bump version to v2.2.2

1. add config generator to easytier-web
2. add command to show tcp/kcp proxy entries

.github/workflows/docker.yml

@@ -11,7 +11,7 @@ on:
       image_tag:
         description: 'Tag for this image build'
         type: string
-        default: 'v1.2.0'
+        default: 'v2.2.2'
         required: true
       mark_latest:
         description: 'Mark this image as latest'
@@ -39,6 +39,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: login github container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Download artifact
         id: download-artifact
         uses: dawidd6/action-download-artifact@v6
@@ -58,4 +64,6 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           file: .github/workflows/Dockerfile
-          tags: easytier/easytier:${{ inputs.image_tag }}${{ inputs.mark_latest && ',easytier/easytier:latest' || '' }},
+          tags: |
+            easytier/easytier:${{ inputs.image_tag }}${{ inputs.mark_latest && ',easytier/easytier:latest' || '' }},
+            ghcr.io/${{ github.actor }}/easytier:${{ inputs.image_tag }}${{ inputs.mark_latest && ',easytier/easytier:latest' || '' }},

.github/workflows/release.yml

@@ -21,7 +21,7 @@ on:
       version:
         description: 'Version for this release'
         type: string
-        default: 'v2.2.0'
+        default: 'v2.2.2'
         required: true
       make_latest:
         description: 'Mark this release as latest'

Cargo.lock

@@ -1874,7 +1874,7 @@ checksum = "0d6ef0072f8a535281e4876be788938b528e9a1d43900b82c2569af7da799125"
 
 [[package]]
 name = "easytier"
-version = "2.2.0"
+version = "2.2.2"
 dependencies = [
  "aes-gcm",
  "anyhow",
@@ -1968,8 +1968,8 @@ dependencies = [
  "url",
  "uuid",
  "wildmatch",
+ "windows 0.52.0",
  "windows-service",
- "windows-sys 0.52.0",
  "winreg 0.52.0",
  "zerocopy",
  "zip",
@@ -1977,7 +1977,7 @@ dependencies = [
 
 [[package]]
 name = "easytier-gui"
-version = "2.2.0"
+version = "2.2.2"
 dependencies = [
  "anyhow",
  "chrono",
@@ -2022,7 +2022,7 @@ dependencies = [
 
 [[package]]
 name = "easytier-web"
-version = "0.1.0"
+version = "2.2.2"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -3563,7 +3563,7 @@ dependencies = [
 [[package]]
 name = "kcp-sys"
 version = "0.1.0"
-source = "git+https://github.com/EasyTier/kcp-sys#9ce5c08807378ad0486291928994c4f80878c196"
+source = "git+https://github.com/EasyTier/kcp-sys#0f0a0558391ba391c089806c23f369651f6c9eeb"
 dependencies = [
  "anyhow",
  "auto_impl",
@@ -9061,6 +9061,16 @@ dependencies = [
  "windows-targets 0.48.5",
 ]
 
+[[package]]
+name = "windows"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e48a53791691ab099e5e2ad123536d0fff50652600abaf43bbf952894110d0be"
+dependencies = [
+ "windows-core 0.52.0",
+ "windows-targets 0.52.6",
+]
+
 [[package]]
 name = "windows"
 version = "0.58.0"

easytier-gui/package.json

@@ -1,7 +1,7 @@
 {
   "name": "easytier-gui",
   "type": "module",
-  "version": "2.2.0",
+  "version": "2.2.2",
   "private": true,
   "packageManager": "pnpm@9.12.1+sha512.e5a7e52a4183a02d5931057f7a0dbff9d5e9ce3161e33fa68ae392125b79282a8a8a470a51dfc8a0ed86221442eb2fb57019b0990ed24fab519bf0e1bc5ccfc4",
   "scripts": {

easytier-gui/src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "easytier-gui"
-version = "2.2.0"
+version = "2.2.2"
 description = "EasyTier GUI"
 authors = ["you"]
 edition = "2021"

easytier-gui/src-tauri/src/lib.rs

@@ -89,6 +89,7 @@ fn get_os_hostname() -> Result<String, String> {
 
 #[tauri::command]
 fn set_logging_level(level: String) -> Result<(), String> {
+    #[allow(static_mut_refs)]
     let sender = unsafe { LOGGER_LEVEL_SENDER.as_ref().unwrap() };
     sender.send(level).map_err(|e| e.to_string())?;
     Ok(())
@@ -188,7 +189,10 @@ pub fn run() {
             let Ok(Some(logger_reinit)) = utils::init_logger(config, true) else {
                 return Ok(());
             };
-            unsafe { LOGGER_LEVEL_SENDER.replace(logger_reinit) };
+            #[allow(static_mut_refs)]
+            unsafe {
+                LOGGER_LEVEL_SENDER.replace(logger_reinit)
+            };
 
             // for tray icon, menu need to be built in js
             #[cfg(not(target_os = "android"))]

easytier-gui/src-tauri/tauri.conf.json

@@ -17,7 +17,7 @@
     "createUpdaterArtifacts": false
   },
   "productName": "easytier-gui",
-  "version": "2.2.0",
+  "version": "2.2.2",
   "identifier": "com.kkrainbow.easytier",
   "plugins": {},
   "app": {

easytier-web/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "easytier-web"
-version = "0.1.0"
+version = "2.2.2"
 edition = "2021"
 description = "Config server for easytier. easytier-core gets config from this and web frontend use it as restful api server."
 

easytier-web/frontend-lib/src/locales/cn.yaml

@@ -75,13 +75,13 @@ latency_first: 开启延迟优先模式
 latency_first_help: 忽略中转跳数，选择总延迟最低的路径
 
 use_smoltcp: 使用用户态协议栈
-use_smoltcp_help: 使用用户态 TCP/IP 协议栈，避免操作系统防火墙问题导致无法子网代理。
+use_smoltcp_help: 使用用户态 TCP/IP 协议栈，避免操作系统防火墙问题导致无法子网代理 / KCP代理。
 
 enable_kcp_proxy: 启用 KCP 代理
 enable_kcp_proxy_help: 将 TCP 流量转为 KCP 流量，降低传输延迟，提升传输速度。
 
 disable_kcp_input: 禁用 KCP 输入
-disable_kcp_input_help: 禁用 KCP 入站流量，其他开启 KCP 代理的节点无法连接到本节点。
+disable_kcp_input_help: 禁用 KCP 入站流量，其他开启 KCP 代理的节点仍然使用 TCP 连接到本节点。
 
 disable_p2p: 禁用 P2P
 disable_p2p_help: 禁用 P2P 模式，所有流量通过手动指定的服务器中转。

easytier-web/frontend-lib/src/locales/en.yaml

@@ -68,6 +68,29 @@ upload_bytes: Upload
 download_bytes: Download
 loss_rate: Loss Rate
 
+flags_switch: Feature Switch
+
+latency_first: Enable Latency-First Mode
+latency_first_help: Ignore hop count and select the path with the lowest total latency
+
+use_smoltcp: Use User-Space Protocol Stack
+use_smoltcp_help: Use a user-space TCP/IP stack to avoid issues with operating system firewalls blocking subnet or KCP proxy functionality.
+
+enable_kcp_proxy: Enable KCP Proxy
+enable_kcp_proxy_help: Convert TCP traffic to KCP traffic to reduce latency and boost transmission speed.
+
+disable_kcp_input: Disable KCP Input
+disable_kcp_input_help: Disable inbound KCP traffic, while nodes with KCP proxy enabled continue to connect using TCP.
+
+disable_p2p: Disable P2P
+disable_p2p_help: Disable P2P mode; route all traffic through a manually specified relay server.
+
+bind_device: Bind to Physical Device Only
+bind_device_help: Use only the physical network interface to prevent EasyTier from connecting via virtual networks.
+
+no_tun: No TUN Mode
+no_tun_help: Do not use a TUN interface, suitable for environments without administrator privileges. This node is only accessible; accessing other nodes requires SOCKS5.
+
 status:
   version: Version
   local: Local

easytier-web/frontend-lib/src/modules/api.ts

@@ -1,6 +1,7 @@
 import axios, { AxiosError, AxiosInstance, AxiosResponse, InternalAxiosRequestConfig } from 'axios';
 import { Md5 } from 'ts-md5'
 import { UUID } from './utils';
+import { NetworkConfig } from '../types/network';
 
 export interface ValidateConfigResponse {
     toml_config: string;
@@ -37,6 +38,15 @@ export interface ListNetworkInstanceIdResponse {
     disabled_inst_ids: Array<UUID>,
 }
 
+export interface GenerateConfigRequest {
+    config: NetworkConfig;
+}
+
+export interface GenerateConfigResponse {
+    toml_config?: string;
+    error?: string;
+}
+
 export class ApiClient {
     private client: AxiosInstance;
     private authFailedCb: Function | undefined;
@@ -193,6 +203,18 @@ export class ApiClient {
     public captcha_url() {
         return this.client.defaults.baseURL + '/auth/captcha';
     }
+
+    public async generate_config(config: GenerateConfigRequest): Promise<GenerateConfigResponse> {
+        try {
+            const response = await this.client.post<any, GenerateConfigResponse>('/generate-config', config);
+            return response;
+        } catch (error) {
+            if (error instanceof AxiosError) {
+                return { error: error.response?.data };
+            }
+            return { error: 'Unknown error: ' + error };
+        }
+    }
 }
 
 export default ApiClient;

easytier-web/frontend/src/components/ConfigGenerator.vue

@@ -0,0 +1,39 @@
+<script setup lang="ts">
+import { NetworkTypes } from 'easytier-frontend-lib';
+import { ref } from 'vue';
+import { Api } from 'easytier-frontend-lib'
+
+const defaultApiHost = 'https://config-server.easytier.cn'
+const api = new Api.ApiClient(defaultApiHost);
+
+const newNetworkConfig = ref<NetworkTypes.NetworkConfig>(NetworkTypes.DEFAULT_NETWORK_CONFIG());
+const toml_config = ref<string>("Press 'Run Network' to generate TOML configuration");
+
+const generateConfig = (config: NetworkTypes.NetworkConfig) => {
+    api.generate_config({
+        config: config
+    }).then((res) => {
+        if (res.error) {
+            toml_config.value = res.error;
+        } else if (res.toml_config) {
+            toml_config.value = res.toml_config;
+        } else {
+            toml_config.value = "Api server returned an unexpected response";
+        }
+    });
+};
+
+</script>
+
+<template>
+    <div class="flex items-center justify-center m-5">
+        <div class="flex w-full">
+            <div class="w-1/2 p-4">
+                <Config :cur-network="newNetworkConfig" @run-network="generateConfig" />
+            </div>
+            <div class="w-1/2 p-4 bg-gray-100">
+                <pre class="whitespace-pre-wrap">{{ toml_config }}</pre>
+            </div>
+        </div>
+    </div>
+</template>

easytier-web/frontend/src/main.ts

@@ -15,6 +15,7 @@ import DeviceManagement from './components/DeviceManagement.vue'
 import Dashboard from './components/Dashboard.vue'
 import DialogService from 'primevue/dialogservice';
 import ToastService from 'primevue/toastservice';
+import ConfigGenerator from './components/ConfigGenerator.vue'
 
 const routes = [
     {
@@ -66,6 +67,10 @@ const routes = [
             }
         }
     },
+    {
+        path: '/config_generator',
+        component: ConfigGenerator,
+    }
 ]
 
 const router = createRouter({

easytier-web/src/restful/mod.rs

@@ -6,11 +6,14 @@ mod users;
 use std::{net::SocketAddr, sync::Arc};
 
 use axum::http::StatusCode;
+use axum::routing::post;
 use axum::{extract::State, routing::get, Json, Router};
 use axum_login::tower_sessions::{ExpiredDeletion, SessionManagerLayer};
 use axum_login::{login_required, AuthManagerLayerBuilder, AuthzBackend};
 use axum_messages::MessagesManagerLayer;
+use easytier::common::config::ConfigLoader;
 use easytier::common::scoped_task::ScopedTask;
+use easytier::launcher::NetworkConfig;
 use easytier::proto::rpc_types;
 use network::NetworkApi;
 use sea_orm::DbErr;
@@ -48,6 +51,17 @@ struct GetSummaryJsonResp {
     device_count: u32,
 }
 
+#[derive(Debug, serde::Deserialize, serde::Serialize)]
+struct GenerateConfigRequest {
+    config: NetworkConfig,
+}
+
+#[derive(Debug, serde::Deserialize, serde::Serialize)]
+struct GenerateConfigResponse {
+    error: Option<String>,
+    toml_config: Option<String>,
+}
+
 #[derive(Debug, serde::Deserialize, serde::Serialize)]
 pub struct Error {
     message: String,
@@ -131,6 +145,24 @@ impl RestfulServer {
         .into())
     }
 
+    async fn handle_generate_config(
+        Json(req): Json<GenerateConfigRequest>,
+    ) -> Result<Json<GenerateConfigResponse>, HttpHandleError> {
+        let config = req.config.gen_config();
+        match config {
+            Ok(c) => Ok(GenerateConfigResponse {
+                error: None,
+                toml_config: Some(c.dump()),
+            }
+            .into()),
+            Err(e) => Ok(GenerateConfigResponse {
+                error: Some(format!("{:?}", e)),
+                toml_config: None,
+            }
+            .into()),
+        }
+    }
+
     pub async fn start(&mut self) -> Result<(), anyhow::Error> {
         let listener = TcpListener::bind(self.bind_addr).await?;
 
@@ -178,6 +210,10 @@ impl RestfulServer {
             .route_layer(login_required!(Backend))
             .merge(auth::router())
             .with_state(self.client_mgr.clone())
+            .route(
+                "/api/v1/generate-config",
+                post(Self::handle_generate_config),
+            )
             .layer(MessagesManagerLayer)
             .layer(auth_layer)
             .layer(tower_http::cors::CorsLayer::very_permissive())

easytier/Cargo.toml

@@ -3,7 +3,7 @@ name = "easytier"
 description = "A full meshed p2p VPN, connecting all your devices in one network with one command."
 homepage = "https://github.com/EasyTier/EasyTier"
 repository = "https://github.com/EasyTier/EasyTier"
-version = "2.2.0"
+version = "2.2.2"
 edition = "2021"
 authors = ["kkrainbow"]
 keywords = ["vpn", "p2p", "network", "easytier"]
@@ -204,12 +204,15 @@ netlink-packet-core = { version = "0.7.0" }
 netlink-packet-utils = "0.5.2"
 
 [target.'cfg(windows)'.dependencies]
-windows-sys = { version = "0.52", features = [
-    "Win32_Networking_WinSock",
-    "Win32_NetworkManagement_IpHelper",
+windows = { version = "0.52.0", features = [
     "Win32_Foundation",
+    "Win32_NetworkManagement_WindowsFirewall",
+    "Win32_System_Com",
+    "Win32_Networking",
+    "Win32_System_Ole",
+    "Win32_Networking_WinSock",
     "Win32_System_IO",
-] }
+]}
 encoding = "0.2"
 winreg = "0.52"
 windows-service = "0.7.0"

easytier/locales/app.yml

@@ -100,8 +100,8 @@ core_clap:
     en: "do not create TUN device, can use subnet proxy to access node"
     zh-CN: "不创建TUN设备，可以使用子网代理访问节点"
   use_smoltcp:
-    en: "enable smoltcp stack for subnet proxy"
-    zh-CN: "为子网代理启用smoltcp堆栈"
+    en: "enable smoltcp stack for subnet proxy and kcp proxy"
+    zh-CN: "为子网代理和 KCP 代理启用smoltcp堆栈"
   manual_routes:
     en: "assign routes cidr manually, will disable subnet proxy and wireguard routes propagated from peers. e.g.: 192.168.0.0/16"
     zh-CN: "手动分配路由CIDR，将禁用子网代理和从对等节点传播的wireguard路由。例如：192.168.0.0/16"
@@ -143,7 +143,7 @@ core_clap:
   enable_kcp_proxy:
     en: "proxy tcp streams with kcp, improving the latency and throughput on the network with udp packet loss."
     zh-CN: "使用 KCP 代理 TCP 流，提高在 UDP 丢包网络上的延迟和吞吐量。"
-  disable-kcp-input:
+  disable_kcp_input:
     en: "do not allow other nodes to use kcp to proxy tcp streams to this node. when a node with kcp proxy enabled accesses this node, the original tcp connection is preserved."
     zh-CN: "不允许其他节点使用 KCP 代理 TCP 流到此节点。开启 KCP 代理的节点访问此节点时，依然使用原始 TCP 连接。"
 

easytier/src/arch/windows.rs

@@ -1,26 +1,27 @@
-use std::{
-    ffi::c_void,
-    io::{self, ErrorKind},
-    mem,
-    net::SocketAddr,
-    os::windows::io::AsRawSocket,
-    ptr,
-};
+use std::{io, net::SocketAddr, os::windows::io::AsRawSocket};
 
+use anyhow::Context;
 use network_interface::NetworkInterfaceConfig;
-use windows_sys::{
-    core::PCSTR,
+use windows::{
+    core::BSTR,
     Win32::{
         Foundation::{BOOL, FALSE},
+        NetworkManagement::WindowsFirewall::{
+            INetFwPolicy2, INetFwRule, NET_FW_ACTION_ALLOW, NET_FW_PROFILE2_PRIVATE,
+            NET_FW_PROFILE2_PUBLIC, NET_FW_RULE_DIR_IN, NET_FW_RULE_DIR_OUT,
+        },
         Networking::WinSock::{
             htonl, setsockopt, WSAGetLastError, WSAIoctl, IPPROTO_IP, IPPROTO_IPV6,
             IPV6_UNICAST_IF, IP_UNICAST_IF, SIO_UDP_CONNRESET, SOCKET, SOCKET_ERROR,
         },
+        System::Com::{
+            CoCreateInstance, CoInitializeEx, CoUninitialize, CLSCTX_ALL, COINIT_MULTITHREADED,
+        },
     },
 };
 
 pub fn disable_connection_reset<S: AsRawSocket>(socket: &S) -> io::Result<()> {
-    let handle = socket.as_raw_socket() as SOCKET;
+    let handle = SOCKET(socket.as_raw_socket() as usize);
 
     unsafe {
         // Ignoring UdpSocket's WSAECONNRESET error
@@ -39,21 +40,18 @@ pub fn disable_connection_reset<S: AsRawSocket>(socket: &S) -> io::Result<()> {
         let ret = WSAIoctl(
             handle,
             SIO_UDP_CONNRESET,
-            &enable as *const _ as *const c_void,
-            mem::size_of_val(&enable) as u32,
-            ptr::null_mut(),
+            Some(&enable as *const _ as *const std::ffi::c_void),
+            std::mem::size_of_val(&enable) as u32,
+            None,
             0,
             &mut bytes_returned as *mut _,
-            ptr::null_mut(),
+            None,
             None,
         );
 
         if ret == SOCKET_ERROR {
-            use std::io::Error;
-
-            // Error occurs
             let err_code = WSAGetLastError();
-            return Err(Error::from_raw_os_error(err_code));
+            return Err(std::io::Error::from_raw_os_error(err_code.0));
         }
     }
 
@@ -63,7 +61,7 @@ pub fn disable_connection_reset<S: AsRawSocket>(socket: &S) -> io::Result<()> {
 pub fn interface_count() -> io::Result<usize> {
     let ifaces = network_interface::NetworkInterface::show().map_err(|e| {
         io::Error::new(
-            ErrorKind::NotFound,
+            io::ErrorKind::NotFound,
             format!("Failed to get interfaces. error: {}", e),
         )
     })?;
@@ -73,7 +71,7 @@ pub fn interface_count() -> io::Result<usize> {
 pub fn find_interface_index(iface_name: &str) -> io::Result<u32> {
     let ifaces = network_interface::NetworkInterface::show().map_err(|e| {
         io::Error::new(
-            ErrorKind::NotFound,
+            io::ErrorKind::NotFound,
             format!("Failed to get interfaces. {}, error: {}", iface_name, e),
         )
     })?;
@@ -82,7 +80,7 @@ pub fn find_interface_index(iface_name: &str) -> io::Result<u32> {
     }
     tracing::error!("Failed to find interface index for {}", iface_name);
     Err(io::Error::new(
-        ErrorKind::NotFound,
+        io::ErrorKind::NotFound,
         format!("{}", iface_name),
     ))
 }
@@ -92,7 +90,7 @@ pub fn set_ip_unicast_if<S: AsRawSocket>(
     addr: &SocketAddr,
     iface: &str,
 ) -> io::Result<()> {
-    let handle = socket.as_raw_socket() as SOCKET;
+    let handle = SOCKET(socket.as_raw_socket() as usize);
 
     let if_index = find_interface_index(iface)?;
 
@@ -100,30 +98,23 @@ pub fn set_ip_unicast_if<S: AsRawSocket>(
         // https://docs.microsoft.com/en-us/windows/win32/winsock/ipproto-ip-socket-options
         let ret = match addr {
             SocketAddr::V4(..) => {
-                // Interface index is in network byte order for IPPROTO_IP.
                 let if_index = htonl(if_index);
-                setsockopt(
-                    handle,
-                    IPPROTO_IP as i32,
-                    IP_UNICAST_IF as i32,
-                    &if_index as *const _ as PCSTR,
-                    mem::size_of_val(&if_index) as i32,
-                )
+                let if_index_bytes = if_index.to_ne_bytes();
+                setsockopt(handle, IPPROTO_IP.0, IP_UNICAST_IF, Some(&if_index_bytes))
             }
             SocketAddr::V6(..) => {
-                // Interface index is in host byte order for IPPROTO_IPV6.
+                let if_index_bytes = if_index.to_ne_bytes();
                 setsockopt(
                     handle,
-                    IPPROTO_IPV6 as i32,
-                    IPV6_UNICAST_IF as i32,
-                    &if_index as *const _ as PCSTR,
-                    mem::size_of_val(&if_index) as i32,
+                    IPPROTO_IPV6.0,
+                    IPV6_UNICAST_IF,
+                    Some(&if_index_bytes),
                 )
             }
         };
 
         if ret == SOCKET_ERROR {
-            let err = io::Error::from_raw_os_error(WSAGetLastError());
+            let err = std::io::Error::from_raw_os_error(WSAGetLastError().0);
             tracing::error!(
                 "set IP_UNICAST_IF / IPV6_UNICAST_IF interface: {}, index: {}, error: {}",
                 iface,
@@ -152,4 +143,95 @@ pub fn setup_socket_for_win<S: AsRawSocket>(
     }
 
     Ok(())
-}
+}
+
+struct ComInitializer;
+
+impl ComInitializer {
+    fn new() -> windows::core::Result<Self> {
+        unsafe { CoInitializeEx(None, COINIT_MULTITHREADED)? };
+        Ok(Self)
+    }
+}
+
+impl Drop for ComInitializer {
+    fn drop(&mut self) {
+        unsafe {
+            CoUninitialize();
+        }
+    }
+}
+
+pub fn do_add_self_to_firewall_allowlist(inbound: bool) -> anyhow::Result<()> {
+    let _com = ComInitializer::new()?;
+    // 创建防火墙策略实例
+    let policy: INetFwPolicy2 = unsafe {
+        CoCreateInstance(
+            &windows::Win32::NetworkManagement::WindowsFirewall::NetFwPolicy2,
+            None,
+            CLSCTX_ALL,
+        )
+    }?;
+
+    // 创建防火墙规则实例
+    let rule: INetFwRule = unsafe {
+        CoCreateInstance(
+            &windows::Win32::NetworkManagement::WindowsFirewall::NetFwRule,
+            None,
+            CLSCTX_ALL,
+        )
+    }?;
+
+    // 设置规则属性
+    let exe_path = std::env::current_exe()
+        .with_context(|| "Failed to get current executable path when adding firewall rule")?
+        .to_string_lossy()
+        .replace(r"\\?\", "");
+
+    let name = BSTR::from(format!(
+        "EasyTier {} ({})",
+        exe_path,
+        if inbound { "Inbound" } else { "Outbound" }
+    ));
+    let desc = BSTR::from("Allow EasyTier to do subnet proxy and kcp proxy");
+    let app_path = BSTR::from(&exe_path);
+
+    unsafe {
+        rule.SetName(&name)?;
+        rule.SetDescription(&desc)?;
+        rule.SetApplicationName(&app_path)?;
+        rule.SetAction(NET_FW_ACTION_ALLOW)?;
+        if inbound {
+            rule.SetDirection(NET_FW_RULE_DIR_IN)?; // 允许入站连接
+        } else {
+            rule.SetDirection(NET_FW_RULE_DIR_OUT)?; // 允许出站连接
+        }
+        rule.SetEnabled(windows::Win32::Foundation::VARIANT_TRUE)?;
+        rule.SetProfiles(NET_FW_PROFILE2_PRIVATE.0 | NET_FW_PROFILE2_PUBLIC.0)?;
+        rule.SetGrouping(&BSTR::from("EasyTier"))?;
+
+        // 获取规则集合并添加新规则
+        let rules = policy.Rules()?;
+        rules.Remove(&name)?; // 先删除同名规则
+        rules.Add(&rule)?;
+    }
+
+    Ok(())
+}
+
+pub fn add_self_to_firewall_allowlist() -> anyhow::Result<()> {
+    do_add_self_to_firewall_allowlist(true)?;
+    do_add_self_to_firewall_allowlist(false)?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_add_self_to_firewall_allowlist() {
+        let res = add_self_to_firewall_allowlist();
+        assert!(res.is_ok());
+    }
+}

easytier/src/common/ifcfg/netlink.rs

@@ -377,16 +377,18 @@ impl IfConfiguerTrait for NetlinkIfConfiger {
 
     async fn remove_ipv4_route(
         &self,
-        _name: &str,
+        name: &str,
         address: Ipv4Addr,
         cidr_prefix: u8,
     ) -> Result<(), Error> {
         let routes = Self::list_routes()?;
+        let ifidx = NetlinkIfConfiger::get_interface_index(name)?;
 
         for msg in routes {
             let other_route: Route = msg.clone().into();
             if other_route.destination == std::net::IpAddr::V4(address)
                 && other_route.prefix == cidr_prefix
+                && other_route.ifindex == Some(ifidx)
             {
                 send_netlink_req_and_wait_one_resp(RouteNetlinkMessage::DelRoute(msg), true)?;
                 return Ok(());

easytier/src/connector/udp_hole_punch/sym_to_cone.rs

@@ -580,13 +580,15 @@ pub mod tests {
         )
         .await;
 
+        println!("start punching {:?}", p_a.list_routes().await);
+
         wait_for_condition(
             || async {
                 wait_route_appear_with_cost(p_a.clone(), p_c.my_peer_id(), Some(1))
                     .await
                     .is_ok()
             },
-            Duration::from_secs(5),
+            Duration::from_secs(10),
         )
         .await;
         println!("{:?}", p_a.list_routes().await);

easytier/src/easytier-cli.rs

@@ -20,7 +20,8 @@ use easytier::{
             DumpRouteRequest, GetVpnPortalInfoRequest, ListConnectorRequest,
             ListForeignNetworkRequest, ListGlobalForeignNetworkRequest, ListPeerRequest,
             ListPeerResponse, ListRouteRequest, ListRouteResponse, NodeInfo, PeerManageRpc,
-            PeerManageRpcClientFactory, ShowNodeInfoRequest, VpnPortalRpc,
+            PeerManageRpcClientFactory, ShowNodeInfoRequest, TcpProxyEntryState,
+            TcpProxyEntryTransportType, TcpProxyRpc, TcpProxyRpcClientFactory, VpnPortalRpc,
             VpnPortalRpcClientFactory,
         },
         common::NatType,
@@ -50,14 +51,24 @@ struct Cli {
 
 #[derive(Subcommand, Debug)]
 enum SubCommand {
+    #[command(about = "show peers info")]
     Peer(PeerArgs),
+    #[command(about = "manage connectors")]
     Connector(ConnectorArgs),
+    #[command(about = "do stun test")]
     Stun,
+    #[command(about = "show route info")]
     Route(RouteArgs),
+    #[command(about = "show global peers info")]
     PeerCenter,
+    #[command(about = "show vpn portal (wireguard) info")]
     VpnPortal,
+    #[command(about = "inspect self easytier-core status")]
     Node(NodeArgs),
+    #[command(about = "manage easytier-core as a system service")]
     Service(ServiceArgs),
+    #[command(about = "show tcp/kcp proxy status")]
+    Proxy,
 }
 
 #[derive(Args, Debug)]
@@ -114,7 +125,9 @@ enum ConnectorSubCommand {
 
 #[derive(Subcommand, Debug)]
 enum NodeSubCommand {
+    #[command(about = "show node info")]
     Info,
+    #[command(about = "show node config")]
     Config,
 }
 
@@ -135,10 +148,15 @@ struct ServiceArgs {
 
 #[derive(Subcommand, Debug)]
 enum ServiceSubCommand {
+    #[command(about = "register easytier-core as a system service")]
     Install(InstallArgs),
+    #[command(about = "unregister easytier-core system service")]
     Uninstall,
+    #[command(about = "check easytier-core system service status")]
     Status,
+    #[command(about = "start easytier-core system service")]
     Start,
+    #[command(about = "stop easytier-core system service")]
     Stop,
 }
 
@@ -153,13 +171,17 @@ struct InstallArgs {
     #[arg(long, default_value = "false")]
     disable_autostart: bool,
 
-    #[arg(long)]
+    #[arg(long, help = "path to easytier-core binary")]
     core_path: Option<PathBuf>,
 
     #[arg(long)]
     service_work_dir: Option<PathBuf>,
 
-    #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+    #[arg(
+        trailing_var_arg = true,
+        allow_hyphen_values = true,
+        help = "args to pass to easytier-core"
+    )]
     core_args: Option<Vec<OsString>>,
 }
 
@@ -221,6 +243,19 @@ impl CommandHandler {
             .with_context(|| "failed to get vpn portal client")?)
     }
 
+    async fn get_tcp_proxy_client(
+        &self,
+        transport_type: &str,
+    ) -> Result<Box<dyn TcpProxyRpc<Controller = BaseController>>, Error> {
+        Ok(self
+            .client
+            .lock()
+            .unwrap()
+            .scoped_client::<TcpProxyRpcClientFactory<BaseController>>(transport_type.to_string())
+            .await
+            .with_context(|| "failed to get vpn portal client")?)
+    }
+
     async fn list_peers(&self) -> Result<ListPeerResponse, Error> {
         let client = self.get_peer_manager_client().await?;
         let request = ListPeerRequest::default();
@@ -647,12 +682,22 @@ impl Service {
             environment: None,
         };
         if self.status()? != ServiceStatus::NotInstalled {
-            return Err(anyhow::anyhow!("Service is already installed"));
+            return Err(anyhow::anyhow!(
+                "Service is already installed! Service Name: {}",
+                self.lable
+            ));
         }
 
         self.service_manager
-            .install(ctx)
-            .map_err(|e| anyhow::anyhow!("failed to install service: {}", e))
+            .install(ctx.clone())
+            .map_err(|e| anyhow::anyhow!("failed to install service: {:?}", e))?;
+
+        println!(
+            "Service installed successfully! Service Name: {}",
+            self.lable
+        );
+
+        Ok(())
     }
 
     pub fn uninstall(&self) -> Result<(), Error> {
@@ -769,7 +814,8 @@ impl Service {
         writeln!(unit_content, "Type=simple")?;
         writeln!(unit_content, "WorkingDirectory={work_dir}")?;
         writeln!(unit_content, "ExecStart={target_app} {args}")?;
-        writeln!(unit_content, "Restart=Always")?;
+        writeln!(unit_content, "Restart=always")?;
+        writeln!(unit_content, "RestartSec=1")?;
         writeln!(unit_content, "LimitNOFILE=infinity")?;
         writeln!(unit_content)?;
         writeln!(unit_content, "[Install]")?;
@@ -1088,6 +1134,57 @@ async fn main() -> Result<(), Error> {
                 }
             }
         }
+        SubCommand::Proxy => {
+            let mut entries = vec![];
+            let client = handler.get_tcp_proxy_client("tcp").await?;
+            let ret = client
+                .list_tcp_proxy_entry(BaseController::default(), Default::default())
+                .await;
+            entries.extend(ret.unwrap_or_default().entries);
+
+            let client = handler.get_tcp_proxy_client("kcp_src").await?;
+            let ret = client
+                .list_tcp_proxy_entry(BaseController::default(), Default::default())
+                .await;
+            entries.extend(ret.unwrap_or_default().entries);
+
+            let client = handler.get_tcp_proxy_client("kcp_dst").await?;
+            let ret = client
+                .list_tcp_proxy_entry(BaseController::default(), Default::default())
+                .await;
+            entries.extend(ret.unwrap_or_default().entries);
+
+            #[derive(tabled::Tabled)]
+            struct TableItem {
+                src: String,
+                dst: String,
+                start_time: String,
+                state: String,
+                transport_type: String,
+            }
+
+            let table_rows = entries
+                .iter()
+                .map(|e| TableItem {
+                    src: SocketAddr::from(e.src.unwrap_or_default()).to_string(),
+                    dst: SocketAddr::from(e.dst.unwrap_or_default()).to_string(),
+                    start_time: chrono::DateTime::<chrono::Utc>::from_timestamp_millis(
+                        (e.start_time * 1000) as i64,
+                    )
+                    .unwrap()
+                    .with_timezone(&chrono::Local)
+                    .format("%Y-%m-%d %H:%M:%S")
+                    .to_string(),
+                    state: format!("{:?}", TcpProxyEntryState::try_from(e.state).unwrap()),
+                    transport_type: format!(
+                        "{:?}",
+                        TcpProxyEntryTransportType::try_from(e.transport_type).unwrap()
+                    ),
+                })
+                .collect::<Vec<_>>();
+
+            println!("{}", tabled::Table::new(table_rows).with(Style::modern()));
+        }
     }
 
     Ok(())

easytier/src/easytier-core.rs

@@ -323,7 +323,7 @@ struct Cli {
 
     #[arg(
         long,
-        help = t!("core_clap.enable_kcp_proxy").to_string(),
+        help = t!("core_clap.disable_kcp_input").to_string(),
         default_value = "false"
     )]
     disable_kcp_input: bool,

easytier/src/gateway/icmp_proxy.rs

@@ -6,6 +6,7 @@ use std::{
     time::Duration,
 };
 
+use anyhow::Context;
 use pnet::packet::{
     icmp::{self, echo_reply::MutableEchoReplyPacket, IcmpCode, IcmpTypes, MutableIcmpPacket},
     ip::IpNextHeaderProtocols,
@@ -212,7 +213,7 @@ impl IcmpProxy {
             Err(e) => {
                 tracing::warn!("create icmp socket failed: {:?}", e);
                 if !self.global_ctx.no_tun() {
-                    return Err(e);
+                    return Err(anyhow::anyhow!("create icmp socket failed: {:?}", e).into());
                 }
             }
         }
@@ -281,10 +282,15 @@ impl IcmpProxy {
         dst_ip: Ipv4Addr,
         icmp_packet: &icmp::echo_request::EchoRequestPacket,
     ) -> Result<(), Error> {
-        self.socket.lock().unwrap().as_ref().unwrap().send_to(
-            icmp_packet.packet(),
-            &SocketAddrV4::new(dst_ip.into(), 0).into(),
-        )?;
+        self.socket
+            .lock()
+            .unwrap()
+            .as_ref()
+            .with_context(|| "icmp socket not created")?
+            .send_to(
+                icmp_packet.packet(),
+                &SocketAddrV4::new(dst_ip.into(), 0).into(),
+            )?;
 
         Ok(())
     }

easytier/src/gateway/kcp_proxy.rs

@@ -1,18 +1,24 @@
 use std::{
     net::{IpAddr, Ipv4Addr, SocketAddr},
-    sync::Arc,
+    sync::{Arc, Weak},
     time::Duration,
 };
 
 use anyhow::Context;
 use bytes::Bytes;
+use dashmap::DashMap;
 use kcp_sys::{
-    endpoint::{KcpEndpoint, KcpPacketReceiver},
+    endpoint::{ConnId, KcpEndpoint, KcpPacketReceiver},
     ffi_safe::KcpConfig,
     packet_def::KcpPacket,
     stream::KcpStream,
 };
-use pnet::packet::{ip::IpNextHeaderProtocols, ipv4::Ipv4Packet};
+use pnet::packet::{
+    ip::IpNextHeaderProtocols,
+    ipv4::Ipv4Packet,
+    tcp::{TcpFlags, TcpPacket},
+    Packet as _,
+};
 use prost::Message;
 use tokio::{io::copy_bidirectional, task::JoinSet};
 
@@ -26,7 +32,14 @@ use crate::{
         global_ctx::{ArcGlobalCtx, GlobalCtx},
     },
     peers::{peer_manager::PeerManager, NicPacketFilter, PeerPacketFilter},
-    proto::peer_rpc::KcpConnData,
+    proto::{
+        cli::{
+            ListTcpProxyEntryRequest, ListTcpProxyEntryResponse, TcpProxyEntry, TcpProxyEntryState,
+            TcpProxyEntryTransportType, TcpProxyRpc,
+        },
+        peer_rpc::KcpConnData,
+        rpc_types::{self, controller::BaseController},
+    },
     tunnel::packet_def::{PacketType, PeerManagerHeader, ZCPacket},
 };
 
@@ -101,8 +114,9 @@ pub struct NatDstKcpConnector {
 impl NatDstConnector for NatDstKcpConnector {
     type DstStream = KcpStream;
 
-    async fn connect(&self, nat_dst: SocketAddr) -> Result<Self::DstStream> {
+    async fn connect(&self, src: SocketAddr, nat_dst: SocketAddr) -> Result<Self::DstStream> {
         let conn_data = KcpConnData {
+            src: Some(src.into()),
             dst: Some(nat_dst.into()),
         };
 
@@ -138,7 +152,6 @@ impl NatDstConnector for NatDstKcpConnector {
     }
 
     fn check_packet_from_peer_fast(&self, _cidr_set: &CidrSet, _global_ctx: &GlobalCtx) -> bool {
-        // if kcp is turned off, the filter will not be added to the pipeline
         true
     }
 
@@ -146,10 +159,14 @@ impl NatDstConnector for NatDstKcpConnector {
         &self,
         _cidr_set: &CidrSet,
         _global_ctx: &GlobalCtx,
-        _hdr: &PeerManagerHeader,
+        hdr: &PeerManagerHeader,
         _ipv4: &Ipv4Packet,
     ) -> bool {
-        true
+        return hdr.from_peer_id == hdr.to_peer_id;
+    }
+
+    fn transport_type(&self) -> TcpProxyEntryTransportType {
+        TcpProxyEntryTransportType::Kcp
     }
 }
 
@@ -186,21 +203,45 @@ impl NicPacketFilter for TcpProxyForKcpSrc {
             return true;
         }
 
-        let Some(my_ipv4) = self.0.get_global_ctx().get_ipv4() else {
-            return false;
-        };
-
         let data = zc_packet.payload();
         let ip_packet = Ipv4Packet::new(data).unwrap();
         if ip_packet.get_version() != 4
-        // TODO: how to support net to net kcp proxy?
-            || ip_packet.get_source() != my_ipv4.address()
             || ip_packet.get_next_level_protocol() != IpNextHeaderProtocols::Tcp
-            || !self.check_dst_allow_kcp_input(&ip_packet.get_destination()).await
         {
             return false;
         }
 
+        // if no connection is established, only allow SYN packet
+        let tcp_packet = TcpPacket::new(ip_packet.payload()).unwrap();
+        let is_syn = tcp_packet.get_flags() & TcpFlags::SYN != 0
+            && tcp_packet.get_flags() & TcpFlags::ACK == 0;
+        if is_syn {
+            // only check dst feature flag when SYN packet
+            if !self
+                .check_dst_allow_kcp_input(&ip_packet.get_destination())
+                .await
+            {
+                return false;
+            }
+        } else {
+            // if not syn packet, only allow established connection
+            if !self.0.is_tcp_proxy_connection(SocketAddr::new(
+                IpAddr::V4(ip_packet.get_source()),
+                tcp_packet.get_source(),
+            )) {
+                return false;
+            }
+        }
+
+        if let Some(my_ipv4) = self.0.get_global_ctx().get_ipv4() {
+            // this is a net-to-net packet, only allow it when smoltcp is enabled
+            // because the syn-ack packet will not be through and handled by the tun device when
+            // the source ip is in the local network
+            if ip_packet.get_source() != my_ipv4.address() && !self.0.is_smoltcp_enabled() {
+                return false;
+            }
+        };
+
         zc_packet.mut_peer_manager_header().unwrap().to_peer_id = self.0.get_my_peer_id().into();
 
         true
@@ -254,11 +295,16 @@ impl KcpProxySrc {
             .await;
         self.tcp_proxy.0.start(false).await.unwrap();
     }
+
+    pub fn get_tcp_proxy(&self) -> Arc<TcpProxy<NatDstKcpConnector>> {
+        self.tcp_proxy.0.clone()
+    }
 }
 
 pub struct KcpProxyDst {
     kcp_endpoint: Arc<KcpEndpoint>,
     peer_manager: Arc<PeerManager>,
+    proxy_entries: Arc<DashMap<ConnId, TcpProxyEntry>>,
     tasks: JoinSet<()>,
 }
 
@@ -278,6 +324,7 @@ impl KcpProxyDst {
         Self {
             kcp_endpoint: Arc::new(kcp_endpoint),
             peer_manager,
+            proxy_entries: Arc::new(DashMap::new()),
             tasks,
         }
     }
@@ -286,6 +333,7 @@ impl KcpProxyDst {
     async fn handle_one_in_stream(
         mut kcp_stream: KcpStream,
         global_ctx: ArcGlobalCtx,
+        proxy_entries: Arc<DashMap<ConnId, TcpProxyEntry>>,
     ) -> Result<()> {
         let mut conn_data = kcp_stream.conn_data().clone();
         let parsed_conn_data = KcpConnData::decode(&mut conn_data)
@@ -298,6 +346,21 @@ impl KcpProxyDst {
             ))?
             .into();
 
+        let conn_id = kcp_stream.conn_id();
+        proxy_entries.insert(
+            conn_id,
+            TcpProxyEntry {
+                src: parsed_conn_data.src,
+                dst: parsed_conn_data.dst,
+                start_time: chrono::Local::now().timestamp() as u64,
+                state: TcpProxyEntryState::ConnectingDst.into(),
+                transport_type: TcpProxyEntryTransportType::Kcp.into(),
+            },
+        );
+        crate::defer! {
+            proxy_entries.remove(&conn_id);
+        }
+
         if Some(dst_socket.ip()) == global_ctx.get_ipv4().map(|ip| IpAddr::V4(ip.address())) {
             dst_socket = format!("127.0.0.1:{}", dst_socket.port()).parse().unwrap();
         }
@@ -306,7 +369,13 @@ impl KcpProxyDst {
 
         let _g = global_ctx.net_ns.guard();
         let connector = NatDstTcpConnector {};
-        let mut ret = connector.connect(dst_socket).await?;
+        let mut ret = connector
+            .connect("0.0.0.0:0".parse().unwrap(), dst_socket)
+            .await?;
+
+        if let Some(mut e) = proxy_entries.get_mut(&kcp_stream.conn_id()) {
+            e.state = TcpProxyEntryState::Connected.into();
+        }
 
         copy_bidirectional(&mut ret, &mut kcp_stream).await?;
         Ok(())
@@ -315,6 +384,7 @@ impl KcpProxyDst {
     async fn run_accept_task(&mut self) {
         let kcp_endpoint = self.kcp_endpoint.clone();
         let global_ctx = self.peer_manager.get_global_ctx().clone();
+        let proxy_entries = self.proxy_entries.clone();
         self.tasks.spawn(async move {
             while let Ok(conn) = kcp_endpoint.accept().await {
                 let stream = KcpStream::new(&kcp_endpoint, conn)
@@ -322,8 +392,9 @@ impl KcpProxyDst {
                     .unwrap();
 
                 let global_ctx = global_ctx.clone();
+                let proxy_entries = proxy_entries.clone();
                 tokio::spawn(async move {
-                    let _ = Self::handle_one_in_stream(stream, global_ctx).await;
+                    let _ = Self::handle_one_in_stream(stream, global_ctx, proxy_entries).await;
                 });
             }
         });
@@ -339,3 +410,30 @@ impl KcpProxyDst {
             .await;
     }
 }
+
+#[derive(Clone)]
+pub struct KcpProxyDstRpcService(Weak<DashMap<ConnId, TcpProxyEntry>>);
+
+impl KcpProxyDstRpcService {
+    pub fn new(kcp_proxy_dst: &KcpProxyDst) -> Self {
+        Self(Arc::downgrade(&kcp_proxy_dst.proxy_entries))
+    }
+}
+
+#[async_trait::async_trait]
+impl TcpProxyRpc for KcpProxyDstRpcService {
+    type Controller = BaseController;
+    async fn list_tcp_proxy_entry(
+        &self,
+        _: BaseController,
+        _request: ListTcpProxyEntryRequest, // Accept request of type HelloRequest
+    ) -> std::result::Result<ListTcpProxyEntryResponse, rpc_types::error::Error> {
+        let mut reply = ListTcpProxyEntryResponse::default();
+        if let Some(tcp_proxy) = self.0.upgrade() {
+            for item in tcp_proxy.iter() {
+                reply.entries.push(item.value().clone());
+            }
+        }
+        Ok(reply)
+    }
+}

easytier/src/gateway/tcp_proxy.rs

@@ -10,9 +10,9 @@ use pnet::packet::MutablePacket;
 use pnet::packet::Packet;
 use std::net::{IpAddr, Ipv4Addr, SocketAddr, SocketAddrV4};
 use std::sync::atomic::{AtomicBool, AtomicU16};
-use std::sync::Arc;
+use std::sync::{Arc, Weak};
 use std::time::{Duration, Instant};
-use tokio::io::{copy_bidirectional, AsyncRead, AsyncWrite};
+use tokio::io::{copy_bidirectional, AsyncRead, AsyncWrite, AsyncWriteExt};
 use tokio::net::{TcpListener, TcpSocket, TcpStream};
 use tokio::sync::{mpsc, Mutex};
 use tokio::task::JoinSet;
@@ -24,6 +24,12 @@ use crate::common::join_joinset_background;
 
 use crate::peers::peer_manager::PeerManager;
 use crate::peers::{NicPacketFilter, PeerPacketFilter};
+use crate::proto::cli::{
+    ListTcpProxyEntryRequest, ListTcpProxyEntryResponse, TcpProxyEntry, TcpProxyEntryState,
+    TcpProxyEntryTransportType, TcpProxyRpc,
+};
+use crate::proto::rpc_types;
+use crate::proto::rpc_types::controller::BaseController;
 use crate::tunnel::packet_def::{PacketType, PeerManagerHeader, ZCPacket};
 
 use super::CidrSet;
@@ -35,7 +41,7 @@ use super::tokio_smoltcp::{self, channel_device, Net, NetConfig};
 pub(crate) trait NatDstConnector: Send + Sync + Clone + 'static {
     type DstStream: AsyncRead + AsyncWrite + Unpin + Send;
 
-    async fn connect(&self, dst: SocketAddr) -> Result<Self::DstStream>;
+    async fn connect(&self, src: SocketAddr, dst: SocketAddr) -> Result<Self::DstStream>;
     fn check_packet_from_peer_fast(&self, cidr_set: &CidrSet, global_ctx: &GlobalCtx) -> bool;
     fn check_packet_from_peer(
         &self,
@@ -44,6 +50,7 @@ pub(crate) trait NatDstConnector: Send + Sync + Clone + 'static {
         hdr: &PeerManagerHeader,
         ipv4: &Ipv4Packet,
     ) -> bool;
+    fn transport_type(&self) -> TcpProxyEntryTransportType;
 }
 
 #[derive(Debug, Clone)]
@@ -53,7 +60,7 @@ pub struct NatDstTcpConnector;
 impl NatDstConnector for NatDstTcpConnector {
     type DstStream = TcpStream;
 
-    async fn connect(&self, nat_dst: SocketAddr) -> Result<Self::DstStream> {
+    async fn connect(&self, _src: SocketAddr, nat_dst: SocketAddr) -> Result<Self::DstStream> {
         let socket = TcpSocket::new_v4().unwrap();
         if let Err(e) = socket.set_nodelay(true) {
             tracing::warn!("set_nodelay failed, ignore it: {:?}", e);
@@ -90,19 +97,13 @@ impl NatDstConnector for NatDstTcpConnector {
 
         true
     }
+
+    fn transport_type(&self) -> TcpProxyEntryTransportType {
+        TcpProxyEntryTransportType::Tcp
+    }
 }
 
-#[derive(Debug, Clone, Copy, PartialEq)]
-enum NatDstEntryState {
-    // receive syn packet but not start connecting to dst
-    SynReceived,
-    // connecting to dst
-    ConnectingDst,
-    // connected to dst
-    Connected,
-    // connection closed
-    Closed,
-}
+type NatDstEntryState = TcpProxyEntryState;
 
 #[derive(Debug)]
 pub struct NatDstEntry {
@@ -110,6 +111,7 @@ pub struct NatDstEntry {
     src: SocketAddr,
     dst: SocketAddr,
     start_time: Instant,
+    start_time_local: chrono::DateTime<chrono::Local>,
     tasks: Mutex<JoinSet<()>>,
     state: AtomicCell<NatDstEntryState>,
 }
@@ -121,10 +123,21 @@ impl NatDstEntry {
             src,
             dst,
             start_time: Instant::now(),
+            start_time_local: chrono::Local::now(),
             tasks: Mutex::new(JoinSet::new()),
             state: AtomicCell::new(NatDstEntryState::SynReceived),
         }
     }
+
+    fn into_pb(&self, transport_type: TcpProxyEntryTransportType) -> TcpProxyEntry {
+        TcpProxyEntry {
+            src: Some(self.src.clone().into()),
+            dst: Some(self.dst.clone().into()),
+            start_time: self.start_time_local.timestamp() as u64,
+            state: self.state.load().into(),
+            transport_type: transport_type.into(),
+        }
+    }
 }
 
 enum ProxyTcpStream {
@@ -145,6 +158,20 @@ impl ProxyTcpStream {
         }
     }
 
+    pub async fn shutdown(&mut self) -> Result<()> {
+        match self {
+            Self::KernelTcpStream(stream) => {
+                stream.shutdown().await?;
+                Ok(())
+            }
+            #[cfg(feature = "smoltcp")]
+            Self::SmolTcpStream(stream) => {
+                stream.shutdown().await?;
+                Ok(())
+            }
+        }
+    }
+
     pub async fn copy_bidirectional<D: AsyncRead + AsyncWrite + Unpin>(
         &mut self,
         dst: &mut D,
@@ -452,7 +479,10 @@ impl<C: NatDstConnector> TcpProxy<C> {
 
     async fn get_proxy_listener(&self) -> Result<ProxyTcpListener> {
         #[cfg(feature = "smoltcp")]
-        if self.global_ctx.get_flags().use_smoltcp || self.global_ctx.no_tun() {
+        if self.global_ctx.get_flags().use_smoltcp
+            || self.global_ctx.no_tun()
+            || cfg!(target_os = "android")
+        {
             // use smoltcp network stack
             self.local_port
                 .store(8899, std::sync::atomic::Ordering::Relaxed);
@@ -641,7 +671,7 @@ impl<C: NatDstConnector> TcpProxy<C> {
         };
 
         let _guard = global_ctx.net_ns.guard();
-        let Ok(dst_tcp_stream) = connector.connect(nat_dst).await else {
+        let Ok(dst_tcp_stream) = connector.connect(nat_entry.src, nat_dst).await else {
             tracing::error!("connect to dst failed: {:?}", nat_entry);
             nat_entry.state.store(NatDstEntryState::Closed);
             Self::remove_entry_from_all_conn_map(conn_map, addr_conn_map, nat_entry);
@@ -676,7 +706,15 @@ impl<C: NatDstConnector> TcpProxy<C> {
             let ret = src_tcp_stream.copy_bidirectional(&mut dst_tcp_stream).await;
             tracing::info!(nat_entry = ?nat_entry_clone, ret = ?ret, "nat tcp connection closed");
             nat_entry_clone.state.store(NatDstEntryState::Closed);
+
+            let ret = src_tcp_stream.shutdown().await;
+            tracing::info!(nat_entry = ?nat_entry_clone, ret = ?ret, "src tcp stream shutdown");
+
+            let ret = dst_tcp_stream.shutdown().await;
+            tracing::info!(nat_entry = ?nat_entry_clone, ret = ?ret, "dst tcp stream shutdown");
+
             drop(src_tcp_stream);
+            drop(dst_tcp_stream);
 
             // sleep later so the fin packet can be processed
             tokio::time::sleep(Duration::from_secs(10)).await;
@@ -795,4 +833,49 @@ impl<C: NatDstConnector> TcpProxy<C> {
     pub fn get_peer_manager(&self) -> &Arc<PeerManager> {
         &self.peer_manager
     }
+
+    pub fn is_tcp_proxy_connection(&self, src: SocketAddr) -> bool {
+        self.syn_map.contains_key(&src) || self.addr_conn_map.contains_key(&src)
+    }
+
+    pub fn list_proxy_entries(&self) -> Vec<TcpProxyEntry> {
+        let mut entries: Vec<TcpProxyEntry> = Vec::new();
+        let transport_type = self.connector.transport_type();
+        for entry in self.syn_map.iter() {
+            entries.push(entry.value().as_ref().into_pb(transport_type));
+        }
+        for entry in self.conn_map.iter() {
+            entries.push(entry.value().as_ref().into_pb(transport_type));
+        }
+        entries
+    }
+}
+
+#[derive(Clone)]
+pub struct TcpProxyRpcService<C: NatDstConnector> {
+    tcp_proxy: Weak<TcpProxy<C>>,
+}
+
+#[async_trait::async_trait]
+impl<C: NatDstConnector> TcpProxyRpc for TcpProxyRpcService<C> {
+    type Controller = BaseController;
+    async fn list_tcp_proxy_entry(
+        &self,
+        _: BaseController,
+        _request: ListTcpProxyEntryRequest, // Accept request of type HelloRequest
+    ) -> std::result::Result<ListTcpProxyEntryResponse, rpc_types::error::Error> {
+        let mut reply = ListTcpProxyEntryResponse::default();
+        if let Some(tcp_proxy) = self.tcp_proxy.upgrade() {
+            reply.entries = tcp_proxy.list_proxy_entries();
+        }
+        Ok(reply)
+    }
+}
+
+impl<C: NatDstConnector> TcpProxyRpcService<C> {
+    pub fn new(tcp_proxy: Arc<TcpProxy<C>>) -> Self {
+        Self {
+            tcp_proxy: Arc::downgrade(&tcp_proxy),
+        }
+    }
 }

easytier/src/gateway/tokio_smoltcp/socket_allocator.rs

@@ -2,6 +2,7 @@ use parking_lot::Mutex;
 use smoltcp::{
     iface::{SocketHandle as InnerSocketHandle, SocketSet},
     socket::tcp,
+    time::Duration,
 };
 use std::{
     ops::{Deref, DerefMut},
@@ -53,6 +54,8 @@ impl SocketAlloctor {
         let tx_buffer = tcp::SocketBuffer::new(vec![0; self.buffer_size.tcp_tx_size]);
         let mut tcp = tcp::Socket::new(rx_buffer, tx_buffer);
         tcp.set_nagle_enabled(false);
+        tcp.set_keep_alive(Some(Duration::from_secs(10)));
+        tcp.set_timeout(Some(Duration::from_secs(60)));
 
         tcp
     }

easytier/src/instance/instance.rs

@@ -17,8 +17,8 @@ use crate::connector::direct::DirectConnectorManager;
 use crate::connector::manual::{ConnectorManagerRpcService, ManualConnectorManager};
 use crate::connector::udp_hole_punch::UdpHolePunchConnector;
 use crate::gateway::icmp_proxy::IcmpProxy;
-use crate::gateway::kcp_proxy::{KcpProxyDst, KcpProxySrc};
-use crate::gateway::tcp_proxy::{NatDstTcpConnector, TcpProxy};
+use crate::gateway::kcp_proxy::{KcpProxyDst, KcpProxyDstRpcService, KcpProxySrc};
+use crate::gateway::tcp_proxy::{NatDstTcpConnector, TcpProxy, TcpProxyRpcService};
 use crate::gateway::udp_proxy::UdpProxy;
 use crate::peer_center::instance::PeerCenterInstance;
 use crate::peers::peer_conn::PeerConnId;
@@ -380,15 +380,6 @@ impl Instance {
             self.check_dhcp_ip_conflict();
         }
 
-        self.run_rpc_server().await?;
-
-        // run after tun device created, so listener can bind to tun device, which may be required by win 10
-        self.ip_proxy = Some(IpProxy::new(
-            self.get_global_ctx(),
-            self.get_peer_manager(),
-        )?);
-        self.run_ip_proxy().await?;
-
         if self.global_ctx.get_flags().enable_kcp_proxy {
             let src_proxy = KcpProxySrc::new(self.get_peer_manager()).await;
             src_proxy.start().await;
@@ -401,6 +392,13 @@ impl Instance {
             self.kcp_proxy_dst = Some(dst_proxy);
         }
 
+        // run after tun device created, so listener can bind to tun device, which may be required by win 10
+        self.ip_proxy = Some(IpProxy::new(
+            self.get_global_ctx(),
+            self.get_peer_manager(),
+        )?);
+        self.run_ip_proxy().await?;
+
         self.udp_hole_puncher.lock().await.run().await?;
 
         self.peer_center.init().await;
@@ -419,6 +417,8 @@ impl Instance {
         #[cfg(feature = "socks5")]
         self.socks5_server.run().await?;
 
+        self.run_rpc_server().await?;
+
         Ok(())
     }
 
@@ -541,6 +541,26 @@ impl Instance {
         s.registry()
             .register(VpnPortalRpcServer::new(vpn_portal_rpc), "");
 
+        if let Some(ip_proxy) = self.ip_proxy.as_ref() {
+            s.registry().register(
+                TcpProxyRpcServer::new(TcpProxyRpcService::new(ip_proxy.tcp_proxy.clone())),
+                "tcp",
+            );
+        }
+        if let Some(kcp_proxy) = self.kcp_proxy_src.as_ref() {
+            s.registry().register(
+                TcpProxyRpcServer::new(TcpProxyRpcService::new(kcp_proxy.get_tcp_proxy())),
+                "kcp_src",
+            );
+        }
+
+        if let Some(kcp_proxy) = self.kcp_proxy_dst.as_ref() {
+            s.registry().register(
+                TcpProxyRpcServer::new(KcpProxyDstRpcService::new(kcp_proxy)),
+                "kcp_dst",
+            );
+        }
+
         let _g = self.global_ctx.net_ns.guard();
         Ok(s.serve().await.with_context(|| "rpc server start failed")?)
     }

easytier/src/instance/virtual_nic.rs

@@ -349,6 +349,15 @@ impl VirtualNic {
         {
             let dev_name = self.global_ctx.get_flags().dev_name;
 
+            match crate::arch::windows::add_self_to_firewall_allowlist() {
+                Ok(_) => tracing::info!("add_self_to_firewall_allowlist successful!"),
+                Err(e) => {
+                    println!("Failed to add Easytier to firewall allowlist, Subnet proxy and KCP proxy may not work properly. error: {}", e);
+                    println!("You can add firewall rules manually, or use --use-smoltcp to run with user-space TCP/IP stack.");
+                    println!("");
+                }
+            }
+
             match checkreg(&dev_name) {
                 Ok(_) => tracing::trace!("delete successful!"),
                 Err(e) => tracing::error!("An error occurred: {}", e),

easytier/src/launcher.rs

@@ -256,7 +256,7 @@ impl EasyTierLauncher {
                 fetch_node_info,
             ));
             if let Err(e) = ret {
-                error_msg.write().unwrap().replace(e.to_string());
+                error_msg.write().unwrap().replace(format!("{:?}", e));
             }
             instance_alive.store(false, std::sync::atomic::Ordering::Relaxed);
             notifier.notify_one();

easytier/src/proto/cli.proto

@@ -177,3 +177,39 @@ service VpnPortalRpc {
   rpc GetVpnPortalInfo(GetVpnPortalInfoRequest)
       returns (GetVpnPortalInfoResponse);
 }
+
+enum TcpProxyEntryTransportType {
+  TCP = 0;
+  KCP = 1;
+}
+
+enum TcpProxyEntryState {
+    Unknown = 0;
+    // receive syn packet but not start connecting to dst
+    SynReceived = 1;
+    // connecting to dst
+    ConnectingDst = 2;
+    // connected to dst
+    Connected = 3;
+    // connection closed
+    Closed = 4;
+}
+
+message TcpProxyEntry {
+  common.SocketAddr src = 1;
+  common.SocketAddr dst = 2;
+  uint64 start_time = 3;
+  TcpProxyEntryState state = 4;
+  TcpProxyEntryTransportType transport_type = 5;
+}
+
+message ListTcpProxyEntryRequest {}
+
+message ListTcpProxyEntryResponse {
+  repeated TcpProxyEntry entries = 1;
+}
+
+service TcpProxyRpc {
+  rpc ListTcpProxyEntry(ListTcpProxyEntryRequest)
+      returns (ListTcpProxyEntryResponse);
+}

easytier/src/proto/common.rs

@@ -101,7 +101,11 @@ impl From<cidr::Ipv4Inet> for Ipv4Inet {
 
 impl From<Ipv4Inet> for cidr::Ipv4Inet {
     fn from(value: Ipv4Inet) -> Self {
-        cidr::Ipv4Inet::new(value.address.unwrap().into(), value.network_length as u8).unwrap()
+        cidr::Ipv4Inet::new(
+            value.address.unwrap_or_default().into(),
+            value.network_length as u8,
+        )
+        .unwrap()
     }
 }
 
@@ -168,6 +172,9 @@ impl From<std::net::SocketAddr> for SocketAddr {
 
 impl From<SocketAddr> for std::net::SocketAddr {
     fn from(value: SocketAddr) -> Self {
+        if value.ip.is_none() {
+            return "0.0.0.0:0".parse().unwrap();
+        }
         match value.ip.unwrap() {
             socket_addr::Ip::Ipv4(ip) => std::net::SocketAddr::V4(std::net::SocketAddrV4::new(
                 std::net::Ipv4Addr::from(ip),

easytier/src/proto/peer_rpc.proto

@@ -207,5 +207,6 @@ message HandshakeRequest {
 }
 
 message KcpConnData {
+  common.SocketAddr src = 1;
   common.SocketAddr dst = 4;
 }

easytier/src/tests/three_node.rs

@@ -366,6 +366,7 @@ pub async fn subnet_proxy_three_node_test(
     #[values(true, false)] relay_by_public_server: bool,
     #[values(true, false)] enable_kcp_proxy: bool,
     #[values(true, false)] disable_kcp_input: bool,
+    #[values(true, false)] dst_enable_kcp_proxy: bool,
 ) {
     let insts = init_three_node_ex(
         proto,
@@ -374,6 +375,7 @@ pub async fn subnet_proxy_three_node_test(
                 let mut flags = cfg.get_flags();
                 flags.no_tun = no_tun;
                 flags.disable_kcp_input = disable_kcp_input;
+                flags.enable_kcp_proxy = dst_enable_kcp_proxy;
                 cfg.set_flags(flags);
                 cfg.add_proxy_cidr("10.1.2.0/24".parse().unwrap());
             }
@@ -518,12 +520,13 @@ pub async fn proxy_three_node_disconnect_test(#[values("tcp", "wg")] proto: &str
             }));
             wait_for_condition(
                 || async {
-                    insts[0]
+                    insts[2]
                         .get_peer_manager()
-                        .list_routes()
+                        .get_peer_map()
+                        .list_peers_with_conn()
                         .await
                         .iter()
-                        .find(|r| r.peer_id == inst4.peer_id())
+                        .find(|r| **r == inst4.peer_id())
                         .is_none()
                 },
                 // 0 down, assume last packet is recv in -0.01
@@ -532,6 +535,21 @@ pub async fn proxy_three_node_disconnect_test(#[values("tcp", "wg")] proto: &str
                 Duration::from_secs(11),
             )
             .await;
+
+            wait_for_condition(
+                || async {
+                    insts[0]
+                        .get_peer_manager()
+                        .list_routes()
+                        .await
+                        .iter()
+                        .find(|r| r.peer_id == inst4.peer_id())
+                        .is_none()
+                },
+                Duration::from_secs(7),
+            )
+            .await;
+
             set_link_status("net_d", true);
         }
     });