mirror
/
vk-turn-proxy
mirror of https://github.com/cacggghp/vk-turn-proxy
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
62 Commits
2 Branches
16 Tags
2.6 MiB
 
 
 
 
Tree: 9bb33fc30e
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9bb33fc30e'
${ noResults }
vk-turn-proxy/client/main.go

1820 lines
54 KiB
Raw Blame History

// SPDX-FileCopyrightText: 2023 The Pion community <https://pion.ly>
// SPDX-License-Identifier: MIT
package main
import (
"bytes"
"context"
"crypto/md5"
"crypto/sha256"
"crypto/tls"
"encoding/base64"
"encoding/hex"
"encoding/json"
"flag"
"fmt"
"io"
"log"
"math/rand"
"net"
"net/http"
neturl "net/url"
"os"
"os/signal"
"regexp"
"strconv"
"strings"
"sync"
"sync/atomic"
"syscall"
"time"
fhttp "github.com/bogdanfinn/fhttp"
tlsclient "github.com/bogdanfinn/tls-client"
"github.com/bogdanfinn/tls-client/profiles"
"github.com/bschaatsbergen/dnsdialer"
"github.com/cbeuw/connutil"
"github.com/google/uuid"
"github.com/gorilla/websocket"
"github.com/pion/dtls/v3"
"github.com/pion/dtls/v3/pkg/crypto/selfsign"
"github.com/pion/logging"
"github.com/pion/transport/v4"
"github.com/pion/turn/v5"
)
type getCredsFunc func(ctx context.Context, link string, streamID int) (string, string, string, error)
type directNet struct{}
type directDialer struct {
*net.Dialer
}
type directListenConfig struct {
*net.ListenConfig
}
// Global state trackers
var (
activeLocalPeer atomic.Value
globalCaptchaLockout atomic.Int64
connectedStreams atomic.Int32
globalAppCancel context.CancelFunc
handshakeSem = make(chan struct{}, 3)
isDebug bool
manualCaptcha bool
)
type UDPPacket struct {
Data []byte
N int
}
var packetPool = sync.Pool{
New: func() any { return &UDPPacket{Data: make([]byte, 2048)} },
}
func newDirectNet() transport.Net {
return directNet{}
}
func (directNet) ListenPacket(network string, address string) (net.PacketConn, error) {
return net.ListenPacket(network, address)
}
func (directNet) ListenUDP(network string, locAddr *net.UDPAddr) (transport.UDPConn, error) {
return net.ListenUDP(network, locAddr)
}
func (directNet) ListenTCP(network string, laddr *net.TCPAddr) (transport.TCPListener, error) {
listener, err := net.ListenTCP(network, laddr)
if err != nil {
return nil, err
}
return directTCPListener{listener}, nil
}
func (directNet) Dial(network, address string) (net.Conn, error) {
return net.Dial(network, address)
}
func (directNet) DialUDP(network string, laddr, raddr *net.UDPAddr) (transport.UDPConn, error) {
return net.DialUDP(network, laddr, raddr)
}
func (directNet) DialTCP(network string, laddr, raddr *net.TCPAddr) (transport.TCPConn, error) {
return net.DialTCP(network, laddr, raddr)
}
func (directNet) ResolveIPAddr(network, address string) (*net.IPAddr, error) {
return net.ResolveIPAddr(network, address)
}
func (directNet) ResolveUDPAddr(network, address string) (*net.UDPAddr, error) {
return net.ResolveUDPAddr(network, address)
}
func (directNet) ResolveTCPAddr(network, address string) (*net.TCPAddr, error) {
return net.ResolveTCPAddr(network, address)
}
func (directNet) Interfaces() ([]*transport.Interface, error) {
return nil, transport.ErrNotSupported
}
func (directNet) InterfaceByIndex(index int) (*transport.Interface, error) {
return nil, fmt.Errorf("%w: index=%d", transport.ErrInterfaceNotFound, index)
}
func (directNet) InterfaceByName(name string) (*transport.Interface, error) {
return nil, fmt.Errorf("%w: %s", transport.ErrInterfaceNotFound, name)
}
func (directNet) CreateDialer(dialer *net.Dialer) transport.Dialer {
return directDialer{Dialer: dialer}
}
func (directNet) CreateListenConfig(listenerConfig *net.ListenConfig) transport.ListenConfig {
return directListenConfig{ListenConfig: listenerConfig}
}
func (d directDialer) Dial(network, address string) (net.Conn, error) {
return d.Dialer.Dial(network, address)
}
func (d directListenConfig) Listen(ctx context.Context, network, address string) (net.Listener, error) {
return d.ListenConfig.Listen(ctx, network, address)
}
func (d directListenConfig) ListenPacket(ctx context.Context, network, address string) (net.PacketConn, error) {
return d.ListenConfig.ListenPacket(ctx, network, address)
}
type directTCPListener struct {
*net.TCPListener
}
func (l directTCPListener) AcceptTCP() (transport.TCPConn, error) {
return l.TCPListener.AcceptTCP()
}
// region Helper: HTTP Headers Injection
// applyBrowserProfile applies consistent User-Agent and Client Hints to bypass WAFs
func applyBrowserProfile(req *http.Request, profile Profile) {
req.Header.Set("User-Agent", profile.UserAgent)
req.Header.Set("sec-ch-ua", profile.SecChUa)
req.Header.Set("sec-ch-ua-mobile", profile.SecChUaMobile)
req.Header.Set("sec-ch-ua-platform", profile.SecChUaPlatform)
req.Header.Set("Accept-Language", "en-US,en;q=0.9")
req.Header.Set("DNT", "1")
}
func applyBrowserProfileFhttp(req *fhttp.Request, profile Profile) {
req.Header.Set("User-Agent", profile.UserAgent)
req.Header.Set("sec-ch-ua", profile.SecChUa)
req.Header.Set("sec-ch-ua-mobile", profile.SecChUaMobile)
req.Header.Set("sec-ch-ua-platform", profile.SecChUaPlatform)
req.Header.Set("Accept-Language", "en-US,en;q=0.9")
req.Header.Set("DNT", "1")
}
func generateBrowserFp(profile Profile) string {
data := profile.UserAgent + profile.SecChUa + "1920x1080x24"
h := md5.Sum([]byte(data))
return hex.EncodeToString(h[:])
}
func generateFakeCursor() string {
startX := 600 + rand.Intn(400)
startY := 300 + rand.Intn(200)
startTime := time.Now().UnixMilli() - int64(rand.Intn(2000)+1000)
var points []string
for i := 0; i < 15+rand.Intn(10); i++ {
startX += rand.Intn(15) - 5
startY += rand.Intn(15) + 2
startTime += int64(rand.Intn(40) + 10)
points = append(points, fmt.Sprintf(`{"x":%d,"y":%d,"t":%d}`, startX, startY, startTime))
}
return "[" + strings.Join(points, ",") + "]"
}
func getCustomNetDialer() net.Dialer {
return net.Dialer{
Timeout: 20 * time.Second,
KeepAlive: 30 * time.Second,
Resolver: &net.Resolver{
PreferGo: true,
Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
var d net.Dialer
dnsServers := []string{"77.88.8.8:53", "77.88.8.1:53", "8.8.8.8:53", "8.8.4.4:53", "1.1.1.1:53", "1.0.0.1:53"}
var lastErr error
for _, dns := range dnsServers {
conn, err := d.DialContext(ctx, "udp", dns)
if err == nil {
return conn, nil
}
lastErr = err
}
return nil, lastErr
},
},
}
}
// endregion
// region Automatic Captcha Solver & Authentication
type VkCaptchaError struct {
ErrorCode int
ErrorMsg string
CaptchaSid string
CaptchaImg string
RedirectUri string
IsSoundCaptchaAvailable bool
SessionToken string
CaptchaTs string
CaptchaAttempt string
}
func ParseVkCaptchaError(errData map[string]interface{}) *VkCaptchaError {
codeFloat, _ := errData["error_code"].(float64)
code := int(codeFloat)
redirectUri, _ := errData["redirect_uri"].(string)
captchaSid, _ := errData["captcha_sid"].(string)
if captchaSid == "" {
if sidNum, ok := errData["captcha_sid"].(float64); ok {
captchaSid = fmt.Sprintf("%.0f", sidNum)
}
}
captchaImg, _ := errData["captcha_img"].(string)
errorMsg, _ := errData["error_msg"].(string)
var sessionToken string
if redirectUri != "" {
if parsed, err := neturl.Parse(redirectUri); err == nil {
sessionToken = parsed.Query().Get("session_token")
}
}
isSound, _ := errData["is_sound_captcha_available"].(bool)
var captchaTs string
if tsFloat, ok := errData["captcha_ts"].(float64); ok {
captchaTs = fmt.Sprintf("%.0f", tsFloat)
} else if tsStr, ok := errData["captcha_ts"].(string); ok {
captchaTs = tsStr
}
var captchaAttempt string
if attFloat, ok := errData["captcha_attempt"].(float64); ok {
captchaAttempt = fmt.Sprintf("%.0f", attFloat)
} else if attStr, ok := errData["captcha_attempt"].(string); ok {
captchaAttempt = attStr
}
return &VkCaptchaError{
ErrorCode: code,
ErrorMsg: errorMsg,
CaptchaSid: captchaSid,
CaptchaImg: captchaImg,
RedirectUri: redirectUri,
IsSoundCaptchaAvailable: isSound,
SessionToken: sessionToken,
CaptchaTs: captchaTs,
CaptchaAttempt: captchaAttempt,
}
}
func (e *VkCaptchaError) IsCaptchaError() bool {
return e.ErrorCode == 14 && e.RedirectUri != "" && e.SessionToken != ""
}
func solveVkCaptcha(ctx context.Context, captchaErr *VkCaptchaError, streamID int, client tlsclient.HttpClient, profile Profile) (string, error) {
log.Printf("[STREAM %d] [Captcha] Solving Not Robot Captcha...", streamID)
if captchaErr.SessionToken == "" {
return "", fmt.Errorf("no session_token in redirect_uri for auto-solve")
}
if captchaErr.RedirectUri == "" {
return "", fmt.Errorf("no redirect_uri for auto-solve")
}
powInput, difficulty, err := fetchPowInput(ctx, captchaErr.RedirectUri, client, profile)
if err != nil {
return "", fmt.Errorf("failed to fetch PoW input: %w", err)
}
log.Printf("[STREAM %d] [Captcha] PoW input: %s, difficulty: %d", streamID, powInput, difficulty)
hash := solvePoW(powInput, difficulty)
log.Printf("[STREAM %d] [Captcha] PoW solved: hash=%s", streamID, hash)
successToken, err := callCaptchaNotRobot(ctx, captchaErr.SessionToken, hash, streamID, client, profile)
if err != nil {
return "", fmt.Errorf("captchaNotRobot API failed: %w", err)
}
log.Printf("[STREAM %d] [Captcha] Success! Got success_token", streamID)
return successToken, nil
}
func fetchPowInput(ctx context.Context, redirectUri string, client tlsclient.HttpClient, profile Profile) (string, int, error) {
parsedURL, err := neturl.Parse(redirectUri)
if err != nil {
return "", 0, err
}
domain := parsedURL.Hostname()
req, err := fhttp.NewRequestWithContext(ctx, "GET", redirectUri, nil)
if err != nil {
return "", 0, err
}
req.Host = domain
applyBrowserProfileFhttp(req, profile)
req.Header.Set("Sec-Fetch-Site", "none")
req.Header.Set("Sec-Fetch-Mode", "navigate")
req.Header.Set("Sec-Fetch-Dest", "document")
req.Header.Set("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
resp, err := client.Do(req)
if err != nil {
return "", 0, err
}
defer func(Body io.ReadCloser) {
_ = Body.Close()
}(resp.Body)
body, err := io.ReadAll(resp.Body)
if err != nil {
return "", 0, err
}
html := string(body)
powInputRe := regexp.MustCompile(`const\s+powInput\s*=\s*"([^"]+)"`)
powInputMatch := powInputRe.FindStringSubmatch(html)
if len(powInputMatch) < 2 {
return "", 0, fmt.Errorf("powInput not found in captcha HTML")
}
powInput := powInputMatch[1]
diffRe := regexp.MustCompile(`startsWith\('0'\.repeat\((\d+)\)\)`)
diffMatch := diffRe.FindStringSubmatch(html)
difficulty := 2
if len(diffMatch) >= 2 {
if d, err := strconv.Atoi(diffMatch[1]); err == nil {
difficulty = d
}
}
return powInput, difficulty, nil
}
func solvePoW(powInput string, difficulty int) string {
target := strings.Repeat("0", difficulty)
for nonce := 1; nonce <= 10000000; nonce++ {
data := powInput + strconv.Itoa(nonce)
hash := sha256.Sum256([]byte(data))
hexHash := hex.EncodeToString(hash[:])
if strings.HasPrefix(hexHash, target) {
return hexHash
}
}
return ""
}
func callCaptchaNotRobot(ctx context.Context, sessionToken, hash string, streamID int, client tlsclient.HttpClient, profile Profile) (string, error) {
vkReq := func(method string, postData string) (map[string]interface{}, error) {
reqURL := "https://api.vk.ru/method/" + method + "?v=5.131"
parsedURL, _ := neturl.Parse(reqURL)
domain := parsedURL.Hostname()
req, err := fhttp.NewRequestWithContext(ctx, "POST", reqURL, strings.NewReader(postData))
if err != nil {
return nil, err
}
req.Host = domain
applyBrowserProfileFhttp(req, profile)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Accept", "*/*")
req.Header.Set("Origin", "https://id.vk.ru")
req.Header.Set("Referer", "https://id.vk.ru/")
req.Header.Set("Sec-Fetch-Site", "same-site")
req.Header.Set("Sec-Fetch-Mode", "cors")
req.Header.Set("Sec-Fetch-Dest", "empty")
req.Header.Set("Sec-GPC", "1")
req.Header.Set("Priority", "u=1, i")
httpResp, err := client.Do(req)
if err != nil {
return nil, err
}
defer func(Body io.ReadCloser) {
_ = Body.Close()
}(httpResp.Body)
body, err := io.ReadAll(httpResp.Body)
if err != nil {
return nil, err
}
var resp map[string]interface{}
if err := json.Unmarshal(body, &resp); err != nil {
return nil, err
}
return resp, nil
}
baseParams := fmt.Sprintf("session_token=%s&domain=vk.com&adFp=&access_token=", neturl.QueryEscape(sessionToken))
log.Printf("[STREAM %d] [Captcha] Step 1/4: settings", streamID)
if _, err := vkReq("captchaNotRobot.settings", baseParams); err != nil {
return "", fmt.Errorf("settings failed: %w", err)
}
time.Sleep(200 * time.Millisecond)
log.Printf("[STREAM %d] [Captcha] Step 2/4: componentDone", streamID)
browserFp := generateBrowserFp(profile)
deviceJSON := fmt.Sprintf(`{"screenWidth":1920,"screenHeight":1080,"screenAvailWidth":1920,"screenAvailHeight":1040,"innerWidth":1920,"innerHeight":969,"devicePixelRatio":1,"language":"en-US","languages":["en-US"],"webdriver":false,"hardwareConcurrency":8,"deviceMemory":8,"connectionEffectiveType":"4g","notificationsPermission":"default","userAgent":"%s","platform":"Win32"}`, profile.UserAgent)
componentDoneData := baseParams + fmt.Sprintf("&browser_fp=%s&device=%s", browserFp, neturl.QueryEscape(deviceJSON))
if _, err := vkReq("captchaNotRobot.componentDone", componentDoneData); err != nil {
return "", fmt.Errorf("componentDone failed: %w", err)
}
time.Sleep(200 * time.Millisecond)
log.Printf("[STREAM %d] [Captcha] Step 3/4: check", streamID)
cursorJSON := generateFakeCursor()
answer := base64.StdEncoding.EncodeToString([]byte("{}"))
// Dynamically generate debug_info to avoid static fingerprint bans
debugInfoBytes := md5.Sum([]byte(profile.UserAgent + strconv.FormatInt(time.Now().UnixNano(), 10)))
debugInfo := hex.EncodeToString(debugInfoBytes[:])
connectionRtt := "[50,50,50,50,50,50,50,50,50,50]"
connectionDownlink := "[9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5]"
checkData := baseParams + fmt.Sprintf(
"&accelerometer=%s&gyroscope=%s&motion=%s&cursor=%s&taps=%s&connectionRtt=%s&connectionDownlink=%s&browser_fp=%s&hash=%s&answer=%s&debug_info=%s",
neturl.QueryEscape("[]"), neturl.QueryEscape("[]"), neturl.QueryEscape("[]"),
neturl.QueryEscape(cursorJSON), neturl.QueryEscape("[]"), neturl.QueryEscape(connectionRtt),
neturl.QueryEscape(connectionDownlink),
browserFp, hash, answer, debugInfo,
)
checkResp, err := vkReq("captchaNotRobot.check", checkData)
if err != nil {
return "", fmt.Errorf("check failed: %w", err)
}
respObj, ok := checkResp["response"].(map[string]interface{})
if !ok {
return "", fmt.Errorf("invalid check response: %v", checkResp)
}
status, _ := respObj["status"].(string)
if status != "OK" {
return "", fmt.Errorf("check status: %s", status)
}
successToken, ok := respObj["success_token"].(string)
if !ok || successToken == "" {
return "", fmt.Errorf("success_token not found")
}
time.Sleep(200 * time.Millisecond)
log.Printf("[STREAM %d] [Captcha] Step 4/4: endSession", streamID)
_, err = vkReq("captchaNotRobot.endSession", baseParams)
if err != nil {
log.Printf("[STREAM %d] [Captcha] Warning: endSession failed: %v", streamID, err)
}
return successToken, nil
}
// endregion
// region VK Credentials Layer
type VKCredentials struct {
ClientID string
ClientSecret string
}
var vkCredentialsList = []VKCredentials{
{ClientID: "6287487", ClientSecret: "QbYic1K3lEV5kTGiqlq2"}, // VK_WEB_APP_ID
{ClientID: "7879029", ClientSecret: "aR5NKGmm03GYrCiNKsaw"}, // VK_MVK_APP_ID
{ClientID: "52461373", ClientSecret: "o557NLIkAErNhakXrQ7A"}, // VK_WEB_VKVIDEO_APP_ID
{ClientID: "52649896", ClientSecret: "WStp4ihWG4l3nmXZgIbC"}, // VK_MVK_VKVIDEO_APP_ID
{ClientID: "51781872", ClientSecret: "IjjCNl4L4Tf5QZEXIHKK"}, // VK_ID_AUTH_APP
}
type TurnCredentials struct {
Username string
Password string
ServerAddr string
ExpiresAt time.Time
Link string
}
type StreamCredentialsCache struct {
creds TurnCredentials
mutex sync.RWMutex
errorCount atomic.Int32
lastErrorTime atomic.Int64
}
const (
credentialLifetime = 10 * time.Minute
cacheSafetyMargin = 60 * time.Second
maxCacheErrors = 3
errorWindow = 10 * time.Second
streamsPerCache = 10
)
func getCacheID(streamID int) int {
return streamID / streamsPerCache
}
func vkDelayRandom(minMs, maxMs int) {
ms := minMs + rand.Intn(maxMs-minMs+1)
time.Sleep(time.Duration(ms) * time.Millisecond)
}
var credentialsStore = struct {
mu sync.RWMutex
caches map[int]*StreamCredentialsCache
}{
caches: make(map[int]*StreamCredentialsCache),
}
func getStreamCache(streamID int) *StreamCredentialsCache {
cacheID := getCacheID(streamID)
credentialsStore.mu.RLock()
cache, exists := credentialsStore.caches[cacheID]
credentialsStore.mu.RUnlock()
if exists {
return cache
}
credentialsStore.mu.Lock()
defer credentialsStore.mu.Unlock()
if cache, exists = credentialsStore.caches[cacheID]; exists {
return cache
}
cache = &StreamCredentialsCache{}
credentialsStore.caches[cacheID] = cache
return cache
}
func isAuthError(err error) bool {
if err == nil {
return false
}
errStr := err.Error()
return strings.Contains(errStr, "401") ||
strings.Contains(errStr, "Unauthorized") ||
strings.Contains(errStr, "authentication") ||
strings.Contains(errStr, "invalid credential") ||
strings.Contains(errStr, "stale nonce")
}
func handleAuthError(streamID int) bool {
cache := getStreamCache(streamID)
cacheID := getCacheID(streamID)
now := time.Now().Unix()
if now-cache.lastErrorTime.Load() > int64(errorWindow.Seconds()) {
cache.errorCount.Store(0)
}
count := cache.errorCount.Add(1)
cache.lastErrorTime.Store(now)
log.Printf("[STREAM %d] Auth error (cache=%d, count=%d/%d)", streamID, cacheID, count, maxCacheErrors)
if count >= maxCacheErrors {
log.Printf("[VK Auth] Multiple auth errors detected (%d), invalidating cache %d for stream %d...", count, cacheID, streamID)
cache.invalidate(streamID)
return true
}
return false
}
func (c *StreamCredentialsCache) invalidate(streamID int) {
c.mutex.Lock()
c.creds = TurnCredentials{}
c.mutex.Unlock()
c.errorCount.Store(0)
c.lastErrorTime.Store(0)
log.Printf("[STREAM %d] [VK Auth] Credentials cache invalidated", streamID)
}
func getVkCredsCached(ctx context.Context, link string, streamID int, dialer *dnsdialer.Dialer) (string, string, string, error) {
cache := getStreamCache(streamID)
cacheID := getCacheID(streamID)
cache.mutex.RLock()
if cache.creds.Link == link && time.Now().Before(cache.creds.ExpiresAt) {
expires := time.Until(cache.creds.ExpiresAt)
u, p, a := cache.creds.Username, cache.creds.Password, cache.creds.ServerAddr
cache.mutex.RUnlock()
if isDebug {
log.Printf("[STREAM %d] [VK Auth] Using cached credentials (cache=%d, expires in %v)", streamID, cacheID, expires)
}
return u, p, a, nil
}
cache.mutex.RUnlock()
cache.mutex.Lock()
defer cache.mutex.Unlock()
// Double-check inside lock
if cache.creds.Link == link && time.Now().Before(cache.creds.ExpiresAt) {
return cache.creds.Username, cache.creds.Password, cache.creds.ServerAddr, nil
}
user, pass, addr, err := fetchVkCredsSerialized(ctx, link, streamID, dialer)
if err != nil {
return "", "", "", err
}
cache.creds = TurnCredentials{Username: user, Password: pass, ServerAddr: addr, ExpiresAt: time.Now().Add(credentialLifetime - cacheSafetyMargin), Link: link}
return user, pass, addr, nil
}
var (
vkRequestMu sync.Mutex
globalLastVkFetchTime time.Time
)
func fetchVkCredsSerialized(ctx context.Context, link string, streamID int, dialer *dnsdialer.Dialer) (string, string, string, error) {
vkRequestMu.Lock()
defer vkRequestMu.Unlock()
// Ensure a minimum cooldown between credential requests to avoid VK rate limits
minInterval := 3*time.Second + time.Duration(rand.Intn(3000))*time.Millisecond
elapsed := time.Since(globalLastVkFetchTime)
if !globalLastVkFetchTime.IsZero() && elapsed < minInterval {
wait := minInterval - elapsed
log.Printf("[STREAM %d] [VK Auth] Throttling: waiting %v to prevent rate limit...", streamID, wait.Truncate(time.Millisecond))
select {
case <-ctx.Done():
return "", "", "", ctx.Err()
case <-time.After(wait):
}
}
defer func() {
globalLastVkFetchTime = time.Now()
}()
return fetchVkCreds(ctx, link, streamID, dialer)
}
func fetchVkCreds(ctx context.Context, link string, streamID int, dialer *dnsdialer.Dialer) (string, string, string, error) {
// Check Global Lockout to prevent API bans
if time.Now().Unix() < globalCaptchaLockout.Load() {
return "", "", "", fmt.Errorf("CAPTCHA_WAIT_REQUIRED: global lockout active")
}
var lastErr error
jar := tlsclient.NewCookieJar()
for _, creds := range vkCredentialsList {
log.Printf("[STREAM %d] [VK Auth] Trying credentials: client_id=%s", streamID, creds.ClientID)
user, pass, addr, err := getTokenChain(ctx, link, streamID, creds, dialer, jar)
if err == nil {
log.Printf("[STREAM %d] [VK Auth] Success with client_id=%s", streamID, creds.ClientID)
return user, pass, addr, nil
}
lastErr = err
log.Printf("[STREAM %d] [VK Auth] Failed with client_id=%s: %v", streamID, creds.ClientID, err)
// Hard abort on captcha/fatal conditions instead of trying next creds
if strings.Contains(err.Error(), "CAPTCHA_WAIT_REQUIRED") || strings.Contains(err.Error(), "FATAL_CAPTCHA") {
return "", "", "", err
}
if strings.Contains(err.Error(), "error_code:29") || strings.Contains(err.Error(), "error_code: 29") || strings.Contains(err.Error(), "Rate limit") {
log.Printf("[STREAM %d] [VK Auth] Rate limit detected, trying next credentials...", streamID)
}
}
return "", "", "", fmt.Errorf("all VK credentials failed: %w", lastErr)
}
func getTokenChain(ctx context.Context, link string, streamID int, creds VKCredentials, dialer *dnsdialer.Dialer, jar tlsclient.CookieJar) (string, string, string, error) {
profile := Profile{
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36",
SecChUa: `"Not(A:Brand";v="99", "Google Chrome";v="146", "Chromium";v="146"`,
SecChUaMobile: "?0",
SecChUaPlatform: `"Windows"`,
}
client, err := tlsclient.NewHttpClient(tlsclient.NewNoopLogger(),
tlsclient.WithTimeoutSeconds(20),
tlsclient.WithClientProfile(profiles.Chrome_146),
tlsclient.WithCookieJar(jar),
tlsclient.WithDialer(getCustomNetDialer()),
)
if err != nil {
return "", "", "", fmt.Errorf("failed to initialize tls_client: %w", err)
}
name := generateName()
escapedName := neturl.QueryEscape(name)
log.Printf("[STREAM %d] [VK Auth] Connecting Identity - Name: %s | User-Agent: %s", streamID, name, profile.UserAgent)
doRequest := func(data string, url string) (resp map[string]interface{}, err error) {
parsedURL, _ := neturl.Parse(url)
domain := parsedURL.Hostname()
req, err := fhttp.NewRequestWithContext(ctx, "POST", url, bytes.NewBuffer([]byte(data)))
if err != nil {
return nil, err
}
req.Host = domain
applyBrowserProfileFhttp(req, profile)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Accept", "*/*")
req.Header.Set("Origin", "https://vk.ru")
req.Header.Set("Referer", "https://vk.ru/")
req.Header.Set("Sec-Fetch-Site", "same-site")
req.Header.Set("Sec-Fetch-Mode", "cors")
req.Header.Set("Sec-Fetch-Dest", "empty")
req.Header.Set("Priority", "u=1, i")
httpResp, err := client.Do(req)
if err != nil {
return nil, err
}
defer func() {
if closeErr := httpResp.Body.Close(); closeErr != nil {
log.Printf("close response body: %s", closeErr)
}
}()
body, err := io.ReadAll(httpResp.Body)
if err != nil {
return nil, err
}
err = json.Unmarshal(body, &resp)
if err != nil {
return nil, err
}
return resp, nil
}
// Token 1
data := fmt.Sprintf("client_id=%s&token_type=messages&client_secret=%s&version=1&app_id=%s", creds.ClientID, creds.ClientSecret, creds.ClientID)
resp, err := doRequest(data, "https://login.vk.ru/?act=get_anonym_token")
if err != nil {
return "", "", "", err
}
dataMap, ok := resp["data"].(map[string]interface{})
if !ok {
return "", "", "", fmt.Errorf("unexpected anon token response: %v", resp)
}
token1, ok := dataMap["access_token"].(string)
if !ok {
return "", "", "", fmt.Errorf("missing access_token in response: %v", resp)
}
vkDelayRandom(100, 150)
// Token 1 -> getCallPreview
data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&fields=photo_200&access_token=%s", link, token1)
_, _ = doRequest(data, "https://api.vk.ru/method/calls.getCallPreview?v=5.275&client_id="+creds.ClientID)
vkDelayRandom(200, 400)
// Token 2
data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&name=%s&access_token=%s", link, escapedName, token1)
urlAddr := fmt.Sprintf("https://api.vk.ru/method/calls.getAnonymousToken?v=5.275&client_id=%s", creds.ClientID)
var token2 string
maxAutoAttempts := 2
if manualCaptcha {
maxAutoAttempts = 0
}
for attempt := 0; attempt <= maxAutoAttempts+1; attempt++ {
resp, err = doRequest(data, urlAddr)
if err != nil {
return "", "", "", err
}
if errObj, hasErr := resp["error"].(map[string]interface{}); hasErr {
captchaErr := ParseVkCaptchaError(errObj)
if captchaErr != nil && captchaErr.IsCaptchaError() {
var successToken string
var captchaKey string
var solveErr error
if attempt < maxAutoAttempts {
// Auto Solve Attempts
if captchaErr.SessionToken != "" && captchaErr.RedirectUri != "" {
successToken, solveErr = solveVkCaptcha(ctx, captchaErr, streamID, client, profile)
if solveErr != nil {
log.Printf("[STREAM %d] [Captcha] Auto solve failed: %v", streamID, solveErr)
}
} else {
solveErr = fmt.Errorf("missing fields for auto solve")
}
} else if attempt == maxAutoAttempts {
// Manual Solve Fallback with 60s Timeout
log.Printf("[STREAM %d] [Captcha] Auto failed %d times. Triggering MANUAL fallback...", streamID, maxAutoAttempts)
manualCtx, manualCancel := context.WithTimeout(ctx, 60*time.Second)
type manualRes struct {
token string
key string
err error
}
resCh := make(chan manualRes, 1)
go func() {
var t, k string
var e error
if captchaErr.RedirectUri != "" {
t, e = solveCaptchaViaProxy(captchaErr.RedirectUri, dialer)
} else if captchaErr.CaptchaImg != "" {
k, e = solveCaptchaViaHTTP(captchaErr.CaptchaImg)
} else {
e = fmt.Errorf("no redirect_uri or captcha_img")
}
resCh <- manualRes{t, k, e}
}()
select {
case res := <-resCh:
successToken = res.token
captchaKey = res.key
solveErr = res.err
case <-manualCtx.Done():
solveErr = fmt.Errorf("manual captcha timed out after 60s")
}
manualCancel()
} else {
solveErr = fmt.Errorf("max attempts reached")
}
// If solving failed (auto or manual) or timed out
if solveErr != nil {
log.Printf("[STREAM %d] [Captcha] Failed to solve (attempt %d): %v", streamID, attempt+1, solveErr)
if attempt < maxAutoAttempts-1 {
log.Printf("[STREAM %d] [Captcha] Backing off for 10 seconds before next auto attempt...", streamID)
select {
case <-ctx.Done():
return "", "", "", ctx.Err()
case <-time.After(10 * time.Second):
}
continue
} else if attempt == maxAutoAttempts-1 {
log.Printf("[STREAM %d] [Captcha] Backing off for 2 seconds before manual fallback...", streamID)
select {
case <-ctx.Done():
return "", "", "", ctx.Err()
case <-time.After(2 * time.Second):
}
continue
}
// Engage global lockout to protect API
globalCaptchaLockout.Store(time.Now().Add(60 * time.Second).Unix())
// If we have 0 streams alive, this is fatal
if connectedStreams.Load() == 0 {
log.Printf("[STREAM %d] [FATAL] 0 connected streams and manual captcha failed/timed out.", streamID)
return "", "", "", fmt.Errorf("FATAL_CAPTCHA_FAILED_NO_STREAMS")
}
return "", "", "", fmt.Errorf("CAPTCHA_WAIT_REQUIRED")
}
if captchaErr.CaptchaAttempt == "0" || captchaErr.CaptchaAttempt == "" {
captchaErr.CaptchaAttempt = "1"
}
if captchaKey != "" {
data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&name=%s&captcha_key=%s&captcha_sid=%s&access_token=%s",
link, escapedName, neturl.QueryEscape(captchaKey), captchaErr.CaptchaSid, token1)
} else {
data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&name=%s&captcha_key=&captcha_sid=%s&is_sound_captcha=0&success_token=%s&captcha_ts=%s&captcha_attempt=%s&access_token=%s",
link, escapedName, captchaErr.CaptchaSid, neturl.QueryEscape(successToken), captchaErr.CaptchaTs, captchaErr.CaptchaAttempt, token1)
}
continue
}
return "", "", "", fmt.Errorf("VK API error: %v", errObj)
}
respMap, ok := resp["response"].(map[string]interface{})
if !ok {
return "", "", "", fmt.Errorf("unexpected getAnonymousToken response: %v", resp)
}
token2, ok = respMap["token"].(string)
if !ok {
return "", "", "", fmt.Errorf("missing token in response: %v", resp)
}
break
}
vkDelayRandom(100, 150)
// Token 3
sessionData := fmt.Sprintf(`{"version":2,"device_id":"%s","client_version":1.1,"client_type":"SDK_JS"}`, uuid.New())
data = fmt.Sprintf("session_data=%s&method=auth.anonymLogin&format=JSON&application_key=CGMMEJLGDIHBABABA", neturl.QueryEscape(sessionData))
resp, err = doRequest(data, "https://calls.okcdn.ru/fb.do")
if err != nil {
return "", "", "", err
}
token3 := resp["session_key"].(string)
vkDelayRandom(100, 150)
// Token 4 -> TURN Creds
data = fmt.Sprintf("joinLink=%s&isVideo=false&protocolVersion=5&capabilities=2F7F&anonymToken=%s&method=vchat.joinConversationByLink&format=JSON&application_key=CGMMEJLGDIHBABABA&session_key=%s", link, token2, token3)
resp, err = doRequest(data, "https://calls.okcdn.ru/fb.do")
if err != nil {
return "", "", "", err
}
ts := resp["turn_server"].(map[string]interface{})
user := ts["username"].(string)
pass := ts["credential"].(string)
urls := ts["urls"].([]interface{})
urlStr := urls[0].(string)
clean := strings.Split(urlStr, "?")[0]
address := strings.TrimPrefix(strings.TrimPrefix(clean, "turn:"), "turns:")
return user, pass, address, nil
}
// endregion
func getYandexCreds(link string) (string, string, string, error) {
const telemostConfHost = "cloud-api.yandex.ru"
telemostConfPath := fmt.Sprintf("%s%s%s", "/telemost_front/v2/telemost/conferences/https%3A%2F%2Ftelemost.yandex.ru%2Fj%2F", link, "/connection?next_gen_media_platform_allowed=false")
profile := getRandomProfile()
name := generateName()
type ConferenceResponse struct {
URI string `json:"uri"`
RoomID string `json:"room_id"`
PeerID string `json:"peer_id"`
ClientConfiguration struct {
MediaServerURL string `json:"media_server_url"`
} `json:"client_configuration"`
Credentials string `json:"credentials"`
}
type PartMeta struct {
Name string `json:"name"`
Role string `json:"role"`
Description string `json:"description"`
SendAudio bool `json:"sendAudio"`
SendVideo bool `json:"sendVideo"`
}
type PartAttrs struct {
Name string `json:"name"`
Role string `json:"role"`
Description string `json:"description"`
}
type SdkInfo struct {
Implementation string `json:"implementation"`
Version string `json:"version"`
UserAgent string `json:"userAgent"`
HwConcurrency int `json:"hwConcurrency"`
}
type Capabilities struct {
OfferAnswerMode []string `json:"offerAnswerMode"`
InitialSubscriberOffer []string `json:"initialSubscriberOffer"`
SlotsMode []string `json:"slotsMode"`
SimulcastMode []string `json:"simulcastMode"`
SelfVadStatus []string `json:"selfVadStatus"`
DataChannelSharing []string `json:"dataChannelSharing"`
VideoEncoderConfig []string `json:"videoEncoderConfig"`
DataChannelVideoCodec []string `json:"dataChannelVideoCodec"`
BandwidthLimitationReason []string `json:"bandwidthLimitationReason"`
SdkDefaultDeviceManagement []string `json:"sdkDefaultDeviceManagement"`
JoinOrderLayout []string `json:"joinOrderLayout"`
PinLayout []string `json:"pinLayout"`
SendSelfViewVideoSlot []string `json:"sendSelfViewVideoSlot"`
ServerLayoutTransition []string `json:"serverLayoutTransition"`
SdkPublisherOptimizeBitrate []string `json:"sdkPublisherOptimizeBitrate"`
SdkNetworkLostDetection []string `json:"sdkNetworkLostDetection"`
SdkNetworkPathMonitor []string `json:"sdkNetworkPathMonitor"`
PublisherVp9 []string `json:"publisherVp9"`
SvcMode []string `json:"svcMode"`
SubscriberOfferAsyncAck []string `json:"subscriberOfferAsyncAck"`
SvcModes []string `json:"svcModes"`
ReportTelemetryModes []string `json:"reportTelemetryModes"`
KeepDefaultDevicesModes []string `json:"keepDefaultDevicesModes"`
}
type HelloPayload struct {
ParticipantMeta PartMeta `json:"participantMeta"`
ParticipantAttributes PartAttrs `json:"participantAttributes"`
SendAudio bool `json:"sendAudio"`
SendVideo bool `json:"sendVideo"`
SendSharing bool `json:"sendSharing"`
ParticipantID string `json:"participantId"`
RoomID string `json:"roomId"`
ServiceName string `json:"serviceName"`
Credentials string `json:"credentials"`
CapabilitiesOffer Capabilities `json:"capabilitiesOffer"`
SdkInfo SdkInfo `json:"sdkInfo"`
SdkInitializationID string `json:"sdkInitializationId"`
DisablePublisher bool `json:"disablePublisher"`
DisableSubscriber bool `json:"disableSubscriber"`
DisableSubscriberAudio bool `json:"disableSubscriberAudio"`
}
type HelloRequest struct {
UID string `json:"uid"`
Hello HelloPayload `json:"hello"`
}
type FlexUrls []string
type WSSResponse struct {
UID string `json:"uid"`
ServerHello struct {
RtcConfiguration struct {
IceServers []struct {
Urls FlexUrls `json:"urls"`
Username string `json:"username,omitempty"`
Credential string `json:"credential,omitempty"`
} `json:"iceServers"`
} `json:"rtcConfiguration"`
} `json:"serverHello"`
}
type WSSAck struct {
Uid string `json:"uid"`
Ack struct {
Status struct {
Code string `json:"code"`
} `json:"status"`
} `json:"ack"`
}
type WSSData struct {
ParticipantId string
RoomId string
Credentials string
Wss string
}
endpoint := "https://" + telemostConfHost + telemostConfPath
tr := &http.Transport{
MaxIdleConns: 100,
MaxIdleConnsPerHost: 100,
IdleConnTimeout: 90 * time.Second,
}
client := &http.Client{
Timeout: 20 * time.Second,
Transport: tr,
}
defer client.CloseIdleConnections()
req, err := http.NewRequest("GET", endpoint, nil)
if err != nil {
return "", "", "", err
}
applyBrowserProfile(req, profile)
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Referer", "https://telemost.yandex.ru/")
req.Header.Set("Origin", "https://telemost.yandex.ru")
req.Header.Set("Client-Instance-Id", uuid.New().String())
resp, err := client.Do(req)
if err != nil {
return "", "", "", err
}
defer func() {
if closeErr := resp.Body.Close(); closeErr != nil {
log.Printf("close response body: %s", closeErr)
}
}()
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
return "", "", "", fmt.Errorf("GetConference: status=%s body=%s", resp.Status, string(body))
}
var result ConferenceResponse
if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
return "", "", "", fmt.Errorf("decode conf: %v", err)
}
data := WSSData{
ParticipantId: result.PeerID,
RoomId: result.RoomID,
Credentials: result.Credentials,
Wss: result.ClientConfiguration.MediaServerURL,
}
h := http.Header{}
h.Set("Origin", "https://telemost.yandex.ru")
h.Set("User-Agent", profile.UserAgent)
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
defer cancel()
dialer := websocket.Dialer{}
conn, _, err := dialer.DialContext(ctx, data.Wss, h)
if err != nil {
return "", "", "", fmt.Errorf("ws dial: %w", err)
}
defer func() {
if closeErr := conn.Close(); closeErr != nil {
log.Printf("close websocket: %s", closeErr)
}
}()
req1 := HelloRequest{
UID: uuid.New().String(),
Hello: HelloPayload{
ParticipantMeta: PartMeta{
Name: name,
Role: "SPEAKER",
Description: "",
SendAudio: false,
SendVideo: false,
},
ParticipantAttributes: PartAttrs{
Name: name,
Role: "SPEAKER",
Description: "",
},
SendAudio: false,
SendVideo: false,
SendSharing: false,
ParticipantID: data.ParticipantId,
RoomID: data.RoomId,
ServiceName: "telemost",
Credentials: data.Credentials,
SdkInfo: SdkInfo{
Implementation: "browser",
Version: "5.15.0",
UserAgent: profile.UserAgent,
HwConcurrency: 4,
},
SdkInitializationID: uuid.New().String(),
DisablePublisher: false,
DisableSubscriber: false,
DisableSubscriberAudio: false,
CapabilitiesOffer: Capabilities{
OfferAnswerMode: []string{"SEPARATE"},
InitialSubscriberOffer: []string{"ON_HELLO"},
SlotsMode: []string{"FROM_CONTROLLER"},
SimulcastMode: []string{"DISABLED"},
SelfVadStatus: []string{"FROM_SERVER"},
DataChannelSharing: []string{"TO_RTP"},
VideoEncoderConfig: []string{"NO_CONFIG"},
DataChannelVideoCodec: []string{"VP8"},
BandwidthLimitationReason: []string{"BANDWIDTH_REASON_DISABLED"},
SdkDefaultDeviceManagement: []string{"SDK_DEFAULT_DEVICE_MANAGEMENT_DISABLED"},
JoinOrderLayout: []string{"JOIN_ORDER_LAYOUT_DISABLED"},
PinLayout: []string{"PIN_LAYOUT_DISABLED"},
SendSelfViewVideoSlot: []string{"SEND_SELF_VIEW_VIDEO_SLOT_DISABLED"},
ServerLayoutTransition: []string{"SERVER_LAYOUT_TRANSITION_DISABLED"},
SdkPublisherOptimizeBitrate: []string{"SDK_PUBLISHER_OPTIMIZE_BITRATE_DISABLED"},
SdkNetworkLostDetection: []string{"SDK_NETWORK_LOST_DETECTION_DISABLED"},
SdkNetworkPathMonitor: []string{"SDK_NETWORK_PATH_MONITOR_DISABLED"},
PublisherVp9: []string{"PUBLISH_VP9_DISABLED"},
SvcMode: []string{"SVC_MODE_DISABLED"},
SubscriberOfferAsyncAck: []string{"SUBSCRIBER_OFFER_ASYNC_ACK_DISABLED"},
SvcModes: []string{"FALSE"},
ReportTelemetryModes: []string{"TRUE"},
KeepDefaultDevicesModes: []string{"TRUE"},
},
},
}
if isDebug {
b, _ := json.MarshalIndent(req1, "", " ")
log.Printf("Sending HELLO:\n%s", string(b))
}
if err := conn.WriteJSON(req1); err != nil {
return "", "", "", fmt.Errorf("ws write: %w", err)
}
if err := conn.SetReadDeadline(time.Now().Add(15 * time.Second)); err != nil {
return "", "", "", fmt.Errorf("ws set read deadline: %w", err)
}
for {
_, msg, err := conn.ReadMessage()
if err != nil {
return "", "", "", fmt.Errorf("ws read: %w", err)
}
if isDebug {
s := string(msg)
if len(s) > 800 {
s = s[:800] + "...(truncated)"
}
log.Printf("WSS recv: %s", s)
}
var ack WSSAck
if err := json.Unmarshal(msg, &ack); err == nil && ack.Ack.Status.Code != "" {
continue
}
var resp WSSResponse
if err := json.Unmarshal(msg, &resp); err == nil {
ice := resp.ServerHello.RtcConfiguration.IceServers
for _, s := range ice {
for _, u := range s.Urls {
if !strings.HasPrefix(u, "turn:") && !strings.HasPrefix(u, "turns:") {
continue
}
if strings.Contains(u, "transport=tcp") {
continue
}
clean := strings.Split(u, "?")[0]
address := strings.TrimPrefix(strings.TrimPrefix(clean, "turn:"), "turns:")
return s.Username, s.Credential, address, nil
}
}
}
}
}
func dtlsFunc(ctx context.Context, conn net.PacketConn, peer *net.UDPAddr) (net.Conn, error) {
certificate, err := selfsign.GenerateSelfSigned()
if err != nil {
return nil, err
}
config := &dtls.Config{
Certificates: []tls.Certificate{certificate},
InsecureSkipVerify: true,
ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
CipherSuites: []dtls.CipherSuiteID{dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
ConnectionIDGenerator: dtls.OnlySendCIDGenerator(),
}
select {
case handshakeSem <- struct{}{}:
defer func() { <-handshakeSem }()
case <-ctx.Done():
return nil, ctx.Err()
}
ctx1, cancel := context.WithTimeout(ctx, 20*time.Second)
defer cancel()
dtlsConn, err := dtls.Client(conn, peer, config)
if err != nil {
return nil, err
}
if err := dtlsConn.HandshakeContext(ctx1); err != nil {
return nil, err
}
return dtlsConn, nil
}
func oneDtlsConnection(ctx context.Context, peer *net.UDPAddr, listenConn net.PacketConn, inboundChan <-chan *UDPPacket, connchan chan<- net.PacketConn, okchan chan<- struct{}, streamID int) error {
time.Sleep(time.Duration(rand.Intn(400)+100) * time.Millisecond)
dtlsctx, dtlscancel := context.WithCancel(ctx)
defer dtlscancel()
conn1, conn2 := connutil.AsyncPacketPipe()
go func() {
for {
select {
case <-dtlsctx.Done():
return
case connchan <- conn2:
}
}
}()
dtlsConn, err1 := dtlsFunc(dtlsctx, conn1, peer)
if err1 != nil {
return fmt.Errorf("failed to connect DTLS: %s", err1)
}
defer func() {
if closeErr := dtlsConn.Close(); closeErr != nil {
log.Printf("[STREAM %d] failed to close DTLS connection: %s", streamID, closeErr)
}
log.Printf("[STREAM %d] Closed DTLS connection\n", streamID)
}()
log.Printf("[STREAM %d] Established DTLS connection!\n", streamID)
if okchan != nil {
go func() {
select {
case okchan <- struct{}{}:
case <-dtlsctx.Done():
}
}()
}
wg := sync.WaitGroup{}
wg.Add(1)
context.AfterFunc(dtlsctx, func() {
_ = dtlsConn.SetDeadline(time.Now())
})
go func() {
defer dtlscancel()
for {
select {
case <-dtlsctx.Done():
return
case pkt := <-inboundChan:
_, _ = dtlsConn.Write(pkt.Data[:pkt.N])
packetPool.Put(pkt)
}
}
}()
go func() {
defer wg.Done()
defer dtlscancel()
buf := make([]byte, 1600)
for {
n, err1 := dtlsConn.Read(buf)
if err1 != nil {
return
}
// Send back to the active WG client
if peerAddr := activeLocalPeer.Load(); peerAddr != nil {
_, _ = listenConn.WriteTo(buf[:n], peerAddr.(net.Addr))
}
}
}()
wg.Wait()
if err := dtlsConn.SetDeadline(time.Time{}); err != nil {
log.Printf("[STREAM %d] Failed to clear DTLS deadline: %s", streamID, err)
}
return nil
}
type connectedUDPConn struct {
*net.UDPConn
}
func (c *connectedUDPConn) WriteTo(p []byte, _ net.Addr) (int, error) {
return c.Write(p)
}
type turnParams struct {
host string
port string
link string
udp bool
getCreds getCredsFunc
}
func oneTurnConnection(ctx context.Context, turnParams *turnParams, peer *net.UDPAddr, conn2 net.PacketConn, streamID int, c chan<- error) {
time.Sleep(time.Duration(rand.Intn(400)+100) * time.Millisecond)
var err error = nil
defer func() { c <- err }()
user, pass, urlTarget, err1 := turnParams.getCreds(ctx, turnParams.link, streamID)
if err1 != nil {
err = fmt.Errorf("failed to get TURN credentials: %s", err1)
return
}
urlhost, urlport, err1 := net.SplitHostPort(urlTarget)
if err1 != nil {
err = fmt.Errorf("failed to parse TURN server address: %s", err1)
return
}
if turnParams.host != "" {
urlhost = turnParams.host
}
if turnParams.port != "" {
urlport = turnParams.port
}
var turnServerAddr string
turnServerAddr = net.JoinHostPort(urlhost, urlport)
turnServerUdpAddr, err1 := net.ResolveUDPAddr("udp", turnServerAddr)
if err1 != nil {
err = fmt.Errorf("failed to resolve TURN server address: %s", err1)
return
}
turnServerAddr = turnServerUdpAddr.String()
var cfg *turn.ClientConfig
var turnConn net.PacketConn
var d net.Dialer
ctx1, cancel := context.WithTimeout(ctx, 5*time.Second)
defer cancel()
if turnParams.udp {
conn, err2 := net.DialUDP("udp", nil, turnServerUdpAddr)
if err2 != nil {
err = fmt.Errorf("failed to connect to TURN server: %s", err2)
return
}
defer func() {
if err1 = conn.Close(); err1 != nil {
err = fmt.Errorf("failed to close TURN server connection: %s", err1)
return
}
}()
turnConn = &connectedUDPConn{conn}
} else {
conn, err2 := d.DialContext(ctx1, "tcp", turnServerAddr)
if err2 != nil {
err = fmt.Errorf("failed to connect to TURN server: %s", err2)
return
}
defer func() {
if err1 = conn.Close(); err1 != nil {
err = fmt.Errorf("failed to close TURN server connection: %s", err1)
return
}
}()
turnConn = turn.NewSTUNConn(conn)
}
var addrFamily turn.RequestedAddressFamily
if peer.IP.To4() != nil {
addrFamily = turn.RequestedAddressFamilyIPv4
} else {
addrFamily = turn.RequestedAddressFamilyIPv6
}
cfg = &turn.ClientConfig{
STUNServerAddr: turnServerAddr,
TURNServerAddr: turnServerAddr,
Conn: turnConn,
Net: newDirectNet(),
Username: user,
Password: pass,
RequestedAddressFamily: addrFamily,
LoggerFactory: logging.NewDefaultLoggerFactory(),
}
client, err1 := turn.NewClient(cfg)
if err1 != nil {
err = fmt.Errorf("failed to create TURN client: %s", err1)
return
}
defer client.Close()
err1 = client.Listen()
if err1 != nil {
err = fmt.Errorf("failed to listen: %s", err1)
return
}
relayConn, err1 := client.Allocate()
if err1 != nil {
if isAuthError(err1) {
handleAuthError(streamID)
}
err = fmt.Errorf("failed to allocate: %s", err1)
return
}
// Reset error count on successful allocation
getStreamCache(streamID).errorCount.Store(0)
// Safely track active streams globally
connectedStreams.Add(1)
defer func() {
connectedStreams.Add(-1)
if err1 := relayConn.Close(); err1 != nil {
err = fmt.Errorf("failed to close TURN allocated connection: %s", err1)
}
}()
if isDebug {
log.Printf("[STREAM %d] relayed-address=%s", streamID, relayConn.LocalAddr().String())
}
wg := sync.WaitGroup{}
wg.Add(1)
turnctx, turncancel := context.WithCancel(ctx)
context.AfterFunc(turnctx, func() {
if err := relayConn.SetDeadline(time.Now()); err != nil {
log.Printf("Failed to set relay deadline: %s", err)
}
// Do not set conn2 deadline (conn2 can sometimes be listenConn if direct mode is used)
})
var internalPipeAddr atomic.Value
go func() {
defer turncancel()
buf := make([]byte, 1600)
for {
if turnctx.Err() != nil {
return
}
n, addr1, err1 := conn2.ReadFrom(buf)
if err1 != nil {
return
}
if turnctx.Err() != nil {
return
}
internalPipeAddr.Store(addr1)
_, err1 = relayConn.WriteTo(buf[:n], peer)
if err1 != nil {
return
}
}
}()
go func() {
defer wg.Done()
defer turncancel()
buf := make([]byte, 1600)
for {
n, _, err1 := relayConn.ReadFrom(buf)
if err1 != nil {
return
}
addr1 := internalPipeAddr.Load()
if addr1 == nil {
continue
}
_, err1 = conn2.WriteTo(buf[:n], addr1.(net.Addr))
if err1 != nil {
return
}
}
}()
wg.Wait()
if err := relayConn.SetDeadline(time.Time{}); err != nil {
log.Printf("Failed to clear relay deadline: %s", err)
}
}
func oneDtlsConnectionLoop(ctx context.Context, peer *net.UDPAddr, listenConn net.PacketConn, inboundChan <-chan *UDPPacket, connchan chan<- net.PacketConn, okchan chan<- struct{}, streamID int) {
for {
select {
case <-ctx.Done():
return
default:
err := oneDtlsConnection(ctx, peer, listenConn, inboundChan, connchan, okchan, streamID)
if err != nil {
if time.Now().Unix() < globalCaptchaLockout.Load() && strings.Contains(err.Error(), "context deadline exceeded") {
continue
}
select {
case <-ctx.Done():
return
case <-time.After(time.Duration(10+rand.Intn(20)) * time.Second):
}
}
}
}
}
func oneTurnConnectionLoop(ctx context.Context, turnParams *turnParams, peer *net.UDPAddr, connchan <-chan net.PacketConn, t <-chan time.Time, streamID int) {
for {
select {
case <-ctx.Done():
return
case conn2 := <-connchan:
select {
case <-t:
case <-ctx.Done():
return
}
c := make(chan error)
go oneTurnConnection(ctx, turnParams, peer, conn2, streamID, c)
if err := <-c; err != nil {
if strings.Contains(err.Error(), "FATAL_CAPTCHA") {
log.Printf("[STREAM %d] Fatal manual captcha error. Shutting down application.", streamID)
if globalAppCancel != nil {
globalAppCancel()
}
return
}
if strings.Contains(err.Error(), "CAPTCHA_WAIT_REQUIRED") {
if !strings.Contains(err.Error(), "global lockout active") {
log.Printf("[STREAM %d] Backing off for 60 seconds to avoid IP ban...", streamID)
select {
case <-ctx.Done():
return
case <-time.After(60 * time.Second):
}
} else {
lockoutEnd := globalCaptchaLockout.Load()
sleepDuration := time.Until(time.Unix(lockoutEnd, 0))
if sleepDuration < 0 {
sleepDuration = 5 * time.Second
}
select {
case <-ctx.Done():
return
case <-time.After(sleepDuration):
}
}
} else {
log.Printf("[STREAM %d] %s", streamID, err)
time.Sleep(2 * time.Second)
}
}
}
}
}
func main() {
ctx, cancel := context.WithCancel(context.Background())
globalAppCancel = cancel
defer cancel()
signalChan := make(chan os.Signal, 1)
signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGINT)
go func() {
<-signalChan
log.Printf("Terminating...\n")
cancel()
select {
case <-signalChan:
case <-time.After(5 * time.Second):
}
log.Fatalf("Exit...\n")
}()
host := flag.String("turn", "", "override TURN server ip")
port := flag.String("port", "", "override TURN port")
listen := flag.String("listen", "127.0.0.1:9000", "listen on ip:port")
vklink := flag.String("vk-link", "", "VK calls invite link \"https://vk.com/call/join/...\"")
yalink := flag.String("yandex-link", "", "Yandex telemost invite link \"https://telemost.yandex.ru/j/...\"")
peerAddr := flag.String("peer", "", "peer server address (host:port)")
n := flag.Int("n", 0, "connections to TURN (default 10 for VK, 1 for Yandex)")
udp := flag.Bool("udp", false, "connect to TURN with UDP")
direct := flag.Bool("no-dtls", false, "connect without obfuscation. DO NOT USE")
debugFlag := flag.Bool("debug", false, "enable debug logging")
manualCaptchaFlag := flag.Bool("manual-captcha", false, "skip auto captcha solving, use manual mode immediately")
flag.Parse()
if *peerAddr == "" {
log.Panicf("Need peer address!")
}
peer, err := net.ResolveUDPAddr("udp", *peerAddr)
if err != nil {
panic(err)
}
if (*vklink == "") == (*yalink == "") {
log.Panicf("Need either vk-link or yandex-link!")
}
isDebug = *debugFlag
manualCaptcha = *manualCaptchaFlag
var link string
var getCreds getCredsFunc
if *vklink != "" {
parts := strings.Split(*vklink, "join/")
link = parts[len(parts)-1]
dialer := dnsdialer.New(
dnsdialer.WithResolvers("77.88.8.8:53", "77.88.8.1:53", "8.8.8.8:53", "8.8.4.4:53", "1.1.1.1:53", "1.0.0.1:53"),
dnsdialer.WithStrategy(dnsdialer.Fallback{}),
dnsdialer.WithCache(100, 10*time.Hour, 10*time.Hour),
)
getCreds = func(ctx context.Context, s string, streamID int) (string, string, string, error) {
return getVkCredsCached(ctx, s, streamID, dialer)
}
if *n <= 0 {
*n = 10
}
} else {
parts := strings.Split(*yalink, "j/")
link = parts[len(parts)-1]
getCreds = func(ctx context.Context, s string, streamID int) (string, string, string, error) {
return getYandexCreds(s)
}
if *n <= 0 {
*n = 1
}
}
if idx := strings.IndexAny(link, "/?#"); idx != -1 {
link = link[:idx]
}
params := &turnParams{
host: *host,
port: *port,
link: link,
udp: *udp,
getCreds: getCreds,
}
listenConn, err := net.ListenPacket("udp", *listen)
if err != nil {
log.Panicf("Failed to listen: %s", err)
}
context.AfterFunc(ctx, func() {
if closeErr := listenConn.Close(); closeErr != nil {
log.Printf("Failed to close local connection: %s", closeErr)
}
})
numStreams := *n
if numStreams <= 0 {
numStreams = 1
}
// Shared Worker Pool Queue for Aggregation
inboundChan := make(chan *UDPPacket, 2000)
go func() {
for {
pkt := packetPool.Get().(*UDPPacket)
nRead, addr, err := listenConn.ReadFrom(pkt.Data)
if err != nil {
return
}
// Save the local WireGuard peer address
current := activeLocalPeer.Load()
if current == nil || current.(net.Addr).String() != addr.String() {
activeLocalPeer.Store(addr)
}
pkt.N = nRead
select {
case inboundChan <- pkt:
default:
// Drop the packet only if the global queue is completely full
packetPool.Put(pkt)
}
}
}()
wg1 := sync.WaitGroup{}
t := time.Tick(200 * time.Millisecond)
if *direct {
log.Panicf("Direct mode not supported with dispatcher")
}
okchan := make(chan struct{})
connchan := make(chan net.PacketConn)
wg1.Add(1)
go func() {
defer wg1.Done()
oneDtlsConnectionLoop(ctx, peer, listenConn, inboundChan, connchan, okchan, 1)
}()
wg1.Add(1)
go func() {
defer wg1.Done()
oneTurnConnectionLoop(ctx, params, peer, connchan, t, 1)
}()
select {
case <-okchan:
case <-ctx.Done():
}
for i := 1; i < numStreams; i++ {
cchan := make(chan net.PacketConn)
wg1.Add(1)
go func(streamID int) {
defer wg1.Done()
oneDtlsConnectionLoop(ctx, peer, listenConn, inboundChan, cchan, nil, streamID)
}(i)
wg1.Add(1)
go func(streamID int) {
defer wg1.Done()
oneTurnConnectionLoop(ctx, params, peer, cchan, t, streamID)
}(i)
}
wg1.Wait()
}