• Stars
    star
    284
  • Rank 145,616 (Top 3 %)
  • Language
    Go
  • License
    BSD 3-Clause "New...
  • Created about 6 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A simple VPN allowing mesh-like communication between nodes, over websockets

Go Report Card license Release

Simple-VPN

This project is a VPN-server, written in golang, using websockets as a transport. The idea is that multiple-nodes each connect to a central VPN-server, and once connected they can talk to each other securely, regardless of their location.

The following image illustrates the expected setup:

  • Three hosts each connect to the central VPN host.
  • Once they're connected each of those hosts can then talk to the other machines which are also connected.
    • (Their private traffic is routed to the central hub, from there sent back out.)

Screenshot

While it is possible to use this software to mask your laptop's IP while traveling, instead showing the IP of the VPN-server as being the source of connections that is not the expected use-case. (Nor is it documented!)

It should be noted that the VPN-server will become a single point of failure if you're using it to join (say) a database-host located at Hetzner with a number of webserver-nodes split between Linode and Digital Ocean, but being a simple service, easy to deploy, it should be trivial to spin up a replacement in a hurry.

Installation

There are two ways to install this project from source, which depend on the version of the go version you're using.

Alternatively you can download the latest release from our releases page if you're running upon AMD64-GNU/Linux host. (Unfortunately we use CGO, and the water-library, which makes our code non-portable for now.)

Source Installation go <= 1.11

If you're using go before 1.11 then the following command should fetch/update the projectl and install it upon your system:

 $ go get -u github.com/skx/simple-vpn

Source installation go >= 1.12

If you're using a more recent version of go (which is highly recommended), you need to clone to a directory which is not present upon your GOPATH:

git clone https://github.com/skx/simple-vpn
cd simple-vpn
go install

Encryption & Overhead

The VPN-server does not implement any kind of encryption itself, nor does it handle access-control beyond the use of a shared-secret. Is this insane? Actually no.

The expectation is that you'll host the VPN-server behind an nginx/apache proxy and you'll add TLS there (i.e. Let's Encrypt). Providing all the clients connect to the server over a TLS/SSL-protected socket then things are secure:

  • The use of TLS prevents traffic from being sniffed.
    • This means that the connections made from one host, to another, over their private network will be unreadable to hosts in the same location.
  • The use of a shared-secret prevents rogue agents from connecting to your VPN-server.
    • This means a user cannot join your private network and attempt to sniff traffic that way.

I believe this solution is "secure enough", but if you have concerns you can ensure that all the traffic you send over it uses TLS itself, for example database-connections can use TLS, etc.

Because traffic routed between two nodes on their private IP addresses has to be routed via the VPN-server expect to see approximately 50% overhead.

VPN-Server Setup

Configuring a VPN server requires two things:

  • The simple-vpn binary to be running in server-mode..
    • This requires the use of a simple configuration-file.
  • Your webserver to proxy (websocket) requests to it.
    • You must ensure that your webserver uses TLS to avoid sniffing.

A minimal configuration file for using simple-vpn in server-mode looks like this:

With your configuration-file you can now launch the VPN-server like so:

 # simple-vpn server ./server.cfg

To proxy traffic to this server, via nginx, you could have a configuration file like this:

server {
    server_name vpn.example.com;
    listen [::]:443  default ipv6only=off ssl;

    ssl on;
    ssl_certificate      /etc/lets.encrypt/ssl/vpn.example.com.full;
    ssl_certificate_key  /etc/lets.encrypt/ssl/vpn.example.com.key;
    ssl_dhparam          /etc/nginx/ssl/dhparam.pem;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    add_header Strict-Transport-Security "max-age=31536000";

    proxy_buffering    off;
    proxy_buffer_size  128k;
    proxy_buffers 100  128k;

    ## VPN server ..
    location /vpn {

       proxy_set_header      X-Forwarded-For $remote_addr;
       proxy_pass            http://127.0.0.1:9000;
       proxy_http_version    1.1;
       proxy_set_header      Upgrade $http_upgrade;
       proxy_set_header      Connection "upgrade";
       proxy_read_timeout    86400;
       proxy_connect_timeout 43200000;

       tcp_nodelay on;
   }
}
  • You don't need to dedicate a complete virtual host to the VPN-server, a single "location" is sufficient.

VPN-Client Setup

Install the binary upon the client hosts you wish to link, and launch them with the name of a configuration-file:

# simple-vpn client client.cfg

There is a sample client configuration file here:

The configuration file has two mandatory settings:

  • key
    • Specifies the shared key with which to authenticate.
  • vpn
    • Specifies the VPN end-point to connect to.

Advanced Configuration

The server will assign each client which connects the next unused IP address from the range it is configured to serve.

Because each client identifies itself with the hostname of the local system it is possible to map static IP addresses to any remote host, which is useful if you wish to setup DNS entries, etc.

To setup a static IP see the commented-out sections in the server.cfg file.

Github Setup

This repository is configured to run tests upon every commit, and when pull-requests are created/updated. The testing is carried out via .github/run-tests.sh which is used by the github-action-tester action.

Releases are automated in a similar fashion via .github/build, and the github-action-publish-binaries action.

Steve

More Repositories

1

sysadmin-util

Tools for Linux/Unix sysadmins.
Perl
949
star
2

bookmarks.public

A template for self-hosted bookmarks using HTML & jQuery.
JavaScript
662
star
3

tunneller

Allow internal services, running on localhost, to be accessed over the internet..
Go
474
star
4

simple.vm

Simple virtual machine which interprets bytecode.
C
459
star
5

deployr

A simple golang application to automate the deployment of software releases.
Go
334
star
6

gobasic

A BASIC interpreter written in golang.
Go
325
star
7

go.vm

A simple virtual machine - compiler & interpreter - written in golang
Go
322
star
8

monkey

An interpreted language written in Go
Go
272
star
9

sysbox

sysadmin/scripting utilities, distributed as a single binary
Go
218
star
10

esp8266

Collection of projects for the WeMos Mini D1
C++
165
star
11

kilua

A minimal text-editor with lua scripting.
C++
160
star
12

sos

Simple Object Storage (I wish I could call it Steve's Simple Storage, or S3 ;)
Go
150
star
13

github-action-publish-binaries

Publish binaries when new releases are made.
Shell
137
star
14

evalfilter

A bytecode-based virtual machine to implement scripting/filtering support in your golang project.
Go
117
star
15

rss2email

Convert RSS feeds to emails
Go
112
star
16

e-comments

External comments for static HTML pages, a lightweight self-hosted disqus alternative.
JavaScript
101
star
17

cpmulator

Golang CP/M emulator for zork, Microsoft BASIC, Turbo Pascal, Wordstar, lighthouse-of-doom, etc
Go
97
star
18

lighthouse-of-doom

A simple text-based adventure game
C
95
star
19

linux-security-modules

A place to store my toy linux-security modules.
C
90
star
20

marionette

Something like puppet, for the localhost only.
Go
85
star
21

kpie

Simple devilspie-like program for window manipulation, with Lua.
C
79
star
22

foth

Tutorial-style FORTH implementation written in golang
Go
78
star
23

dhcp.io

Dynamic DNS - Via Redis, Perl, and Amazon Route53.
Perl
68
star
24

templer

A modular extensible static-site-generator written in perl.
Perl
63
star
25

overseer

A golang-based remote protocol tester for testing sites & service availability
Go
62
star
26

assembler

Basic X86-64 assembler, written in golang
Go
61
star
27

math-compiler

A simple intel/AMD64 assembly-language compiler for mathematical operations
Go
60
star
28

node-reverse-proxy.js

A reverse HTTP-proxy in node.js
JavaScript
54
star
29

webmail

A golang webmail server.
Go
52
star
30

dotfiles

Yet another dotfile-repository
Emacs Lisp
49
star
31

github2mr

Export all your github repositories to a form suitable for 'myrepos' to work with.
Go
46
star
32

puppet-summary

The Puppet Summary is a web interface providing reporting features for Puppet, it replaces the Puppet Dashboard project
Go
46
star
33

org-worklog

A template for maintaining a work-log, via org-mode.
42
star
34

rss2hook

POST to webhook(s) when new feed-items appear.
Go
37
star
35

tweaked.io

The code behind http://tweaked.io/
JavaScript
36
star
36

pam_pwnd

A PAM module to test passwords against previous leaks at haveibeenpwned.com
C
35
star
37

critical

A simple/minimal TCL interpreter, written in golang
Go
34
star
38

alphavet

A golang linter to detect functions not in alphabetical order
Go
32
star
39

dns-api-go

The code behind https://dns-api.org/
Go
31
star
40

markdownshare.com

The code which was previously used at http://markdownshare.com/
Perl
29
star
41

github-action-tester

Run tests when pull-requests are opened, or commits pushed.
Shell
26
star
42

bfcc

BrainFuck Compiler Challenge
Go
22
star
43

maildir-tools

Golang-based utility which can be used for scripting Maildir things, and also as a basic email client
Go
22
star
44

purppura

A server for receiving and processing alerts & events.
Go
21
star
45

cpm-dist

A curated collection of CP/M software
C
20
star
46

implant

Simple utility for embedding files/resources inside golang binaries
Go
20
star
47

chronicle2

Chronicle is a simple blog compiler, written in Perl with minimal dependencies.
Perl
20
star
48

z80-examples

Z80 assembly-language programs.
Makefile
19
star
49

dns-api.org

The code which was previously used at https://dns-api.org/
Perl
19
star
50

yal

Yet another lisp interpreter
Go
16
star
51

ephemeris

A static blog-compiler
Go
15
star
52

markdownshare

The code behind https://markdownshare.com/
Go
15
star
53

aws-utils

A small collection of AWS utilities, packaged as a single standalone binary.
Go
14
star
54

z80retroshield

Arduino library for driving the Z80 retro-shield.
Shell
13
star
55

predis

A redis-server written in Perl.
Perl
12
star
56

github-action-build

Build a project, creating artifacts
Shell
12
star
57

webserver-attacks

Identify attacks against webservers via simple rules
Perl
12
star
58

Device-Osram-Lightify

Interface to the Osram Lightify system
Perl
12
star
59

labeller

Script label addition/removal for gmail/gsuite email.
Go
10
star
60

da-serverspec

ServerSpec.org configuration for the Debian-Administration cluster.
Ruby
10
star
61

docker-api-gateway

Trivial API-gateway for docker, via HAProxy
Go
10
star
62

http2xmpp

HTTP to XMPP (jabber) bridge.
Perl
9
star
63

nanoexec

Trigger commands over a nanomsg queue
C
9
star
64

go-experiments

Repository containing experiments as I learn about golang
Go
9
star
65

golang-metrics

Automatic submission of system metrics to graphite, for golang applications
Go
8
star
66

pass

password-store distribution, with plugins.
Shell
8
star
67

ms-lite

A collection of plugins for a qpsmtpd-powered virtual-host aware SMTP system.
Perl
8
star
68

remotehttp

Magic wrapper to deny HTTP-requests to to "local" resources.
Go
8
star
69

dashboard

Redis & node.js powered dashboard skeleton
JavaScript
8
star
70

Buffalo-220-NAS

Installing NFS on a Buffalo 220 NAS device
Shell
8
star
71

asql

A toy utility to process Apache log files via SQL.
Perl
7
star
72

knownfs

A FUSE-based filesystem that exports ~/.ssh/known_hosts
Go
7
star
73

mpd-web

Simple HTTP view of an MPD server
Go
7
star
74

DockerFiles

Container for various dockerfiles.
Shell
6
star
75

yawns

Yet another weblog/news site
Perl
6
star
76

org-diary

Easily maintain a simple work-log / journal with the use of org-mode
Emacs Lisp
6
star
77

cidr_match.js

A simple module to test whether a given IPv4 address is within a particular CIDR range.
JavaScript
6
star
78

mod_writable

Disallow serving writable files under Apache 2.4.x
C
5
star
79

mod_blacklist

A simple Apache module to blacklist remote hosts.
C
5
star
80

arduino-mega-z80-simplest

The simplest possible project combining an Arduino Mega and a Zilog Z80 processor
C++
4
star
81

turtle

A simple turtle-implementation, using FORTH as a scripting-language
Go
4
star
82

purple

A simplified version of mauvealert
Perl
3
star
83

subcommands

Easy subcommand handling for a golang based command-line application
Go
3
star
84

runme

A quick hack for running commands from README.md files
Go
3
star
85

thyme

A simple package-building system, using docker
Perl
2
star
86

httpd

Simple golang HTTP server
Go
2
star
87

edinburgh.io

Open pub database
JavaScript
2
star
88

lexing-parsing-linting-stuffs

Code to go with my talk
Python
2
star
89

run-directory

A simple application inspired by `run-parts`.
Go
2
star
90

Redis--SQLite

Redis-Compatible module which writes to SQLite
Perl
2
star
91

devopswithdocker.com

Repository created for the Helsinki University course.
Dockerfile
2
star
92

aws-list

Export a dump of all running EC2 instances, along with AMI details, AMI age, etc, etc.
1
star
93

WebService--Amazon--Route53--Caching

Perl module to cache the results of WebService::Amazon::Route53
Perl
1
star
94

calibre-plugins

A small collection of calibre-plugins.
Python
1
star
95

org-tag-cloud

Easily maintain a tag-cloud of org-mode tags.
Emacs Lisp
1
star
96

headerfile

Parse files with simple key:value headers, easily.
Go
1
star
97

z80-cpm-scripting-interpreter

A trivial I/O language, with repl, written in z80 assembler to run under CP/M.
Makefile
1
star
98

Test--RemoteServer

The Perl module Test::RemoteServer
Perl
1
star