- vTUN is a realtively easy way to create VPN tunnels. It is easy to install, configure and use. Unfortunately, I had to spend some time, trying to compile it on my RH 8.0 system.
- I am asssuming that we are using the following setup.
- RedHat 8.0/9.0 kernels comes with support for Tun/Tap driver. Hence you don't need to do anything to enable kernel level support for it. If you do need to rebuild the kernel, take a look at the instructions mentioned here.
- A side Note: The Tun/Tap driver just passes an IP packet back to an appropriate application and vice versa. It does not add any link layer headers (unlike the ethernet device which adds 14 bytes of header), to the packet when it is passed to the application. You can hack into the tun driver (available in /usr/src/linux/drivers/net/tun.c). You can use Chapter 3 and 14 of Linux Device Drivers, 2nd Edition, for more indepth information.
- Download the latest version of vTun from http://vtun.sourceforge.net/
and install it using the
normal #./configure; make; make install commads. On RH 8.0, i faced a problem, where the configuration script
could not locate the /usr/include/linux/if_tun.h file. As a result of this I used to get the following error
Can't allocate tun device . No such file or directory(2)
In order to circumvent this, i executed #aclocal; autoconf commands in the source tree and then followed the normal installation instructions. These commands create a new configure script that will locate the said file. I did not use any RPM's as at the time of this writing as no RPM's were available for my system. - The configuration files for vTun are a bit different for the client(mia) and
Server(zidler). Below I list these files.
The explanations for various options are explained within the file (so one should read the comments).
If in doubt,make full use of man vtund.conf.
The below configuration will set up an IP tunnel. If you would like to use PPP to set up the tunnel, take a look at
vtund with PPP document.
shashank@zidler:~> cat /etc/vtund.conf options { # type stand; # stand(default), inet (used only at server) port 5000; # Server will listen on this port for incoming requests. syslog daemon; # Syslog facility # Path to various programs ppp /usr/sbin/pppd; #Path to the pppd. Use "which pppd" to find this. ifconfig /sbin/ifconfig; route /sbin/route; firewall /sbin/iptables; ip /sbin/ip; } # Default session options default { # type tun; #tun, ether, tty(default), pipe (Used only at Server) # proto tcp; #udp, tcp(default) (Used only at server) # device tun0; compress no; # no, yes, zlib:(1-9), lzo:(1-9); e.g. zlib:1 (default) (Used only at server) encrypt yes; #yes, no (used only at server) stat yes; #yes, no: check /var/log/vtund/SessionName_X speed 0; #By default maximum speed, NO shaping (Used only at server) # keepalive yes; #Used to keep alive the connection. (Used only at server) } # TUN example. Session 'cobra'. IP-Tunnel { passwd abcd1234; # Password type tun; # IP tunnel proto tcp; # UDP protocol compress lzo:9; # LZO compression level 9 encrypt yes; # Encryption keepalive yes; # Keep connection alive stat yes; #yes, no up { # Connection is Up # 10.3.0.1 - local, 10.3.0.2 - remote ifconfig "%% 192.168.254.201 pointopoint 192.168.254.200 mtu 1450"; route "add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.254.200"; }; down { # Connection is down # 10.3.0.1 - local, 10.3.0.2 - remote ifconfig "%% down"; route "del -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.254.200"; }; } --------------------------------------------------------- shashank@mia:~> cat /etc/vtund.conf options { port 5000; # Listen on this port. syslog 7; # Syslog facility # Path to various programs ppp /usr/sbin/pppd; ifconfig /sbin/ifconfig; route /sbin/route; firewall /sbin/tables; ip /sbin/ip; } # Default session options default { # type tun; #tun, ether, tty, pipe # proto tcp; #udp, tcp compress no; # no, yes, zlib, lzo encrypt yes; #yes, no stat yes; #yes, no speed 0; # By default maximum speed, NO shaping } # TUN example. Session 'cobra'. IP-Tunnel { passwd abcd1234; # Password type tun; # IP tunnel proto udp; # UDP protocol compress lzo:9; # LZO compression level 9 encrypt yes; # Encryption keepalive yes; # Keep connection alive # persist yes; up { # Connection is Up ifconfig "%% 192.168.254.200 pointopoint 192.168.254.201 mtu 1450"; route "add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.254.201"; }; down { # Connection is down ifconfig "%% down"; route "del -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.254.201"; }; }Note how I have added/deleted routes in the two files. - Now first start the vtund on the server using the following command.
Use an additional "-n" option to keep the process in
foreground.
shashank@zidler:# vtund -s -f /etc/vtund.conf
NOTE THAT I am using the -f /etc/vtund.conf to specify the configuration file as vtund uses /usr/local/etc/vtund.conf by default(In the man page for vtund, the default configuration file is specified as "/etc/vtund.conf", which is erroneous). You don't need to specify this option, if you use /usr/local/etc/vtund.conf.
- Start the vtund at the client, using the following command. Again you can use an additional "-n" option
to keep the process in foreground.
[shashank@mia shashank]# vtund -f /etc/vtund.conf IP-Tunnel zidler
- You can see the log messages in /var/log/messages unless you have configured something else
in /etc/syslog.conf.
The logs appears as follows:
shashank@zidler:/home/shashank# tail -n 5 /var/log/messages May 31 22:00:29 zidler vtund[5553]: VTUN server ver (Name,0) 05/31/2003 (stand) May 31 22:00:36 zidler vtund[5554]: Session IP-Tunnel[131.193.50.165:55142] opened May 31 22:00:36 zidler vtund[5554]: LZO compression[level 9] initialized May 31 22:00:36 zidler vtund[5554]: BlowFish encryption initialized May 31 22:00:36 zidler /etc/hotplug/net.agent: invoke ifup tun0 -------------------------------------------------------------------- [shashank@mia shashank]# tail -n 6 /var/log/messages May 31 21:51:21 mia vtund[1146]: VTun client ver 2.6 05/31/2003 started May 31 21:51:21 mia vtund[1146]: Connecting to zidler May 31 21:51:21 mia vtund[1146]: Session IP-Tunnel[zidler] opened May 31 21:51:21 mia /etc/hotplug/net.agent: invoke ifup tun0 May 31 21:51:21 mia vtund[1146]: LZO compression[level 9] initialized May 31 21:51:21 mia vtund[1146]: BlowFish encryption initialized
- Use the ifconfig command to check if the interface has come up.
shashank@zidler:/home/shashank# ifconfig --SNIP-- tun0 Link encap:Point-to-Point Protocol inet addr:192.168.254.201 P-t-P:192.168.254.200 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1450 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) - Check connectivity using ping. Also check if the routes have properly setup using netstat -rn
- Now comes the experimentation.
- The below diagram traces the path taken by a packet as it travels over the virtual tunnel.
- Each layer of protocol adds some bytes of overhead. This is illustrated in the above diagram.
Note that Tun/Tap driver adds ZERO bytes of overhead. To find out about the overhead instroduced by vtun, I had to hack into the source code (v 1.5.4), as no standard documentation is present. More speciofically look at the following files/functions:-------------------------------------------------------------------------------------------- Source File Purpose Function Name -------------------------------------------------------------------------------------------- lfd_encrypt.c Handles Encryptions int encrypt_buf(...), int int decrypt_buf(...) lfd_lzo.c Handles Compression(lzo) int comp_lzo(...), int decomp_lzo(...) lfd_zlib.c Handles Compression(zlib) int zlib_comp(...), int zlib_decomp(...) lfd_shaper.c Was't doing much at this time, but will be modified in future. -------------------------------------------------------------------------------------------- - You will find that vtun bundles packet(without compression) as:
ushort packet_len (2 Bytes) int padding (1-8 bytes), with first bytes specifying the length of padding. n1-bytes payload
Thus vtun adds a minimum of (1 (padding) + 2) = 3 bytes and Maximum of (8(padding) + 2) = 10 bytes of overhead. If compression is used then this overhead will be further reduced. - If no encryption is used, then vtun layer will not add the padding bytes, thus resulting in only two bytes of overhead.
- Assuming no compression mechanism is used in vTun,
and using the cipher blowfish(Only one supported currently; BLK_SIZE=8 Bytes, KEY=16 Bytes)
, we conducted a series of experiments with varying application input sizes.
The input data for this experiment was totally random.
An example of such data is shown below:
seq_no: 0 Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3; "Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/ U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4qThis data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
The results are presented below (They agree with the calculated value: Note that we operated vtun daemon over TCP. However it can also be operated over UDP.
-------------------------------------------------------- Application Data Data on wire Overhead (No comp) -------------------------------------------------------- 100 204 104 275 372 97 350 452 102 502 604 102 613 716 103 750 852 102 849 948 99 917 1020 103 1010 1108 98 1200 1300 100 -------------------------------------------------------- Average Overhead: 101 --------------------------------------------------------
- I enabled full compression for vtun by specifying the option compress lzo:9; for lzo compression and compress zlib:9; for zlib compression.
- The input data for this experiment was again random. An example of such data is shown below:
seq_no: 0 Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3; "Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/ U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4qThis data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
The experimental results are presented below:---------------------------------------------------------------------------------------- Application Data Data on wire Overhead Data on Wire Overhead (full Comp) (Full Comp) lzo:9 zlib:9 ---------------------------------------------------------------------------------------- 100 204 104 180 80 275 380 105 348 73 350 460 110 412 62 502 612 110 540 38 613 724 111 636 23 750 860 110 748 -2 849 956 107 828 -21 917 1028 111 884 -33 1010 1116 106 964 -46 1200 1308 108 1116 -84 ---------------------------------------------------------------------------------------- Average Overhead: 108.2 9 ---------------------------------------------------------------------------------------- - Using compressionm, it is not possible to estimate the amount of overhead, as the amount of compression really depends on the entropy in the data. It is entirely possible for the data on the wire to be lesser in size to the input data. For e.g. when we used an input data of size 1200 bytes (each having a value "S"), we found that the packet size on the wire was just 130 Bytes.
- vTun tunnels, do not have inbuilt routing mechanisms. As a result the user
has to take care of establishing routes to remote networks. This can be done in the following two ways:
- Static routes can be set up within vtund.conf file as we have done, using the command:
route add -net network/netmask gw gateway-ip
Although this method is simple for small networks, it becomes exceedingly difficult to maintain such routes once your network reaches a decent size (> 5 nodes, say). Hence one should avoid using this method, unless you have a very small network. - Another way is to use a routing software that will set up/tear down the routes automatically. One such software to consider is Gnu Zebra with one of its components: OSPF. At the time of this writing, I could not find much documentation on how to configure zebra, and since I was not working with any complex network architectures, I preferred to use the first method. However, I do plan to include the steps to set up zebra in future.
- Static routes can be set up within vtund.conf file as we have done, using the command:
- vTun supports only one cipher (blowfish) and two different compression algorithms. However it seems that it is quite simple to introduce our own proprietary cipher (by introducing suitable functions in lfd_encrypt.c).
- It is also possible to introduce a proprietary compression algorithm by changing suitable functions in lfd_lzo.c or lfd_zlib.c.
- vTun does not use any HMAC, however you create a module similar to lfd_encrypt.c for adding
and additional MAC. Take a look at the structure lfd_mod:
struct lfd_mod { char *name; int (*alloc)(struct vtun_host *host); int (*encode)(int len, char *in, char **out); int (*avail_encode)(void); int (*decode)(int len, char *in, char **out); int (*avail_decode)(void); int (*free)(void); struct lfd_mod *next; struct lfd_mod *prev; };
- The vTun solution for forming VPN's is highly unscalable.
- For e.g. If a company has 'N' different sites, then it would be necessary to have O(N^2) point-to-point PPP-over-SSH links and each site will have to maintain an entry in the routing table for (N-1) other sites. I think a full mesh will be necessary in this case, as the complexity of maintaining any other network infrastructure will be prohibitively high.