Terrific, time tested tools, tricks, and techniques that are tried and true for tough, temporary, transient, and tenacious tunnelling over treacherous telecommunications transmissions, without the tremendous, tedious, and tiresome task of tactically taking out two-timing trickers.
Setup, explore, and test various VPN implementations and tunneling protocols.
In order to successfully accomplish/perform this project, the listed resources/experiences need to be consulted/achieved:
State the idea or purpose of the project. What are you attempting to pursue?
Upon approval, you'll want to fill this section out with more detailed background information. DO NOT JUST PROVIDE A LINK.
Providing any links to original source material, such as from a project page, is a good idea.
You'll want to give a general overview of what is going to be accomplished (for example, if your project is about installing a web server, do a little write-up on web servers. What is it, why do we need one, how does it work, etc.)
Give a general overview of your anticipated implementation of the project. Address any areas where you are making upfront assumptions or curtailing potential detail. State the focus you will be taking in implementation.
State and justify the attributes you'd like to receive upon successful approval and completion of this project.
# OpenWRT side: GRE tunnel to the VM (plain GRE carries the inner packet
# unencrypted and without any peer authentication)
$ ip tunnel add ipip1 mode gre remote <VM-IP> local <OPENWRT-IP>
$ ip link set ipip1 up
$ ip addr add 10.3.3.1/24 dev ipip1

# VM side: GRE tunnel back to OpenWRT
$ ip tunnel add ipip1 mode gre remote <OPENWRT-IP> local <VM-IP>
$ ip link set ipip1 up
$ ip addr add 10.3.3.2/24 dev ipip1

# OpenWRT side: IPIP tunnel to the VM (same caveat as GRE)
$ ip tunnel add ipip0 mode ipip remote <VM-IP> local <OPENWRT-IP>
$ ip link set ipip0 up
$ ip addr add 10.2.2.1/24 dev ipip0

# VM side: IPIP tunnel back to OpenWRT
$ ip tunnel add ipip0 mode ipip remote <OPENWRT-IP> local <VM-IP>
$ ip link set ipip0 up
$ ip addr add 10.2.2.2/24 dev ipip0
L2TPv3 Ethernet “pseudowire” setup with UDP encapsulation
# OpenWRT side
$ opkg update
$ opkg install kmod-l2tp-eth
$ opkg install ip-full
$ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
    udp_sport 5000 udp_dport 5000 encap udp \
    local <OPENWRT-IP> remote <VM-IP>
$ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
$ ip link set l2tpeth0 up mtu 1428
$ ip addr add 10.6.6.1/24 dev l2tpeth0

# VM side
$ modprobe l2tp_eth
$ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
    udp_sport 5000 udp_dport 5000 encap udp \
    local <VM-IP> remote <OPENWRT-IP>
$ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
$ ip link set l2tpeth0 up mtu 1428
$ ip addr add 10.6.6.2/24 dev l2tpeth0
# OpenWRT side (OpenVPN client; the -nossl build has no crypto, so with no
# --secret or TLS options this tunnel is unauthenticated and unencrypted)
$ opkg update
$ opkg install openvpn-nossl
$ openvpn --dev tun --remote <VM-IP> \
    --proto udp --mssfix 1472 \
    --comp-lzo no --ifconfig 10.5.5.1 10.5.5.2

# VM side (OpenVPN server)
$ openvpn --dev tun --proto udp \
    --mssfix 1472 --comp-lzo no \
    --fast-io --ifconfig 10.5.5.2 10.5.5.1
# OpenWRT side (PPTP client)
$ vi /etc/config/network
[...]
config interface 'vpn'
	option proto 'pptp'
	option server '<VM-IP>'
	option username 'vpn'
	option password 'vpn'
	option auto '0'
	option delegate '0'
	option defaultroute '0'
	option peerdns '0'
	option mtu '1462'

# VM side (PPTP server)
$ apt-get install pptpd
$ vi /etc/pptpd.conf
option /etc/ppp/pptpd-options
localip 10.4.4.1
remoteip 10.4.4.10-15
$ vi /etc/ppp/pptpd-options
name pptpd
nodefaultroute
lock
nobsdcomp
nologfd
mtu 1462
$ vi /etc/ppp/chap-secrets
# client  server  secret  IP addresses
vpn * vpn *
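The mtu 1428 on the L2TPv3 pseudowire and mtu 1462 on the PPTP link above are what is left of a 1500-byte carrier MTU after each encapsulation's per-packet headers; getting this wrong shows up as stalled TCP sessions once the tunnel is up. The script below is an added example (not part of the original project page) that computes the inner MTU and the TCP MSS to clamp for the encapsulations used on this page plus WireGuard, and prints an iptables TCPMSS rule for a tunnel interface. The GRE, IPIP, PPTP and WireGuard overheads are fixed header sizes; the 72-byte L2TPv3 figure is an assumption back-derived from the page's 1428, not computed from the header layout.

```shell
#!/bin/sh
# Added example, not from the original page: inner MTU and TCP MSS for the
# encapsulations used on this page, from fixed per-packet header overheads.

# tunnel_overhead <encap>: bytes added outside the tunnelled IPv4 packet.
tunnel_overhead() {
    case "$1" in
        ipip)       echo 20 ;;   # outer IPv4 header
        gre)        echo 24 ;;   # outer IPv4 + 4-byte GRE header (no key/csum/seq)
        pptp)       echo 38 ;;   # outer IPv4 + 16-byte enhanced GRE (key, seq, ack) + 2-byte PPP protocol
        wireguard4) echo 60 ;;   # outer IPv4 + UDP + 32-byte WireGuard data header and auth tag
        wireguard6) echo 80 ;;   # as above with an outer IPv6 header
        l2tpv3)     echo 72 ;;   # assumption: implied by the mtu 1428 used above, not derived here
        *) echo "tunnel_overhead: unknown encapsulation '$1'" >&2; return 1 ;;
    esac
}

# tunnel_mtu <encap> [carrier_mtu]: MTU to set on the tunnel interface
# (carrier MTU defaults to 1500).
tunnel_mtu() {
    ovh=$(tunnel_overhead "$1") || return 1
    echo $(( ${2:-1500} - ovh ))
}

# tcp_mss <mtu>: largest IPv4 TCP segment that fits (20-byte IP + 20-byte TCP headers).
tcp_mss() {
    echo $(( $1 - 40 ))
}

# mss_clamp_rule <iface> <encap> [carrier_mtu]: iptables rule that rewrites the
# MSS of SYNs forwarded out of the tunnel interface, so hosts behind the tunnel
# never send segments it cannot carry even when path MTU discovery is blocked.
mss_clamp_rule() {
    mtu=$(tunnel_mtu "$2" "${3:-}") || return 1
    echo "iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(tcp_mss "$mtu")"
}

# Stand-alone use: sh tunmtu.sh table [carrier_mtu]
if [ "${1:-}" = "table" ]; then
    printf '%-11s %5s %5s\n' encap mtu mss
    for e in ipip gre pptp l2tpv3 wireguard4 wireguard6; do
        m=$(tunnel_mtu "$e" "${2:-}")
        printf '%-11s %5s %5s\n' "$e" "$m" "$(tcp_mss "$m")"
    done
    mss_clamp_rule wg0 wireguard6 "${2:-}"
fi
```

The table reproduces the page's own numbers (ipip 1480, gre 1476, pptp 1462, l2tpv3 1428) and the 1420 that wg-quick sets by default, which is the IPv6-safe WireGuard value.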
Forwarding a local TCP port to a remote TCP port:
# local port 2022 -> 10.150.35.74:22, as reachable from remotehost
$ ssh -L 127.0.0.1:2022:10.150.35.74:22 tunneluser@remotehost.example.com
# local port 8080 -> port 80 on remotehost itself
$ ssh -L 8080:localhost:80 tunneluser@remotehost.example.com
# bind the local listener on a LAN address instead of loopback
$ ssh -L 192.168.3.45:8080:web01.example.com:80 tunneluser@remotehost.example.com
Forwarding a remote TCP port to a local TCP port:
# port 2022 on bastionhost -> local port 22
$ ssh -R localhost:2022:localhost:22 tunneluser@bastionhost.example.com
# binding a non-loopback address on the remote side needs GatewayPorts enabled in its sshd_config
$ sudo ssh -R web99.example.com:80:localhost:80 root@web99.example.com
Establishing a Layer-2 SSH VPN using “tap” devices:
# local host
# create a "tap0" virtual network interface
$ sudo tunctl -t tap0
## or ##
$ sudo ip tuntap add dev tap0 mode tap
# configure the "tap0" interface
$ sudo ifconfig tap0 192.168.1.101 netmask 255.255.255.0
# start the SSH Layer-2 VPN tunnel (the remote sshd needs PermitTunnel ethernet, or yes)
$ ssh -o Tunnel=ethernet -f -w 0:0 root@remotehost.example.com true

# remotehost.example.com
# create a "tap0" virtual network interface
$ sudo tunctl -t tap0
## or ##
$ sudo ip tuntap add dev tap0 mode tap
# configure the "tap0" interface
$ sudo ifconfig tap0 192.168.1.102 netmask 255.255.255.0
Establishing a Layer-3 SSH VPN using “tun” devices:
# local host (the remote sshd needs PermitTunnel point-to-point, or yes)
$ sudo ssh -f -w 0:0 root@remotehost.example.com true
$ sudo ifconfig tun0 192.168.1.101 netmask 255.255.255.0

# remotehost.example.com
$ sudo ifconfig tun0 192.168.1.102 netmask 255.255.255.0
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
# OpenWRT side (WireGuard "server")
$ opkg update
$ opkg install wireguard

## Generate Public/Private Keypair
$ umask 077
$ wg genkey > server.privatekey
$ wg pubkey < server.privatekey > server.publickey
## Can also be done with a single command:
$ wg genkey | tee server.privatekey | wg pubkey > server.publickey

## Command line configuration
# Add new interface with ip-link(8)
$ ip link add dev wg0 type wireguard
# Assign an IP address and peer with ifconfig(8) or ip-address(8)
$ ip addr add dev wg0 10.0.0.1/24
## Example with only 2 peers
#$ ip address add dev wg0 10.0.0.1/24 peer 10.0.0.2/24
# Configure interface with keys and peer endpoints with wg
$ wg setconf wg0 myconfig.conf
## or ##
$ wg set wg0 listen-port 51820 \
    private-key ./server.privatekey \
    peer <client.publickey> \
    allowed-ips 10.0.0.2/32 \
    endpoint 192.168.1.2:51820
# Activate interface with ifconfig(8) or ip-link(8):
$ ip link set wg0 up
# check:
$ ip addr
# Add peer:
$ wg
  public key: <server.publickey>
  private key: <server.privatekey>
  listening port: 51820
$ wg set wg0 peer <client.publickey> \
    allowed-ips 10.0.0.2/32 \
    endpoint 192.168.1.2:51820
# Test connectivity
$ ping 10.0.0.2

## Static configuration
$ vi /etc/config/network
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.0.0.1/32'
	option private_key '<server.privatekey>'

config wireguard_wg0
	option public_key '<client.publickey>'
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.0/24'
# VM side (WireGuard client)
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

## Generate Public/Private Keypair
$ umask 077
$ wg genkey > client.privatekey
$ wg pubkey < client.privatekey > client.publickey
## Can also be done with a single command:
$ wg genkey | tee client.privatekey | wg pubkey > client.publickey

## Command line configuration
# Add new interface with ip-link(8)
$ ip link add dev wg0 type wireguard
# Assign an IP address and peer with ifconfig(8) or ip-address(8)
$ ip addr add dev wg0 10.0.0.2/24
## Example with only 2 peers
#$ ip address add dev wg0 10.0.0.2/24 peer 10.0.0.1/24
# Configure interface with keys and peer endpoints with wg
$ wg setconf wg0 myconfig.conf
## or ##
$ wg set wg0 listen-port 51820 \
    private-key ./client.privatekey \
    peer <server.publickey> \
    allowed-ips 10.0.0.1/32 \
    endpoint 192.168.1.1:51820
# Activate interface with ifconfig(8) or ip-link(8):
$ ip link set wg0 up
# check:
$ ip addr
# Add peer:
$ wg
  public key: <client.publickey>
  private key: <client.privatekey>
  listening port: 51820
$ wg set wg0 peer <server.publickey> \
    allowed-ips 10.0.0.1/32 \
    endpoint 192.168.1.1:51820
# Test connectivity
$ ping 10.0.0.1

## Static configuration
$ vi /etc/config/network
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.0.0.2/32'
	option private_key '<client.privatekey>'

config wireguard_wg0
	option public_key '<server.publickey>'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	# the server's public IP address
	option endpoint_host '<server-public-ip>'
	option endpoint_port '51820'
	option persistent_keepalive '25'
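Before the keys go into the interface and peer stanzas above it is worth checking that each one is actually a well-formed WireGuard key (32 bytes, base64-encoded) and that the private key file kept the 0600 mode that `umask 077` gave it; a peer stanza with a pasted-in fragment of a key fails silently, and a world-readable private key defeats the whole exercise. The following POSIX shell script is an added example that is not part of the original page or of the WireGuard project. It does not call wg(8), so it runs on a machine without WireGuard installed; the key it embeds is a constructed test value (the base64 of 32 identical bytes), not a real peer's key; and `uci_wg_peer` renders the same `wireguard_wg0` peer stanza shape shown above.

```shell
#!/bin/sh
# Added example, not from the original page: validate WireGuard keys and
# private-key file permissions before they go into /etc/config/network,
# then render a peer stanza. Does not call wg(8).

# Constructed sample key: base64 of 32 bytes of 0x41. Never a real key.
SAMPLE_KEY='QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE='

# wg_key_valid <key>: a WireGuard key is 32 bytes base64-encoded, i.e. exactly
# 44 characters, ending in '=', that decode to 32 bytes.
wg_key_valid() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case "$key" in
        *=) ;;
        *) return 1 ;;
    esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# privkey_file_private <path>: true only if the file exists and no group or
# other permission bits are set (what `umask 077` before `wg genkey` gives).
privkey_file_private() {
    [ -f "$1" ] || return 1
    loose=$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$loose" ]
}

# uci_wg_peer <iface> <peer-public-key> <allowed-ips> [endpoint_host] [port]:
# print a wireguard_<iface> peer section; refuses a malformed key.
uci_wg_peer() {
    wg_key_valid "$2" || { echo "uci_wg_peer: malformed public key" >&2; return 1; }
    printf "config wireguard_%s\n" "$1"
    printf "\toption public_key '%s'\n" "$2"
    printf "\toption route_allowed_ips '1'\n"
    printf "\tlist allowed_ips '%s'\n" "$3"
    if [ -n "${4:-}" ]; then
        printf "\toption endpoint_host '%s'\n" "$4"
        printf "\toption endpoint_port '%s'\n" "${5:-51820}"
        printf "\toption persistent_keepalive '25'\n"
    fi
}

# Stand-alone use: sh wgcheck.sh demo [privatekey-file]
if [ "${1:-}" = "demo" ]; then
    wg_key_valid "$SAMPLE_KEY" && echo "sample key: well-formed"
    if [ -n "${2:-}" ]; then
        if privkey_file_private "$2"; then echo "$2: permissions ok"; else echo "$2: too permissive"; fi
    fi
    uci_wg_peer wg0 "$SAMPLE_KEY" 10.0.0.2/32
fi
```

Run it as `sh wgcheck.sh demo ./server.privatekey` on the router after generating the keypair; to check a real public key, pass `"$(cat client.publickey)"` to `uci_wg_peer` so the trailing newline is stripped.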
$ vi /etc/config/firewall
# let WireGuard handshakes in from the WAN
config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option name 'Wireguard_VPN'
	option family 'ipv4'
	option dest_port '51820'

# zone for wg0: peers may reach the router itself and are masqueraded when forwarded
config zone
	option name 'wg-vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option device 'wg0'

config forwarding 'wg_wan'
	option src 'wg-vpn'
	option dest 'wan'

config forwarding 'wg_lan'
	option src 'wg-vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg-vpn'

## Restart networking:
$ /etc/init.d/network restart
$ /etc/init.d/firewall restart

## Testing throughput:
Upon completion of the project, if there is an applicable collection of created code, place a copy of your finished code within <code> </code> blocks here.
/*
 * hello.c - A sample "Hello, World!" program
 *
 * written by NAME for COURSE on DATE
 *
 * compile with:
 *   gcc -o hello hello.c
 *
 * execute with:
 *   ./hello
 */
#include <stdio.h>

int main()
{
    printf("Hello, World!\n"); // Output message to STDOUT
    return(0);
}
Again, if there is associated code with the project, and you haven't already indicated how to run it, provide a sample run of your code:
lab46:~/src/cprog$ ./hello
Hello, World!
lab46:~/src/cprog$
Comments/thoughts generated through performing the project, observations made, analysis rendered, conclusions wrought. What did you learn from doing this project?
In performing this project, the following resources were referenced: