microsoft/PQCrypto-VPN microsoft/PQCrypto-VPN

  • Stars
    star
    298
  • Rank 139,663 (Top 3 %)
  • Language
    Perl
  • License
    MIT License
  • Created almost 7 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
microsoft/PQCrypto-VPN
github

microsoft

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Post-quantum Cryptography VPN

Thank you for your interest! This project is no longer active. Please see the OpenVPN demo at the Open Quantum Safe project for an up-to-date PQ-enabled version of OpenVPN.

Welcome to the PQCrypto-VPN project!

Please start with our project page at Microsoft Research for an overview of this project.

This project takes a fork of the OpenVPN software and combines it with post-quantum cryptography. In this way, we can test these algorithms with VPNs, evaluating functionality and performance of the quantum resistant cryptography. Because this project is experimental, it should not be used to protect sensitive data or communications at this time. Further cryptanalysis and research must first be done over the next few years to determine which algorithms are truly post-quantum safe.

This work is sponsored by Microsoft Research Security and Cryptography, as part of our post-quantum cryptography project. Along with academic and industry collaborators, we have designed the following algorithms and contributed them to the Open Quantum Safe project and are usable in this fork of OpenVPN:

  • Frodo: a key exchange protocol based on the learning with errors problem
  • SIDH: a key exchange protocol based on Supersingular Isogeny Diffie-Hellman
  • Picnic: a signature algorithm using symmetric-key primitives and non-interactive zero-knowledge proofs
  • qTESLA: a signature algorithm based on the ring learning with errors problem

We will also enable other ciphersuites as much as we are able to make them work. Our OpenVPN fork depends on the Open Quantum Safe project fork of OpenSSL, so contributors looking to add support for a new algorithm should ensure it is supported by Open Quantum Safe.

We also provide software and instructions for building a post-quantum secure VPN appliance with a Raspberry Pi 3. The device acts as a WiFi access point, and tunnels all of its traffic over the post-quantum VPN. This has two main advantages when compared to using a VPN client on the device. First, installing VPN client software is not required. Second, using VPN software can be error prone, and not all traffic will be protected if there are configuration errors. With a hardware device, all devices connecting to it get post-quantum security transparently. See the pqap directory, and the README file there for more information.

Releases

Please see our releases page for pre-built binaries for both Windows and Ubuntu Linux.

Tell us what you think

For bug reports, feature requests, and other issues with the code itself, please raise them in our issues tracker. For pull requests, please see the next section on Contributing. For other feedback, questions, comments, or anything else you'd like to tell us, you can talk to us at [email protected].

Prerequisites

  • To run the binaries: either Ubuntu Linux 18.04 or newer, or Windows 10. Only 64-bit operating systems are supported.
  • To build the source: Ubuntu Linux 18.04. Newer versions of Ubuntu are likely to also be fine, but we have not tested them.

OpenVPN for Windows does not build natively on Windows; it is only cross-compiled on Linux. Therefore all building from source must be done on Linux.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA, so if you have already signed a CLA with Microsoft for another project, that covers contributions to us as well.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Cloning

Our build relies on Git submodules for the sources to OQS-OpenSSL and OpenVPN. When cloning, be sure to use the --recurse-submodules option to git clone. If you forget, you should be able to run git submodule init followed by git submodule update to retrieve the submodules after a clone. For your convenience, here is a full clone command:

git clone --recurse-submodules https://github.com/microsoft/PQCrypto-VPN.git

Build Process Overview

Following OpenVPN's build process, binaries for both Linux and Windows are produced by a Linux-based build system that cross-compiles for Windows. Our build process first builds liboqs and the Open Quantum Safe fork of OpenSSL, and then our version of OpenVPN which uses them.

There is one Python script for running the build:

  • build.py: This does a full build of everything on Linux: both Linux and Windows versions of liboqs, OpenSSL, OpenVPN, and on Windows only, OpenVPN-GUI. The outputs of the build process are a gzipped tarball that can be unpacked onto an Ubuntu Linux system, and a Windows installer executable for installing on 64-bit Windows.

See the comments at the top of build.py for a list of prerequisite packages that must be installed before building. There is also a Dockerfile in openvpn/build/docker to build the installers in a container.

Previous versions of PQCrypto-VPN required OpenSSL ot be built on Windows, but now cross-compilation on Linux is supported there as well. As a result, our entire build process runs only on Linux, and we no longer require doing part of the build process on Windows nor are dependent on the Visual C++ Runtime Redistributable DLLs.

Subprojects

To enable our build of OpenVPN, we have forks of three OpenVPN GitHub repos that we have modified to enable this functionality. Pull requests are welcomed in these subprojects as well. The same requirements to sign a CLA apply to these repos.

Please open all issues here on the PQCrypto-VPN project.

Open Quantum Safe's implementations of the algorithms are in their liboqs library, which is consumed by the OpenSSL fork below.

We also use the OpenSSL fork maintained by the Open Quantum Safe Project for the implementations of the algorithms themselves. As we work closely with OQS, we do not maintain our own fork of their code. They also welcome opening issues and pull requests directly at their project.

Setup instructions

The setup instructions are the same whether you download our pre-made binaries, or if you build them yourself.

Windows client

After running the installer executable, you will need to create a configuration file. This can be located anywhere, though OpenVPN-GUI uses %USERPROFILE%\OpenVPN\config. Samples have beeen provided in the openvpn\config directory:

  • client-win.ovpn: Client authenticating with a certificate
  • client-passdb.ovpn: Client authenticating with a username/password. This sample configuration file is based on Linux, so you will need to adjust the pathnames for a Windows host.

The tunnel can then be established by running OpenVPN-GUI, right-clicking on its system tray icon, selecting the configuration file, and choosing Connect. OpenVPN can be run from an elevated command prompt, just like on Linux; see the Linux instructions below if you prefer this method.

Linux client or server

Unpack pq-openvpn-linux-staged.tgz from the root directory as root. This will drop the installation in /usr/local/openvpn as well as an automatic startup script suitable for Ubuntu hosts running systemd.

Optional: If you are configuring a server and want OpenVPN to start automatically at boot, run the initialsetup.sh script installed in the /usr/local/openvpn/sbin directory. We recommend you only do this when you have thoroughly tested your configuration.

You then need to create a configuration file. If running a server, the automatic start scripts expect this to be called server.ovpn and located in /usr/local/openvpn/etc. If you are running a client or a server from the command line, it can be called whatever you want as you will provide the configuration filename when starting OpenVPN. The following samples have been provided in the openvpn/config directory:

  • client.ovpn: Client authenticating with a certificate
  • client-passdb.ovpn: Client authenticating with a username/password
  • server.ovpn: Server only accepting client certificate authentication
  • server-passdb.ovpn: Server only accepting username/password authentication

The ecdh-curve configuration directive is used to select the key exchange algorithm and must be present to guarantee a post-quantum algorithm is selected. You can see the list of valid choices from the list of supported algorithms at OQS's OpenSSL fork here: https://github.com/open-quantum-safe/openssl#supported-algorithms

If no ecdh-curve directive is present, p256_sikep434 is chosen by default. If present, the ecdh-curve directive must agree on both client and server, or a session will fail to negotiate. It is possible to pick a non-post quantum algorithm from the list of all algorithms supported by OpenSSL; make sure only to select choices from the list linked above to ensure use of a post-quantum key exchange.

The authentication algorithm depends on the types of certificates provided as part of the configuration. You can use classical signature algorithms (like RSA or ECDSA), but these are not post-quantum. See the instructions in openvpn/config/picnic-pki.md for creating certificates using Picnic-L1FS as the signature algorithm as one post-quantum option. See the above list of supported algorithms for post-quantum signature algorithms.

OpenVPN is then started by running from a root command prompt:

/usr/local/openvpn/sbin/openvpn --config <config file name>

This will keep OpenVPN running in the foreground and keep control of your terminal. You can safely terminate OpenVPN by typing Control-C; OpenVPN will clean up its network setup before exiting. You can add the --daemon to the command line or daemon to the configuration file to make it go into the background, and you can then use kill to send its process a signal to terminate when desired.

Setting up username/password authentication on a Linux server

This setup uses the host's built-in username and password database for authentication as an expedient method of authentication. Any valid user presenting a correct password will be able to authenticate and connect.

Suggested procedure for creating a user that can't log into the host but can authenticate to OpenVPN with these settings:

useradd -c "<User Full Name Here>" -d /usr/local/openvpn -s /bin/false <username>

passwd <username>

<username> and <User Full Name Here> are user-specific inputs. The above example assumes ${INSTALL_ROOT} is /usr/local/openvpn; modify as needed if the path is different. It is critical that whatever follows the -s parameter does NOT appear in the /etc/shells file on the host; /bin/false should never be in there.

For additional security, in /etc/ssh/sshd_config should be the line PasswordAuthentication no to prevent any password authentication. This appears to be the default for Azure VMs but not for regular Linux hosts. This will, of course, require using public key authentication for administrators to log into the host directly. If password authentication to the host is required, create a group for OpenVPN users and then instruct the SSH server to deny logins to that group as follows as root:

  1. groupadd openvpn
  2. Add a -g openvpn argument to the useradd command above
  3. Add a DenyGroups openvpn directive to /etc/ssh/sshd_config

Already-created users can be retroactively added to this group with usermod -a -G openvpn <username>.

Although having /bin/false as the shell should prevent users from doing anything, denying the group will make the SSH return an authentication failure; not having this will cause the authentication to succeed, but when the host executes /bin/false as the shell, it will return immediately and the connection should then close. But since SSH allows authenticated users to do a number of things like open network tunnels without starting a shell, SSH access should be explicitly denied to prevent any functionality being invoked by a successful authentication.

Setting up certificate authentication

The process of setting up RSA-signed certificates for client and server authentication is the same for regular OpenVPN, and so we refer you to their excellent instructions for setting up a Certificate Authority (CA) and issuing certificates. Even if you use username/password authentication for clients, servers must still have a certificate, and the certificate of the CA must be provided to clients.

The analogous process for Picnic-signed certificates is described in in openvpn/config/picnic-pki.md. This uses the OpenSSL command line tool from the Open Quantum Safe fork of OpenSSL.

Known Issues

Only the server currently lists the key exchange algorithm used in its log output as "group_id", and it is only listed by the OpenSSL numerical identifier, which we realize is not very user-friendly. After the group_id value will be a message that says either (post-quantum key exchange) or (NOT post-quantum key exchange) to address this. OpenSSL does not expose the necessary API surface to obtain this information on the client.

Although the p256_sikep434 hybrid key exchange is chosen by default, it is possible to choose a non-post quantum key exchange with the ecdh-curve configuration directive. We have chosen this default and provided ample documentation to ensure as much as possible that a non-post quantum key exchange is not selected accidentally.

The Open Quantum Safe fork of OpenSSL only provides post-quantum algorithms for TLS 1.3 connections. Use of TLS 1.2 or earlier has no post-quantum algorithms. Therefore, it is vital the tls-version-min 1.3 directive is always present in configuration files to ensure clients and servers never fall back to older versions of TLS.

More Repositories

1

vscode

Visual Studio Code
TypeScript
163,565
star
2

PowerToys

Windows system utilities to maximize productivity
C#
110,602
star
3

TypeScript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TypeScript
100,730
star
4

terminal

The new Windows Terminal and the original Windows console host, all in the same place!
C++
94,835
star
5

Web-Dev-For-Beginners

24 Lessons, 12 Weeks, Get Started as a Web Developer
JavaScript
83,418
star
6

ML-For-Beginners

12 weeks, 26 lessons, 52 quizzes, classic Machine Learning for all
HTML
69,631
star
7

generative-ai-for-beginners

21 Lessons, Get Started Building with Generative AI πŸ”— https://microsoft.github.io/generative-ai-for-beginners/
Jupyter Notebook
64,519
star
8

playwright

Playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API.
TypeScript
64,013
star
9

monaco-editor

A browser based code editor
JavaScript
35,437
star
10

DeepSpeed

DeepSpeed is a deep learning optimization library that makes distributed training and inference easy, efficient, and effective.
Python
35,130
star
11

AI-For-Beginners

12 Weeks, 24 Lessons, AI for All!
Jupyter Notebook
34,704
star
12

autogen

A programming framework for agentic AI πŸ€–
Jupyter Notebook
32,470
star
13

MS-DOS

The original sources of MS-DOS 1.25, 2.0, and 4.0 for reference purposes
Assembly
30,714
star
14

Data-Science-For-Beginners

10 Weeks, 20 Lessons, Data Science for All!
Jupyter Notebook
28,136
star
15

calculator

Windows Calculator: A simple yet powerful calculator that ships with Windows
C++
27,371
star
16

cascadia-code

This is a fun, new monospaced font that includes programming ligatures and is designed to enhance the modern look and feel of the Windows Terminal.
Python
25,726
star
17

JARVIS

JARVIS, a system to connect LLMs with ML community. Paper: https://arxiv.org/pdf/2303.17580.pdf
Python
23,519
star
18

api-guidelines

Microsoft REST API Guidelines
22,661
star
19

winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
C++
20,495
star
20

unilm

Large-scale Self-supervised Pre-training Across Tasks, Languages, and Modalities
Python
19,889
star
21

vcpkg

C++ Library Manager for Windows, Linux, and MacOS
CMake
19,600
star
22

fluentui

Fluent UI web represents a collection of utilities, React components, and web components for building web applications.
TypeScript
18,419
star
23

semantic-kernel

Integrate cutting-edge LLM technology quickly and easily into your apps
C#
17,792
star
24

graphrag

A modular graph-based Retrieval-Augmented Generation (RAG) system
Python
17,750
star
25

CNTK

Microsoft Cognitive Toolkit (CNTK), an open source deep-learning toolkit
C++
17,412
star
26

WSL

Issues found on WSL
PowerShell
17,372
star
27

LightGBM

A fast, distributed, high performance gradient boosting (GBT, GBDT, GBRT, GBM or MART) framework based on decision tree algorithms, used for ranking, classification and many other machine learning tasks.
C++
16,470
star
28

AirSim

Open source simulator for autonomous vehicles built on Unreal Engine / Unity, from Microsoft AI & Research
C++
16,327
star
29

react-native-windows

A framework for building native Windows apps with React.
C++
16,310
star
30

recommenders

Best Practices on Recommendation Systems
Python
16,075
star
31

IoT-For-Beginners

12 Weeks, 24 Lessons, IoT for All!
C++
15,360
star
32

qlib

Qlib is an AI-oriented quantitative investment platform that aims to realize the potential, empower research, and create value using AI technologies in quantitative investment, from exploring ideas to implementing productions. Qlib supports diverse machine learning modeling paradigms. including supervised learning, market dynamics modeling, and RL.
Python
15,308
star
33

dotnet

This repo is the official home of .NET on GitHub. It's a great starting point to find many .NET OSS projects from Microsoft and the community, including many that are part of the .NET Foundation.
HTML
14,370
star
34

Bringing-Old-Photos-Back-to-Life

Bringing Old Photo Back to Life (CVPR 2020 oral)
Python
14,132
star
35

ai-edu

AI education materials for Chinese students, teachers and IT professionals.
HTML
13,485
star
36

pyright

Static Type Checker for Python
Python
13,195
star
37

nni

An open source AutoML toolkit for automate machine learning lifecycle, including feature engineering, neural architecture search, model compression and hyper-parameter tuning.
Python
13,084
star
38

guidance

A guidance language for controlling large language models.
Jupyter Notebook
11,777
star
39

TypeScript-Node-Starter

A reference example for TypeScript and Node with a detailed README describing how to use the two together.
SCSS
11,314
star
40

Swin-Transformer

This is an official implementation for "Swin Transformer: Hierarchical Vision Transformer using Shifted Windows".
Python
11,187
star
41

TypeScript-React-Starter

A starter template for TypeScript and React with a detailed README describing how to use the two together.
TypeScript
11,081
star
42

frontend-bootcamp

Frontend Workshop from HTML/CSS/JS to TypeScript/React/Redux
TypeScript
10,807
star
43

mimalloc

mimalloc is a compact general purpose allocator with excellent performance.
C
10,532
star
44

windows-rs

Rust for Windows
Rust
10,411
star
45

wslg

Enabling the Windows Subsystem for Linux to include support for Wayland and X server related scenarios
C++
10,165
star
46

language-server-protocol

Defines a common protocol for language servers.
HTML
10,093
star
47

sql-server-samples

Azure Data SQL Samples - Official Microsoft GitHub Repository containing code samples for SQL Server, Azure SQL, Azure Synapse, and Azure SQL Edge
9,950
star
48

onnxruntime

ONNX Runtime: cross-platform, high performance ML inferencing and training accelerator
C++
9,837
star
49

fast

The adaptive interface system for modern web experiences.
TypeScript
9,271
star
50

computervision-recipes

Best Practices, code samples, and documentation for Computer Vision.
Jupyter Notebook
9,264
star
51

napajs

Napa.js: a multi-threaded JavaScript runtime
C++
9,256
star
52

Windows-universal-samples

API samples for the Universal Windows Platform.
JavaScript
9,253
star
53

LoRA

Code for loralib, an implementation of "LoRA: Low-Rank Adaptation of Large Language Models"
Python
9,145
star
54

fluentui-emoji

A collection of familiar, friendly, and modern emoji from Microsoft
Python
9,068
star
55

vscode-tips-and-tricks

Collection of helpful tips and tricks for VS Code.
9,038
star
56

playwright-python

Python version of the Playwright testing and automation library.
Python
8,990
star
57

STL

MSVC's implementation of the C++ Standard Library.
C++
8,978
star
58

react-native-code-push

React Native module for CodePush
C
8,643
star
59

vscode-extension-samples

Sample code illustrating the VS Code extension API.
TypeScript
8,628
star
60

inshellisense

IDE style command line auto complete
TypeScript
8,402
star
61

reverse-proxy

A toolkit for developing high-performance HTTP reverse proxy applications.
C#
8,398
star
62

reactxp

Library for cross-platform app development.
TypeScript
8,289
star
63

WSL2-Linux-Kernel

The source for the Linux kernel used in Windows Subsystem for Linux 2 (WSL2)
C
8,037
star
64

ailab

Experience, Learn and Code the latest breakthrough innovations with Microsoft AI
C#
7,699
star
65

c9-python-getting-started

Sample code for Channel 9 Python for Beginners course
Jupyter Notebook
7,642
star
66

UFO

A UI-Focused Agent for Windows OS Interaction.
Python
7,633
star
67

cpprestsdk

The C++ REST SDK is a Microsoft project for cloud-based client-server communication in native code using a modern asynchronous C++ API design. This project aims to help C++ developers connect to and interact with services.
C++
7,573
star
68

botframework-sdk

Bot Framework provides the most comprehensive experience for building conversation applications.
JavaScript
7,484
star
69

azuredatastudio

Azure Data Studio is a data management and development tool with connectivity to popular cloud and on-premises databases. Azure Data Studio supports Windows, macOS, and Linux, with immediate capability to connect to Azure SQL and SQL Server. Browse the extension library for more database support options including MySQL, PostreSQL, and MongoDB.
TypeScript
7,182
star
70

winget-pkgs

The Microsoft community Windows Package Manager manifest repository
6,981
star
71

Windows-driver-samples

This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
C
6,924
star
72

winfile

Original Windows File Manager (winfile) with enhancements
C
6,437
star
73

nlp-recipes

Natural Language Processing Best Practices & Examples
Python
6,379
star
74

WinObjC

Objective-C for Windows
C
6,241
star
75

SandDance

Visually explore, understand, and present your data.
TypeScript
6,091
star
76

VFSForGit

Virtual File System for Git: Enable Git at Enterprise Scale
C#
5,979
star
77

GSL

Guidelines Support Library
C++
5,957
star
78

MixedRealityToolkit-Unity

This repository is for the legacy Mixed Reality Toolkit (MRTK) v2. For the latest version of the MRTK please visit https://github.com/MixedRealityToolkit/MixedRealityToolkit-Unity
C#
5,943
star
79

fluentui-system-icons

Fluent System Icons are a collection of familiar, friendly and modern icons from Microsoft.
HTML
5,934
star
80

vscode-go

An extension for VS Code which provides support for the Go language. We have moved to https://github.com/golang/vscode-go
TypeScript
5,932
star
81

microsoft-ui-xaml

Windows UI Library: the latest Windows 10 native controls and Fluent styles for your applications
5,861
star
82

vscode-recipes

JavaScript
5,859
star
83

rushstack

Monorepo for tools developed by the Rush Stack community
TypeScript
5,840
star
84

MMdnn

MMdnn is a set of tools to help users inter-operate among different deep learning frameworks. E.g. model conversion and visualization. Convert models between Caffe, Keras, MXNet, Tensorflow, CNTK, PyTorch Onnx and CoreML.
Python
5,782
star
85

vscode-docs

Public documentation for Visual Studio Code
Markdown
5,650
star
86

ethr

Ethr is a Comprehensive Network Measurement Tool for TCP, UDP & ICMP.
Go
5,642
star
87

FASTER

Fast persistent recoverable log and key-value store + cache, in C# and C++.
C#
5,630
star
88

vscode-cpptools

Official repository for the Microsoft C/C++ extension for VS Code.
TypeScript
5,501
star
89

DirectX-Graphics-Samples

This repo contains the DirectX Graphics samples that demonstrate how to build graphics intensive applications on Windows.
C++
5,440
star
90

promptbase

All things prompt engineering
Python
5,367
star
91

BosqueLanguage

The Bosque programming language is an experiment in regularized design for a machine assisted rapid and reliable software development lifecycle.
TypeScript
5,282
star
92

TaskWeaver

A code-first agent framework for seamlessly planning and executing data analytics tasks.
Python
5,258
star
93

Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
C++
5,139
star
94

tsyringe

Lightweight dependency injection container for JavaScript/TypeScript
TypeScript
5,104
star
95

DeepSpeedExamples

Example models using DeepSpeed
Python
5,092
star
96

SynapseML

Simple and Distributed Machine Learning
Scala
5,041
star
97

Windows-classic-samples

This repo contains samples that demonstrate the API used in Windows classic desktop applications.
5,040
star
98

sudo

It's sudo, for Windows
Rust
4,998
star
99

TypeScript-Handbook

Deprecated, please use the TypeScript-Website repo instead
JavaScript
4,883
star
100

vscode-dev-containers

NOTE: Most of the contents of this repository have been migrated to the new devcontainers GitHub org (https://github.com/devcontainers). See https://github.com/devcontainers/template-starter and https://github.com/devcontainers/feature-starter for information on creating your own!
Shell
4,713
star