Lightweight VPN solution: sigmavpn

Source: Internet
Author: User
Tags: secure vpn

Sigmavpn is a lightweight VPN solution designed to provide a simple and secure VPN tunnel for UNIX systems. Its official project page is http://code.google.com/p/sigmavpn.

This article is based on the procedures in the documentation found there.

1. sigmavpn is modular: it is easy to add new interfaces and encryption/encoding schemes.

2. sigmavpn is very small: only a few hundred lines of pure C code.

3. sigmavpn is easy to configure and allows multiple tunnels to be defined in one configuration file.

 

1. Introduction

Sigmavpn supports multiple concurrent tunnels and provides flexible interface/protocol settings. The configuration is usually stored in a file named sigmavpn.conf, which is in ini format.

1.1. Protocols

A protocol specifies how packets are encoded/decoded or encrypted/decrypted before they are sent and after they are received. Currently, three protocols are supported:

  • nacltai: a strong encryption method based on curve25519xsalsa20poly1305 from the NaCl library
  • nacl0: a weak encryption method, also based on curve25519xsalsa20poly1305 from the NaCl library
  • raw: unencrypted; packets are passed through unchanged
1.2. Interfaces

An interface specifies where the sigma executable reads packets from and writes them to. Currently supported options:

  • udp: the UDP protocol
  • tuntap: the tun/tap driver interface, used to create a virtual network card
1.3. Local and peer interfaces

Generally you need two interfaces: local and peer. The local interface is the entrance to your tunnel, and the peer interface is the tunnel itself. Therefore the local side usually carries plaintext, while the peer side carries encrypted data.

Sigma moves packets between the two interfaces, encrypting and decrypting them on the way:

You <-> Local <-> Protocol <-> Remote <-> ... <-> Remote <-> Protocol <-> Local <-> Partner

 

1.4. Protocol and interfaces

Generally a configuration contains two interfaces (one local and one peer) and one protocol. A typical encrypted VPN setup looks like this:

  • local: tuntap interface
  • protocol: nacltai
  • peer: UDP interface

With this tunnel configured:

  • Packets originating from the local tun/tap device are encrypted with nacltai and then sent out over UDP
  • Packets received over UDP are decrypted with nacltai and then written to your tun/tap device
2. Compile and install

To compile sigmavpn, download the source code and run the build and installation scripts provided in the source package.

The build script uses the following tools:

  • curl or wget
  • bzip2
  • gcc, binutils and friends
  • bash (the build script is written in bash syntax; you can adapt it to another shell)
2.1. Obtain the source code

Stable source packages are released after testing; we recommend using them. They are published on Google Code.

# wget http://sigmavpn.googlecode.com/files/sigmavpn-0.2.tar.gz
# tar zxf sigmavpn-0.2.tar.gz
# cd sigmavpn-0.2

Developers can obtain the latest source from the git repository.

# git clone https://code.google.com/p/sigmavpn/
# cd sigmavpn

 

2.2. Compile

2.2.1. Encryption scheme

If you need the NaCl encryption interface, pass the --with-nacl parameter. Building NaCl provides the nacl0 and nacltai encryption methods, which make the tunnel secure. Compiling NaCl is time-consuming. Once the NaCl library is built, a naclkeypair executable is also provided; it generates random keys for setting up an encrypted tunnel.

# sh build.sh --with-nacl

2.2.2. Plaintext scheme

Compiling without the --with-nacl parameter does not build the NaCl library, and the encryption schemes cannot be used.

# sh build.sh

 

2.3. Installation

Run the following command to install the compiled sigmavpn modules into the system directories.

# sudo sh install.sh

3. Configuration options

The sigma configuration file is a simple ini file. Each section represents one session (tunnel) and describes its options as a series of key = value pairs.

3.1. General options

Note: sigmavpn is sensitive to the order of the parameters in sigmavpn.conf. For example, proto must be defined before any proto_* option, local before any local_* option, and peer before any peer_* option.

Each entry below is given as option (allowed values): description.

  • proto (raw, nacl0, nacltai): the encryption/decryption protocol (on the Android platform, sigmavpn's nacltai is equivalent to tai64).
  • local (tuntap, udp): the local interface (usually tuntap).
  • peer (tuntap, udp): the peer interface (usually udp).

3.2. nacl0/nacltai-specific options

  • proto_privatekey (64-character hex string): your private key. It can be generated with the naclkeypair tool; configure the private key here and publish the matching public key to your partner.
  • proto_publickey (64-character hex string): the public key generated and published by your peer; configure it here.

3.3. UDP-specific options

  • peer_remoteaddr (IPv4/IPv6 address): the IP address of the peer (corresponds to the peer's peer_localaddr).
  • peer_remoteport (1 to 65535): the peer's UDP port (corresponds to the peer's peer_localport).
  • peer_remotefloat (0 or 1): when a correctly encrypted packet is received, the remote endpoint is automatically updated to that packet's source address and port. This lets the remote client keep communicating through the tunnel after its IP address or port changes. (If you set up a tunnel with sigmavpn on an Android device, you may need this option instead of peer_remoteaddr and peer_remoteport.) This option is only available in versions later than 0.2; you may need to fetch the latest source and recompile to enable it.
  • peer_localaddr (IPv4/IPv6 address): the IP address the local side listens on (corresponds to the peer's peer_remoteaddr).
  • peer_localport (1 to 65535): the local UDP port (corresponds to the peer's peer_remoteport).
  • peer_ipv6 (0 or 1): whether the UDP transport uses IPv6. The local and remote addresses must then be IPv6 addresses. If not specified, IPv4 is assumed. (Note that this option selects the address family of the UDP transport itself, not whether the traffic carried inside the tunnel can be IPv6.)
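The peer_remotefloat option is worth seeing in code, because the safety of a floating endpoint rests on one rule: the remote address may only move after a packet has authenticated; otherwise a forged datagram from anywhere could redirect the tunnel. The following is an added example written for this article, not sigmavpn's code. It models the receiving side of a udp peer interface and uses an HMAC-SHA256 tag as a stand-in for NaCl's authenticated encryption so that it runs without the NaCl library; the class name, function names and sample addresses are all constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not sigmavpn's code): a model of the peer_remotefloat rule.
# NaCl authenticated encryption is replaced by an HMAC-SHA256 tag so the
# example runs stand-alone; only the "authenticate, then float" logic matters.

TAG_LEN = 32


def seal(key: bytes, payload: bytes) -> bytes:
    """Prefix payload with an authentication tag (stand-in for encryption)."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def open_packet(key: bytes, packet: bytes):
    """Return the payload if the tag verifies, otherwise None."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, good) else None


class UdpPeerInterface:
    """Receiving side of a 'peer = udp' interface (simplified model)."""

    def __init__(self, key, remote, remotefloat=False):
        self.key = key
        self.remote = remote            # (peer_remoteaddr, peer_remoteport)
        self.remotefloat = remotefloat  # peer_remotefloat = 1
        self.delivered = []             # payloads passed on to the local side
        self.dropped = 0

    def on_datagram(self, src, packet):
        """Handle one UDP datagram that arrived from source address src."""
        payload = open_packet(self.key, packet)
        if payload is None:
            # Unauthenticated data never touches the remote address; a forged
            # datagram must not be able to redirect where we send traffic.
            self.dropped += 1
            return False
        if self.remotefloat and src != self.remote:
            self.remote = src           # peer roamed to a new address/port
        self.delivered.append(payload)
        return True

    def send_target(self):
        """Where outgoing encrypted packets are sent right now."""
        return self.remote


def scenario(remotefloat):
    """Roaming scenario; returns the send target after each event."""
    key = secrets.token_bytes(32)                          # constructed key
    home, roamed = ("192.0.2.10", 4567), ("198.51.100.7", 40000)
    iface = UdpPeerInterface(key, home, remotefloat)
    trace = []
    iface.on_datagram(home, seal(key, b"hello"))           # normal traffic
    trace.append(iface.send_target())
    iface.on_datagram(roamed, b"\x00" * 40)                # forged: bad tag
    trace.append(iface.send_target())
    iface.on_datagram(roamed, seal(key, b"after roaming"))  # authentic, new src
    trace.append(iface.send_target())
    return trace, iface.dropped, iface.delivered
```

With remotefloat enabled the target only changes at the third event, after the roamed peer proves it holds the key; the forged datagram is counted as dropped and leaves the target untouched. With remotefloat disabled the target never changes, which is the behaviour to keep when the peer's address is static.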

3.4. tuntap-specific options

  • local_interface (string): OS-dependent. Either a valid network device name (for example mytunnel on Linux 2.6+) or the full path to the tun or tap device (for example /dev/tun0 on Mac OS X).
  • local_tunmode (0 or 1): whether to use a layer-3 tun adapter instead of a layer-2 tap adapter (Linux 2.6+ only). A tun adapter carries IP packets rather than Ethernet frames. This is required if the other side runs the Android client of sigmavpn.
  • local_protocolinfo (0 or 1): whether to include the protocol information header in tun mode (Linux 2.6+ only). This may be required if you want to carry both IPv4 and IPv6 over a layer-3 tun tunnel. Do not use this option if the other side runs the Android client of sigmavpn, even for an IPv6 tunnel.

3.5. Example configuration file

[peername]
proto = nacl0
proto_publickey = publish
proto_privatekey = encrypted
local = tuntap
local_interface = tap0
peer = udp
peer_remoteaddr = 192.168.122.130
peer_remoteport = 4567
peer_localaddr = 192.168.122.180
peer_localport = 7654

Since Linux kernel 2.6, the local_interface value is simply the device name, such as "tunnel"; the full path does not need to be configured.

4. Steps

4.1. Compile nacltai

Check that your module directory contains proto_nacltai.o and that an executable named naclkeypair exists. If not, recompile and install with the --with-nacl parameter.

4.2. Create a configuration file

The installation script creates an empty configuration file: /usr/local/etc/sigmavpn.conf. Open the file and fill in the following template:

[peername]
proto = nacltai
proto_publickey =
proto_privatekey =
local = tuntap
local_interface =
peer = udp
peer_remoteaddr =
peer_remoteport =
peer_localaddr =
peer_localport =

4.3. Generate and exchange keys

Run naclkeypair to generate a key pair: one private key and one public key. Write the private key as the proto_privatekey value in the configuration file and publish the public key to your partner.

Your partner generates a key pair in the same way. Take the partner's public key and write it as the proto_publickey value in your configuration file.

4.4. Configure the IP address and port

Choose the IP address and port that sigmavpn listens on locally; these are the values of peer_localaddr and peer_localport. Tell your partner this address and port.

Your partner likewise tells you their address and port; configure them as the values of peer_remoteaddr and peer_remoteport.

4.5. Agree on the tunnel type

Choose the tunnel type with your partner: either tap (layer 2/Ethernet) or tun (layer 3/IP):

  • Linux: to use tun mode, set local_tunmode to 1. If you want to carry multiple protocols, such as IPv6, also set local_protocolinfo to 1.
  • Mac OS X: to use tun mode, set local_interface to the full path of the tunX device; otherwise set it to the full path of the tapX device.
4.6. Other configuration

  • Replace peername in the first line of the template with a name of your choice. The name does not affect session creation; it is purely for reporting purposes.
  • Linux: a name for the virtual network card is required as the value of local_interface. Sigmavpn creates a virtual network card with that name in the system.
4.7. Save the configuration and run sigmavpn

Save the configuration file, for example as /usr/local/etc/sigmavpn.conf. (/usr/local/etc/sigmavpn.conf is sigmavpn's default configuration file; if you use a different path, specify it with the -c parameter at run time.)

Start sigmavpn:

# sigmavpn -c /path/to/sigmavpn.conf

4.8. Check the NIC and assign an IP address

Run ifconfig to check the virtual NIC:

  • Linux: ifconfig interfacename
  • Mac OS X: ifconfig tap0 or ifconfig tun0, etc.

If the virtual network card is shown, assign it an IP address:

# ifconfig interfacename 10.8.0.1/24

Bring the interface up:

# ifconfig interfacename up

Once both sides are configured, you can ping the far end of the tunnel via its virtual IP address.
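Because sigmavpn reads sigmavpn.conf in order and expects values of a particular form (64 hex characters for keys, ports in range, addresses that match peer_ipv6), checking the file before starting the daemon saves debugging time. The script below is an added example for this article, not part of sigmavpn: it applies the rules from the option tables in section 3 and the checklist in section 4 to a configuration file. The parser, the check functions and the sample configuration (with dummy keys) are this example's own constructions; sigmavpn's real parser may differ in details.

```python
import ipaddress
import re

# Added example, not sigmavpn's own code: an offline checker for a
# sigmavpn.conf file. Option names and allowed values follow section 3;
# the ordering, key-format and address-family checks are this example's
# own logic, not a reproduction of sigmavpn's parser.

PROTOS = {"raw", "nacl0", "nacltai"}
IFACES = {"tuntap", "udp"}
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")   # a NaCl key as 64 hex characters


def parse(text):
    """Return {section: [(key, value), ...]}, preserving key order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_section(name, pairs):
    """Return a list of findings for one [section]; empty means clean."""
    out, seen = [], {}
    for key, value in pairs:
        # sigmavpn reads options in order: proto/local/peer must come first
        for head in ("proto", "local", "peer"):
            if key.startswith(head + "_") and head not in seen:
                out.append(f"[{name}] {key} appears before {head}")
        seen[key] = value
    proto, local, peer = seen.get("proto"), seen.get("local"), seen.get("peer")
    if proto not in PROTOS:
        out.append(f"[{name}] proto must be one of {sorted(PROTOS)}")
    elif proto == "raw":
        out.append(f"[{name}] warning: proto = raw sends traffic unencrypted")
    else:
        for k in ("proto_publickey", "proto_privatekey"):
            if not HEX64.match(seen.get(k, "")):
                out.append(f"[{name}] {k} must be 64 hex characters")
    if local not in IFACES or peer not in IFACES:
        out.append(f"[{name}] local and peer must each be tuntap or udp")
    if peer == "udp":
        want6 = seen.get("peer_ipv6", "0") == "1"
        floating = seen.get("peer_remotefloat", "0") == "1"
        for k in ("peer_localaddr", "peer_remoteaddr"):
            val = seen.get(k)
            if val is None:
                if not (floating and k == "peer_remoteaddr"):
                    out.append(f"[{name}] {k} is required")
                continue
            try:
                if (ipaddress.ip_address(val).version == 6) != want6:
                    out.append(f"[{name}] {k} does not match peer_ipv6 = {int(want6)}")
            except ValueError:
                out.append(f"[{name}] {k} is not a valid IP address")
        for k in ("peer_localport", "peer_remoteport"):
            val = seen.get(k)
            if val is None:
                if not (floating and k == "peer_remoteport"):
                    out.append(f"[{name}] {k} is required")
            elif not (val.isdigit() and 1 <= int(val) <= 65535):
                out.append(f"[{name}] {k} must be 1 to 65535")
    if local == "tuntap":
        if not seen.get("local_interface"):
            out.append(f"[{name}] local_interface is required")
        for k in ("local_tunmode", "local_protocolinfo"):
            if seen.get(k, "0") not in ("0", "1"):
                out.append(f"[{name}] {k} must be 0 or 1")
        if seen.get("local_protocolinfo") == "1" and seen.get("local_tunmode") != "1":
            out.append(f"[{name}] local_protocolinfo only applies when local_tunmode = 1")
    return out


def validate(text):
    """Validate a whole sigmavpn.conf; returns a list of findings."""
    sections = parse(text)
    if not sections:
        return ["no [peername] section found"]
    return [f for name, pairs in sections.items() for f in check_section(name, pairs)]


# Constructed sample in the order section 3.1 requires (dummy keys, not real ones)
BASE = [("proto", "nacltai"), ("proto_publickey", "aa" * 32),
        ("proto_privatekey", "bb" * 32), ("local", "tuntap"),
        ("local_interface", "tap0"), ("peer", "udp"),
        ("peer_remoteaddr", "192.168.122.130"), ("peer_remoteport", "4567"),
        ("peer_localaddr", "192.168.122.180"), ("peer_localport", "7654")]


def conf(pairs, name="peername"):
    """Render key/value pairs as sigmavpn.conf text."""
    return f"[{name}]\n" + "".join(f"{k} = {v}\n" for k, v in pairs)
```

Run validate(open(path).read()) on your own file before starting sigmavpn. The example configuration from section 3.5 yields two findings, because its placeholder key values are not 64 hex characters; moving proto_publickey above proto yields an ordering finding, and proto = raw yields a warning that the tunnel carries plaintext.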
