add private mode (#897)

--------- Co-authored-by: Sijie.Sun <sunsijie@buaa.edu.cn>
2025-12-12 04:37:23 +08:00 · 2025-06-02 06:47:17 +08:00
parent b469f8197a
commit b5dfc7374c
12 changed files with 42 additions and 1 deletions
--- a/easytier-gui/README.md
+++ b/easytier-gui/README.md
@@ -18,7 +18,11 @@ cd ../tauri-plugin-vpnservice
 pnpm install
 pnpm build

-cd ../easytier-gui
+cd ../easytier-web/frontend-lib
+pnpm install
+pnpm build
+
+cd ../../easytier-gui
 pnpm install
 pnpm tauri build
 ```
--- a/easytier-web/frontend-lib/src/components/Config.vue
+++ b/easytier-web/frontend-lib/src/components/Config.vue
@@ -157,6 +157,7 @@ const bool_flags: BoolFlag[] = [
  { field: 'disable_encryption', help: 'disable_encryption_help' },
  { field: 'disable_udp_hole_punching', help: 'disable_udp_hole_punching_help' },
  { field: 'enable_magic_dns', help: 'enable_magic_dns_help' },
+  { field: 'enable_private_mode', help: 'enable_private_mode_help' },
 ]

 </script>
--- a/easytier-web/frontend-lib/src/locales/cn.yaml
+++ b/easytier-web/frontend-lib/src/locales/cn.yaml
@@ -116,6 +116,10 @@ enable_magic_dns: 启用魔法DNS
 enable_magic_dns_help: |
  启用魔法DNS，允许通过EasyTier的DNS服务器访问其他节点的虚拟IPv4地址， 如 node1.et.net。

+enable_private_mode: 启用私有模式
+enable_private_mode_help: |
+  启用私有模式，则不允许使用了与本网络不相同的网络名称和密码的节点通过本节点进行握手或中转。
+
 relay_network_whitelist: 网络白名单
 relay_network_whitelist_help: |
  仅转发白名单网络的流量，支持通配符字符串。多个网络名称间可以使用英文空格间隔。
--- a/easytier-web/frontend-lib/src/locales/en.yaml
+++ b/easytier-web/frontend-lib/src/locales/en.yaml
@@ -115,6 +115,10 @@ enable_magic_dns: Enable Magic DNS
 enable_magic_dns_help: |
  Enable magic dns, all nodes in the network can access each other by domain name, e.g.: node1.et.net.

+enable_private_mode: Enable Private Mode
+enable_private_mode_help: |
+  Enable private mode, nodes with different network names or passwords from this network are not allowed to perform handshake or relay through this node.
+
 relay_network_whitelist: Network Whitelist
 relay_network_whitelist_help: |
  Only forward traffic from the whitelist networks, supporting wildcard strings, multiple network names can be separated by spaces.
--- a/easytier-web/frontend-lib/src/types/network.ts
+++ b/easytier-web/frontend-lib/src/types/network.ts
@@ -64,6 +64,7 @@ export interface NetworkConfig {
  mapped_listeners: string[]

  enable_magic_dns?: boolean
+  enable_private_mode?: boolean
 }

 export function DEFAULT_NETWORK_CONFIG(): NetworkConfig {
@@ -121,6 +122,7 @@ export function DEFAULT_NETWORK_CONFIG(): NetworkConfig {
    mtu: null,
    mapped_listeners: [],
    enable_magic_dns: false,
+    enable_private_mode: false,
  }
 }

--- a/easytier/locales/app.yml
+++ b/easytier/locales/app.yml
@@ -155,6 +155,9 @@ core_clap:
  accept_dns:
    en: "if true, enable magic dns. with magic dns, you can access other nodes with a domain name, e.g.: <hostname>.et.net. magic dns will modify your system dns settings, enable it carefully."
    zh-CN: "如果为true，则启用魔法DNS。使用魔法DNS，您可以使用域名访问其他节点，例如：<hostname>.et.net。魔法DNS将修改您的系统DNS设置，请谨慎启用。"
+  private_mode:
+    en: "if true, nodes with different network names or passwords from this network are not allowed to perform handshake or relay through this node."
+    zh-CN: "如果为true，则不允许使用了与本网络不相同的网络名称和密码的节点通过本节点进行握手或中转"

 core_app:
  panic_backtrace_save:
--- a/easytier/src/common/config.rs
+++ b/easytier/src/common/config.rs
@@ -37,6 +37,7 @@ pub fn gen_default_flags() -> Flags {
        disable_kcp_input: false,
        disable_relay_kcp: true,
        accept_dns: false,
+        private_mode: false,
    }
 }

--- a/easytier/src/easytier-core.rs
+++ b/easytier/src/easytier-core.rs
@@ -452,6 +452,13 @@ struct Cli {
        help = t!("core_clap.accept_dns").to_string(),
    )]
    accept_dns: Option<bool>,
+
+    #[arg(
+        long,
+        env = "ET_PRIVATE_MODE",
+        help = t!("core_clap.private_mode").to_string(),
+    )]
+    private_mode: Option<bool>,
 }

 rust_i18n::i18n!("locales", fallback = "en");
@@ -770,6 +777,7 @@ impl TryFrom<&Cli> for TomlConfigLoader {
        f.enable_kcp_proxy = cli.enable_kcp_proxy.unwrap_or(f.enable_kcp_proxy);
        f.disable_kcp_input = cli.disable_kcp_input.unwrap_or(f.disable_kcp_input);
        f.accept_dns = cli.accept_dns.unwrap_or(f.accept_dns);
+        f.private_mode = cli.private_mode.unwrap_or(f.private_mode);
        cfg.set_flags(f);

        if !cli.exit_nodes.is_empty() {
--- a/easytier/src/launcher.rs
+++ b/easytier/src/launcher.rs
@@ -676,6 +676,10 @@ impl NetworkConfig {
            flags.mtu = mtu as u32;
        }

+        if let Some(enable_private_mode) = self.enable_private_mode {
+            flags.private_mode = enable_private_mode;
+        }
+
        cfg.set_flags(flags);
        Ok(cfg)
    }
--- a/easytier/src/peers/peer_manager.rs
+++ b/easytier/src/peers/peer_manager.rs
@@ -422,6 +422,13 @@ impl PeerManager {
        tracing::info!("add tunnel as server start");
        let mut peer = PeerConn::new(self.my_peer_id, self.global_ctx.clone(), tunnel);
        peer.do_handshake_as_server().await?;
+        if self.global_ctx.config.get_flags().private_mode
+            && peer.get_network_identity().network_name != self.global_ctx.get_network_identity().network_name
+        {
+            return Err(Error::SecretKeyError(
+                "private mode is turned on, network identity not match".to_string(),
+            ));
+        }
        if peer.get_network_identity().network_name
            == self.global_ctx.get_network_identity().network_name
        {
--- a/easytier/src/proto/common.proto
+++ b/easytier/src/proto/common.proto
@@ -33,6 +33,8 @@ message FlagsInConfig {

  // enable magic dns or not
  bool accept_dns = 22;
+  // enable private mode
+  bool private_mode = 23;
 }

 message RpcDescriptor {
--- a/easytier/src/proto/web.proto
+++ b/easytier/src/proto/web.proto
@@ -65,6 +65,7 @@ message NetworkConfig {
    repeated string mapped_listeners = 41;

    optional bool enable_magic_dns = 42;
+    optional bool enable_private_mode = 43;
 }

 message MyNodeInfo {