fscarmen

【New Scientific Approach】💡 Reverse Sourcing with Gost + Lucky STUN

Project address: https://www.github.com/fscarmen/stun_return

Video tutorial: https://youtu.be/nqxA7kFVJi0

Lucky download: https://github.com/gdy666/luci-app-lucky/releases

Gost v3 application download: https://github.com/go-gost/gost/releases

Background and Introduction to the Solution#

In the previous issue, 【Scientific New Ideas】👏 Reverse Sourcing with Gost + Cloudflare Tunnel, we introduced the principles of reverse CDN and how to use Gost and Cloudflare Tunnel to achieve reverse sourcing.

In this issue, we will introduce how to use the Lucky Stun plugin, in conjunction with Gost, to implement reverse CDN sourcing in a different way.

What is Lucky?#

Lucky is a NAT traversal (intranet penetration) tool for the OpenWrt platform. Its functional modules include port forwarding, dynamic DNS (DDNS), web services, STUN NAT traversal, Wake-on-LAN, scheduled tasks, ACME automatic certificates, and network storage. It lets you expose services on your internal network to the public internet so that they can be reached from anywhere. Lucky STUN supports TCP, UDP, HTTP and HTTPS traversal and is easy to install and use.

Project address: https://github.com/gdy666/luci-app-lucky

Project documentation: https://lucky666.cn//

What is Gost?#

Gost (GO Simple Tunnel) v3 is a secure tunnel implemented in Go that supports many network protocols and proxy modes. Its design goal is a simple, flexible and efficient network proxy solution. Gost can be used to build various network topologies, such as forward proxies, reverse proxies and tunnel proxies.

Project address: https://github.com/go-gost/gost

Project documentation: https://gost.run/

Advantages of STUN Reverse Sourcing#

  • Dual-stack support: Supports both IPv4 and IPv6 sourcing, allowing you to choose between single-stack or dual-stack modes as needed.
  • No public IP required: NAT traversal via the STUN protocol lets devices on an internal network provide services without a public address.
  • Efficient forwarding: Uses high-performance GOST v3 as the forwarding tool, ensuring stable connections and low latency.
  • Lightweight operation: Few dependencies, simple configuration, suitable for deployment in various environments.
  • Flexible configuration: Supports custom ports, paths, and other parameters, making it easy to integrate with other services.

Example of Implementation Principle#

In the examples below, the local port being sourced is 20000, the VPS port is 10000, the sourcing domain is v4.stun.com, and the WebSocket path is /3b451552-e776-45c5-9b98-bde3ab99bf75.

Lucky Usage#

Install Lucky#

Visit https://github.com/gdy666/luci-app-lucky/releases
(screenshots)

Enable Cloudflare DDNS and Origin Rules API Permissions#

Visit https://dash.cloudflare.com/profile/api-tokens
(screenshots)

Configure Lucky DDNS#

(screenshots)

Configure Lucky STUN#

(screenshots)

The addresses obtained in the previous step are:

Join them with a / to form a single address:

In that address, change dash to api and api to client; the result is the Origin Rules API address:

(screenshots)

Interface address: The previously combined API address for Origin rules

Request method: PATCH

Request headers:

Authorization: Bearer <replace with API TOKEN>
Content-Type: application/json

Request body:

{
    "expression": "(http.host contains \"<replace with ddns domain>\")",
    "action": "route",
    "description": "Lucky STUN IPv4 (<replace with ddns domain>)",
    "action_parameters": {
        "origin": {
            "port": #{port}
        }
    }
}

A successful call returns a response containing the string:

"success": true
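The Origin Rules update described above, written out as an added example (not the post's or Lucky's own code): it rewrites the dashboard address the way the post describes, builds the PATCH body with a numeric port, and parses the response instead of searching for the "success": true substring. The dashboard address format and any IDs in it are assumed placeholders.

```javascript
// Added example, not the post's or Lucky's code; IDs in any address are placeholders.

// Rewrite the dashboard address exactly as the post describes: "dash" becomes "api"
// in the host name and the leading "api" path segment becomes "client".
function dashToApiUrl(dashUrl) {
  const u = new URL(dashUrl);
  if (u.hostname !== 'dash.cloudflare.com' || !u.pathname.startsWith('/api/')) {
    throw new Error('expected a https://dash.cloudflare.com/api/... address');
  }
  u.hostname = 'api.cloudflare.com';
  u.pathname = '/client' + u.pathname.slice('/api'.length);
  return u.toString();
}

// Build the body Lucky sends. Lucky substitutes #{port} unquoted, so the JSON is only
// valid when the value is a bare integer; reject anything else before it reaches the API.
function buildOriginRuleBody(ddnsDomain, port) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('port must be an integer between 1 and 65535');
  }
  if (!/^[a-z0-9.-]+$/i.test(ddnsDomain)) throw new Error('unexpected characters in domain');
  return {
    expression: `(http.host contains "${ddnsDomain}")`,
    action: 'route',
    description: `Lucky STUN IPv4 (${ddnsDomain})`,
    action_parameters: { origin: { port } },
  };
}

// Lucky only looks for the substring "success": true. Parsing the JSON is stricter: an
// error message that happens to contain that text is not mistaken for a successful update.
function isSuccess(responseText) {
  try {
    const r = JSON.parse(responseText);
    return r.success === true && (!Array.isArray(r.errors) || r.errors.length === 0);
  } catch (e) {
    return false;
  }
}

// Send the PATCH (needs network and a token with Origin Rules edit permission).
async function updateOriginPort(dashUrl, token, ddnsDomain, port, fetchImpl = fetch) {
  const res = await fetchImpl(dashToApiUrl(dashUrl), {
    method: 'PATCH',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(buildOriginRuleBody(ddnsDomain, port)),
  });
  return isSuccess(await res.text());
}
```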

Configure STUN Telegram Notifications (Optional)#

  • Notifications require a Telegram bot token and chat ID. Refer to the following post to obtain them: Get Telegram Bot Token and Chat ID.
  • Since messages cannot be sent to Telegram directly, a Cloudflare Worker with a custom domain is used to forward them.

(screenshots)

Worker program:

// Set your Telegram Bot token here
const BOT_TOKEN = '<replace with tg bot token>';

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  // Construct the target URL
  const url = new URL(request.url);
  const targetUrl = `https://api.telegram.org/bot${BOT_TOKEN}/sendMessage${url.search}`;

  // Create a new request, preserving the original request's method, headers, and body
  const modifiedRequest = new Request(targetUrl, {
    method: request.method,
    headers: request.headers,
    body: request.body
  });

  // Send the request to the Telegram API and return the response
  try {
    const response = await fetch(modifiedRequest);
    
    // Create a new response, copying the original response's status and headers
    const modifiedResponse = new Response(response.body, response);
    
    // Add CORS headers if needed
    modifiedResponse.headers.set('Access-Control-Allow-Origin', '*');

    return modifiedResponse;
  } catch (error) {
    return new Response('Error: ' + error.message, { status: 500 });
  }
}

Interface address: The custom domain of the Worker

Request method: POST

Request headers:

Content-Type: application/json

Request body:

{
    "chat_id": "<replace with tg chat ID>",
    "text": {
        "Device": "Lucky STUN",
        "message": {
            "time": "#{time}",
            "addr": "#{ipAddr}",
            "rule name": "#{ruleName}"
        }
    }
}

A successful call returns a response containing the string:

"ok":true
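A hardened variant of the Worker above, added here as an example and not the post's own code: it keeps the same forwarding role but accepts only POST, requires a shared secret that Lucky sends in an assumed X-Lucky-Secret request header, pins chat_id to the configured one, and stringifies Lucky's JSON text object for Telegram, so the custom domain cannot be used by anyone else to send messages through the bot. The placeholder values and the header name are assumptions.

```javascript
// Added example, not the post's Worker. Placeholders and the X-Lucky-Secret header name are assumed.
const CONFIG = {
  botToken: '<replace with tg bot token>',
  chatId: '<replace with tg chat ID>',
  sharedSecret: '<replace with a long random string>', // add it to Lucky's request headers too
};

// Pure validation, so it can be checked without a Workers runtime.
// Returns { ok: true, text } or { ok: false, status, reason }.
function validateNotification(method, secretHeader, body, config) {
  if (method !== 'POST') return { ok: false, status: 405, reason: 'POST only' };
  if (!secretHeader || secretHeader !== config.sharedSecret) {
    return { ok: false, status: 401, reason: 'bad secret' };
  }
  if (!body || String(body.chat_id) !== String(config.chatId)) {
    return { ok: false, status: 403, reason: 'chat_id not allowed' };
  }
  if (body.text === undefined) return { ok: false, status: 400, reason: 'missing text' };
  // Lucky's request body carries "text" as a JSON object; Telegram expects a string.
  const text = typeof body.text === 'string' ? body.text : JSON.stringify(body.text, null, 2);
  return { ok: true, text: text.slice(0, 4096) }; // Telegram's per-message length limit
}

async function handleRequest(request, config = CONFIG, fetchImpl = fetch) {
  let body = null;
  try { body = await request.json(); } catch (e) { /* not JSON: body stays null */ }
  const v = validateNotification(request.method, request.headers.get('X-Lucky-Secret'), body, config);
  if (!v.ok) return new Response(v.reason, { status: v.status });
  // Only sendMessage is reachable, and the token is never taken from the caller.
  const res = await fetchImpl(`https://api.telegram.org/bot${config.botToken}/sendMessage`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ chat_id: config.chatId, text: v.text }),
  });
  // Return Telegram's JSON unchanged so Lucky's success check ("ok":true) still works.
  return new Response(await res.text(), { status: res.status, headers: { 'Content-Type': 'application/json' } });
}

if (typeof addEventListener === 'function') {
  addEventListener('fetch', event => event.respondWith(handleRequest(event.request)));
}
```

In Lucky, add the X-Lucky-Secret header with the same value next to the Content-Type header; everything else in the notification configuration stays as shown above.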

Local OpenWRT Operation#

gost -D -L "relay+ws://:20000?path=/3b451552-e776-45c5-9b98-bde3ab99bf75&bind=true"

Note: The command runs in the foreground and blocks the terminal, so no other operations can be performed there. If you run it manually, use screen or a similar terminal multiplexer: the process gets its own session and keeps running in the background while you retain control of the terminal and other sessions are unaffected.

Command explanation:
gost:

  • -D: This flag enables debug mode, providing detailed logs for troubleshooting.

  • -L "relay+ws://:20000?path=/3b451552-e776-45c5-9b98-bde3ab99bf75&bind=true": This specifies the local listening address and port, using the WebSocket transport. The path parameter sets the WebSocket path, and bind=true enables the Relay service's BIND feature (with UDP-over-TCP).

Remote VPS Operation#

gost -D -L socks5://[::1]:10000

gost -D -L rtcp://:30000/[::1]:10000 -F "relay+ws://v4.stun.com:80?path=/3b451552-e776-45c5-9b98-bde3ab99bf75&host=v4.stun.com"

Command explanation:
gost:

  • -D: This flag enables debug mode, providing detailed logs for troubleshooting.

  • -L socks5://[::1]:10000: This specifies the local listening address and port, using the SOCKS5 protocol. [::1] is the loopback address, and 10000 is the port number.

  • -L rtcp://:30000/[::1]:10000: This sets up remote TCP port forwarding (rtcp). Through the Relay service on the soft router, port 30000 is opened on the soft router side (the port that devices at home or in the company connect to), and connections arriving there are forwarded to [::1]:10000, the SOCKS5 service on the VPS.

  • -F "relay+ws://v4.stun.com:80?path=/3b451552-e776-45c5-9b98-bde3ab99bf75&host=v4.stun.com": This specifies the forwarding (next-hop) address: the Relay service over WebSocket, reached through the sourcing domain. The path and host parameters set the WebSocket path and the Host header, and the path must match the one used on the OpenWrt side.

Project One-Click Script Deployment#

Interactive Installation#

Both server and client use:

bash <(wget -qO- https://raw.githubusercontent.com/fscarmen/stun_return/main/stun_return.sh)

Quick Parameter Installation#

Install server:

bash <(wget -qO- https://raw.githubusercontent.com/fscarmen/stun_return/main/stun_return.sh) \
  -s \
  -p server-origin-port \
  -w your-ws-path \
  -4 your-IPv4-domain.com \
  -6 your-IPv6-domain.com

  • -s: install the server
  • -p: the local service port
  • -w: the WebSocket path (for communication with the sourcing domain)
  • -4: the IPv4 sourcing domain
  • -6: the IPv6 sourcing domain

Client installation:

bash <(wget -qO- https://raw.githubusercontent.com/fscarmen/stun_return/main/stun_return.sh) \
  -c \
  -w your-ws-path \
  -4 your-IPv4-domain.com \
  -r your-IPv4-return-port \
  -6 your-IPv6-domain.com \
  -e your-IPv6-return-port

  • -c: install the client
  • -w: the WebSocket path (for communication with the sourcing domain)
  • -4: the IPv4 sourcing domain
  • -r: the IPv4 return port
  • -6: the IPv6 sourcing domain
  • -e: the IPv6 return port

Uninstallation method:

bash <(wget -qO- https://raw.githubusercontent.com/fscarmen/stun_return/main/stun_return.sh) -u

For more parameters, please refer to the project README.md: https://www.github.com/fscarmen/stun_return

Deployment Operation Screenshots#

Server (Local Soft Router)#

  • Deployed on the soft router (screenshots)

Client (VPS)#

  • Deployed on the VPS (screenshot)

Application Settings (Proxy Software)#

  • (screenshot)
