pedramktb
diff --git a/‎.github/workflows/lint_and_test.yml‎ renamed to ‎.github/workflows/lint_test_and_build.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/lint_and_test.yml‎ renamed to ‎.github/workflows/lint_test_and_build.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 0 deletions b/‎.gitignore‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 78 additions & 4 deletions b/‎README.md‎
Lines changed: 78 additions & 4 deletions
diff --git a/‎Taskfile.yml‎
Lines changed: 152 additions & 1 deletion b/‎Taskfile.yml‎
Lines changed: 152 additions & 1 deletion
@@ -25,3 +25,4 @@ jobs:
       - run: task deps
       - run: task lint
       - run: task test
+      - run: task e2e:tun
@@ -0,0 +1,5 @@
+/.task/
+/build/
+
+# e2e working directory created by Task e2e:tun
+/.e2e/
@@ -44,7 +44,7 @@ Notes:
 rawClient, rawServer := net.Pipe()
 defer rawClient.Close(); defer rawServer.Close()
 
-client := netx.NewFramedConn(rawClient)                 // default max frame size 16KiB
+client := netx.NewFramedConn(rawClient)                 // default max frame size 32KiB
 server := netx.NewFramedConn(rawServer, netx.WithMaxFrameSize(64<<10))
 
 msg := []byte("hello frame")
@@ -153,10 +153,84 @@ If `Logger` is nil, the server/tunnel use `slog.Default()`.
 - Unhandled connections are dropped immediately after all routes decline.
 - `Shutdown(ctx)` will close listeners, then wait for tracked connections until `ctx` is done, after which remaining connections are force‑closed.
 
-## Testing
+## CLI
 
-The repository includes unit and end‑to‑end tests (UDP over TCP, TLS routing, graceful shutdown). Run:
+An extendable CLI is available at `cmd/netx` with an initial `tun` subcommand to relay between chainable endpoints.
+
+Build:
 
 ```bash
-go test ./...
+task build
 ```
+
+Install and use:
+
+```bash
+go install github.com/pedramktb/go-netx/cmd/netx@latest
+
+# Show help
+netx tun -h
+
+# Example: TCP TLS server to TCP TLS+buffered+framed+aesgcm client
+netx tun \
+  --from tcp+tls[cert=server.crt,key=server.key]://:9000 \
+  --to tcp+tls[cert=client.crt]+buffered[size=8192]+framed[maxsize=4096]+aesgcm[key=00112233445566778899aabbccddeeff]://example.com:9443
+
+# Example: UDP DTLS server to UDP aesgcm client
+netx tun \
+  --from udp+dtls[cert=server.crt,key=server.key]://:4444 \
+  --to udp+aesgcm[key=00112233445566778899aabbccddeeff]://10.0.0.10:5555
+```
+
+Options:
+
+- `--from <chain>://listenAddr` - Incoming side chain URI (required)
+- `--to <chain>://connectAddr` - Peer side chain URI (required)
+- `--log <level>` - Log level: debug|info|warn|error (default: info)
+- `-h` - Show help
+
+Chain syntax:
+
+Chains use the form `<chain>://host:port` where `<chain>` is a `+`-separated list starting with a base transport (`tcp` or `udp`), optionally followed by wrappers with parameters in brackets.
+
+**Supported base transports:**
+
+- `tcp` - TCP listener or dialer
+- `udp` - UDP listener or dialer
+
+**Supported wrappers:**
+
+- `tls` - Transport Layer Security
+  - Server params: `cert`, `key`
+  - Client params: `cert` (optional, for SPKI pinning), `servername` (required if cert not provided)
+
+- `utls` - TLS with client fingerprint camouflage via uTLS
+  - Client-side only
+  - Params: `cert` (optional, for SPKI pinning), `servername` (required if cert not provided), `hello` (optional: chrome, firefox, ios, android, safari, edge, randomized, randomizednoalpn; default: chrome)
+
+- `dtls` - Datagram Transport Layer Security
+  - Server params: `cert`, `key`
+  - Client params: `cert` (optional, for SPKI pinning), `servername` (required if cert not provided)
+
+- `tlspsk` - TLS with pre-shared key (TLS 1.2, cipher: TLS_PSK_WITH_AES_256_CBC_SHA)
+  - Params: `key`, `identity`
+
+- `dtlspsk` - DTLS with pre-shared key (cipher: TLS_PSK_WITH_AES_128_GCM_SHA256)
+  - Params: `key`, `identity`
+
+- `aesgcm` - AES-GCM encryption with passive IV exchange
+  - Params: `key`, `maxpacket` (optional, default: 32768)
+
+- `buffered` - Buffered read/write for better performance
+  - Params: `size` (optional, default: 4096)
+
+- `framed` - Length-prefixed frames for packet semantics over streams
+  - Params: `maxsize` (optional, default: 32768)
+
+- `ssh` - SSH tunneling via "direct-tcpip" channels
+  - Server params: `key` (optional, required with pass), `pass` (optional), `pubkey` (optional, required if no pass)
+  - Client params: `pubkey`, `pass` (optional), `key` (optional, required if no pass)
+
+**Notes:**
+- All passwords, keys and certificates must be provided as hex-encoded strings.
+- When using `cert` for client-side `tls`/`utls`/`dtls`, default validation is disabled and a manual SPKI (SubjectPublicKeyInfo) hash comparison is performed against the provided certificate. This is certificate pinning and will fail if the server presents a different key.
@@ -2,7 +2,7 @@ version: '3'
 
 tasks:
   default:
-   cmds:
+    cmds:
       - task --list
 
   deps:
@@ -20,3 +20,154 @@ tasks:
     desc: Run tests
     cmds:
       - go test ./...
+
+  build:
+    desc: Build binaries and libraries
+    cmds:
+      # Linux binaries and shared libraries
+      - env GOOS=linux GOARCH=amd64 go build -o build/netx_linux_x64 cmd/netx/*.go
+      - env GOOS=linux GOARCH=arm64 go build -o build/netx_linux_arm64 cmd/netx/*.go
+      # - env GOOS=linux GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-linux-gnu-gcc go build -buildmode=c-shared -o build/libnetx_linux_x64.so cmd/netx/lib/main.go
+      # - env GOOS=linux GOARCH=arm64 CGO_ENABLED=1 CC=aarch64-linux-gnu-gcc go build -buildmode=c-shared -o build/libnetx_linux_arm64.so cmd/netx/lib/main.go
+      # # Windows binaries and shared libraries
+      - env GOOS=windows GOARCH=amd64 go build -o build/netx_windows_x64.exe cmd/netx/*.go
+      - env GOOS=windows GOARCH=arm64 go build -o build/netx_windows_arm64.exe cmd/netx/*.go
+      # - env GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -o build/libnetx_windows_x64.dll cmd/netx/lib/main.go
+      # # aarch64-w64-mingw32-gcc is experimental and not available
+      # # - env GOOS=windows GOARCH=arm64 CGO_ENABLED=1 CC=aarch64-w64-mingw32-gcc go build -buildmode=c-shared -o build/libnetx_windows_arm64.dll cmd/lib/main.go
+      # # macOS binaries
+      - env GOOS=darwin GOARCH=amd64 go build -o build/netx_macos_x64 cmd/netx/*.go
+      - env GOOS=darwin GOARCH=arm64 go build -o build/netx_macos_arm64 cmd/netx/*.go
+      # # Android shared libraries
+      # - env GOOS=android GOARCH=amd64 CGO_ENABLED=1 CC=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/x86_64-linux-android26-clang go build -buildmode=c-shared -o build/libnetx_android_x64.so cmd/netx/lib/main.go
+      # - env GOOS=android GOARCH=arm64 CGO_ENABLED=1 CC=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android26-clang go build -buildmode=c-shared -o build/libnetx_android_arm64.so cmd/netx/lib/main.go
+    sources:
+      - '**/*.go'
+      - go.mod
+      - go.sum
+    generates:
+      - build/netx_linux_x64
+      - build/netx_linux_arm64
+      - build/libnetx_linux_x64.so
+      - build/libnetx_linux_arm64.so
+      - build/netx_windows_x64.exe
+      - build/netx_windows_arm64.exe
+      - build/libnetx_windows_x64.dll
+      - build/netx_macos_x64
+      - build/netx_macos_arm64
+      - build/libnetx_android_x64.so
+      - build/libnetx_android_arm64.so
+
+  build-apple-libs:
+    desc: Build Apple libraries (optional, requires mac toolchains)
+    cmds:
+      - env GOOS=darwin GOARCH=amd64 CGO_ENABLED=1 go build -buildmode=c-shared -o build/libnetx_macos_x64.dylib cmd/netx/lib/main.go
+      - env GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go build -buildmode=c-shared -o build/libnetx_macos_arm64.dylib cmd/netx/lib/main.go
+      - |
+        mkdir -p build
+        export CC=$(xcrun -find -sdk iphonesimulator clang)
+        export CXX=$(xcrun -find -sdk iphonesimulator clang++)
+        export SDKROOT=$(xcrun --sdk iphonesimulator --show-sdk-path)
+        export CFLAGS="-arch x86_64 -isysroot $SDKROOT -mios-simulator-version-min=10.0"
+        export LDFLAGS="-arch x86_64 -isysroot $SDKROOT -mios-simulator-version-min=10.0"
+        env GOOS=darwin GOARCH=amd64 CGO_ENABLED=1 go build -buildmode=c-archive -o build/libnetx_ios_x64.a cmd/netx/lib/main.go
+      - |
+        mkdir -p build
+        export CC=$(xcrun -find -sdk iphoneos clang)
+        export CXX=$(xcrun -find -sdk iphoneos clang++)
+        export SDKROOT=$(xcrun --sdk iphoneos --show-sdk-path)
+        export CFLAGS="-arch arm64 -isysroot $SDKROOT -mios-version-min=10.0"
+        export LDFLAGS="-arch arm64 -isysroot $SDKROOT -mios-version-min=10.0"
+        env GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go build -buildmode=c-archive -o build/libnetx_ios_arm64.a cmd/netx/lib/main.go
+    sources:
+      - '**/*.go'
+      - go.mod
+      - go.sum
+    generates:
+      - build/libnetx_macos_x64.dylib
+      - build/libnetx_macos_arm64.dylib
+      - build/libnetx_ios_x64.a
+      - build/libnetx_ios_arm64.a
+
+  e2e:tun:
+    desc: Run CLI end-to-end tun tests locally (uses .e2e working dir).
+    cmds:
+      - |
+        set -euo pipefail
+        ROOT=$(pwd)
+        WORK=.e2e
+        mkdir -p "$WORK"
+
+        echo "Building netx binary..."
+        go build -o "$WORK/netx" ./cmd/netx
+        chmod +x "$WORK/netx"
+        cd "$WORK"
+
+        echo "Generating certs and keys..."
+        openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 1 -nodes -subj "/CN=localhost" >/dev/null 2>&1
+        openssl rand -hex 32 > psk.hex
+        cp psk.hex aes.hex
+        echo y | ssh-keygen -t ed25519 -f ssh_server_key -N "" -C "e2e-server" >/dev/null 2>&1
+        echo y | ssh-keygen -t ed25519 -f ssh_client_key -N "" -C "e2e-client" >/dev/null 2>&1
+
+        echo "Building echo servers and clients..."
+        go build -tags e2e -o tcp_echo "$ROOT/internal/tools/e2e/tcp_echo"
+        go build -tags e2e -o udp_echo "$ROOT/internal/tools/e2e/udp_echo"
+        go build -tags e2e -o tcp_client "$ROOT/internal/tools/e2e/tcp_client"
+        go build -tags e2e -o udp_client "$ROOT/internal/tools/e2e/udp_client"
+
+        # Use isolated ports to avoid conflicts with external demos
+        TE=48080; UE=48081
+        STLS=49000; SDTLS=49100; SDTLSP=49300; SAESCT=49400; SAESCU=49500; SFR=49600; STLSPSK=49200; SSSH=49700; SUTLS=49800
+        CTLS=50000; CDTLS=50010; CDTLSP=50011; CAESCT=50002; CAESCU=50012; CFR=50003; CTLSPSK=50001; CSSH=50004; CUTLS=50005
+
+        echo "Starting echo servers..."
+        ./tcp_echo 127.0.0.1:${TE} > tcp_echo.log 2>&1 &
+        ./udp_echo 127.0.0.1:${UE} > udp_echo.log 2>&1 &
+
+        echo "Starting server tunnels..."
+        ./netx tun --from "tcp+tls[cert=$(xxd -p server.crt | tr -d '\n'),key=$(xxd -p server.key | tr -d '\n')]://127.0.0.1:${STLS}"   --to "tcp://127.0.0.1:${TE}"  --log info > tls_server.log         2>&1 &
+        ./netx tun --from "udp+dtls[cert=$(xxd -p server.crt | tr -d '\n'),key=$(xxd -p server.key | tr -d '\n')]://127.0.0.1:${SDTLS}" --to "udp://127.0.0.1:${UE}"  --log info > dtls_server.log        2>&1 &
+        ./netx tun --from "udp+dtlspsk[identity=i,key=$(cat psk.hex)]://127.0.0.1:${SDTLSP}"                                --to "udp://127.0.0.1:${UE}"  --log info > dtlspsk_server.log     2>&1 &
+        ./netx tun --from "tcp+buffered[size=8192]+framed[maxsize=4096]+aesgcm[key=$(cat aes.hex)]://127.0.0.1:${SAESCT}"   --to "tcp://127.0.0.1:${TE}"  --log info > aesgcm_tcp_server.log  2>&1 &
+        ./netx tun --from "udp+aesgcm[key=$(cat aes.hex)]://127.0.0.1:${SAESCU}"                                            --to "udp://127.0.0.1:${UE}"  --log info > aesgcm_udp_server.log  2>&1 &
+        ./netx tun --from "tcp+framed[maxsize=4096]://127.0.0.1:${SFR}"                                                     --to "udp://127.0.0.1:${UE}"  --log info > framed_tcp_server.log  2>&1 &
+        ./netx tun --from "tcp+tlspsk[identity=i,key=$(cat psk.hex)]://127.0.0.1:${STLSPSK}"                                --to "tcp://127.0.0.1:${TE}"  --log info > tlspsk_server.log      2>&1 &
+        ./netx tun --from "tcp+ssh[key=$(xxd -p ssh_server_key | tr -d '\n'),pubkey=$(xxd -p ssh_client_key.pub | tr -d '\n')]://127.0.0.1:${SSSH}"                       --to "tcp://127.0.0.1:${TE}"  --log info > ssh_server.log         2>&1 &
+        ./netx tun --from "tcp+tls[cert=$(xxd -p server.crt | tr -d '\n'),key=$(xxd -p server.key | tr -d '\n')]://127.0.0.1:${SUTLS}"  --to "tcp://127.0.0.1:${TE}"  --log info > utls_server.log        2>&1 &
+
+        echo "Starting client tunnels..."
+        ./netx tun --from "tcp://127.0.0.1:${CTLS}"     --to "tcp+tls[cert=$(xxd -p server.crt | tr -d '\n')]://127.0.0.1:${STLS}"                                  --log info > tls_client.log         2>&1 &
+        ./netx tun --from "udp://127.0.0.1:${CDTLS}"    --to "udp+dtls[cert=$(xxd -p server.crt | tr -d '\n')]://127.0.0.1:${SDTLS}"                                --log info > dtls_client.log        2>&1 &
+        ./netx tun --from "udp://127.0.0.1:${CDTLSP}"   --to "udp+dtlspsk[identity=i,key=$(cat psk.hex)]://127.0.0.1:${SDTLSP}"                               --log info > dtlspsk_client.log     2>&1 &
+        ./netx tun --from "tcp://127.0.0.1:${CAESCT}"   --to "tcp+buffered[size=8192]+framed[maxsize=4096]+aesgcm[key=$(cat aes.hex)]://127.0.0.1:${SAESCT}"  --log info > aesgcm_tcp_client.log  2>&1 &
+        ./netx tun --from "udp://127.0.0.1:${CAESCU}"   --to "udp+aesgcm[key=$(cat aes.hex)]://127.0.0.1:${SAESCU}"                                           --log info > aesgcm_udp_client.log  2>&1 &
+        ./netx tun --from "udp://127.0.0.1:${CFR}"      --to "tcp+framed[maxsize=4096]://127.0.0.1:${SFR}"                                                    --log info > framed_tcp_client.log  2>&1 &
+        ./netx tun --from "tcp://127.0.0.1:${CTLSPSK}"  --to "tcp+tlspsk[identity=i,key=$(cat psk.hex)]://127.0.0.1:${STLSPSK}"                               --log info > tlspsk_client.log      2>&1 &
+        ./netx tun --from "tcp://127.0.0.1:${CSSH}"     --to "tcp+ssh[pubkey=$(xxd -p ssh_server_key.pub | tr -d '\n'),key=$(xxd -p ssh_client_key | tr -d '\n')]://127.0.0.1:${SSSH}"                      --log info > ssh_client.log         2>&1 &
+        ./netx tun --from "tcp://127.0.0.1:${CUTLS}"    --to "tcp+utls[cert=$(xxd -p server.crt | tr -d '\n'),hello=chrome]://127.0.0.1:${SUTLS}"                   --log info > utls_client.log        2>&1 &
+
+        sleep 2
+
+        echo "Running tests..."
+        pass=0; fail=0
+        run_tcp(){ name=$1; addr=$2; msg=$3; out=$(./tcp_client "$addr" "$msg" || true); if [ "$out" = "$msg" ]; then echo "PASS $name"; pass=$((pass+1)); else echo "FAIL $name -> got: $out"; fail=$((fail+1)); fi }
+        run_udp(){ name=$1; addr=$2; msg=$3; out=$(./udp_client "$addr" "$msg" || true); if [ "$out" = "$msg" ]; then echo "PASS $name"; pass=$((pass+1)); else echo "FAIL $name -> got: $out"; fail=$((fail+1)); fi }
+        run_tcp TLS           127.0.0.1:${CTLS}     hello_tls
+        run_udp DTLS          127.0.0.1:${CDTLS}    hello_dtls
+        run_udp DTLSPSK       127.0.0.1:${CDTLSP}   hello_dtlspsk
+        run_tcp AESGCM_TCP    127.0.0.1:${CAESCT}   hello_aesgcm_tcp
+        run_udp AESGCM_UDP    127.0.0.1:${CAESCU}   hello_aesgcm_udp
+        run_udp FRAMED_TCP_BR 127.0.0.1:${CFR}      hello_udp_over_tcp
+        run_tcp SSH           127.0.0.1:${CSSH}     hello_ssh
+        run_tcp UTLS          127.0.0.1:${CUTLS}    hello_utls
+        run_tcp TLSPSK        127.0.0.1:${CTLSPSK}  hello_tlspsk
+        echo "RESULTS: pass=$pass fail=$fail"
+
+        echo "Cleaning up..."
+        pkill netx || true
+        pkill tcp_echo || true
+        pkill udp_echo || true
+
+        echo "Done."
+        [ "$fail" -eq 0 ]
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +/.task/
 +/build/
++
 +# e2e working directory created by Task e2e:tun
 +/.e2e/