Skip to content

Add Windows Service support for TCP tunnel #479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add Windows Service support for TCP tunnel #479

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ac35591
Add Windows Service support
ZetaTwo Dec 12, 2024
160fe40
Merge branch 'main' into windows-svc
ZetaTwo Aug 15, 2025
92c974f
Fix merge bug
ZetaTwo Aug 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
74 changes: 4 additions & 70 deletions cmd/pomerium-cli/tcp.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,87 +1,21 @@
//go:build !windows

package main

import (
"context"
"crypto/tls"
"fmt"
"io"
"os"
"os/signal"
"syscall"

"github.com/spf13/cobra"

"github.com/pomerium/cli/tunnel"
)

var tcpCmdOptions struct {
listen string
pomeriumURL string
}

func init() {
addBrowserFlags(tcpCmd)
addServiceAccountFlags(tcpCmd)
addTLSFlags(tcpCmd)
flags := tcpCmd.Flags()
flags.StringVar(&tcpCmdOptions.listen, "listen", "127.0.0.1:0",
"local address to start a listener on")
flags.StringVar(&tcpCmdOptions.pomeriumURL, "pomerium-url", "",
"the URL of the pomerium server to connect to")
rootCmd.AddCommand(tcpCmd)
addTcpFlags(flags)
}

var tcpCmd = &cobra.Command{
Use: "tcp destination",
Short: "creates a TCP tunnel through Pomerium",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
destinationAddr, proxyURL, err := tunnel.ParseURLs(args[0], tcpCmdOptions.pomeriumURL)
if err != nil {
return err
}
cacheLastURL(proxyURL.String())

var tlsConfig *tls.Config
if proxyURL.Scheme == "https" {
tlsConfig, err = getTLSConfig()
if err != nil {
return err
}
}

c := make(chan os.Signal, 1)
signal.Notify(c, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
ctx, cancel := context.WithCancel(context.Background())
go func() {
<-c
cancel()
}()

tun := tunnel.New(
tunnel.WithBrowserCommand(browserOptions.command),
tunnel.WithDestinationHost(destinationAddr),
tunnel.WithProxyHost(proxyURL.Host),
tunnel.WithServiceAccount(serviceAccountOptions.serviceAccount),
tunnel.WithServiceAccountFile(serviceAccountOptions.serviceAccountFile),
tunnel.WithTLSConfig(tlsConfig),
)

if tcpCmdOptions.listen == "-" {
err = tun.Run(ctx, readWriter{Reader: os.Stdin, Writer: os.Stdout}, tunnel.LogEvents())
} else {
err = tun.RunListener(ctx, tcpCmdOptions.listen)
}
if err != nil {
_, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error())
os.Exit(1)
}

return nil
return runTcpForever(args[0])
},
}

type readWriter struct {
io.Reader
io.Writer
}
92 changes: 92 additions & 0 deletions cmd/pomerium-cli/tcp_impl.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
package main

import (
"context"
"crypto/tls"
"fmt"
"io"
"os"
"os/signal"
"syscall"

"github.com/pomerium/cli/tunnel"
"github.com/spf13/pflag"
)

var tcpCmdOptions struct {
listen string
pomeriumURL string
}

func addTcpFlags(flags *pflag.FlagSet) {
addBrowserFlags(tcpCmd)
addServiceAccountFlags(tcpCmd)
addTLSFlags(tcpCmd)
flags.StringVar(&tcpCmdOptions.listen, "listen", "127.0.0.1:0",
"local address to start a listener on")
flags.StringVar(&tcpCmdOptions.pomeriumURL, "pomerium-url", "",
"the URL of the pomerium server to connect to")
rootCmd.AddCommand(tcpCmd)
}

func runTcpForever(destination string) error {
c := make(chan os.Signal, 1)
signal.Notify(c, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
ctx, cancel := context.WithCancel(context.Background())
go func() {
<-c
cancel()
}()

return runTcp(ctx, destination)
}

func runTcp(ctx context.Context, destination string) error {
destinationAddr, proxyURL, err := tunnel.ParseURLs(destination, tcpCmdOptions.pomeriumURL)
if err != nil {
return err
}
cacheLastURL(proxyURL.String())

var tlsConfig *tls.Config
if proxyURL.Scheme == "https" {
tlsConfig, err = getTLSConfig()
if err != nil {
return err
}
}

c := make(chan os.Signal, 1)
signal.Notify(c, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
ctx, cancel := context.WithCancel(context.Background())
go func() {
<-c
cancel()
}()

tun := tunnel.New(
tunnel.WithBrowserCommand(browserOptions.command),
tunnel.WithDestinationHost(destinationAddr),
tunnel.WithProxyHost(proxyURL.Host),
tunnel.WithServiceAccount(serviceAccountOptions.serviceAccount),
tunnel.WithServiceAccountFile(serviceAccountOptions.serviceAccountFile),
tunnel.WithTLSConfig(tlsConfig),
)

if tcpCmdOptions.listen == "-" {
err = tun.Run(ctx, readWriter{Reader: os.Stdin, Writer: os.Stdout}, tunnel.LogEvents())
} else {
err = tun.RunListener(ctx, tcpCmdOptions.listen)
}
if err != nil {
_, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error())
os.Exit(1)
}

return nil
}

type readWriter struct {
io.Reader
io.Writer
}
96 changes: 96 additions & 0 deletions cmd/pomerium-cli/tcp_windows.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
//go:build windows

package main

import (
"context"
"fmt"
"log"

"github.com/spf13/cobra"

"golang.org/x/sys/windows/svc"
"golang.org/x/sys/windows/svc/debug"
)

var tcpWindowsCmdOptions struct {
service bool
}

func init() {
flags := tcpCmd.Flags()
addTcpFlags(flags)
flags.BoolVar(&tcpWindowsCmdOptions.service, "service", false, "emulate Windows service mode")
}

type pomeriumCliService struct {
destination string
}

func (m *pomeriumCliService) Execute(args []string, r <-chan svc.ChangeRequest, status chan<- svc.Status) (bool, uint32) {

const cmdsAccepted = svc.AcceptStop | svc.AcceptShutdown

status <- svc.Status{State: svc.StartPending}

ctx, cancel := context.WithCancel(context.Background())

go runTcp(ctx, m.destination)

status <- svc.Status{State: svc.Running, Accepts: cmdsAccepted}

loop:
for {
select {
case c := <-r:
switch c.Cmd {
case svc.Interrogate:
status <- c.CurrentStatus
case svc.Stop, svc.Shutdown:
status <- svc.Status{State: svc.StopPending}
log.Print("Shutting down Pomerium tunnel service...")
cancel()
break loop
default:
log.Printf("Unexpected service control request #%d", c)
}
}
}

status <- svc.Status{State: svc.Stopped}
return false, 0
}

func runService(name string, destination string, isDebug bool) error {
if isDebug {
err := debug.Run(name, &pomeriumCliService{destination})
if err != nil {
return fmt.Errorf("Error running service in debug mode: %w", err)
}
} else {
err := svc.Run(name, &pomeriumCliService{destination})
if err != nil {
return fmt.Errorf("Error running service in Service Control mode: %w", err)
}
}
return nil
}

var tcpCmd = &cobra.Command{
Use: "tcp destination",
Short: "creates a TCP tunnel through Pomerium",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {

isService, err := svc.IsWindowsService()
if err != nil {
return fmt.Errorf("Could not determine service status: %w", err)
}

if isService || *&tcpWindowsCmdOptions.service {
return runService("Pomerium CLI", args[0], !isService)
} else {
return runTcpForever(args[0])
}
},
}