JustGopher/Gotaxy

Gotaxy

✈️ Gotaxy is a lightweight intranet penetration (NAT traversal) tool written in Go that helps developers safely and conveniently expose internal network services to the public network.

"Go beyond NAT, with style."

Core Technologies

  • Language: Go 1.24+
  • Network: TCP/TLS Protocol
  • Database: SQLite (modernc.org/sqlite)
  • Multiplexing: xtaci/smux
  • Interactive Interface: chzyer/readline

🚀 Quick Start

Get the Program

Download the latest version from the Release page, which provides executables, compressed packages, and source code. Linux and Windows on AMD64 are supported.

Server Startup

./gotaxy-server  # Run the program. On Windows the program name is gotaxy-server.exe; the same applies to the client below.
# If running from source code:
# go run cmd/server/server.go

Generate Certificate

Gotaxy creates a self-signed CA certificate using a native library. By issuing and signing certificates with it, Gotaxy ensures that both communicating parties can trust each other's identity and that data is encrypted in transit during the internal network penetration process. This is the core mechanism that makes the tool safe to use.

Together with the CA root certificate, the server and client certificates form Gotaxy's complete security chain, from "authentication" to "data encryption", so that the internal network penetration process is both secure and reliable.

Generate the certificates on the server through its interactive commands:

gen-ca    [year]  # Generate root CA certificate
gen-certs [day]   # Server and client certificates
# Options:
  year int
        Certificate validity period, in years (default 10)
  day int
        Certificate validity period, in days (default 365)    

Set the server IP, the listening port, and the address of the internal network service to expose.

set-ip <ip>
set-port <port>
add-mapping <name> <public_port> <target_addr> # Add a port mapping
open-mapping <name> # Newly added mappings are closed by default and must be opened manually

Start the service:

start # Start the server's core service and begin listening for clients.

Client Connection

Start the client to establish the port-forwarding tunnel. The client needs the IP address and listening port of the server host, and must also carry the TLS certificate generated by the server.

./gotaxy-client start -h [host] -p <port> [-ca <ca-cert-path>] [-crt <client-cert-path>] [-key <private-key-path>]
# If running from source code:
# go run cmd/client/client.go -h [host] -p <port> [-ca <ca-cert-path>] [-crt <client-cert-path>] [-key <private-key-path>]

Options:
  -h [host]
        The hostname or IP address of the server (default "127.0.0.1")
  -p <port>
        The port number to connect to (default 9000)
  -ca <ca-cert-path>
        Path to the CA certificate file (default "certs/ca.crt")
  -crt <client-cert-path>
        Path to the client certificate file (default "certs/client.crt")
  -key <private-key-path>
        Path to the client private key file (default "certs/client.key")
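
The roles of the CA certificate from "Generate Certificate" and of the client's -ca, -crt and -key files can be seen in a mutual-TLS handshake. The Go program below is an added example, not Gotaxy's own code: it issues a CA, a server certificate and two client certificates, then shows the server accepting the client signed by its CA and refusing one signed by a different CA. The names gotaxy-ca, gotaxy-server, gotaxy-client and other-ca, the Ed25519 keys and the one-hour lifetimes are assumptions of the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue makes an Ed25519 key and certificate for cn: a self-signed CA if parent is nil, else a leaf.
func issue(cn string, parent *tls.Certificate, eku ...x509.ExtKeyUsage) *tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	if parent == nil { // no issuer given: self-sign as a root CA
		parent = &tls.Certificate{Leaf: tpl, PrivateKey: key}
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake returns the server's verdict on cli over an in-memory pipe; both ends trust only ca.
func handshake(srv, cli *tls.Certificate, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	a, b := net.Pipe()
	defer a.Close()
	ccfg := &tls.Config{Certificates: []tls.Certificate{*cli}, RootCAs: pool, ServerName: "gotaxy-server"}
	go tls.Client(b, ccfg).Read(make([]byte, 1)) // client handshakes, then waits for alert or close
	return tls.Server(a, &tls.Config{Certificates: []tls.Certificate{*srv}, ClientCAs: pool, // tickets off:
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}).Handshake() // pipe is unbuffered
}

func main() {
	ca, eku := issue("gotaxy-ca", nil), x509.ExtKeyUsageClientAuth // names are this example's, not Gotaxy's
	srv := issue("gotaxy-server", ca, x509.ExtKeyUsageServerAuth)
	fmt.Println("CA-signed client:", handshake(srv, issue("gotaxy-client", ca, eku), ca.Leaf))
	fmt.Println("other-CA client: ", handshake(srv, issue("gotaxy-client", issue("other-ca", nil), eku), ca.Leaf))
}
```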

⚙️ Instructions for Using Server Interaction Commands

The following lists all available commands on the server and their effects:

  • gen-ca [time(year)] [-overwrite]

    Validity period: Optional parameter, specifies the validity period of the CA certificate. The default is 10 years.

    -overwrite: Optional parameter, forces overwrite of an existing CA certificate.

    gen-ca 5 -overwrite (Generate a CA certificate valid for 5 years and overwrite the existing one)

  • gen-certs [time(day)]

    Validity period: Optional parameter, specifies the validity period of the certificate (in days), default is 365 days.

    Generate certificates with a validity of 30 days: gen-certs 30

  • start

    Function: Start the server and check if the certificate exists.

  • stop

    Function: Stop the running server

  • show-config

    Function: Display the current server IP, listening port, and email configuration.

  • show-mapping

    Function: Display all configured port mappings and their statuses.

  • set-ip <ip>

    Function: Set the server IP address

    Set the IP to 192.168.1.100: set-ip 192.168.1.100

  • set-port <port>

    Function: Set the listening port of the server, with a range of 1 to 65535.

    set-port 9000

  • set-email <email>

    Function: Set the server email address for receiving notifications.

    set-email admin@example.com

  • add-mapping <name> <public_port> <target_addr>

    Function: Add a new port mapping configuration

    add-mapping web 8080 127.0.0.1:3000

  • del-mapping <name>

    Function: Delete the port mapping with the specified name.

    del-mapping web

  • upd-mapping <name> <public_port> <target_addr> <rate>

    Function: Update the port mapping configuration of the specified name.

    upd-mapping web 8080 127.0.0.1:3000 2097152 (2 MB)

  • open-mapping <name>

    Function: Open the port mapping with the specified name.

    Example: open-mapping web

  • close-mapping <name>

    Function: Disable the port mapping with the specified name.

    Example: close-mapping web

  • heart

    Function: Check the current link status

  • mode [vi|emacs]

    Function: Set command-line editing mode

    Switch to vi mode: mode vi

  • help

    Function: Display this help information

  • exit

    Function: Stop the service and exit the command line interface.


Requirements Document

For detailed requirements analysis, please refer to the REQUIREMENTS.md file.


Submit Contributions

Welcome to submit Issues and Pull Requests.

If you want to contribute code, please refer to the CONTRIBUTING.md file.

Please read COMMIT_CONVENTION.md before submitting code. We follow the Conventional Commits specification.

