- vTUN is a realtively easy way to create VPN tunnels. It is easy to install, configure and use. Unfortunately, I had to spend some time, trying to compile it on my RH 8.0 system.
- I am asssuming that we are using the following setup.
- To install/configure vTun on your machines, follows the instructions listed here.
- Red Hat 8.0/9.0 comes with inbuilt support for ppp. Just check that you have version 2.4.2 (or higher) using
rpm -qi ppp. This version was released as a part of the PPP project, that has
inbuilt MPPE (Microsoft Point-to-Point Encryption) support.
Earlier PPP versions (realeased by the PPP project) did not have this support (and probably no one in the PPP core project team wanted to put it in). Hence another independent team had realsed their own ppp code (Ver 2.4.0) having MPPE support.
So if you have this older version (> 2.4.0), consider upgrading it to the newer version as many option names have been changed in the newer 2.4.2 version. For more information, refer to this site. - I will assume that you have ppp v2.4.2 installed and up and running.
- FIRST CONFIGURE THE SERVER PROPERLY: vTund has very limited functionality here.
It is only necessary to start a server process that can accept request and start the pppd.
Below I list the /etc/vtund.conf file. Make full use of man vtund.conf to get help.
shashank@zidler:/etc# cat vtund.conf options { port 5000; # Listen on this port. syslog daemon; # Syslog facility # Path to various programs ppp /usr/sbin/pppd; ifconfig /sbin/ifconfig; route /sbin/route; firewall /sbin/tables; ip /sbin/ip; } # Default session options default { # type tun; #tun, ether, tty(default), pipe # proto tcp; #udp, tcp compress no; # no, yes, zlib, lzo encrypt yes; #yes, no stat yes; #yes, no: check /var/log/vtund/SessionName_X speed 0; # By default maximum speed, NO shaping } IP-Tunnel { --SNIP--Discussed in http://mia.ece.uic.edu/~papers/volans/vtund.html } PPP-Tunnel { passwd qwer1234; # Password to authenticate the vtund client type tty; # PPP tunnel. proto tcp; # Use UDP or TCP protocol # compress lzo:9; # LZO compression level 9 encrypt yes; # Encryption keepalive yes; # Keep connection alive stat yes; #yes, no up { # Connection is Up ppp "file /etc/ppp/options.vtund"; }; down { # Connection is down }; }Note: In this configuration file, I am asking ppp to get all the options from the file /etc/ppp/options.vtund. Below i have listed the options that i have used for pppd specified in the /etc/ppp/options.vtund . More information about these options can be got from man pppd or from this document (Point iv).noauth lock #debug #dump #logfd 2 #To Enable PPP compression Comment the following line. --START-- noccp novj novjccomp nopcomp noaccomp #To Enable PPP compression Comment the following line. --END-- #localip:remoteip 192.168.254.201:192.168.254.200 #The 6th parameter to the /etc/ppp/ip-up and /etc/ppp/ip-down scripts. #This can be used to set up routing table. ipparam 192.168.0.0
- Start the vtund on the server using the folloing command. Use an additional -n option to keep the process in
foreground.
shashank@zidler:# vtund -s -f /etc/vtund.conf
NOTE: I am using the -f /etc/vtund.conf to specify the location of configuration file, which is always better than guessing the default location. - CONFIGURE THE CLIENT PROPERLY: Below I have shown the /etc/vtund.conf file for the client.
[shashank@mia /etc]# cat vtund.conf options { --SNIP--- same as server } # Default session options default { --SNIP-- same as server } # TUN example. IP-Tunnel { --SNIP--Discussed in http://mia.ece.uic.edu/~papers/volans/vtund.html } # PPP tunnel example. PPP-Tunnel { passwd qwer1234; # Password type tty; # PPP tunnel. proto tcp; # UDP/TCP protocol # compress lzo:9; # LZO compression level 9 encrypt yes; # Encryption # keepalive yes; # Keep connection alive # persist yes; up { # Connection is Up ppp "file /etc/ppp/options.vtund"; }; down { # Connection is down }; }Similar to the server, I have specified an options file for the client in /etc/ppp/options.vtund file:noauth lock debug dump #logfd 1 logfile /var/log/vtund.log passive updetach #To Enable PPP compression Comment the following line. --START-- noccp novj novjccomp nopcomp noaccomp #To Enable PPP compression Comment the following line. --END-- #The 6th parameter to the /etc/ppp/ip-up and /etc/ppp/ip-down scripts. #This can be used to set up routing table. ipparam 192.168.2.0
- Start the vtund at the client, using the following command. Again you can use an additional -n option
to keep the process in foreground.
[shashank@mia shashank]# vtund -f /etc/vtund.conf PPP-Tunnel zidler
- You can see the log messages in /var/log/messages
unless you have configured something else in /etc/syslog.conf.
The logs appears as follows:
shashank@zidler:/home/shashank# tail -n 5 /var/log/messages May 31 22:00:29 zidler vtund[5553]: VTUN server ver (Name,0) 05/31/2003 (stand) May 31 22:00:36 zidler vtund[5554]: Session IP-Tunnel[131.193.50.165:55142] opened May 31 22:00:36 zidler vtund[5554]: LZO compression[level 9] initialized May 31 22:00:36 zidler vtund[5554]: BlowFish encryption initialized May 31 22:00:36 zidler /etc/hotplug/net.agent: invoke ifup tun0 -------------------------------------------------------------------- [shashank@mia shashank]# tail -n 6 /var/log/messages May 31 21:51:21 mia vtund[1146]: VTun client ver 2.6 05/31/2003 started May 31 21:51:21 mia vtund[1146]: Connecting to zidler May 31 21:51:21 mia vtund[1146]: Session IP-Tunnel[zidler] opened May 31 21:51:21 mia /etc/hotplug/net.agent: invoke ifup tun0 May 31 21:51:21 mia vtund[1146]: LZO compression[level 9] initialized May 31 21:51:21 mia vtund[1146]: BlowFish encryption initialized
- Use the ifconfig command to check if the interface has come up.
shashank@zidler:/home/shashank# ifconfig --SNIP-- ppp0 Link encap:Point-to-Point Protocol inet addr:192.168.254.201 P-t-P:192.168.254.200 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:7 errors:0 dropped:0 overruns:0 frame:0 TX packets:7 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:240 (240.0 b) TX bytes:234 (234.0 b) - Check connectivity using ping. Also check if the routes have properly setup using netstat -rn
- The below diagram traces the path taken by a packet as it travels over the virtual tunnel.
- NOTE: Each layer of protocol adds some bytes of overhead. This is illustrated in the above diagram.
The PPP layer adds some header and trailer. The header consists of a flag (0x7e), followed by 1 to 4 bytes of header (negotiable). The trailer consists of 2 bytes of CRC, followed by ending flag (0x7e). Thus the PPP layer adds a maximum of 8 Bytes and a minimum of 5 bytes. - To find out about the overhead instroduced by vtun layer,
I had to hack into the source code (v 1.5.4), as no standard documentation is present. More specifically look
at the following files/functions:
-------------------------------------------------------------------------------------------- Source File Purpose Function Name -------------------------------------------------------------------------------------------- linkfd.c Calls all the below modules int lfd_run_down(..),int lfd_run_up(...) lfd_encrypt.c Handles Encrypt/decrypt int encrypt_buf(...), int int decrypt_buf(...) lfd_lzo.c Handles Comp/Decomp(lzo) int comp_lzo(...), int decomp_lzo(...) lfd_zlib.c Handles Comp/Decomp(zlib) int zlib_comp(...), int zlib_decomp(...) lfd_shaper.c Was't doing much at this time, but will be modified in future. -------------------------------------------------------------------------------------------- - You will find that vtun bundles packet(without compression) as:
ushort packet_len (2 Bytes) int padding (1-8 bytes), with first bytes specifying the length of padding. n1-bytes payload
Thus vtun adds a minimum of (1 (padding) + 2) = 3 bytes and Maximum of (8(padding) + 2) = 10 bytes of overhead. The padding bytes ARE NOT added if no encryption is used, thus resulting in only two bytes of overhead. If compression is used then this overhead will be further reduced. NOTE: The encryption algorithm may add some extra BLK_SZE bytes of padding. - Assuming no compression mechanism is used in PPP and vTun,
and using the cipher blowfish(only one supported currently; BLK_SIZE=8 Bytes, KEY=16 Bytes)
, we conducted a series of experiments with varying application input sizes.
The input data for this experiment was totally random.
An example of such data is shown below:
seq_no: 0 Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3; "Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/ U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4qThis data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
The results are presented below (They agree with the calculated value: Note that we operated vtun daemon over TCP. However it can also be operated over UDP).
-------------------------------------------------------- Application Data Data on wire Overhead (No comp) -------------------------------------------------------- 100 212 112 275 388 113 350 460 110 502 622 120 613 724 111 750 868 118 849 964 115 917 1036 119 1010 1132 122 1200 1316 116 -------------------------------------------------------- Average Overhead: 115.6 --------------------------------------------------------
- Three sets of experiments were performed:
- Enable lzo:9 compression at the vtun layer using the option: compress lzo:9; in /etc/vtund.conf.
- Enable zlib:9 compression at the vtun layer using the option: compress zlib:9;/etc/vtund.conf.
- Enable ppp compression at the PPP layer using by NOT specifying the options noccp, novj, novjccomp nopcomp, noaccomp in /etc/ppp/options.vtund, and disabling compression at vtun layer.
- The input data for this experiment was again random. An example of such data is shown below:
seq_no: 0 Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3; "Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/ U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4qThis data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
The experimental results are presented below:---------------------------------------------------------------------------------------- App Data on wire Overhead Data on Wire Overhead Data on wire Overhead Data (full Comp) (Full Comp) (Ful Comp) lzo:9 zlib:9 PPP ---------------------------------------------------------------------------------------- 100 212 112 188 88 188 88 275 396 121 356 81 356 81 350 468 118 420 70 420 70 502 628 126 548 46 548 46 613 740 127 644 31 644 31 750 876 126 764 14 756 6 849 972 123 836 -13 836 -13 917 1044 127 900 -17 892 -25 1010 1140 130 980 -30 972 -38 1200 1332 132 1132 -68 1124 -76 ---------------------------------------------------------------------------------------- Average Overhead: 124.2 20.2 17 ---------------------------------------------------------------------------------------- - Using compressionm, it is not possible to estimate the amount of overhead, as the amount of compression really depends on the entropy in the data. It is entirely possible for the data on the wire to be lesser in size to the input data. For e.g. when we used an input data of size 1200 bytes (each having a value "S"), we found that the packet size on the wire was just 130 Bytes.
- vTun tunnels, do not have inbuilt routing mechanisms. As a result the user
has to take care of establishing routes to remote networks. This can be done in the following two ways:
- Static routes can be set up within vtund.conf file as we have done, using the command:
route add -net network/netmask gw gateway-ip
Although this method is simple for small networks, it becomes exceedingly difficult to maintain such routes once your network reaches a decent size (> 5 nodes, say). Hence one should avoid using this method, unless you have a very small network. - Another way is to use a routing software that will set up/tear down the routes automatically. One such software to consider is Gnu Zebra with one of its components: OSPF. At the time of this writing, I could not find much documentation on how to configure zebra, and since I was not working with any complex network architectures, I preferred to use the first method. However, I do plan to include the steps to set up zebra in future.
- Static routes can be set up within vtund.conf file as we have done, using the command:
- vTun supports only one cipher (blowfish) and two different compression algorithms. However it seems that it is quite simple to introduce our own proprietary cipher (by introducing suitable functions in lfd_encrypt.c).
- It is also possible to introduce a proprietary compression algorithm by changing suitable functions in lfd_lzo.c or lfd_zlib.c.
- vTun does not use any HMAC, however you create a module similar to lfd_encrypt.c for adding
an additional MAC. Take a look at the structure lfd_mod:
struct lfd_mod { char *name; int (*alloc)(struct vtun_host *host); int (*encode)(int len, char *in, char **out); int (*avail_encode)(void); int (*decode)(int len, char *in, char **out); int (*avail_decode)(void); int (*free)(void); struct lfd_mod *next; struct lfd_mod *prev; };
- The vTun solution for forming VPN's is highly unscalable.
- For e.g. If a company has 'N' different sites, then it would be necessary to have O(N^2) point-to-point PPP-over-SSH links and each site will have to maintain an entry in the routing table for (N-1) other sites. I think a full mesh will be necessary in this case, as the complexity of maintaining any other network infrastructure will be prohibitively high.