SecureVpnWithTapio
Suppose we have two machines called righthere and overthere. Both machines are supposed to have a non-privileged user called vpn. We also assume the tapio and secretbox programs and one of the ucspi suites have been previously compiled and installed on both machines and are accessible in their search PATHs. Moreover, at least one of the machines must have some way of generating a 32-byte (256-bit) key in hexadecimal; we will use openssl for our example.
On righthere, do as root:
ip tuntap add tap0 mode tap user vpn group vpn
ip link set tap0 up
ip addr add 192.168.33.1/30 dev tap0
Do the same at overthere, changing the IP address to 192.168.33.2 in the last line above.
To avoid packet fragmentation when using the UDP transport, set the MTU to 1416. The tapped Ethernet frame, the per-packet overhead secretbox adds, and the UDP and IP headers all have to fit inside the path MTU of the underlying network (typically 1500 bytes), which is why the tap MTU is smaller than that of a normal interface.
ip link set tap0 mtu 1416
To generate your 32-byte (256-bit) key, execute:
openssl rand -hex 32 > Key
Note that this file must be copied to both machines, as the key must be identical. Copy it over a channel that is already authenticated (scp, for instance), and make sure it is owned by the vpn user and readable by nobody else (chmod 600 Key), since anyone who can read it can decrypt and inject traffic on the tunnel.
On righthere, run this as the vpn user:
udplisten 0 5555 secretbox -K Key -- tapio tap0
On overthere, run this as the vpn user:
udpconnect -6 righthere 5555 secretbox -K Key -- tapio tap0
If you want to use a stream transport such as TCP, change the transport program (udpconnect and udplisten in the code above) to the transport program of your choice and add the unbundle program before the secretbox program:
tcplisten 0 5555 unbundle secretbox -K Key -- tapio tap0
tcpconnect -6 righthere 5555 unbundle secretbox -K Key -- tapio tap0
You can also use Dan Bernstein's original ucspi-tcp suite like so:
tcpserver 0 5555 unbundle secretbox -K Key -- tapio tap0
tcpclient righthere 5555 sh -c 'unbundle secretbox -K Key -- tapio tap0 <&6 1>&7'
The redirections are needed because tcpclient hands the connection to its child on file descriptors 6 (read) and 7 (write) rather than on stdin and stdout, which is where tcpserver (and the other suites) already put it.
Note that 5555 can be any port you specify; however, to use a port below 1024 you must be root.
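The one-side procedure above (tap device, key generation and checking, starting the tunnel) collected into a POSIX shell script, as an added example that is not part of the tapio project. The function names, the key_ok checks and the key_fingerprint comparison are ours; the ip, openssl, udplisten, udpconnect, secretbox and tapio invocations are the ones from the walkthrough, and the addresses, port and file name Key are assumed to be the same as above.

```shell
#!/bin/sh
# Added example (not part of tapio): one-side bring-up for the tapio/secretbox
# VPN described above. Function names and the key checks are ours; the tool
# invocations are exactly the ones from the walkthrough.
set -eu

TAP=tap0
MTU=1416        # UDP transport; see the MTU note above
PORT=5555

# Bring up the tap device owned by the unprivileged vpn user. Run as root.
# $1 is the local address with prefix, e.g. 192.168.33.1/30.
tap_up() {
    ip tuntap add "$TAP" mode tap user vpn group vpn
    ip link set "$TAP" mtu "$MTU"
    ip link set "$TAP" up
    ip addr add "$1" dev "$TAP"
}

# Generate a 32-byte (256-bit) key as 64 hex characters into $1, created with
# mode 0600 so no other user on the machine can read it.
gen_key() {
    ( umask 077 && openssl rand -hex 32 > "$1" )
}

# Validate a key file before handing it to secretbox: it must exist, hold
# exactly 64 hex characters on its first line, and be readable only by its owner.
key_ok() {
    f=$1
    [ -f "$f" ] || return 1
    k=$(head -n 1 "$f")                 # drops the trailing newline
    case "$k" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#k}" -eq 64 ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Print a short fingerprint of the key so the two machines can confirm they hold
# the same file without ever pasting the key itself into a terminal or chat.
key_fingerprint() {
    sha256sum "$1" | cut -c1-16
}

# Start the tunnel endpoint as the vpn user. The listener waits for UDP on
# $PORT; the connector dials the peer named in $2 (e.g. righthere).
tunnel_listen()  { key_ok "$1" && exec udplisten 0 "$PORT" secretbox -K "$1" -- tapio "$TAP"; }
tunnel_connect() { key_ok "$1" && exec udpconnect -6 "$2" "$PORT" secretbox -K "$1" -- tapio "$TAP"; }

# Usage:
#   sudo ./vpn.sh tap 192.168.33.1/30      (on righthere; 192.168.33.2/30 on overthere)
#   ./vpn.sh genkey Key && ./vpn.sh fp Key (compare the fingerprint on both machines)
#   ./vpn.sh listen Key                    (on righthere, as vpn)
#   ./vpn.sh connect Key righthere         (on overthere, as vpn)
case "${1:-}" in
    tap)     tap_up "$2" ;;
    genkey)  gen_key "$2" ;;
    fp)      key_fingerprint "$2" ;;
    listen)  tunnel_listen "$2" ;;
    connect) tunnel_connect "$2" "$3" ;;
esac
```

key_ok refuses to start the tunnel with a key that is the wrong length, not hex, or world-readable, which catches the two most common mistakes (a truncated copy and a key left at the default umask) before secretbox ever reads it. Comparing fingerprints rather than the key itself keeps the key out of shell history and chat logs on both sides.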
For cryptanalysis tests, the xorbox program can be used in place of secretbox. It is a test tool rather than a cipher and provides neither confidentiality nor integrity, so never use it to carry real traffic.
udplisten 0 5555 xorbox -K Key -- tapio tap0
udpconnect -6 righthere 5555 xorbox -K Key -- tapio tap0
The xorbox program allows MTUs up to 1456; the 40-byte difference from the 1416 used with secretbox is the per-packet overhead that secretbox adds.
To check whether the VPN is set up correctly and functioning, we will use a simple ping.
On righthere:
ping 192.168.33.2
On overthere:
ping 192.168.33.1
To test for packet fragmentation we will use tcpdump and a non-compressible data source.
On overthere, start a listener that discards whatever it receives:
nc -l -p 5556 > /dev/null
(With the OpenBSD variant of netcat the syntax is nc -l 5556.)
On righthere, open two prompts.
Prompt 1 (as root, since tcpdump needs raw packet access):
tcpdump -vvv -nei any '((ip[6:2] > 0) and (not ip[6] = 64))'
This filter matches IP packets whose fragmentation field is non-zero (More Fragments set or a non-zero fragment offset) while ignoring packets that merely have the Don't Fragment flag set.
Prompt 2:
nc 192.168.33.2 5556 < /dev/urandom
Let the transfer run for a few seconds, then stop it with Ctrl-C. If any packets are printed in prompt 1, set the MTU on tap0 to a lower value to avoid fragmentation, and repeat the test.