ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/README
Revision: 1.5
Committed: Fri Mar 28 20:30:54 2003 UTC (21 years, 8 months ago) by pcg
Branch: MAIN
CVS Tags: poll-based-iom, VPE_0_9, VPE_1_2, VPE_1_4, VPE_1_6, VPE-1_6_1, VPE_1_0
Changes since 1.4: +1 -1 lines
Log Message:
*** empty log message ***

File Contents

# Content
1
2 ==== NAME ====
3
4 vpe - Overview of the virtual private ethernet suite.
5
6
7 ==== DESCRIPTION ====
8
9 Vpe is a suite designed to provide a virtual private network for
10 multiple nodes over an untrusted network.
11
12 "Virtual" means that no physical network is created (of course), but an
13 ethernet is emulated by creating multiple tunnels between the member
14 nodes.
15
16 "Private" means that non-participating nodes cannot decode ("sniff)" nor
17 inject ("spoof") packets.
18
19 In the case of vpe, even participating nodes cannot sniff packets send
20 to other nodes or spoof packets as if sent from other nodes.
21
22 "Network" means that more than two parties can participate in the
23 network, so for instance it's possible to connect multiple branches of a
24 company into a single network. Many so-called "vpn" solutions only
25 create point-to-point tunnels.
26
27
28 == DESIGN GOALS ==
29
30 : SIMPLE DESIGN
31 Cipher, HMAC algorithms and other key parameters must be selected at
32 compile time - this makes it possible to only link in algorithms you
33 actually need. It also makes the crypto part of the source very
34 transparent and easy to inspect.
35
36 : EASY TO SETUP
37 A few lines of config (the config file is shared unmodified between
38 all hosts) and a single run of ``vpectrl'' to generate the keys
39 suffices to make it work.
40
41 : MAC-BASED SECURITY
42 Since every host has it's own private key, other hosts cannot spoof
43 traffic from this host. That makes it possible to filter packest by
44 MAC address, e.g. to ensure that packets from a specific IP address
45 come, in fact, from a specific host.
46
47
48 ==== PROGRAMS ====
49
50 Vpe comes with two programs: one daemon (``vped'') and one control
51 program (``vpectrl'').
52
53 : vpectrl
54 Is used to generate the keys, check and give an overview of of the
55 configuration and contorl the daemon (restarting etc.).
56
57 : vped
58 Is the daemon used to establish and maintain conenctions to the
59 other network members. It should be run on the gateway machine.
60
61
62 ==== COMPILETIME CONFIGURATION ====
63
64 Here are a few recipes for compiling your vpe:
65
66
67 == AS LOW PACKET OVERHEAD AS POSSIBLE ==
68
69 ./configure --enable-hmac-length=4 --enable-rand-length=0
70
71 Minimize the header overhead of VPN packets (the above will result in
72 only 4 bytes of overhead over the raw ethernet frame).
73
74
75 == MINIMIZE CPU TIME REQUIRED ==
76
77 ./configure --enable-cipher=bf --enable-digest=md4
78
79 Use the fastest cipher and digest algorithms currently available in vpe.
80
81
82 == MAXIMIZE SECURITY ==
83
84 ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1
85
86 This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12
87 would also be pretty secure ;) and will additionally prefix each packet
88 with 8 bytes of random data.
89
90 In general, remember that AES-128 seems to be more secure and faster
91 than AES-192 or AES-256, more randomness helps against sniffing and a
92 longer HMAC helps against spoofing. MD4 is a fast digest, SHA1 or
93 RIPEMD160 are better, and Blowfish is a fast cipher (and also quite
94 secure).
95
96
97 ==== HOW TO SET UP A SIMPLE VPN ====
98
99 In this section I will describe how to get a simple VPN consisting of
100 three hosts up and running.
101
102
103 == STEP 1: configuration ==
104
105 First you have to create a daemon configuation file and put it into the
106 configuration directory. This is usually ``/etc/vpe'', depending on how
107 you configured vpe, and can be overwritten using the ``-c'' commandline
108 switch.
109
110 Put the following lines into ``/etc/vpe/vped.conf'':
111
112 udp-port = 50000 # the external port to listen on (configure your firewall)
113 mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts
114 ifname = vpn0 # the local network device name
115
116 node = first # just a nickname
117 hostname = first.example.net # the DNS name or IP address of the host
118
119 node = second
120 hostname = 133.55.82.9
121
122 node = third
123 hostname = third.example.net
124
125 The only other file neccessary if the ``if-up'' script that initializes
126 the local ethernet interface. Put the following lines into
127 ``/etc/vpe/if-up'' and make it execute (``chmod 755 /etc/vpe/if-up''):
128
129 #!/bin/sh
130 ip link set $IFNAME address $MAC mtu $MTU up
131 [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME
132 [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME
133 [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME
134 ip route add 10.0.0.0/16 dev $IFNAME
135
136 This script will give each node a different IP address in the
137 ``10.0/16'' network. The internal network (e.g. the ``eth0'' interface)
138 should then be set to a subset of that network, e.g. ``10.0.1.0/24'' on
139 node ``first'', ``10.0.2.0/24'' on node ``second'', and so on.
140
141 By enabling routing on the gateway host that runs ``vped'' all nodes
142 will be able to reach the other nodes. You can, of course, also use
143 proxy arp or other means of pseudo-bridging (or even real briding), or
144 (best) full routing - the choice is yours.
145
146
147 == STEP 2: create the RSA key pairs for all hosts ==
148
149 Run the following command to generate all key pairs (that might take a
150 while):
151
152 vpectrl -c /etc/vpe -g
153
154 This command will put the public keys into
155 ``/etc/vpe/pubkeys/*nodename*'' and the private keys into
156 ``/etc/vpe/hostkeys/*nodename*''.
157
158
159 == STEP 3: distribute the config files to all nodes ==
160
161 Now distribute the config files to the other nodes. This should be done
162 in two steps, since the private keys should not be distributed. The
163 example uses rsync-over-ssh
164
165 First all the config files without the hostkeys should be distributed:
166
167 rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys
168 rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys
169 rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys
170
171 Then the hostkeys should be copied:
172
173 rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey
174 rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey
175 rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey
176
177 You should now check the configration by issuing the command ``vpectrl
178 -c /etc/vpe -s'' on each node and verify it's output.
179
180
181 == STEP 4: starting vped ==
182
183 You should then start vped on each node by issuing a command like:
184
185 vped -D -linfo first # first is the nodename
186
187 This will make the vped stay in foreground. You should then see
188 "connection established" messages. If you don't see them check your
189 firewall and routing (use tcpdump ;).
190
191 If this works you should check your networking setup by pinging various
192 endpoints.
193
194 To make vped run more permanently you can either run it as a daemon (by
195 starting it without the ``-D'' switch), or, much better, from your
196 inittab. I use a line like this on my systems:
197
198 t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1
199
200
201 == STEP 5: enjoy ==
202
203 ... and play around. Sending a -HUP (``vpectrl -kHUP'') to the daemon
204 will make it try to connect to all other nodes again. If you run it from
205 inittab, as is recommended, ``vpectrl -k'' (or simply ``killall vped'')
206 will kill the daemon, start it again, making it read it's configuration
207 files again.
208
209
210 ==== SEE ALSO ====
211
212 vpe(5), vped.conf(5), vpectrl(8).
213
214
215 ==== AUTHOR ====
216
217 Marc Lehmann <vpe@plan9.de>
218