gvpe/doc/vpe.5.pod

=head1 NAME

vpe - Overview of the virtual private ethernet suite.

=head1 DESCRIPTION

Vpe is a suite designed to provide a virtual private network for multiple
nodes over an untrusted network.

"Virtual" means that no physical network is created (of course), but an
ethernet is emulated by creating multiple tunnels between the member
nodes.

"Private" means that non-participating nodes cannot decode ("sniff)" nor
inject ("spoof") packets.

In the case of vpe, even participating nodes cannot sniff packets send to
other nodes or spoof packets as if sent from other nodes.

"Network" means that more than two parties can participate in the
network, so for instance it's possible to connect multiple branches of a
company into a single network. Many so-called "vpn" solutions only create
point-to-point tunnels.

=head2 DESIGN GOALS

=over 4 

=item SIMPLE DESIGN

Cipher, HMAC algorithms and other key parameters must be selected
at compile time - this makes it possible to only link in algorithms
you actually need. It also makes the crypto part of the source very
transparent and easy to inspect.

=item EASY TO SETUP

A few lines of config (the config file is shared unmodified between all
hosts) and a single run of C<vpectrl> to generate the keys suffices to
make it work.

=item MAC-BASED SECURITY

Since every host has it's own private key, other hosts cannot spoof
traffic from this host.  That makes it possible to filter packest by MAC
address, e.g. to ensure that packets from a specific IP address come, in
fact, from a specific host.

=back

=head1 PROGRAMS

Vpe comes with two programs: one daemon (C<vped>) and one control program
(C<vpectrl>).

=over 4

=item vpectrl

Is used to generate the keys, check and give an overview of of the
configuration and contorl the daemon (restarting etc.).

=item vped

Is the daemon used to establish and maintain conenctions to the other
network members. It should be run on the gateway machine.

=back

=head1 COMPILETIME CONFIGURATION

Please have a look at the C<vpe.osdep(5)> manpage for platform-specific
information.

Here are a few recipes for compiling your vpe:

=head2 AS LOW PACKET OVERHEAD AS POSSIBLE

   ./configure --enable-hmac-length=4 --enable-rand-length=0

Minimize the header overhead of VPN packets (the above will result in only
4 bytes of overhead over the raw ethernet frame).

=head2 MINIMIZE CPU TIME REQUIRED

   ./configure --enable-cipher=bf --enable-digest=md4

Use the fastest cipher and digest algorithms currently available in vpe.

=head2 MAXIMIZE SECURITY

   ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1

This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12
would also be pretty secure ;) and will additionally prefix each packet
with 8 bytes of random data.

In general, remember that AES-128 seems to be more secure and faster than
AES-192 or AES-256, more randomness helps against sniffing and a longer
HMAC helps against spoofing. MD4 is a fast digest, SHA1 or RIPEMD160 are
better, and Blowfish is a fast cipher (and also quite secure).

=head1 HOW TO SET UP A SIMPLE VPN

In this section I will describe how to get a simple VPN consisting of
three hosts up and running.

=head2 STEP 1: configuration

First you have to create a daemon configuation file and put it into the
configuration directory. This is usually C</etc/vpe>, depending on how you
configured vpe, and can be overwritten using the C<-c> commandline switch.

Put the following lines into C</etc/vpe/vped.conf>:

   udp-port = 50000 # the external port to listen on (configure your firewall)
   mtu = 1400       # minimum MTU of all outgoing interfaces on all hosts
   ifname = vpn0    # the local network device name

   node = first     # just a nickname
   hostname = first.example.net # the DNS name or IP address of the host

   node = second
   hostname = 133.55.82.9

   node = third
   hostname = third.example.net

The only other file neccessary if the C<if-up> script that initializes the
local ethernet interface. Put the following lines into C</etc/vpe/if-up>
and make it execute (C<chmod 755 /etc/vpe/if-up>):

   #!/bin/sh
   ip link set $IFNAME address $MAC mtu $MTU up
   [ $NODENAME = first  ] && ip addr add 10.0.1.1 dev $IFNAME
   [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME
   [ $NODENAME = third  ] && ip addr add 10.0.3.1 dev $IFNAME
   ip route add 10.0.0.0/16 dev $IFNAME

This script will give each node a different IP address in the C<10.0/16>
network.  The internal network (e.g. the C<eth0> interface) should then be
set to a subset of that network, e.g.  C<10.0.1.0/24> on node C<first>,
C<10.0.2.0/24> on node C<second>, and so on.

By enabling routing on the gateway host that runs C<vped> all nodes will
be able to reach the other nodes. You can, of course, also use proxy arp
or other means of pseudo-bridging (or even real briding), or (best) full
routing - the choice is yours.

=head2 STEP 2: create the RSA key pairs for all hosts

Run the following command to generate all key pairs (that might take a
while):

   vpectrl -c /etc/vpe -g

This command will put the public keys into C<<
/etc/vpe/pubkeys/I<nodename> >> and the private keys into C<<
/etc/vpe/hostkeys/I<nodename> >>.

=head2 STEP 3: distribute the config files to all nodes

Now distribute the config files to the other nodes. This should be done in two steps, since the
private keys should not be distributed. The example uses rsync-over-ssh

First all the config files without the hostkeys should be distributed:

   rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys
   rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys
   rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys

Then the hostkeys should be copied:

   rsync -avzessh /etc/vpe/hostkeys/first  first.example.net:/etc/hostkey
   rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey
   rsync -avzessh /etc/vpe/hostkeys/third  third.example.net:/etc/hostkey

You should now check the configration by issuing the command C<vpectrl -c
/etc/vpe -s> on each node and verify it's output.

=head2 STEP 4: starting vped

You should then start vped on each node by issuing a command like:

   vped -D -linfo first # first is the nodename

This will make the vped stay in foreground. You should then see
"connection established" messages. If you don't see them check your
firewall and routing (use tcpdump ;).

If this works you should check your networking setup by pinging various
endpoints.

To make vped run more permanently you can either run it as a daemon
(by starting it without the C<-D> switch), or, much better, from your
inittab. I use a line like this on my systems:

   t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1

=head2 STEP 5: enjoy

... and play around. Sending a -HUP (C<vpectrl -kHUP>) to the daemon
will make it try to connect to all other nodes again. If you run it from
inittab, as is recommended, C<vpectrl -k> (or simply C<killall vped>) will
kill the daemon, start it again, making it read it's configuration files
again.

=head1 SEE ALSO

vpe.osdep(5) for OS-depedendent information, vped.conf(5), vpectrl(8), and
for a description of the protocol and routing algorithms, vpe.protocol(7).

=head1 AUTHOR

Marc Lehmann <vpe@plan9.de>

=head1 COPYRIGHTS AND LICENSES

Vpe itself is distributed under the GENERAL PUBLIC LICENSE (see the file
COPYING that should be part of your distribution).

In some configurations it uses modified versions of the tinc vpn suite,
which is also available under the GENERAL PUBLIC LICENSE.

In some configurations (notably darwin), it uses a poll emulation library
that comes with the following license notice:

  Copyright (c) 1995-2002 Brian M. Clapper
  All rights reserved.

  Redistribution and use in source and binary forms are permitted
  provided that: (1) source distributions retain this entire
  copyright notice and comment; (2) modifications made to the
  software are prominently mentioned, and a copy of the original
  software (or a pointer to its location) are included; and (3)
  distributions including binaries display the following
  acknowledgement: "This product includes software developed by Brian
  M. Clapper <bmc@clapper.org>" in the documentation or other
  materials provided with the distribution. The name of the author
  may not be used to endorse or promote products derived from this
  software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.


Revision:	1.4
Committed:	Thu Oct 16 21:57:54 2003 UTC (20 years, 7 months ago) by pcg
Branch:	MAIN
CVS Tags:	poll-based-iom, VPE-1_6_1, VPE_1_4, VPE_1_6, VPE_1_2
Changes since 1.3:	+5 -2 lines
Log Message:	* empty log message *
#	Content
1	=head1 NAME
2
3	vpe - Overview of the virtual private ethernet suite.
4
5	=head1 DESCRIPTION
6
7	Vpe is a suite designed to provide a virtual private network for multiple
8	nodes over an untrusted network.
9
10	"Virtual" means that no physical network is created (of course), but an
11	ethernet is emulated by creating multiple tunnels between the member
12	nodes.
13
14	"Private" means that non-participating nodes cannot decode ("sniff)" nor
15	inject ("spoof") packets.
16
17	In the case of vpe, even participating nodes cannot sniff packets send to
18	other nodes or spoof packets as if sent from other nodes.
19
20	"Network" means that more than two parties can participate in the
21	network, so for instance it's possible to connect multiple branches of a
22	company into a single network. Many so-called "vpn" solutions only create
23	point-to-point tunnels.
24
25	=head2 DESIGN GOALS
26
27	=over 4
28
29	=item SIMPLE DESIGN
30
31	Cipher, HMAC algorithms and other key parameters must be selected
32	at compile time - this makes it possible to only link in algorithms
33	you actually need. It also makes the crypto part of the source very
34	transparent and easy to inspect.
35
36	=item EASY TO SETUP
37
38	A few lines of config (the config file is shared unmodified between all
39	hosts) and a single run of C<vpectrl> to generate the keys suffices to
40	make it work.
41
42	=item MAC-BASED SECURITY
43
44	Since every host has it's own private key, other hosts cannot spoof
45	traffic from this host. That makes it possible to filter packest by MAC
46	address, e.g. to ensure that packets from a specific IP address come, in
47	fact, from a specific host.
48
49	=back
50
51	=head1 PROGRAMS
52
53	Vpe comes with two programs: one daemon (C<vped>) and one control program
54	(C<vpectrl>).
55
56	=over 4
57
58	=item vpectrl
59
60	Is used to generate the keys, check and give an overview of of the
61	configuration and contorl the daemon (restarting etc.).
62
63	=item vped
64
65	Is the daemon used to establish and maintain conenctions to the other
66	network members. It should be run on the gateway machine.
67
68	=back
69
70	=head1 COMPILETIME CONFIGURATION
71
72	Please have a look at the C<vpe.osdep(5)> manpage for platform-specific
73	information.
74
75	Here are a few recipes for compiling your vpe:
76
77	=head2 AS LOW PACKET OVERHEAD AS POSSIBLE
78
79	./configure --enable-hmac-length=4 --enable-rand-length=0
80
81	Minimize the header overhead of VPN packets (the above will result in only
82	4 bytes of overhead over the raw ethernet frame).
83
84	=head2 MINIMIZE CPU TIME REQUIRED
85
86	./configure --enable-cipher=bf --enable-digest=md4
87
88	Use the fastest cipher and digest algorithms currently available in vpe.
89
90	=head2 MAXIMIZE SECURITY
91
92	./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1
93
94	This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12
95	would also be pretty secure ;) and will additionally prefix each packet
96	with 8 bytes of random data.
97
98	In general, remember that AES-128 seems to be more secure and faster than
99	AES-192 or AES-256, more randomness helps against sniffing and a longer
100	HMAC helps against spoofing. MD4 is a fast digest, SHA1 or RIPEMD160 are
101	better, and Blowfish is a fast cipher (and also quite secure).
102
103	=head1 HOW TO SET UP A SIMPLE VPN
104
105	In this section I will describe how to get a simple VPN consisting of
106	three hosts up and running.
107
108	=head2 STEP 1: configuration
109
110	First you have to create a daemon configuation file and put it into the
111	configuration directory. This is usually C</etc/vpe>, depending on how you
112	configured vpe, and can be overwritten using the C<-c> commandline switch.
113
114	Put the following lines into C</etc/vpe/vped.conf>:
115
116	udp-port = 50000 # the external port to listen on (configure your firewall)
117	mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts
118	ifname = vpn0 # the local network device name
119
120	node = first # just a nickname
121	hostname = first.example.net # the DNS name or IP address of the host
122
123	node = second
124	hostname = 133.55.82.9
125
126	node = third
127	hostname = third.example.net
128
129	The only other file neccessary if the C<if-up> script that initializes the
130	local ethernet interface. Put the following lines into C</etc/vpe/if-up>
131	and make it execute (C<chmod 755 /etc/vpe/if-up>):
132
133	#!/bin/sh
134	ip link set $IFNAME address $MAC mtu $MTU up
135	[ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME
136	[ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME
137	[ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME
138	ip route add 10.0.0.0/16 dev $IFNAME
139
140	This script will give each node a different IP address in the C<10.0/16>
141	network. The internal network (e.g. the C<eth0> interface) should then be
142	set to a subset of that network, e.g. C<10.0.1.0/24> on node C<first>,
143	C<10.0.2.0/24> on node C<second>, and so on.
144
145	By enabling routing on the gateway host that runs C<vped> all nodes will
146	be able to reach the other nodes. You can, of course, also use proxy arp
147	or other means of pseudo-bridging (or even real briding), or (best) full
148	routing - the choice is yours.
149
150	=head2 STEP 2: create the RSA key pairs for all hosts
151
152	Run the following command to generate all key pairs (that might take a
153	while):
154
155	vpectrl -c /etc/vpe -g
156
157	This command will put the public keys into C<<
158	/etc/vpe/pubkeys/I<nodename> >> and the private keys into C<<
159	/etc/vpe/hostkeys/I<nodename> >>.
160
161	=head2 STEP 3: distribute the config files to all nodes
162
163	Now distribute the config files to the other nodes. This should be done in two steps, since the
164	private keys should not be distributed. The example uses rsync-over-ssh
165
166	First all the config files without the hostkeys should be distributed:
167
168	rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys
169	rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys
170	rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys
171
172	Then the hostkeys should be copied:
173
174	rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey
175	rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey
176	rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey
177
178	You should now check the configration by issuing the command C<vpectrl -c
179	/etc/vpe -s> on each node and verify it's output.
180
181	=head2 STEP 4: starting vped
182
183	You should then start vped on each node by issuing a command like:
184
185	vped -D -linfo first # first is the nodename
186
187	This will make the vped stay in foreground. You should then see
188	"connection established" messages. If you don't see them check your
189	firewall and routing (use tcpdump ;).
190
191	If this works you should check your networking setup by pinging various
192	endpoints.
193
194	To make vped run more permanently you can either run it as a daemon
195	(by starting it without the C<-D> switch), or, much better, from your
196	inittab. I use a line like this on my systems:
197
198	t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1
199
200	=head2 STEP 5: enjoy
201
202	... and play around. Sending a -HUP (C<vpectrl -kHUP>) to the daemon
203	will make it try to connect to all other nodes again. If you run it from
204	inittab, as is recommended, C<vpectrl -k> (or simply C<killall vped>) will
205	kill the daemon, start it again, making it read it's configuration files
206	again.
207
208	=head1 SEE ALSO
209
210	vpe.osdep(5) for OS-depedendent information, vped.conf(5), vpectrl(8), and
211	for a description of the protocol and routing algorithms, vpe.protocol(7).
212
213	=head1 AUTHOR
214
215	Marc Lehmann <vpe@plan9.de>
216
217	=head1 COPYRIGHTS AND LICENSES
218
219	Vpe itself is distributed under the GENERAL PUBLIC LICENSE (see the file
220	COPYING that should be part of your distribution).
221
222	In some configurations it uses modified versions of the tinc vpn suite,
223	which is also available under the GENERAL PUBLIC LICENSE.
224
225	In some configurations (notably darwin), it uses a poll emulation library
226	that comes with the following license notice:
227
228	Copyright (c) 1995-2002 Brian M. Clapper
229	All rights reserved.
230
231	Redistribution and use in source and binary forms are permitted
232	provided that: (1) source distributions retain this entire
233	copyright notice and comment; (2) modifications made to the
234	software are prominently mentioned, and a copy of the original
235	software (or a pointer to its location) are included; and (3)
236	distributions including binaries display the following
237	acknowledgement: "This product includes software developed by Brian
238	M. Clapper <bmc@clapper.org>" in the documentation or other
239	materials provided with the distribution. The name of the author
240	may not be used to endorse or promote products derived from this
241	software without specific prior written permission.
242
243	THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
244	IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
245	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
246
247