leaves zero padding.
	dtlsConn.SetWriteDeadline(time.Now().Add(time.Second * 5))
	idBuf := make([]byte, 17)
	copy(idBuf[:16], sessionID)
	idBuf[16] = streamID
	if _, err1 = dtlsConn.Write(idBuf); err1 != nil {
		err = fmt.Errorf("failed to send session ID: %s", err1)
		return
	}
	log.Printf("Established DTLS connection and sent session ID with stream %d!\n", streamID)
	go func() {
		for {
			select {
			case <-dtlsctx.Done():
				return
			case okchan <- struct{}{}:
			}
		}
	}()
	wg := sync.WaitGroup{}
	wg.Add(2)
	// Cancellation unblocks both loops by expiring their deadlines.
	context.AfterFunc(dtlsctx, func() {
		listenConn.SetDeadline(time.Now())
		dtlsConn.SetDeadline(time.Now())
	})
	var addr atomic.Value
	// Start read-loop on listenConn
	go func() {
		defer wg.Done()
		defer dtlscancel()
		buf := make([]byte, 1600)
		for {
			select {
			case <-dtlsctx.Done():
				return
			default:
			}
			n, addr1, err1 := listenConn.ReadFrom(buf)
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
			addr.Store(addr1) // store peer
			_, err1 = dtlsConn.Write(buf[:n])
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
		}
	}()
	// Start read-loop on dtlsConn
	go func() {
		defer wg.Done()
		defer dtlscancel()
		buf := make([]byte, 1600)
		for {
			select {
			case <-dtlsctx.Done():
				return
			default:
			}
			n, err1 := dtlsConn.Read(buf)
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
			// Replies go to whichever local sender was seen last.
			addr1, ok := addr.Load().(net.Addr)
			if !ok {
				log.Printf("Failed: no listener ip")
				return
			}
			_, err1 = listenConn.WriteTo(buf[:n], addr1)
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
		}
	}()
	wg.Wait()
	listenConn.SetDeadline(time.Time{})
	dtlsConn.SetDeadline(time.Time{})
}

// connectedUDPConn adapts a connected *net.UDPConn to the PacketConn shape
// the TURN client expects: WriteTo ignores the address and writes to the
// connected peer.
type connectedUDPConn struct {
	*net.UDPConn
}

func (c *connectedUDPConn) WriteTo(p []byte, _ net.Addr) (int, error) {
	return c.Write(p)
}

// turnParams carries the per-run TURN settings; host/port, when non-empty,
// override the server address returned by getCreds.
type turnParams struct {
	host     string
	port     string
	link     string
	udp      bool
	streamID int
	getCreds getCredsFunc
}

// oneTurnConnection obtains credentials, connects to the TURN server (UDP
// or TCP), allocates a relay and copies datagrams between conn2 and the
// relay (towards peer) until either side fails. The final error is sent on c.
//
// NOTE(review): the resolved TURN IP is printed to stdout with fmt.Println
// (looks like leftover debugging). turnctx derives from context.Background()
// rather than ctx, so the outer cancellation does not unblock the two
// relay loops; they end only when a read or write fails. The address from
// getCreds is dialed as plain UDP/TCP even when it came from a "turns:" URL.
func oneTurnConnection(ctx context.Context, turnParams *turnParams, peer *net.UDPAddr, conn2 net.PacketConn, c chan<- error) {
	var err error = nil
	defer func() { c <- err }()
	user, pass, url, err1 := turnParams.getCreds(ctx, turnParams.link, turnParams.streamID)
	if err1 != nil {
		err = fmt.Errorf("failed to get TURN credentials: %s", err1)
		return
	}
	urlhost, urlport, err1 := net.SplitHostPort(url)
	if err1 != nil {
		err = fmt.Errorf("failed to parse TURN server address: %s", err1)
		return
	}
	if turnParams.host != "" {
		urlhost = turnParams.host
	}
	if turnParams.port != "" {
		urlport = turnParams.port
	}
	var turnServerAddr string
	turnServerAddr = net.JoinHostPort(urlhost, urlport)
	turnServerUdpAddr, err1 := net.ResolveUDPAddr("udp", turnServerAddr)
	if err1 != nil {
		err = fmt.Errorf("failed to resolve TURN server address: %s", err1)
		return
	}
	turnServerAddr = turnServerUdpAddr.String()
	fmt.Println(turnServerUdpAddr.IP)
	// Dial TURN Server
	var cfg *turn.ClientConfig
	var turnConn net.PacketConn
	var d net.Dialer
	ctx1, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()
	if turnParams.udp {
		conn, err2 := net.DialUDP("udp", nil, turnServerUdpAddr) // nolint: noctx
		if err2 != nil {
			err = fmt.Errorf("failed to connect to TURN server: %s", err2)
			return
		}
		defer func() {
			if err1 = conn.Close(); err1 != nil {
				err = fmt.Errorf("failed to close TURN server connection: %s", err1)
				return
			}
		}()
		turnConn = &connectedUDPConn{conn}
	} else {
		conn, err2 := d.DialContext(ctx1, "tcp", turnServerAddr) // nolint: noctx
		if err2 != nil {
			err = fmt.Errorf("failed to connect to TURN server: %s", err2)
			return
		}
		defer func() {
			if err1 = conn.Close(); err1 != nil {
				err = fmt.Errorf("failed to close TURN server connection: %s", err1)
				return
			}
		}()
		turnConn = turn.NewSTUNConn(conn)
	}
	var addrFamily turn.RequestedAddressFamily
	if peer.IP.To4() != nil {
		addrFamily = turn.RequestedAddressFamilyIPv4
	} else {
		addrFamily = turn.RequestedAddressFamilyIPv6
	}
	// Start a new TURN Client and wrap our net.Conn in a STUNConn
	// This allows us to simulate datagram based communication over a net.Conn
	cfg = &turn.ClientConfig{
		STUNServerAddr:         turnServerAddr,
		TURNServerAddr:         turnServerAddr,
		Conn:                   turnConn,
		Username:               user,
		Password:               pass,
		RequestedAddressFamily: addrFamily,
		LoggerFactory:          logging.NewDefaultLoggerFactory(),
	}
	client, err1 := turn.NewClient(cfg)
	if err1 != nil {
		err = fmt.Errorf("failed to create TURN client: %s", err1)
		return
	}
	defer client.Close()
	// Start listening on the conn provided.
	err1 = client.Listen()
	if err1 != nil {
		err = fmt.Errorf("failed to listen: %s", err1)
		return
	}
	// Allocate a relay socket on the TURN server. On success, it
	// will return a net.PacketConn which represents the remote
	// socket.
	relayConn, err1 := client.Allocate()
	if err1 != nil {
		err = fmt.Errorf("failed to allocate: %s", err1)
		return
	}
	defer func() {
		if err1 := relayConn.Close(); err1 != nil {
			err = fmt.Errorf("failed to close TURN allocated connection: %s", err1)
		}
	}()
	// The relayConn's local address is actually the transport
	// address assigned on the TURN server.
	log.Printf("relayed-address=%s", relayConn.LocalAddr().String())
	wg := sync.WaitGroup{}
	wg.Add(2)
	turnctx, turncancel := context.WithCancel(context.Background())
	context.AfterFunc(turnctx, func() {
		relayConn.SetDeadline(time.Now())
		conn2.SetDeadline(time.Now())
	})
	var addr atomic.Value
	// Start read-loop on conn2 (output of DTLS)
	go func() {
		defer wg.Done()
		defer turncancel()
		buf := make([]byte, 1600)
		for {
			select {
			case <-turnctx.Done():
				return
			default:
			}
			n, addr1, err1 := conn2.ReadFrom(buf)
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
			addr.Store(addr1) // store peer
			_, err1 = relayConn.WriteTo(buf[:n], peer)
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
		}
	}()
	// Start read-loop on relayConn
	go func() {
		defer wg.Done()
		defer turncancel()
		buf := make([]byte, 1600)
		for {
			select {
			case <-turnctx.Done():
				return
			default:
			}
			// The source address of relayed data is discarded; anything the
			// relay delivers is forwarded, not only traffic from peer.
			n, _, err1 := relayConn.ReadFrom(buf)
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
			addr1, ok := addr.Load().(net.Addr)
			if !ok {
				log.Printf("Failed: no listener ip")
				return
			}
			_, err1 = conn2.WriteTo(buf[:n], addr1)
			if err1 != nil {
				log.Printf("Failed: %s", err1)
				return
			}
		}
	}()
	wg.Wait()
	relayConn.SetDeadline(time.Time{})
	conn2.SetDeadline(time.Time{})
}

// oneDtlsConnectionLoop re-establishes a DTLS session for streamID every
// time one ends, until ctx is cancelled. Each attempt takes the listening
// socket from listenConnChan.
//
// NOTE(review): there is no back-off between attempts; a handshake that
// fails immediately is retried immediately, logging each failure.
func oneDtlsConnectionLoop(ctx context.Context, peer *net.UDPAddr, listenConnChan <-chan net.PacketConn, connchan chan<- net.PacketConn, okchan chan<- struct{}, sessionID []byte, streamID byte) {
	for {
		select {
		case <-ctx.Done():
			return
		case listenConn := <-listenConnChan:
			c := make(chan error)
			go oneDtlsConnection(ctx, peer, listenConn, connchan, okchan, c, sessionID, streamID)
			if err := <-c; err != nil {
				log.Printf("%s", err)
			}
		}
	}
}

// oneTurnConnectionLoop re-establishes the TURN leg for streamID whenever a
// PacketConn arrives on connchan, until ctx is cancelled. A new attempt is
// only started if a tick is available on t at that moment; otherwise the
// received conn is dropped and the loop waits for the next one.
func oneTurnConnectionLoop(ctx context.Context, turnParams *turnParams, peer *net.UDPAddr, connchan <-chan net.PacketConn, t <-chan time.Time, streamID int) {
	// Create a copy of turnParams with the streamID
	tp := *turnParams
	tp.streamID = streamID
	for {
		select {
		case <-ctx.Done():
			return
		case conn2 := <-connchan:
			select {
			case <-t:
				c := make(chan error)
				go oneTurnConnection(ctx, &tp, peer, conn2, c)
				if err := <-c; err != nil {
					log.Printf("%s", err)
				}
			default:
			}
		}
	}
}

// main parses flags, derives the invite link and credential fetcher, opens
// the local UDP socket and starts one DTLS loop plus one TURN loop per
// stream (or only TURN loops with -no-dtls). The first stream's TURN loop
// must signal okchan before the remaining streams are started.
//
// NOTE(review): the -n help text says "default 16 for VK" but the code
// below defaults to 4. The decoded -session-id length is not checked
// against 16 bytes; oneDtlsConnection copies at most 16 and zero-pads a
// shorter value. The session ID is written to the log at startup. t is a
// single ticker shared by every TURN loop, so at most one TURN attempt can
// start per 100ms across all streams.
func main() { //nolint:cyclop
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	signalChan := make(chan os.Signal, 1)
	signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGINT)
	// First signal cancels ctx; a second signal or a 5s timeout then exits
	// the process regardless of what is still running.
	go func() {
		<-signalChan
		log.Printf("Terminating...\n")
		cancel()
		select {
		case <-signalChan:
		case <-time.After(5 * time.Second):
		}
		log.Fatalf("Exit...\n")
	}()
	host := flag.String("turn", "", "override TURN server ip")
	port := flag.String("port", "", "override TURN port")
	listen := flag.String("listen", "127.0.0.1:9000", "listen on ip:port")
	vklink := flag.String("vk-link", "", "VK calls invite link \"https://vk.com/call/join/...\"")
	yalink := flag.String("yandex-link", "", "Yandex telemost invite link \"https://telemost.yandex.ru/j/...\"")
	peerAddr := flag.String("peer", "", "peer server address (host:port)")
	n := flag.Int("n", 0, "connections to TURN (default 16 for VK, 1 for Yandex)")
	udp := flag.Bool("udp", false, "connect to TURN with UDP")
	direct := flag.Bool("no-dtls", false, "connect without obfuscation. DO NOT USE")
	sessionIDFlag := flag.String("session-id", "", "override session ID (hex, 32 chars)")
	flag.Parse()
	if *peerAddr == "" {
		log.Panicf("Need peer address!")
	}
	peer, err := net.ResolveUDPAddr("udp", *peerAddr)
	if err != nil {
		panic(err)
	}
	if (*vklink == "") == (*yalink == "") {
		log.Panicf("Need either vk-link or yandex-link!")
	}
	var link string
	var getCreds getCredsFunc
	if *vklink != "" {
		parts := strings.Split(*vklink, "join/")
		link = parts[len(parts)-1]
		getCreds = getVkCredsCached
		if *n <= 0 {
			*n = 4
		}
	} else {
		parts := strings.Split(*yalink, "j/")
		link = parts[len(parts)-1]
		getCreds = getYandexCreds
		if *n <= 0 {
			*n = 1
		}
	}
	// Keep only the path segment; the credential fetchers embed link in
	// request paths/queries.
	if idx := strings.IndexAny(link, "/?#"); idx != -1 {
		link = link[:idx]
	}
	params := &turnParams{
		host:     *host,
		port:     *port,
		link:     link,
		udp:      *udp,
		streamID: 0,
		getCreds: getCreds,
	}
	var sessionID []byte
	if *sessionIDFlag != "" {
		sessionID = make([]byte, 16)
		if _, err := fmt.Sscanf(*sessionIDFlag, "%x", &sessionID); err != nil {
			log.Panicf("Invalid session ID: %v", err)
		}
	} else {
		sessionID, _ = uuid.New().MarshalBinary()
	}
	log.Printf("Session ID: %x", sessionID)
	listenConnChan := make(chan net.PacketConn)
	listenConn, err := net.ListenPacket("udp", *listen) // nolint: noctx
	if err != nil {
		log.Panicf("Failed to listen: %s", err)
	}
	context.AfterFunc(ctx, func() {
		if closeErr := listenConn.Close(); closeErr != nil {
			log.Panicf("Failed to close local connection: %s", closeErr)
		}
	})
	// The single local socket is handed to every DTLS loop that asks for it.
	go func() {
		for {
			select {
			case <-ctx.Done():
				return
			case listenConnChan <- listenConn:
			}
		}
	}()
	wg1 := sync.WaitGroup{}
	t := time.Tick(100 * time.Millisecond)
	if *direct {
		for i := 0; i < *n; i++ {
			wg1.Add(1)
			streamID := i
			go func() {
				defer wg1.Done()
				oneTurnConnectionLoop(ctx, params, peer, listenConnChan, t, streamID)
			}()
		}
	} else {
		okchan := make(chan struct{})
		connchan := make(chan net.PacketConn)
		wg1.Add(1)
		go func() {
			defer wg1.Done()
			oneDtlsConnectionLoop(ctx, peer, listenConnChan, connchan, okchan, sessionID, 0)
		}()
		wg1.Add(1)
		go func() {
			defer wg1.Done()
			oneTurnConnectionLoop(ctx, params, peer, connchan, t, 0)
		}()
		// Wait for stream 0 to finish its DTLS handshake (or for shutdown)
		// before starting the remaining streams.
		select {
		case <-okchan:
		case <-ctx.Done():
		}
		for i := 0; i < *n-1; i++ {
			connchan := make(chan net.PacketConn)
			streamID := i + 1
			wg1.Add(1)
			go func(sID byte) {
				defer wg1.Done()
				// okchan is nil for these streams: no readiness signal is sent.
				oneDtlsConnectionLoop(ctx, peer, listenConnChan, connchan, nil, sessionID, sID)
			}(byte(streamID))
			wg1.Add(1)
			go func() {
				defer wg1.Done()
				oneTurnConnectionLoop(ctx, params, peer, connchan, t, streamID)
			}()
		}
	}
	wg1.Wait()
}