Other Project: Toobz

Terrific, time-tested tools, tricks, and techniques that are tried and true for tough, temporary, transient, and tenacious tunnelling over treacherous telecommunications transmissions, without the tremendous, tedious, and tiresome task of tactically taking out two-timing tricksters.

Objectives

Setup, explore, and test various VPN implementations and tunneling protocols.

Prerequisites

In order to successfully accomplish/perform this project, the listed resources/experiences need to be consulted/achieved:

  • resource1
  • resource2
  • resource3
  • experience1
  • experience2
  • etc.

Background

State the idea or purpose of the project. What are you attempting to pursue?

Upon approval, you'll want to fill this section out with more detailed background information. DO NOT JUST PROVIDE A LINK.

Providing any links to original source material, such as from a project page, is a good idea.

You'll want to give a general overview of what is going to be accomplished (for example, if your project is about installing a web server, do a little write-up on web servers. What is it, why do we need one, how does it work, etc.)

Scope

Give a general overview of your anticipated implementation of the project. Address any areas where you are making upfront assumptions or curtailing potential detail. State the focus you will be taking in implementation.

Attributes

State and justify the attributes you'd like to receive upon successful approval and completion of this project.

  • attribute1: why you feel your pursuit of this project will gain you this attribute
  • attribute2: why you feel your pursuit of this project will gain you this attribute
  • etc…

Procedure

GRE: Generic Routing Encapsulation

  • OpenWRT:
    $ ip tunnel add ipip1 mode gre remote <VM-IP> local <OPENWRT-IP>
    $ ip link set ipip1 up
    $ ip addr add 10.3.3.1/24 dev ipip1
  • Ubuntu:
    $ ip tunnel add ipip1 mode gre remote <OPENWRT-IP> local <VM-IP>
    $ ip link set ipip1 up
    $ ip addr add 10.3.3.2/24 dev ipip1

IPIP: IP in IPv4/IPv6

  • OpenWRT:
    $ ip tunnel add ipip0 mode ipip remote <VM-IP> local <OPENWRT-IP>
    $ ip link set ipip0 up
    $ ip addr add 10.2.2.1/24 dev ipip0
  • Ubuntu:
    $ ip tunnel add ipip0 mode ipip remote <OPENWRT-IP> local <VM-IP>
    $ ip link set ipip0 up
    $ ip addr add 10.2.2.2/24 dev ipip0
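What the two `ip tunnel` modes above actually put on the wire, as an added example (not part of the original page and not code from iproute2 or the Linux kernel): a pure-Python builder and stripper for IPIP (IP protocol 4) and GRE (IP protocol 47) encapsulation with correct IPv4 header checksums. The tunnel endpoint addresses (192.0.2.x) and the inner ICMP packet are constructed sample data; the function names are this example's own. Running it shows the per-packet overhead of each mode, which is the amount by which the tunnel interface's MTU has to shrink below the carrier link's MTU, and `decap()` makes the security-relevant point explicit: neither mode authenticates or encrypts the outer header.

```python
import socket
import struct

# IP protocol numbers used by the two tunnel modes from the procedure above.
IPPROTO_ICMP = 1
IPPROTO_IPIP = 4        # "ip tunnel ... mode ipip"
IPPROTO_GRE = 47        # "ip tunnel ... mode gre"
GRE_PROTO_IPV4 = 0x0800
GRE_OPTIONAL_FLAGS = 0xB000   # C, K and S bits; each one set adds 4 bytes to the GRE header


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def encap_ipip(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """mode ipip: the whole inner IPv4 packet becomes the payload of an outer IPv4 header."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def encap_gre(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """mode gre: outer IPv4 header + 4-byte GRE header (no C/K/S options) + inner packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def decap(packet: bytes):
    """Strip the outer header of an IPIP or GRE packet and return (mode, inner_packet).

    Nothing here authenticates the outer header: any host that can reach the tunnel
    endpoint can hand it encapsulated packets, which is why these modes are normally
    wrapped in IPsec/WireGuard or at least filtered to the expected peer address.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if inet_checksum(packet[:ihl]) != 0:        # a valid header sums to zero
        raise ValueError("bad outer header checksum")
    proto = packet[9]
    if proto == IPPROTO_IPIP:
        return "ipip", packet[ihl:]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
        if flags & GRE_OPTIONAL_FLAGS or ptype != GRE_PROTO_IPV4:
            raise ValueError("GRE header with options or non-IPv4 payload")
        return "gre", packet[ihl + 4:]
    raise ValueError("outer protocol %d is neither IPIP nor GRE" % proto)


def icmp_echo(src: str, dst: str, payload: bytes = b"ping") -> bytes:
    """Constructed sample inner packet: an ICMP echo request between the tunnel addresses."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def overhead(mode: str) -> int:
    """Bytes a mode adds to every packet, i.e. how far the tunnel MTU drops below the link MTU."""
    inner = icmp_echo("10.2.2.1", "10.2.2.2")
    encap = encap_ipip if mode == "ipip" else encap_gre
    return len(encap(inner, "192.0.2.1", "192.0.2.2")) - len(inner)


if __name__ == "__main__":
    inner = icmp_echo("10.2.2.1", "10.2.2.2")
    for mode in ("ipip", "gre"):
        print("%s: +%d bytes per packet, tunnel MTU on a 1500-byte link = %d"
              % (mode, overhead(mode), 1500 - overhead(mode)))
    print(decap(encap_gre(inner, "192.0.2.1", "192.0.2.2"))[0], "round trip ok")
```

The overhead figures are what `ip link set ... mtu` on the tunnel interface has to account for; leaving the tunnel MTU at the link MTU leads to fragmentation of the outer packet or, with DF set, to silently dropped large packets.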

IPSec: Internet Protocol Security

L2TP: Layer 2 Tunneling Protocol

L2TPv3 Ethernet “pseudowire” setup with UDP encapsulation

  • OpenWRT:
    $ opkg update
    $ opkg install kmod-l2tp-eth
    $ opkg install ip-full
    $ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
    	udp_sport 5000 udp_dport 5000 encap udp \
    	local <OPENWRT-IP> remote <VM-IP>
    $ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
    $ ip link set l2tpeth0 up mtu 1428
    $ ip addr add 10.6.6.1/24 dev l2tpeth0
  • Ubuntu:
    $ modprobe l2tp_eth
    $ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
    	udp_sport 5000 udp_dport 5000 encap udp \
    	local <VM-IP> remote <OPENWRT-IP>
    $ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
    $ ip link set l2tpeth0 up mtu 1428
    $ ip addr add 10.6.6.2/24 dev l2tpeth0

Netcat

OpenVPN: Openvpn Tunneling Protocol

  • OpenWRT:
    $ opkg update
    $ opkg install openvpn-nossl
    $ openvpn --dev tun --remote <VM-IP> \
    	  --proto udp --mssfix 1472 \
    	  --comp-lzo no --ifconfig 10.5.5.1 10.5.5.2
  • Ubuntu:
    $ openvpn --dev tun --proto udp \
    	  --mssfix 1472 --comp-lzo no \
    	  --fast-io --ifconfig 10.5.5.2 10.5.5.1

PPTP: Point-to-Point Tunneling Protocol

  • OpenWRT:
    $ vi /etc/config/network:
    [...]
    config interface 'vpn'
      option proto 'pptp'
      option server '<VM-IP>'
      option username 'vpn'
      option password 'vpn'
      option auto '0'
      option delegate '0'
      option defaultroute '0'
      option peerdns '0'
      option mtu '1462'
  • Ubuntu:
    $ apt-get install pptpd
    $ vi /etc/pptpd.conf
    option /etc/ppp/pptpd-options
    localip 10.4.4.1
    remoteip 10.4.4.10-15
     
    $ vi /etc/ppp/pptpd-options
    name pptpd
    nodefaultroute
    lock
    nobsdcomp
    nologfd
    mtu 1462
     
    $ vi /etc/ppp/chap-secrets
    vpn * vpn *

SIT: IPv6 in IPv4/IPv6

SSH: Secure Shell

Forwarding a local TCP port to a remote TCP port:

$ ssh -L 127.0.0.1:2022:10.150.35.74:22 tunneluser@remotehost.example.com
$ ssh -L 8080:localhost:80 tunneluser@remotehost.example.com
$ ssh -L 192.168.3.45:8080:web01.example.com:80 tunneluser@remotehost.example.com

Forwarding a remote TCP port to a local TCP port:

$ ssh -R localhost:2022:localhost:22 tunneluser@bastionhost.example.com
$ sudo ssh -R web99.example.com:80:localhost:80 root@web99.example.com
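An added example, not part of the original page and not OpenSSH code: a parser for the `[bind_address:]port:host:hostport` syntax used by the `-L` and `-R` lines above, with the exposure questions a reviewer asks of each forward. It reflects documented ssh(1)/sshd_config(5) behaviour: a forward with no bind address listens on loopback only, an empty or `*` bind address listens on all interfaces, `-R` bind addresses other than loopback take effect only if the server's `GatewayPorts` setting allows them, and a listening port below 1024 needs root on the side that listens. The specs in the test are the ones from this page; the class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# [bind_address:]port:host:hostport; IPv6 addresses may be written in brackets.
_SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]*\]|[^:\[\]]*):)?"
    r"(?P<port>\d+):"
    r"(?P<host>\[[^\]]*\]|[^:\[\]]+):"
    r"(?P<hostport>\d+)$"
)

ALL_INTERFACES = ("", "*", "0.0.0.0", "::")
LOOPBACK = ("localhost", "127.0.0.1", "::1")


@dataclass(frozen=True)
class Forward:
    direction: str                 # "local" for -L, "remote" for -R
    bind_address: Optional[str]    # None means ssh's default: loopback only
    listen_port: int
    host: str
    host_port: int

    @property
    def listener_side(self) -> str:
        """-L opens the listening socket on the client, -R on the server."""
        return "client" if self.direction == "local" else "server"

    @property
    def exposed_to_network(self) -> bool:
        return self.bind_address in ALL_INTERFACES

    @property
    def needs_privilege(self) -> bool:
        return self.listen_port < 1024

    def warnings(self) -> List[str]:
        """Points worth checking before running this forward (defensive review)."""
        notes = []
        if self.exposed_to_network:
            notes.append("listener on the %s is reachable from the network, not just loopback"
                         % self.listener_side)
        if self.direction == "remote" and self.bind_address is not None \
                and self.bind_address not in LOOPBACK:
            notes.append("bind address on the server is honoured only if GatewayPorts permits it")
        if self.needs_privilege:
            notes.append("port %d is privileged; the %s side needs root to bind it"
                         % (self.listen_port, self.listener_side))
        return notes


def parse_forward(spec: str, direction: str = "local") -> Forward:
    """Parse one -L (direction='local') or -R (direction='remote') argument."""
    if direction not in ("local", "remote"):
        raise ValueError("direction must be 'local' or 'remote'")
    m = _SPEC.match(spec)
    if not m:
        raise ValueError("malformed forward spec: %r" % spec)
    bind = m.group("bind")
    if bind is not None:
        bind = bind.strip("[]")
    host = m.group("host").strip("[]")
    port, hostport = int(m.group("port")), int(m.group("hostport"))
    for p in (port, hostport):
        if not 1 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
    return Forward(direction, bind, port, host, hostport)


if __name__ == "__main__":
    # The forwards used on this page, in the order they appear.
    for spec, direction in [("127.0.0.1:2022:10.150.35.74:22", "local"),
                            ("8080:localhost:80", "local"),
                            ("192.168.3.45:8080:web01.example.com:80", "local"),
                            ("localhost:2022:localhost:22", "remote"),
                            ("web99.example.com:80:localhost:80", "remote")]:
        f = parse_forward(spec, direction)
        print("-%s %s -> listens on %s %s:%d, connects to %s:%d"
              % ("L" if direction == "local" else "R", spec, f.listener_side,
                 f.bind_address or "loopback", f.listen_port, f.host, f.host_port))
        for w in f.warnings():
            print("   !", w)
```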

Establishing a Layer-2 SSH VPN using “tap” devices:

  • Local Host:
    # create a "tap0" virtual network interface
    $ sudo tunctl -t tap0
    ## or ##
    $ sudo ip tuntap add dev tap0 mode tap
    # configure the "tap0" interface
    $ sudo ifconfig tap0 192.168.1.101 netmask 255.255.255.0
    # start the SSH Layer-2 VPN tunnel
    $ ssh -o Tunnel=ethernet -f -w 0:0 root@remotehost.example.com true
  • Remote Host:
    # create a "tap0" virtual network interface
    $ sudo tunctl -t tap0
    ## or ##
    $ sudo ip tuntap add dev tap0 mode tap
    # configure the "tap0" interface
    $ sudo ifconfig tap0 192.168.1.102 netmask 255.255.255.0

Establishing a Layer-3 SSH VPN using “tun” devices:

  • Local Host:
    $ sudo ssh -f -w 0:0 root@remotehost.example.com true
    $ sudo ifconfig tun0 192.168.1.101 netmask 255.255.255.0
  • Remote Host:
    $ sudo ifconfig tun0 192.168.1.102 netmask 255.255.255.0

SSTP: Secure Socket Tunneling Protocol

VXLAN: Virtual Extensible Local Area Network

WireGuard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

  • OpenWRT:
    $ opkg update
    $ opkg install wireguard
    ## Generate Public/Private Keypair
    $ umask 077
    $ wg genkey > server.privatekey
    $ wg pubkey < server.privatekey > server.publickey
    ## Can also be done with a single command:
    $ wg genkey | tee server.privatekey | wg pubkey > server.publickey
     
    ## Command line configuration
    # Add new interface with ip-link(8)
    $ ip link add dev wg0 type wireguard
    # Assign an IP address and peer with ifconfig(8) or ip-address(8)
    $ ip addr add dev wg0 10.0.0.1/24
    ## Example with only 2 peers
    #$ ip address add dev wg0 10.0.0.1/24 peer 10.0.0.2/24
    # Configure interface with keys and peer endpoints with wg
    $ wg setconf wg0 myconfig.conf
    ## or ## 
    $ wg set wg0 listen-port 51820 \
    	private-key ./server.privatekey \
    	peer <client.publickey> \
    	allowed-ips 10.0.0.2/32 \
    	endpoint 192.168.1.2:51820
    # Activate interface with ifconfig(8) or ip-link(8):
    $ ip link set wg0 up
    # check:
    $ ip addr
    # Add peer:
    $ wg
      public key: <server.publickey>
      private key: <server.privatekey>
      listening port: 51820
    $ wg set wg0 peer <client.publickey> \
    	allowed-ips 10.0.0.2/32 \
    	endpoint 192.168.1.2:51820
    # Test connectivity
    ping 10.0.0.2
     
    ## Static configuration
    $ vi /etc/config/network
    config interface 'wg0'                 
    	option proto 'wireguard'
    	option listen_port '51820'
    	list addresses '10.0.0.1/32'
    	option private_key '<server.privatekey>'    
     
    config wireguard_wg0
    	option public_key '<client.publickey>'
    	option route_allowed_ips '1'
    	list allowed_ips '10.0.0.0/24'
  • Ubuntu:
    $ sudo add-apt-repository ppa:wireguard/wireguard
    $ sudo apt-get update
    $ sudo apt-get install wireguard
    ## Generate Public/Private Keypair
    $ umask 077
    $ wg genkey > client.privatekey
    $ wg pubkey < client.privatekey > client.publickey
    ## Can also be done with a single command:
    $ wg genkey | tee client.privatekey | wg pubkey > client.publickey
     
    ## Command line configuration
    # Add new interface with ip-link(8)
    $ ip link add dev wg0 type wireguard
    # Assign an IP address and peer with ifconfig(8) or ip-address(8)
    $ ip addr add dev wg0 10.0.0.2/24
    ## Example with only 2 peers
    #$ ip address add dev wg0 10.0.0.2/24 peer 10.0.0.1/24
    # Configure interface with keys and peer endpoints with wg
    $ wg setconf wg0 myconfig.conf
    ## or ## 
    $ wg set wg0 listen-port 51820 \
    	private-key ./client.privatekey \
    	peer <server.publickey> \
    	allowed-ips 10.0.0.1/32 \
    	endpoint 192.168.1.1:51820
    # Activate interface with ifconfig(8) or ip-link(8):
    $ ip link set wg0 up
    # check:
    $ ip addr
    # Add peer:
    $ wg
      public key: <client.publickey>
      private key: <client.privatekey>
      listening port: 51820
    $ wg set wg0 peer <server.publickey> \
    	allowed-ips 10.0.0.1/32 \
    	endpoint 192.168.1.1:51820
    # Test connectivity
    ping 10.0.0.1
     
    ## Static configuration
    $ vi /etc/config/network
    config interface 'wg0'
    	option proto 'wireguard'
    	option listen_port '51820'
    	list addresses '10.0.0.2/32'
    	option private_key '<client.privatekey>'
     
    config wireguard_wg0
    	option public_key '<server.publickey>'
    	option route_allowed_ips '1'
    	list allowed_ips '0.0.0.0/0'
    	option endpoint_host '<SERVER-PUBLIC-IP>'
    	option endpoint_port '51820'
    	option persistent_keepalive '25'
  • Firewall Rules:
    $ vi /etc/config/firewall
    config rule
    	option target 'ACCEPT'
    	option src 'wan'
    	option proto 'udp'     
    	option name 'Wireguard_VPN'
    	option family 'ipv4'
    	option dest_port '51820'
     
    config zone 
    	option name 'wg-vpn'
    	option input 'ACCEPT'  
    	option forward 'ACCEPT'
    	option output 'ACCEPT'
    	option masq '1'  
    	option device 'wg0'
     
    config forwarding 'wg_wan'
    	option src 'wg-vpn'
    	option dest 'wan'
     
    config forwarding 'wg_lan'
    	option src 'wg-vpn'
    	option dest 'lan'
     
    config forwarding  
    	option src 'lan'
    	option dest 'wg-vpn'
  • Testing:
    ## Restart networking:
    $ /etc/init.d/network restart
    $ /etc/init.d/firewall restart
    ## Testing throughput:

Code

Upon completion of the project, if there is an applicable collection of created code, place a copy of your finished code within <code> </code> blocks here.

/*
 * hello.c - A sample "Hello, World!" program
 * 
 * written by NAME for COURSE on DATE
 *
 * compile with:
 *   gcc -o hello hello.c
 *
 * execute with:
 *   ./hello
 */
 
#include <stdio.h>
 
int main()
{
    printf("Hello, World!\n");    // Output message to STDOUT
    return(0);
}

Execution

Again, if there is associated code with the project, and you haven't already indicated how to run it, provide a sample run of your code:

lab46:~/src/cprog$ ./hello
Hello, World!
lab46:~/src/cprog$ 

Reflection

Comments/thoughts generated through performing the project, observations made, analysis rendered, conclusions wrought. What did you learn from doing this project?

References

In performing this project, the following resources were referenced:

  • Google: Of course Google was used, it knows everything. No particular page from Google was used; it was mainly used for information about the project (linked lists in general): http://www.google.com/; If ya don't know, now ya know, and knowing is half the battle.


user/nbrimme1/portfolio/tunnels.txt · Last modified: 2018/07/19 18:59 by nbrimme1