From 4ba2fd10f019b434e188860817ce3deb6a956e41 Mon Sep 17 00:00:00 2001 From: Date: Mon, 20 Nov 2023 14:06:31 +0000 Subject: [PATCH] Built from 8f26c5fa8f9328e4a0b2c550380b888d9ce641e3 --- articles/miragevpn-ncp.html | 59 +++++++++++++++++++++++++++++++++++++ feed.xml | 2 +- index.html | 13 ++++++++ tags/mirageos.html | 6 ++-- tags/ocaml.html | 6 ++-- tags/security.html | 6 ++-- tags/vpn.html | 6 ++-- 7 files changed, 85 insertions(+), 13 deletions(-) create mode 100644 articles/miragevpn-ncp.html diff --git a/articles/miragevpn-ncp.html b/articles/miragevpn-ncp.html new file mode 100644 index 0000000..eaf440a --- /dev/null +++ b/articles/miragevpn-ncp.html @@ -0,0 +1,59 @@ + + + + + + + + + Robur's blog - MirageVPN updated (AEAD, NCP) + + + + + + + + +
+

blog.robur.coop

+
+ The Robur cooperative blog. +
+
+
Back to index + +
+

MirageVPN updated (AEAD, NCP)

+

Updating MirageVPN

+

As announced earlier this month, we've been working hard over the last months on MirageVPN (initially developed in 2019, targeting OpenVPN™ 2.4.7, now 2.6.6). We managed to receive funding from NGI Assure call (via NLnet). We've made over 250 commits with more than 10k lines added, and 18k lines removed. We closed nearly all old issues, and opened 100 fresh ones, of which we already closed more than half of them. :D

+

Actual bugs fixed (that were leading to non-working MirageVPN applications)

+

In more detail, we had a specific configuration running over all the years, namely UDP mode with static keys (no TLS handshake, etc.). There were several issues (bitrot) that we encountered and solved along the path, amongst others:

+ +

To avoid any future breakage while revising the code (cleaning it up, extending it), we are now building several unikernels as part of our CI system. We also have setup OpenVPN™ servers with various configurations that we periodically test with our new code (we'll also work on further automation thereof).

+

New features: AEAD ciphers, supporting more configuration primitives

+

We added various configuration primitives, amongst them configuratble tls ciphersuites, minimal and maximal tls version to use, tls-crypt-v2, verify-x509-name, cipher, remote-random, ...

+

From a cryptographic point of view, we are now supporting more authentication hashes via the configuration directive auth, namely the SHA2 family - previously, only SHA1 was supported, AEAD ciphers (AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305) - previously only AES-256-CBC was supported.

+

NCP - Negotiation of cryptographic parameters

+

OpenVPN™ has a way to negotiate cryptographic parameters, instead of hardcoding them in the configuration. The client can propose its supported ciphers, and other features (MTU, directly request a push message for IP configuration, use TLS exporter secret instead of the hand-crafted (TLS 1.0 based PRF), ...) once the TLS handshake has been completed.

+

We are now supporting this negotiation protocol, and have been working on the different extensions that are useful to us. Namely, transmitting the supported ciphers, request push (which deletes an entire round-trip), TLS-exporter. This will also be part of the protocol specification that we're working on while finishing our implementation.

+

Cleanups and refactorings

+

We also took some time to cleanup our code base, removing Lwt.fail (which doesn't produce proper backtraces), using lzo from the decompress package (since that code has been upstreamed a while ago), remove unneeded dependencies (rresult, astring), avoiding assert false in pattern matches by improving types, improve the log output (include a timestamp, show log source, use colors).

+

Future

+

There is still some work that we want to do, namely a QubesOS client implementation, an operators manual, extending our specification, resurrecting and adapting the server implementation, supporting more NCP features (if appropriate), etc. So stay tuned, we'll also provide reproducible binaries once we're ready.

+

Don't hesitate to reach out to us on GitHub, by mail or me personally on Mastodon if you're stuck.

+ +
+ +
+ + + + diff --git a/feed.xml b/feed.xml index 4aea133..1981529 100644 --- a/feed.xml +++ b/feed.xml @@ -1 +1 @@ -Robur's bloghttps://blog.robur.coopThe Robur cooperative blogyocamlteam@robur.coopMirageVPN & tls-crypt-v2https://blog.robur.coop/articles/miragevpn.htmlTue, 14 Nov 2023 10:00:00 GMTHow we implementated tls-crypt-v2 for miragevpnhttps://blog.robur.coop/articles/miragevpn.html \ No newline at end of file +Robur's bloghttps://blog.robur.coopThe Robur cooperative blogyocamlteam@robur.coopMirageVPN updated (AEAD, NCP)https://blog.robur.coop/articles/miragevpn-ncp.htmlMon, 20 Nov 2023 10:00:00 GMTHow we resurrected MirageVPN from its bitrot statehttps://blog.robur.coop/articles/miragevpn-ncp.htmlMirageVPN & tls-crypt-v2https://blog.robur.coop/articles/miragevpn.htmlTue, 14 Nov 2023 10:00:00 GMTHow we implementated tls-crypt-v2 for miragevpnhttps://blog.robur.coop/articles/miragevpn.html \ No newline at end of file diff --git a/index.html b/index.html index a33fe73..ed4f574 100644 --- a/index.html +++ b/index.html @@ -26,6 +26,19 @@

Essays and ramblings

  1. + +
    + 2023-11-20 + MirageVPN updated (AEAD, NCP)
    +

    How we resurrected MirageVPN from its bitrot state

    + +
    +
  2. diff --git a/tags/mirageos.html b/tags/mirageos.html index 3c9ee8d..2d63188 100644 --- a/tags/mirageos.html +++ b/tags/mirageos.html @@ -23,12 +23,12 @@
    Back to index - +
    diff --git a/tags/ocaml.html b/tags/ocaml.html index 88b4e91..7fc298a 100644 --- a/tags/ocaml.html +++ b/tags/ocaml.html @@ -23,12 +23,12 @@
    Back to index - +
    diff --git a/tags/security.html b/tags/security.html index ca7573a..b4872af 100644 --- a/tags/security.html +++ b/tags/security.html @@ -23,12 +23,12 @@
    Back to index - +
    diff --git a/tags/vpn.html b/tags/vpn.html index 403bd2b..3b35698 100644 --- a/tags/vpn.html +++ b/tags/vpn.html @@ -23,12 +23,12 @@
    Back to index - +
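Review bot: in the articles/miragevpn-ncp.html hunk, the cryptography paragraph ("From a cryptographic point of view, we are now supporting more authentication hashes ...") runs two separate changes into one sentence and leaves open what is still accepted: it says the SHA2 family via `auth` and the AEAD ciphers AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305 are now supported, and that previously only SHA1 and AES-256-CBC were, but not whether the SHA1 / AES-256-CBC path stays the default or is only kept for interoperability, nor which of these the client proposes during NCP. Suggest one sentence per directive (`auth`, `cipher`) plus a line on the defaults, and a short reason for preferring the TLS exporter secret over the "TLS 1.0 based PRF" mentioned in the NCP section. Smaller points in the same hunk: "configuratble tls ciphersuites" (typo; "TLS" elsewhere), the unbalanced parenthesis in "hand-crafted (TLS 1.0 based PRF)", "request push (which deletes an entire round-trip)" should read "saves", "setup OpenVPN™ servers" should be "set up", and "of which we already closed more than half of them" should drop "of them". Since this commit is a build of 8f26c5fa8f9328e4a0b2c550380b888d9ce641e3, these fixes belong in the source article, not in the generated HTML.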
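Review bot: in the feed.xml hunk the entire feed is emitted as a single line with no trailing newline ("\ No newline at end of file"), so every rebuild appears as a full-line rewrite and the actual change (the new "MirageVPN updated (AEAD, NCP)" item pointing at https://blog.robur.coop/articles/miragevpn-ncp.html with pubDate Mon, 20 Nov 2023 10:00:00 GMT) cannot be checked from the diff; have the generator write one element per line and terminate the file with a newline. The pre-existing typo "implementated" in the tls-crypt-v2 item's description is carried over into the regenerated feed, which again means fixing it in the source rather than here.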
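Review bot: in the index.html hunk the new entry "2023-11-20 MirageVPN updated (AEAD, NCP)" with summary "How we resurrected MirageVPN from its bitrot state" matches the feed item, which is fine; the only nit is that this summary appears in the index and feed but nowhere on the article page added in this commit, whose body starts directly with "Updating MirageVPN", so consider reusing it as the article's lead paragraph for consistency.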