
SecureVpnWithTapio

mac edited this page Mar 30, 2016 · 1 revision

A secure VPN with tapio, secretbox and ucspi.

Suppose we have two machines called righthere and overthere. Both machines are expected to have a non-privileged user called vpn. We also assume that the tapio and secretbox programs and one of the ucspi suites have already been compiled and installed on both machines and are accessible in their search PATHs. Moreover, at least one of the machines must have some way of generating a 32-bit hexadecimal key; we will use openssl in our example.

Initial setup

On righthere, do as root:

ip tuntap add tap0 mode tap user vpn group vpn
ip link set tap0 up
ip addr add 192.168.33.1/30 dev tap0

Do the same on overthere, changing the IP address in the last line above to 192.168.33.2.

To avoid packet fragmentation when using the UDP transport, set the MTU to 1416:

ip link set tap0 mtu 1416

To generate your 32-bit key execute:

openssl rand -hex 32 > Key

Note that this file must be copied to both machines, as the key must be identical on both ends.

Starting the VPN

On righthere, run this as the vpn user:

udplisten 0 5555 secretbox -K Key -- tapio tap0

On overthere, run this as the vpn user:

udpconnect -6 righthere 5555 secretbox -K Key -- tapio tap0

Using a different transport program

If you want to use a stream transport such as TCP, change the transport program (udpconnect and udplisten in the commands above) to the transport program of your choice and add the unbundle program in front of the secretbox program:

tcplisten 0 5555 unbundle secretbox -K Key -- tapio tap0
tcpconnect -6 righthere 5555 unbundle secretbox -K Key -- tapio tap0

You can also use Dan Bernstein's original ucspi-tcp suite like so:

tcpserver 0 5555 unbundle secretbox tapio tap0
tcpclient righthere 5555 sh -c 'unbundle secretbox tapio tap0 <&6 1>&7'

Note that 5555 can be any port you choose; however, to use a port below 1024 you must be root.

For cryptanalysis tests, the xorbox program can be used instead of secretbox:

udplisten 0 5555 xorbox -K Key -- tapio tap0
udpconnect -6 righthere 5555 xorbox -K Key -- tapio tap0

The xorbox program will allow for MTUs up to 1456.

Testing

To check that the VPN is set up correctly and functioning, we will use a simple ping.

On righthere:

ping 192.168.33.2

On overthere:

ping 192.168.33.1

To test for packet fragmentation we will use tcpdump and an incompressible data stream.

On overthere:

nc -l -p 5556 > /dev/null

On righthere, in prompt 1:

tcpdump -vvv -nei any '((ip[6:2] > 0) and (not ip[6] = 64))'

In prompt 2:

cat /dev/urandom | nc 192.168.33.2 5556

If any packets are reported in prompt 1, lower the MTU on tap0 until fragmentation no longer occurs.
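As an added example that is not part of the original page, the following Python reproduces the decision made by the tcpdump filter above on constructed IPv4 headers, so you can see exactly which packets the fragmentation test reports. The byte offsets are relative to the start of the IP header, as in tcpdump's `ip[n]` syntax: bytes 6 and 7 hold the 3 flag bits (reserved, DF, MF) followed by the 13-bit fragment offset, and `ip[6] = 64` is a DF-only packet with a zero offset, i.e. an ordinary unfragmented datagram.

```python
import struct


def ipv4_header(flags: int, frag_offset: int, total_len: int = 1500) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed test data, checksum left 0).

    flags is the 3-bit field (0b010 = DF, 0b001 = MF);
    frag_offset is the 13-bit offset in 8-byte units.
    """
    ver_ihl = 0x45                       # IPv4, 5-word (20-byte) header
    flags_frag = ((flags & 0x7) << 13) | (frag_offset & 0x1FFF)
    ttl, proto, csum = 64, 17, 0         # proto 17 = UDP, like the tunnel transport
    src = bytes([192, 168, 33, 1])       # the page's righthere tap0 address
    dst = bytes([192, 168, 33, 2])       # the page's overthere tap0 address
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234,
                       flags_frag, ttl, proto, csum, src, dst)


def matches_fragment_filter(pkt: bytes) -> bool:
    """Evaluate '((ip[6:2] > 0) and (not ip[6] = 64))' on one IPv4 packet.

    ip[6:2] is the 16-bit flags+offset word; any non-zero value other than
    a lone DF bit (0x4000, whose high byte is 64) indicates MF set or a
    non-zero fragment offset, i.e. the datagram was fragmented.
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return False                     # not IPv4: tcpdump's 'ip' qualifier would skip it
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return flags_frag > 0 and pkt[6] != 64


def count_fragments(packets) -> int:
    """Number of packets the tcpdump filter would print for a captured list."""
    return sum(1 for p in packets if matches_fragment_filter(p))


if __name__ == "__main__":
    # Constructed sample: one clean DF packet, one plain packet, and the
    # three pieces of a fragmented datagram (first, middle and last fragment).
    sample = [
        ipv4_header(0b010, 0),           # DF only -> not reported
        ipv4_header(0b000, 0),           # no flags, offset 0 -> not reported
        ipv4_header(0b001, 0),           # MF set, first fragment -> reported
        ipv4_header(0b001, 185),         # MF set, middle fragment -> reported
        ipv4_header(0b000, 370),         # last fragment, MF clear -> reported
    ]
    print("fragments reported:", count_fragments(sample))   # 3
```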