Committed by git-kv

This commit is contained in:
The Robur team 2023-11-15 10:06:12 +00:00
parent 1d3754d694
commit 0144fce672
3 changed files with 22 additions and 16 deletions

View file

@ -25,9 +25,7 @@
<article> <article>
<h1>MirageVPN &amp; tls-crypt-v2</h1> <h1>MirageVPN &amp; tls-crypt-v2</h1>
<ul class="tags-list"><li><a href="/tags/ocaml.html">ocaml</a></li><li><a href="/tags/mirageos.html">mirageos</a></li><li><a href="/tags/vpn.html">vpn</a></li><li><a href="/tags/security.html">security</a></li></ul><h1>Miragevpn &amp; tls-crypt-v2</h1> <ul class="tags-list"><li><a href="/tags/ocaml.html">ocaml</a></li><li><a href="/tags/mirageos.html">mirageos</a></li><li><a href="/tags/vpn.html">vpn</a></li><li><a href="/tags/security.html">security</a></li></ul><p>In 2019 <a href="https://robur.coop/">Robur</a> started working on a <a href="https://github.com/robur-coop/miragevpn/">OpenVPN™-compatible implementation in OCaml</a>.
<p>hannes is undecided - should it be &quot;MirageVPN&quot;?</p>
<p>In 2019 <a href="https://robur.coop/">Robur</a> started working on a <a href="https://github.com/robur-coop/miragevpn/">OpenVPN™-compatible implementation in OCaml</a>.
The project was funded for 6 months in 2019 by <a href="https://prototypefund.de">prototypefund</a>. The project was funded for 6 months in 2019 by <a href="https://prototypefund.de">prototypefund</a>.
In late 2022 we applied again for funding this time to the <a href="https://www.assure.ngi.eu/">NGI Assure</a> open call, and our application was eventually accepted. In late 2022 we applied again for funding this time to the <a href="https://www.assure.ngi.eu/">NGI Assure</a> open call, and our application was eventually accepted.
In this blog post I will explain why reimplementing the OpenVPN™ protocol in OCaml is a worthwhile effort, and describe the Miragevpn implementation and in particular the <code>tls-crypt-v2</code> mechanism.</p> In this blog post I will explain why reimplementing the OpenVPN™ protocol in OCaml is a worthwhile effort, and describe the Miragevpn implementation and in particular the <code>tls-crypt-v2</code> mechanism.</p>
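Review bot: the title is still rendered twice after this hunk. The `<h1>MirageVPN &amp; tls-crypt-v2</h1>` on the line before the tags list and the second `<h1>Miragevpn &amp; tls-crypt-v2</h1>` right after it both survive, with different capitalisation. Dropping the "hannes is undecided" note settles the spelling on "MirageVPN" (the form used in the first heading and in the feed title), so the second heading should be removed, or at least changed to match; the body sentence "describe the Miragevpn implementation" uses the lowercase-v form as well and should follow the same choice.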
@ -47,22 +45,21 @@ You may ask yourself: why not just use the existing tried and tested implementat
It heavily uses the OpenSSL library[^mbedtls] which is as well written in C and has in the past had some notable security vulnerabilities. It heavily uses the OpenSSL library[^mbedtls] which is as well written in C and has in the past had some notable security vulnerabilities.
Many vulnerabilities and bugs in C can be easily avoided in other languages due to bounds checking and stricter and more expressive type systems. Many vulnerabilities and bugs in C can be easily avoided in other languages due to bounds checking and stricter and more expressive type systems.
The state machine of the protocol can be more easily be expressed in OCaml, and some properties of the protocol can be encoded in the type system.</p> The state machine of the protocol can be more easily be expressed in OCaml, and some properties of the protocol can be encoded in the type system.</p>
<p>[^mbedtls]: It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.</p>
<p>Another reason is <a href="https://mirage.io/">Mirage OS</a>, a library operating system implemented in OCaml. <p>Another reason is <a href="https://mirage.io/">Mirage OS</a>, a library operating system implemented in OCaml.
We work on the Mirage project and write applications (unikernels) using Mirage. We work on the Mirage project and write applications (unikernels) using Mirage.
In many cases it would be desirable to be able to connect to an existing VPN network[^vpn-network], In many cases it would be desirable to be able to connect to an existing VPN network[^vpn-network],
or be able to offer a VPN network to clients using OpenVPN™.</p> or be able to offer a VPN network to clients using OpenVPN™.</p>
<!-- hannes: consider the current setup: as a VPN provider you offer lots of machines that run an operating system just for the user-space OpenVPN service. there are no users on the system, a lot of legacy layers are just around that are not needed. <p>Consider a VPN provider:
The VPN provider runs many machines that run an operating system in order to run the user-space OpenVPN™ service.
With a MirageOS unikernel (and reproducible builds), which basically is a statically linked binary which is a complete operating system, such a setup and deployment (including updates) will be straightforward. With OCaml 5 and multicore in mind, this will even scale much better than OpenVPN (which is limited to a single core (hannes is not sure whether this is still true)). There are no <em>real</em> users on the system, and a lot of unrelated processes and legacy layers are around that are not needed.
--> With a Mirage OS unikernel, which is basically a statically linked binary and operating system such a setup becomes simpler with fewer layers.
<p>One very interesting example is a unikernel for <a href="https://www.qubes-os.org/">Qubes OS</a> that we have planned. With <a href="https://robur.coop/Projects/Reproducible_builds">reproducible builds</a> deployment and updates will be straightforward.</p>
<p>Another very interesting example is a unikernel for <a href="https://www.qubes-os.org/">Qubes OS</a> that we have planned.
Qubes OS is an operating system with a high focus on security. Qubes OS is an operating system with a high focus on security.
It offers an almost seamless experience of running applications in different virtual machines on the same machine. It offers an almost seamless experience of running applications in different virtual machines on the same machine.
The networking provided to a application (virtual machine) can be restricted to only go through the VPN. The networking provided to a application (virtual machine) can be restricted to only go through the VPN.
It is possible to use OpenVPN™ for such a setup, but that requires running OpenVPN™ in a full Linux virtual machine. It is possible to use OpenVPN™ for such a setup, but that requires running OpenVPN™ in a full Linux virtual machine.
With Mirage OS the resource footprint is typically much smaller than an equivalent application running in a Linux virtual machine; often the memory footprint is smaller by an order.</p> With Mirage OS the resource footprint is typically much smaller than an equivalent application running in a Linux virtual machine; often the memory footprint is smaller by an order.</p>
<p>[^vpn-network]: I use the term &quot;VPN network&quot; to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.</p>
<p>Finally, while it's not an explicit goal of ours, reimplementing a protocol without an explicit specification can help uncover bugs and things that need better documentation in the original implementation.</p> <p>Finally, while it's not an explicit goal of ours, reimplementing a protocol without an explicit specification can help uncover bugs and things that need better documentation in the original implementation.</p>
<h3>TLS mode</h3> <h3>TLS mode</h3>
<p>There are different variants of TLS mode, but what they share is separate &quot;control&quot; channel and &quot;data&quot; channel. <p>There are different variants of TLS mode, but what they share is separate &quot;control&quot; channel and &quot;data&quot; channel.
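Review bot: relocating the footnote definitions (`<p>[^mbedtls]: ...</p>` and `<p>[^vpn-network]: ...</p>`) to the end of the article does not fix the underlying problem that they are emitted as literal paragraphs, and that the in-text markers `OpenSSL library[^mbedtls]` and `VPN network[^vpn-network]` are left as raw brackets; the generator is not processing markdown footnotes, so moving the definitions only changes where the raw text shows up. Either enable footnote support in the renderer or turn them into explicit anchors (`<a href="#fn-mbedtls">`) with matching `id`s on the definitions. In the new VPN-provider paragraph, "which is basically a statically linked binary and operating system such a setup becomes simpler" needs a comma after "operating system", and "Mirage OS" here versus "MirageOS" in the removed comment should be made consistent across the post.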
@ -101,9 +98,16 @@ The server responds in a similar manner with a sequence number of <code>0x0f0000
At the moment only one tag and one value is defined which signifies the server supports HMAC cookies - this seems unnecessarily complex, but is done to allow future extensibility. At the moment only one tag and one value is defined which signifies the server supports HMAC cookies - this seems unnecessarily complex, but is done to allow future extensibility.
Finally, if the server supports HMAC cookies, the client sends a packet where the wrapped key is appended in cleartext. Finally, if the server supports HMAC cookies, the client sends a packet where the wrapped key is appended in cleartext.
The server is now able to decrypt the third packet without having to keep the key from the first packet around and can verify the session id.</p> The server is now able to decrypt the third packet without having to keep the key from the first packet around and can verify the session id.</p>
<!-- hannes <h2>Cool! Let's deploy it!</h2>
something along the lines: if you're keen on setting this up yourself, go to <here> and download the latest binary, and execute it (well, just a brief howto get it up and running). Don't hesitate to reach out if you're stuck. <p>Great!
--> We build on a daily basis unikernels in our <a href="https://builds.robur.coop/">reproducible builds setup</a>.
At the time of writing we have published a <a href="https://builds.robur.coop/job/miragevpn-router">Miragevpn router unikernel</a> acting as a client.
For general instructions on running Mirage unikernels see our <a href="https://robur.coop/Projects/Reproducible_builds">reproducible builds</a> blog post.
The unikernel will need a block device containing the OpenVPN™ configuration and a network device.
More detailed instructions Will Follow Soon™!
Don't hesitate to reach out to us on <a href="https://github.com/robur-coop/miragevpn/issues">GitHub</a>, <a href="https://robur.coop/Contact">by mail</a> or me personally <a href="https://bsd.network/@reynir">on Mastodon</a> if you're stuck.</p>
<p>[^mbedtls]: It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.</p>
<p>[^vpn-network]: I use the term &quot;VPN network&quot; to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.</p>
</article> </article>
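Review bot: the new deployment section tells the reader to fetch the router unikernel from builds.robur.coop and supply "a block device containing the OpenVPN™ configuration and a network device", but says nothing about protecting that device; an OpenVPN™ configuration for tls-crypt-v2 typically carries the client's key material inline, so even the interim howto should state that the block device holds secrets and must be guarded like a private key. Since the paragraph leans on the reproducible builds setup, a one-line pointer on how to check the downloaded binary against the published build would fit here too. Minor: "instructions Will Follow Soon™!" has stray capitals, and the opening "Great!" reads as a leftover from the draft comment.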

View file

@ -1 +1 @@
<?xml version="1.0" encoding="UTF-8" ?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Robur's blog</title><link>https://blog.robur.coop</link><atom:link href="https://blog.robur.coop/feed.xml" rel="self" type="application/rss+xml" /><description>The Robur cooperative blog</description><generator>yocaml</generator><webMaster>team@robur.coop</webMaster><item><title>MirageVPN & tls-crypt-v2</title><link>https://blog.robur.coop/articles/miragevpn.html</link><pubDate>Mon, 13 Nov 2023 10:00:00 GMT</pubDate><description>How we implementated tls-crypt-v2 for miragevpn</description><guid isPermaLink="false">https://blog.robur.coop/articles/miragevpn.html</guid></item></channel></rss> <?xml version="1.0" encoding="UTF-8" ?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Robur's blog</title><link>https://blog.robur.coop</link><atom:link href="https://blog.robur.coop/feed.xml" rel="self" type="application/rss+xml" /><description>The Robur cooperative blog</description><generator>yocaml</generator><webMaster>team@robur.coop</webMaster><item><title>MirageVPN & tls-crypt-v2</title><link>https://blog.robur.coop/articles/miragevpn.html</link><pubDate>Tue, 14 Nov 2023 10:00:00 GMT</pubDate><description>How we implementated tls-crypt-v2 for miragevpn</description><guid isPermaLink="false">https://blog.robur.coop/articles/miragevpn.html</guid></item></channel></rss>
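Review bot: the `<description>` still reads "How we implementated tls-crypt-v2 for miragevpn" on both sides of this hunk, which only bumps `<pubDate>` from Mon, 13 Nov 2023 to Tue, 14 Nov 2023; fix the typo ("implemented") in the source the feed is generated from while touching it. Also, `<guid isPermaLink="false">` wraps the article URL, which is the permalink, so `isPermaLink="true"` (or omitting the attribute, whose default is true) would be the accurate value.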

View file

@ -21,7 +21,9 @@
The <strong>Robur</strong> cooperative blog. The <strong>Robur</strong> cooperative blog.
</blockquote> </blockquote>
</header> </header>
<main><a class="small-button rss" href="./feed.xml">RSS</a><p>The Robur blog.</p> <main><a class="small-button github" href="https://github.com/dinosaure">github/dinosaure</a>
<a class="small-button twitter" href="https://twitter.com/Dinoosaure">@Dinoosaure</a>
<a class="small-button rss" href="./feed.xml">RSS</a><p>The Robur blog.</p>
<h3>Essays and ramblings</h3> <h3>Essays and ramblings</h3>
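Review bot: the two buttons added to `<main>` link to a personal GitHub account (github/dinosaure) and Twitter handle (@Dinoosaure) on a page whose header blockquote describes "The Robur cooperative blog"; this looks like a theme default leaking in rather than an intentional change, given that the only button previously in that spot was the RSS link. Either drop them or point them at the cooperative (the article already links to github.com/robur-coop).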
@ -31,7 +33,7 @@
<img src="https://www.gravatar.com/avatar/54a15736b37879bc9708c1618a7cc130"> <img src="https://www.gravatar.com/avatar/54a15736b37879bc9708c1618a7cc130">
</a></div> </a></div>
<div class="content"> <div class="content">
<span class="date">2023-11-13</span> <span class="date">2023-11-14</span>
<a href="articles/miragevpn.html">MirageVPN &amp; tls-crypt-v2</a><br /> <a href="articles/miragevpn.html">MirageVPN &amp; tls-crypt-v2</a><br />
<p>How we implementated tls-crypt-v2 for miragevpn</p> <p>How we implementated tls-crypt-v2 for miragevpn</p>
<div class="bottom"> <div class="bottom">
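Review bot: the date span is bumped to 2023-11-14 to match the feed, but the summary `<p>How we implementated tls-crypt-v2 for miragevpn</p>` keeps the "implementated" typo; it is the same string as the feed description, so correct it once in the post's front matter rather than in the generated HTML.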