forked from robur/blog.robur.coop
Committed by git-kv
This commit is contained in:
parent
1d3754d694
commit
0144fce672
3 changed files with 22 additions and 16 deletions
|
@ -25,9 +25,7 @@
|
||||||
|
|
||||||
<article>
|
<article>
|
||||||
<h1>MirageVPN & tls-crypt-v2</h1>
|
<h1>MirageVPN & tls-crypt-v2</h1>
|
||||||
<ul class="tags-list"><li><a href="/tags/ocaml.html">ocaml</a></li><li><a href="/tags/mirageos.html">mirageos</a></li><li><a href="/tags/vpn.html">vpn</a></li><li><a href="/tags/security.html">security</a></li></ul><h1>Miragevpn & tls-crypt-v2</h1>
|
<ul class="tags-list"><li><a href="/tags/ocaml.html">ocaml</a></li><li><a href="/tags/mirageos.html">mirageos</a></li><li><a href="/tags/vpn.html">vpn</a></li><li><a href="/tags/security.html">security</a></li></ul><p>In 2019 <a href="https://robur.coop/">Robur</a> started working on a <a href="https://github.com/robur-coop/miragevpn/">OpenVPN™-compatible implementation in OCaml</a>.
|
||||||
<p>hannes is undecided - should it be "MirageVPN"?</p>
|
|
||||||
<p>In 2019 <a href="https://robur.coop/">Robur</a> started working on a <a href="https://github.com/robur-coop/miragevpn/">OpenVPN™-compatible implementation in OCaml</a>.
|
|
||||||
The project was funded for 6 months in 2019 by <a href="https://prototypefund.de">prototypefund</a>.
|
The project was funded for 6 months in 2019 by <a href="https://prototypefund.de">prototypefund</a>.
|
||||||
In late 2022 we applied again for funding this time to the <a href="https://www.assure.ngi.eu/">NGI Assure</a> open call, and our application was eventually accepted.
|
In late 2022 we applied again for funding this time to the <a href="https://www.assure.ngi.eu/">NGI Assure</a> open call, and our application was eventually accepted.
|
||||||
In this blog post I will explain why reimplementing the OpenVPN™ protocol in OCaml is a worthwhile effort, and describe the Miragevpn implementation and in particular the <code>tls-crypt-v2</code> mechanism.</p>
|
In this blog post I will explain why reimplementing the OpenVPN™ protocol in OCaml is a worthwhile effort, and describe the Miragevpn implementation and in particular the <code>tls-crypt-v2</code> mechanism.</p>
|
||||||
|
@ -47,22 +45,21 @@ You may ask yourself: why not just use the existing tried and tested implementat
|
||||||
It heavily uses the OpenSSL library[^mbedtls] which is as well written in C and has in the past had some notable security vulnerabilities.
|
It heavily uses the OpenSSL library[^mbedtls] which is as well written in C and has in the past had some notable security vulnerabilities.
|
||||||
Many vulnerabilities and bugs in C can be easily avoided in other languages due to bounds checking and stricter and more expressive type systems.
|
Many vulnerabilities and bugs in C can be easily avoided in other languages due to bounds checking and stricter and more expressive type systems.
|
||||||
The state machine of the protocol can be more easily be expressed in OCaml, and some properties of the protocol can be encoded in the type system.</p>
|
The state machine of the protocol can be more easily be expressed in OCaml, and some properties of the protocol can be encoded in the type system.</p>
|
||||||
<p>[^mbedtls]: It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.</p>
|
|
||||||
<p>Another reason is <a href="https://mirage.io/">Mirage OS</a>, a library operating system implemented in OCaml.
|
<p>Another reason is <a href="https://mirage.io/">Mirage OS</a>, a library operating system implemented in OCaml.
|
||||||
We work on the Mirage project and write applications (unikernels) using Mirage.
|
We work on the Mirage project and write applications (unikernels) using Mirage.
|
||||||
In many cases it would be desirable to be able to connect to an existing VPN network[^vpn-network],
|
In many cases it would be desirable to be able to connect to an existing VPN network[^vpn-network],
|
||||||
or be able to offer a VPN network to clients using OpenVPN™.</p>
|
or be able to offer a VPN network to clients using OpenVPN™.</p>
|
||||||
<!-- hannes: consider the current setup: as a VPN provider you offer lots of machines that run an operating system just for the user-space OpenVPN service. there are no users on the system, a lot of legacy layers are just around that are not needed.
|
<p>Consider a VPN provider:
|
||||||
|
The VPN provider runs many machines that run an operating system in order to run the user-space OpenVPN™ service.
|
||||||
With a MirageOS unikernel (and reproducible builds), which basically is a statically linked binary which is a complete operating system, such a setup and deployment (including updates) will be straightforward. With OCaml 5 and multicore in mind, this will even scale much better than OpenVPN (which is limited to a single core (hannes is not sure whether this is still true)).
|
There are no <em>real</em> users on the system, and a lot of unrelated processes and legacy layers are around that are not needed.
|
||||||
-->
|
With a Mirage OS unikernel, which is basically a statically linked binary and operating system such a setup becomes simpler with fewer layers.
|
||||||
<p>One very interesting example is a unikernel for <a href="https://www.qubes-os.org/">Qubes OS</a> that we have planned.
|
With <a href="https://robur.coop/Projects/Reproducible_builds">reproducible builds</a> deployment and updates will be straightforward.</p>
|
||||||
|
<p>Another very interesting example is a unikernel for <a href="https://www.qubes-os.org/">Qubes OS</a> that we have planned.
|
||||||
Qubes OS is an operating system with a high focus on security.
|
Qubes OS is an operating system with a high focus on security.
|
||||||
It offers an almost seamless experience of running applications in different virtual machines on the same machine.
|
It offers an almost seamless experience of running applications in different virtual machines on the same machine.
|
||||||
The networking provided to a application (virtual machine) can be restricted to only go through the VPN.
|
The networking provided to a application (virtual machine) can be restricted to only go through the VPN.
|
||||||
It is possible to use OpenVPN™ for such a setup, but that requires running OpenVPN™ in a full Linux virtual machine.
|
It is possible to use OpenVPN™ for such a setup, but that requires running OpenVPN™ in a full Linux virtual machine.
|
||||||
With Mirage OS the resource footprint is typically much smaller than an equivalent application running in a Linux virtual machine; often the memory footprint is smaller by an order.</p>
|
With Mirage OS the resource footprint is typically much smaller than an equivalent application running in a Linux virtual machine; often the memory footprint is smaller by an order.</p>
|
||||||
<p>[^vpn-network]: I use the term "VPN network" to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.</p>
|
|
||||||
<p>Finally, while it's not an explicit goal of ours, reimplementing a protocol without an explicit specification can help uncover bugs and things that need better documentation in the original implementation.</p>
|
<p>Finally, while it's not an explicit goal of ours, reimplementing a protocol without an explicit specification can help uncover bugs and things that need better documentation in the original implementation.</p>
|
||||||
<h3>TLS mode</h3>
|
<h3>TLS mode</h3>
|
||||||
<p>There are different variants of TLS mode, but what they share is separate "control" channel and "data" channel.
|
<p>There are different variants of TLS mode, but what they share is separate "control" channel and "data" channel.
|
||||||
|
@ -101,9 +98,16 @@ The server responds in a similar manner with a sequence number of <code>0x0f0000
|
||||||
At the moment only one tag and one value is defined which signifies the server supports HMAC cookies - this seems unnecessarily complex, but is done to allow future extensibility.
|
At the moment only one tag and one value is defined which signifies the server supports HMAC cookies - this seems unnecessarily complex, but is done to allow future extensibility.
|
||||||
Finally, if the server supports HMAC cookies, the client sends a packet where the wrapped key is appended in cleartext.
|
Finally, if the server supports HMAC cookies, the client sends a packet where the wrapped key is appended in cleartext.
|
||||||
The server is now able to decrypt the third packet without having to keep the key from the first packet around and can verify the session id.</p>
|
The server is now able to decrypt the third packet without having to keep the key from the first packet around and can verify the session id.</p>
|
||||||
<!-- hannes
|
<h2>Cool! Let's deploy it!</h2>
|
||||||
something along the lines: if you're keen on setting this up yourself, go to <here> and download the latest binary, and execute it (well, just a brief howto get it up and running). Don't hesitate to reach out if you're stuck.
|
<p>Great!
|
||||||
-->
|
We build on a daily basis unikernels in our <a href="https://builds.robur.coop/">reproducible builds setup</a>.
|
||||||
|
At the time of writing we have published a <a href="https://builds.robur.coop/job/miragevpn-router">Miragevpn router unikernel</a> acting as a client.
|
||||||
|
For general instructions on running Mirage unikernels see our <a href="https://robur.coop/Projects/Reproducible_builds">reproducible builds</a> blog post.
|
||||||
|
The unikernel will need a block device containing the OpenVPN™ configuration and a network device.
|
||||||
|
More detailed instructions Will Follow Soon™!
|
||||||
|
Don't hesitate to reach out to us on <a href="https://github.com/robur-coop/miragevpn/issues">GitHub</a>, <a href="https://robur.coop/Contact">by mail</a> or me personally <a href="https://bsd.network/@reynir">on Mastodon</a> if you're stuck.</p>
|
||||||
|
<p>[^mbedtls]: It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.</p>
|
||||||
|
<p>[^vpn-network]: I use the term "VPN network" to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.</p>
|
||||||
|
|
||||||
</article>
|
</article>
|
||||||
|
|
||||||
|
|
2
feed.xml
2
feed.xml
|
@ -1 +1 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" ?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Robur's blog</title><link>https://blog.robur.coop</link><atom:link href="https://blog.robur.coop/feed.xml" rel="self" type="application/rss+xml" /><description>The Robur cooperative blog</description><generator>yocaml</generator><webMaster>team@robur.coop</webMaster><item><title>MirageVPN & tls-crypt-v2</title><link>https://blog.robur.coop/articles/miragevpn.html</link><pubDate>Mon, 13 Nov 2023 10:00:00 GMT</pubDate><description>How we implementated tls-crypt-v2 for miragevpn</description><guid isPermaLink="false">https://blog.robur.coop/articles/miragevpn.html</guid></item></channel></rss>
|
<?xml version="1.0" encoding="UTF-8" ?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Robur's blog</title><link>https://blog.robur.coop</link><atom:link href="https://blog.robur.coop/feed.xml" rel="self" type="application/rss+xml" /><description>The Robur cooperative blog</description><generator>yocaml</generator><webMaster>team@robur.coop</webMaster><item><title>MirageVPN & tls-crypt-v2</title><link>https://blog.robur.coop/articles/miragevpn.html</link><pubDate>Tue, 14 Nov 2023 10:00:00 GMT</pubDate><description>How we implementated tls-crypt-v2 for miragevpn</description><guid isPermaLink="false">https://blog.robur.coop/articles/miragevpn.html</guid></item></channel></rss>
|
|
@ -21,7 +21,9 @@
|
||||||
The <strong>Robur</strong> cooperative blog.
|
The <strong>Robur</strong> cooperative blog.
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</header>
|
</header>
|
||||||
<main><a class="small-button rss" href="./feed.xml">RSS</a><p>The Robur blog.</p>
|
<main><a class="small-button github" href="https://github.com/dinosaure">github/dinosaure</a>
|
||||||
|
<a class="small-button twitter" href="https://twitter.com/Dinoosaure">@Dinoosaure</a>
|
||||||
|
<a class="small-button rss" href="./feed.xml">RSS</a><p>The Robur blog.</p>
|
||||||
|
|
||||||
<h3>Essays and ramblings</h3>
|
<h3>Essays and ramblings</h3>
|
||||||
|
|
||||||
|
@ -31,7 +33,7 @@
|
||||||
<img src="https://www.gravatar.com/avatar/54a15736b37879bc9708c1618a7cc130">
|
<img src="https://www.gravatar.com/avatar/54a15736b37879bc9708c1618a7cc130">
|
||||||
</a></div>
|
</a></div>
|
||||||
<div class="content">
|
<div class="content">
|
||||||
<span class="date">2023-11-13</span>
|
<span class="date">2023-11-14</span>
|
||||||
<a href="articles/miragevpn.html">MirageVPN & tls-crypt-v2</a><br />
|
<a href="articles/miragevpn.html">MirageVPN & tls-crypt-v2</a><br />
|
||||||
<p>How we implementated tls-crypt-v2 for miragevpn</p>
|
<p>How we implementated tls-crypt-v2 for miragevpn</p>
|
||||||
<div class="bottom">
|
<div class="bottom">
|
||||||
|
|
Loading…
Reference in a new issue