forked from robur/blog.robur.coop
Update articles/miragevpn.md
This commit is contained in:
parent
0c4f073a14
commit
13062f1eac
1 changed files with 24 additions and 16 deletions
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
date: 2023-11-13
|
date: 2023-11-14
|
||||||
article.title: MirageVPN & tls-crypt-v2
|
article.title: MirageVPN & tls-crypt-v2
|
||||||
article.description:
|
article.description:
|
||||||
How we implementated tls-crypt-v2 for miragevpn
|
How we implementated tls-crypt-v2 for miragevpn
|
||||||
|
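Review bot: The unchanged `article.description` context line still carries the typo "implementated" (should be "implemented"); since this commit already touches the front matter, fix it here: `How we implemented tls-crypt-v2 for miragevpn`. The description also spells the project "miragevpn" while `article.title` on the line above uses "MirageVPN"; pick one spelling for both.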
@ -14,10 +14,6 @@ author:
|
||||||
link: https://reyn.ir/
|
link: https://reyn.ir/
|
||||||
---
|
---
|
||||||
|
|
||||||
# Miragevpn & tls-crypt-v2
|
|
||||||
|
|
||||||
hannes is undecided - should it be "MirageVPN"?
|
|
||||||
|
|
||||||
In 2019 [Robur][robur.coop] started working on a [OpenVPN™-compatible implementation in OCaml][miragevpn].
|
In 2019 [Robur][robur.coop] started working on a [OpenVPN™-compatible implementation in OCaml][miragevpn].
|
||||||
The project was funded for 6 months in 2019 by [prototypefund](https://prototypefund.de).
|
The project was funded for 6 months in 2019 by [prototypefund](https://prototypefund.de).
|
||||||
In late 2022 we applied again for funding this time to the [NGI Assure][ngi-assure] open call, and our application was eventually accepted.
|
In late 2022 we applied again for funding this time to the [NGI Assure][ngi-assure] open call, and our application was eventually accepted.
|
||||||
|
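Review bot: Deleting the reminder "hannes is undecided - should it be "MirageVPN"?" does not resolve the question it raised: the unchanged heading `# Miragevpn & tls-crypt-v2` still disagrees with the front matter's `article.title: MirageVPN & tls-crypt-v2`. Update the heading to match the title (or the other way round) in this commit so the naming is actually settled rather than just the note removed.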
@ -45,25 +41,24 @@ It heavily uses the OpenSSL library[^mbedtls] which is as well written in C and
|
||||||
Many vulnerabilities and bugs in C can be easily avoided in other languages due to bounds checking and stricter and more expressive type systems.
|
Many vulnerabilities and bugs in C can be easily avoided in other languages due to bounds checking and stricter and more expressive type systems.
|
||||||
The state machine of the protocol can be more easily be expressed in OCaml, and some properties of the protocol can be encoded in the type system.
|
The state machine of the protocol can be more easily be expressed in OCaml, and some properties of the protocol can be encoded in the type system.
|
||||||
|
|
||||||
[^mbedtls]: It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.
|
|
||||||
|
|
||||||
Another reason is [Mirage OS][mirage], a library operating system implemented in OCaml.
|
Another reason is [Mirage OS][mirage], a library operating system implemented in OCaml.
|
||||||
We work on the Mirage project and write applications (unikernels) using Mirage.
|
We work on the Mirage project and write applications (unikernels) using Mirage.
|
||||||
In many cases it would be desirable to be able to connect to an existing VPN network[^vpn-network],
|
In many cases it would be desirable to be able to connect to an existing VPN network[^vpn-network],
|
||||||
or be able to offer a VPN network to clients using OpenVPN™.
|
or be able to offer a VPN network to clients using OpenVPN™.
|
||||||
<!-- hannes: consider the current setup: as a VPN provider you offer lots of machines that run an operating system just for the user-space OpenVPN service. there are no users on the system, a lot of legacy layers are just around that are not needed.
|
|
||||||
|
|
||||||
With a MirageOS unikernel (and reproducible builds), which basically is a statically linked binary which is a complete operating system, such a setup and deployment (including updates) will be straightforward. With OCaml 5 and multicore in mind, this will even scale much better than OpenVPN (which is limited to a single core (hannes is not sure whether this is still true)).
|
Consider a VPN provider:
|
||||||
-->
|
The VPN provider runs many machines that run an operating system in order to run the user-space OpenVPN™ service.
|
||||||
One very interesting example is a unikernel for [Qubes OS][qubes] that we have planned.
|
There are no *real* users on the system, and a lot of unrelated processes and legacy layers are around that are not needed.
|
||||||
|
With a Mirage OS unikernel, which is basically a statically linked binary and operating system such a setup becomes simpler with fewer layers.
|
||||||
|
With [reproducible builds][reproducible-builds] deployment and updates will be straightforward.
|
||||||
|
|
||||||
|
Another very interesting example is a unikernel for [Qubes OS][qubes] that we have planned.
|
||||||
Qubes OS is an operating system with a high focus on security.
|
Qubes OS is an operating system with a high focus on security.
|
||||||
It offers an almost seamless experience of running applications in different virtual machines on the same machine.
|
It offers an almost seamless experience of running applications in different virtual machines on the same machine.
|
||||||
The networking provided to a application (virtual machine) can be restricted to only go through the VPN.
|
The networking provided to a application (virtual machine) can be restricted to only go through the VPN.
|
||||||
It is possible to use OpenVPN™ for such a setup, but that requires running OpenVPN™ in a full Linux virtual machine.
|
It is possible to use OpenVPN™ for such a setup, but that requires running OpenVPN™ in a full Linux virtual machine.
|
||||||
With Mirage OS the resource footprint is typically much smaller than an equivalent application running in a Linux virtual machine; often the memory footprint is smaller by an order.
|
With Mirage OS the resource footprint is typically much smaller than an equivalent application running in a Linux virtual machine; often the memory footprint is smaller by an order.
|
||||||
|
|
||||||
[^vpn-network]: I use the term "VPN network" to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.
|
|
||||||
|
|
||||||
Finally, while it's not an explicit goal of ours, reimplementing a protocol without an explicit specification can help uncover bugs and things that need better documentation in the original implementation.
|
Finally, while it's not an explicit goal of ours, reimplementing a protocol without an explicit specification can help uncover bugs and things that need better documentation in the original implementation.
|
||||||
|
|
||||||
### TLS mode
|
### TLS mode
|
||||||
|
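Review bot: The new sentence "With a Mirage OS unikernel, which is basically a statically linked binary and operating system such a setup becomes simpler with fewer layers." is missing the comma that closes the relative clause and reads awkwardly; suggest "With a Mirage OS unikernel, which is essentially a statically linked binary that is a complete operating system, such a setup becomes simpler with fewer layers." The first added sentence repeats "run" three times ("runs many machines that run an operating system in order to run the user-space OpenVPN™ service"); consider "The VPN provider runs many machines, each with a full operating system, just to host the user-space OpenVPN™ service." Dropping the single-core/multicore claim from the old comment is the right call given the uncertainty flagged there. Two unchanged context lines in this hunk are worth fixing while here: "a application" should be "an application", and "smaller by an order" should be "smaller by an order of magnitude". Moving the `[^mbedtls]` and `[^vpn-network]` definitions to the end of the file is fine, as Markdown footnotes resolve by label.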
@ -110,9 +105,15 @@ At the moment only one tag and one value is defined which signifies the server s
|
||||||
Finally, if the server supports HMAC cookies, the client sends a packet where the wrapped key is appended in cleartext.
|
Finally, if the server supports HMAC cookies, the client sends a packet where the wrapped key is appended in cleartext.
|
||||||
The server is now able to decrypt the third packet without having to keep the key from the first packet around and can verify the session id.
|
The server is now able to decrypt the third packet without having to keep the key from the first packet around and can verify the session id.
|
||||||
|
|
||||||
<!-- hannes
|
## Cool! Let's deploy it!
|
||||||
something along the lines: if you're keen on setting this up yourself, go to <here> and download the latest binary, and execute it (well, just a brief howto get it up and running). Don't hesitate to reach out if you're stuck.
|
|
||||||
-->
|
Great!
|
||||||
|
We build on a daily basis unikernels in our [reproducible builds setup][builder-web].
|
||||||
|
At the time of writing we have published a [Miragevpn router unikernel][miragevpn-router] acting as a client.
|
||||||
|
For general instructions on running Mirage unikernels see our [reproducible builds][reproducible-builds] blog post.
|
||||||
|
The unikernel will need a block device containing the OpenVPN™ configuration and a network device.
|
||||||
|
More detailed instructions Will Follow Soon™!
|
||||||
|
Don't hesitate to reach out to us on [GitHub](https://github.com/robur-coop/miragevpn/issues), [by mail](https://robur.coop/Contact) or me personally [on Mastodon](https://bsd.network/@reynir) if you're stuck.
|
||||||
|
|
||||||
[robur.coop]: https://robur.coop/
|
[robur.coop]: https://robur.coop/
|
||||||
[miragevpn]: https://github.com/robur-coop/miragevpn/
|
[miragevpn]: https://github.com/robur-coop/miragevpn/
|
||||||
|
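Review bot: "We build on a daily basis unikernels in our [reproducible builds setup][builder-web]." has the adverbial in the wrong position; suggest "We build unikernels daily in our [reproducible builds setup][builder-web]." The line "More detailed instructions Will Follow Soon™!" capitalises "Will Follow" mid-sentence; if that is a deliberate joke with the ™ it can stay, otherwise lower-case it. "[Miragevpn router unikernel][miragevpn-router]" introduces yet another spelling of the project name; align it with the front matter. The new link labels `[builder-web]`, `[miragevpn-router]` and `[reproducible-builds]` used here are all defined in the final hunk of this commit, so the references resolve.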
@ -120,7 +121,14 @@ something along the lines: if you're keen on setting this up yourself, go to <he
|
||||||
[openvpn]: https://openvpn.net/
|
[openvpn]: https://openvpn.net/
|
||||||
[vpn-wiki]: https://en.wikipedia.org/wiki/Virtual_private_network
|
[vpn-wiki]: https://en.wikipedia.org/wiki/Virtual_private_network
|
||||||
[mirage]: https://mirage.io/
|
[mirage]: https://mirage.io/
|
||||||
|
[reproducible-builds]: https://robur.coop/Projects/Reproducible_builds
|
||||||
[qubes]: https://www.qubes-os.org/
|
[qubes]: https://www.qubes-os.org/
|
||||||
[wiki-wrap]: https://en.wikipedia.org/wiki/Key_wrap
|
[wiki-wrap]: https://en.wikipedia.org/wiki/Key_wrap
|
||||||
[syn-flood]: https://en.wikipedia.org/wiki/SYN_flood
|
[syn-flood]: https://en.wikipedia.org/wiki/SYN_flood
|
||||||
[syn-cookie]: https://en.wikipedia.org/wiki/SYN_cookies
|
[syn-cookie]: https://en.wikipedia.org/wiki/SYN_cookies
|
||||||
|
[builder-web]: https://builds.robur.coop/
|
||||||
|
[miragevpn-router]: https://builds.robur.coop/job/miragevpn-router
|
||||||
|
|
||||||
|
[^mbedtls]: It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.
|
||||||
|
|
||||||
|
[^vpn-network]: I use the term "VPN network" to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.
|
||||||
|
|
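Review bot: The relocated `[^mbedtls]` footnote is ambiguous as written: "compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well" can be read as a remark about OpenSSL rather than Mbed TLS; suggest "It is possible to compile OpenVPN™ community edition with Mbed TLS, which is also written in C, instead of OpenSSL." The added `[reproducible-builds]`, `[builder-web]` and `[miragevpn-router]` definitions match the labels referenced in the body, and both relocated footnotes keep their original text, so nothing else in this hunk needs changing.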