Merge pull request #244 from compscidr/feature/linux-local-demo

compscidr · web-flow · commit 0663eed9b61d · 2026-04-29T13:18:34.000-07:00
Add a runnable local Linux demo (server + client + curl)
diff --git a/README.md b/README.md
@@ -94,6 +94,116 @@ val response = kanonProxy.takeResponse()
 
 There are more examples of usage in the [tests](core/src/test/kotlin/com/jasonernst/kanonproxy).
 
+## Local Linux demo
+
+An end-to-end demo on a single Linux host: a kanonproxy server, a kanonproxy
+client tunneling a TUN device to that server, and a `curl` issued through the
+proxy.
+
+[![Local Linux demo](https://img.youtube.com/vi/_ypo_3PYqTM/maxresdefault.jpg)](https://youtu.be/_ypo_3PYqTM)
+
+(Click to watch on YouTube — the steps below produce what the video shows.)
+
+Prerequisites:
+- Linux with `iproute2` and `sudo` (TUN setup and `--interface` both need root)
+- JDK 21 (the Gradle wrapper handles Gradle itself)
+- `./gradlew :server:assemble :client:assemble` succeeds
+
+### Path A — scripted (one-shot)
+
+```bash
+bash client/scripts/demo.sh           # uses 1.1.1.1 as the curl target
+bash client/scripts/demo.sh 9.9.9.9   # or pick your own HTTP-reachable IP
+```
+
+The script will:
+1. Run `client/scripts/tuntap.sh` to create the persistent `kanon` TUN device
+   (`10.0.1.1/24`, MTU 1024).
+2. Start the proxy server with `./gradlew :server:run --args="8080"` (UDP
+   listener on port 8080) — logs to `build/demo-logs/server.log`.
+3. Start the proxy client with `./gradlew :client:run --args="127.0.0.1 8080"` —
+   logs to `build/demo-logs/client.log`.
+4. Run `sudo curl -v --interface kanon http://<target>/`. `--interface kanon`
+   uses `SO_BINDTODEVICE` to pin curl's socket to the TUN, so curl's packets
+   go into the proxy without touching the kernel's main route table. The
+   server's own outbound TCP socket stays unbound and follows the normal
+   default route — that's what prevents the server from looping back into
+   its own VPN.
+
+The server and client stay running after the script finishes, so you can fire
+more requests against the same proxy:
+```bash
+sudo curl -v --interface kanon http://example.com/
+sudo curl -v --interface kanon http://1.1.1.1/
+```
+Each call creates a new session — look for `New session: ...` lines in
+`tail -f build/demo-logs/server.log`.
+
+Tear-down:
+```bash
+bash client/scripts/cleanup.sh
+```
+This SIGTERMs the server/client/Gradle workers (then SIGKILLs anything left),
+retries `ip tuntap del` to handle any fd-release race, and removes the TUN
+interface. It's idempotent — safe to rerun.
+
+### Path B — manual (4 terminals)
+
+Use this if you want to see each piece's output live, or to debug a failure
+from path A.
+
+**Terminal 1 — TUN device:**
+```bash
+bash client/scripts/tuntap.sh "$USER"
+ip addr show kanon          # expect: kanon, inet 10.0.1.1/24, MTU 1024
+```
+
+**Terminal 2 — server:**
+```bash
+./gradlew :server:run --args="8080"
+# expect log: "Server listening on default port: 8080"
+# verify in another shell:  ss -lun | grep 8080
+```
+
+**Terminal 3 — client:**
+```bash
+./gradlew :client:run --args="127.0.0.1 8080"
+# expect logs: "Opened TUN/TAP device" and "Created TUN/TAP device"
+```
+
+**Terminal 4 — curl through the proxy:**
+```bash
+sudo curl -v --max-time 15 --interface kanon http://1.1.1.1/
+```
+Success looks like a real HTTP response from `1.1.1.1` (almost certainly a
+`301 Moved Permanently` to HTTPS — that proves the round trip).
+
+Tear-down:
+```bash
+# Ctrl-C terminal 3 (client), then terminal 2 (server)
+bash client/scripts/cleanup.sh
+ip link show kanon || echo "kanon gone"
+```
+If cleanup ever reports `kanon interface is still present`, run
+`sudo lsof /dev/net/tun` to find what's still holding the fd.
+
+### Watching packets while the demo runs
+
+`kanon` is a regular kernel interface, so on Linux the easiest capture is
+plain libpcap on the device itself. The in-process pcap-ng dumpers
+([packetdumper](https://github.com/compscidr/packetdumper)) are also exposed
+in case you want to see the proxy's egress side (and they're what the Android
+app uses where you can't `tcpdump` the VPN interface from your laptop):
+
+```bash
+sudo wireshark -k -i kanon                  # client/TUN leg, native libpcap
+wireshark -k -i TCP@127.0.0.1:19000         # client-side in-process dumper (same packets)
+wireshark -k -i TCP@127.0.0.1:19001         # server-side dumper (proxy's outbound to public Internet)
+```
+
+See [Debugging with Wireshark](#debugging-with-wireshark) below for more on
+the in-process dumpers.
+
 ## Debugging with Wireshark
 
 Both the reference server/client and the Android sample app embed a
diff --git a/client/build.gradle.kts b/client/build.gradle.kts
@@ -2,12 +2,17 @@ plugins {
     alias(libs.plugins.jetbrains.kotlin.jvm)
     alias(libs.plugins.kotlinter)
     id("java-library")
+    id("application")
     id("jacoco")
     alias(libs.plugins.git.version)
     alias(libs.plugins.sonatype.maven.central)
     alias(libs.plugins.gradleup.nmcp.aggregation)
 }
 
+application {
+    mainClass.set("com.jasonernst.kanonproxy.LinuxProxyClient")
+}
+
 tasks.withType<Test>().configureEach {
     finalizedBy("jacocoTestReport")
     testLogging {
diff --git a/client/scripts/cleanup.sh b/client/scripts/cleanup.sh
@@ -1,12 +1,60 @@
-#!/bin/bash
-# Kill and java -jar invoked processes, delete kanon namespace, delete kanon interface
-sudo pkill -f "java -jar"
-sudo pkill -f "java -Djava.library.path"
-{
-  # try to cleanup old interfaces first
-  # hide output of these - we'll get a failure message if the bump interface doesn't exist
-  # and we don't care if it doesn't
-  sudo ip link set dev kanon down
-  sudo ip tuntap del dev kanon mode tun
-  rm *.jar *.so
-} &> /dev/null
+#!/usr/bin/env bash
+# Kill kanonproxy processes, drop any routes pointed at the kanon device,
+# and delete the kanon TUN interface. Idempotent: safe to run when nothing
+# is up.
+
+# Kill the JVM processes that hold the TUN fd. Scope by current user so we
+# don't accidentally take out unrelated JVMs on the host that happen to have
+# matching strings on their command line. Use SIGTERM first so the JVM has
+# a chance to release the TUN fd cleanly, then SIGKILL anything that didn't
+# exit.
+CURRENT_UID="$(id -u)"
+PATTERNS=("ProxyServer" "LinuxProxyClient" "GradleWorkerMain" "java -jar" "java -Djava.library.path")
+
+kill_matching() {
+    local signal="$1"
+    local pattern="$2"
+    local pids
+    pids="$(pgrep -u "$CURRENT_UID" -f -- "$pattern" 2>/dev/null || true)"
+    [ -n "$pids" ] || return 0
+    sudo kill "$signal" $pids 2>/dev/null || true
+}
+
+for pat in "${PATTERNS[@]}"; do
+    kill_matching -TERM "$pat"
+done
+# Give the JVMs a moment to actually release the TUN fd. Without this,
+# `ip tuntap del` can race the kernel cleanup and leave the interface
+# stuck in a DOWN state.
+sleep 1
+for pat in "${PATTERNS[@]}"; do
+    kill_matching -KILL "$pat"
+done
+
+if ip link show kanon &>/dev/null; then
+    # drop any host routes still pointed at kanon (added by older demo.sh
+    # versions; the current demo doesn't add routes)
+    ip route show | awk '/dev kanon/ {print $1}' | while read -r net; do
+        sudo ip route del "$net" dev kanon 2>/dev/null || true
+    done
+
+    sudo ip link set dev kanon down 2>/dev/null || true
+
+    # Retry the delete a few times — even after pkill -9, the kernel may
+    # need a tick before all references to the tun fd drop.
+    for _ in 1 2 3 4 5; do
+        if sudo ip tuntap del dev kanon mode tun 2>/dev/null; then
+            break
+        fi
+        sleep 1
+    done
+
+    if ip link show kanon &>/dev/null; then
+        echo "warning: kanon interface is still present; something may still hold its fd" >&2
+        echo "         try:  sudo lsof /dev/net/tun" >&2
+    else
+        echo "kanon interface removed"
+    fi
+else
+    echo "kanon interface not present, nothing to remove"
+fi
diff --git a/client/scripts/demo.sh b/client/scripts/demo.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Bring up a local Linux kanonproxy demo end-to-end:
+#   1. Create the kanon TUN device
+#   2. Start the proxy server (UDP :8080)
+#   3. Start the proxy client (tunnels TUN traffic to 127.0.0.1:8080)
+#   4. Issue a curl pinned to the kanon device so its outbound packets
+#      go through the proxy, while the server's own outbound TCP socket
+#      uses the normal default route (no loop).
+#
+# Usage: bash client/scripts/demo.sh [target-ip]
+#   target-ip defaults to 1.1.1.1 (Cloudflare). Whatever you pick must
+#   speak HTTP on port 80 since this demo issues a plain HTTP curl.
+#
+# Run client/scripts/cleanup.sh afterwards to tear everything down.
+
+set -euo pipefail
+
+TARGET="${1:-1.1.1.1}"
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+LOG_DIR="${REPO_ROOT}/build/demo-logs"
+mkdir -p "$LOG_DIR"
+
+cd "$REPO_ROOT"
+
+echo "[1/4] Creating kanon TUN device (sudo will be required)..."
+bash client/scripts/tuntap.sh "$USER"
+
+echo "[2/4] Starting proxy server on UDP :8080 (logs: $LOG_DIR/server.log)..."
+./gradlew --no-daemon -q :server:run --args="8080" \
+    > "$LOG_DIR/server.log" 2>&1 &
+SERVER_PID=$!
+echo "      server pid=$SERVER_PID"
+
+echo "[3/4] Waiting for server to start listening..."
+SERVER_READY=0
+for i in $(seq 1 30); do
+    if ! kill -0 "$SERVER_PID" 2>/dev/null; then
+        echo "      server process exited before binding UDP :8080; see $LOG_DIR/server.log" >&2
+        exit 1
+    fi
+    if ss -lun | grep -q ":8080"; then
+        echo "      server is listening"
+        SERVER_READY=1
+        break
+    fi
+    sleep 1
+done
+
+if [ "$SERVER_READY" -ne 1 ]; then
+    echo "      timed out waiting for server to bind UDP :8080; see $LOG_DIR/server.log" >&2
+    exit 1
+fi
+
+echo "[3.5/4] Starting proxy client (logs: $LOG_DIR/client.log)..."
+./gradlew --no-daemon -q :client:run --args="127.0.0.1 8080" \
+    > "$LOG_DIR/client.log" 2>&1 &
+CLIENT_PID=$!
+echo "      client pid=$CLIENT_PID"
+sleep 3
+
+echo "[4/4] curl --interface kanon http://$TARGET/  (sudo for SO_BINDTODEVICE)..."
+echo "---- curl -v --interface kanon http://$TARGET/ ----"
+sudo curl -v --max-time 15 --interface kanon "http://$TARGET/" || true
+echo "---- end curl ----"
+
+cat <<EOF
+
+Demo finished. Server (pid=$SERVER_PID) and client (pid=$CLIENT_PID) are still
+running so you can attach Wireshark:
+    wireshark -k -i TCP@127.0.0.1:19000   # client-side dumper
+    wireshark -k -i TCP@127.0.0.1:19001   # server-side dumper
+
+To tear everything down:
+    bash client/scripts/cleanup.sh
+
+Logs: $LOG_DIR/{server,client}.log
+EOF
diff --git a/client/src/main/kotlin/com/jasonernst/kanonproxy/LinuxProxyClient.kt b/client/src/main/kotlin/com/jasonernst/kanonproxy/LinuxProxyClient.kt
@@ -34,7 +34,7 @@ class LinuxProxyClient(
                     staticLogger.debug("Using default server: 127.0.0.1 $DEFAULT_PORT")
                     val datagramChannel = DatagramChannel.open()
                     datagramChannel.configureBlocking(false)
-                    datagramChannel.connect(InetSocketAddress("10.0.0.114", DEFAULT_PORT))
+                    datagramChannel.connect(InetSocketAddress("127.0.0.1", DEFAULT_PORT))
                     LinuxProxyClient(datagramChannel = datagramChannel, packetDumper = packetDumper)
                 } else {
                     if (args.size != 2) {
diff --git a/server/build.gradle.kts b/server/build.gradle.kts
@@ -2,12 +2,17 @@ plugins {
     alias(libs.plugins.jetbrains.kotlin.jvm)
     alias(libs.plugins.kotlinter)
     id("java-library")
+    id("application")
     id("jacoco")
     alias(libs.plugins.git.version)
     alias(libs.plugins.sonatype.maven.central)
     alias(libs.plugins.gradleup.nmcp.aggregation)
 }
 
+application {
+    mainClass.set("com.jasonernst.kanonproxy.ProxyServer")
+}
+
 java {
     sourceCompatibility = JavaVersion.VERSION_21
     targetCompatibility = JavaVersion.VERSION_21
