This repository has been archived on 02/Jan/2024.
Stars: 1,058. Language: Go. License: MIT License.
Created almost 8 years ago, updated over 4 years ago.


Repository Details

Simple, auditable & elegant VPN, built with TLS mutual authentication and TUN.

subnet

VPN server/client for the rest of us.

Author's note: Subnet works but lacks thorough review, and hits performance limits over ~100Mbps. I strongly recommend WireGuard instead for real deployments.

Overview

subnet establishes a TLS connection to the server. A TUN interface is created and set up with the given network parameters (local IP, subnet). All traffic that matches the local IP + subnet is routed to the VPN server.

On the server, all received traffic is checked against each client's local IP. If the destination matches a client, the packet is sent down that client's connection. If it doesn't, the packet is routed to the server's TUN device (and so to the server's network). If the server's kernel is configured correctly, packets coming back into the TUN device will be NATed, and hence can be routed correctly; they are then routed back to the correct client.
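As an added illustration (not subnet's own code), the server-side rule just described in Go: the destination of each packet received from a client is looked up in the table of connected clients' local IPs, and packets that match no client go to the server's TUN. The client table, the Route type and the constructed packets are assumptions for the example; the IPv4 header is validated before any field is read so a truncated or non-IPv4 frame is rejected rather than indexed out of range.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

// Route is where the server sends a packet that arrived over a client's TLS session.
type Route struct {
	Target string // "client" (down another client's session) or "tun" (the server's TUN)
	Client string // identifier of the destination client when Target == "client"
}

var errMalformed = errors.New("malformed IPv4 packet")

// dispatch applies the server rule from the overview: if the destination matches a
// connected client's local IP, send it down that client's session, otherwise hand it
// to the server's TUN device. Hypothetical code, not subnet's own. The header is checked
// first so a truncated or non-IPv4 frame is rejected instead of being indexed out of range.
func dispatch(pkt []byte, clients map[[4]byte]string) (Route, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return Route{}, errMalformed
	}
	ihl := int(pkt[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(pkt[2:4]))
	if ihl < 20 || total < ihl || total > len(pkt) {
		return Route{}, errMalformed
	}
	var dst [4]byte
	copy(dst[:], pkt[16:20])
	if id, ok := clients[dst]; ok {
		return Route{Target: "client", Client: id}, nil
	}
	return Route{Target: "tun"}, nil
}

// ipv4Packet builds a header-only IPv4 packet; constructed input for exercising dispatch.
func ipv4Packet(src, dst string) []byte {
	p := make([]byte, 20)
	p[0] = 0x45 // version 4, IHL 5 (20-byte header)
	binary.BigEndian.PutUint16(p[2:4], 20)
	p[8] = 64 // TTL
	copy(p[12:16], net.ParseIP(src).To4())
	copy(p[16:20], net.ParseIP(dst).To4())
	return p
}
```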

Use cases

Tunnel all non-LAN traffic through another box on the internet (traditional VPN).

Set up the server:

export GOPATH=`pwd` #set your GOPATH where you want the build to happen
go get -u github.com/twitchyliquid64/subnet
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -j MASQUERADE
./bin/subnet --mode init-server-certs --cert server.certPEM --key server.keyPEM --ca ca.certPEM --ca_key ca.keyPEM
./bin/subnet --mode server --key server.keyPEM --cert server.certPEM --ca ca.certPEM --network 192.168.69.1/24 0.0.0.0

Set up the client:

First, generate a certificate/key pair for each client, by running this on the server:

./bin/subnet --mode make-client-cert --ca ca.certPEM --ca_key ca.keyPEM client.certPEM client.keyPEM

Then, transfer client.certPEM, client.keyPEM and ca.certPEM to your client.

Now, run this on the client:

export GOPATH=`pwd` #set your GOPATH where you want the build to happen
go get -u github.com/twitchyliquid64/subnet
sudo ./bin/subnet -gw 192.168.69.1 -network 192.168.69.4/24 -cert client.certPEM -key client.keyPEM -ca ca.certPEM <server address>

#If you are on Mac OSX (replace 'Wi-Fi' with your interface):
networksetup -setdnsservers Wi-Fi 8.8.8.8

Explanation:

  • subnet is downloaded and compiled on both client and server.
  • A CA certificate is generated, along with a server certificate signed by that CA cert (init-server-certs mode).
  • A client certificate is generated, again signed by the CA cert (make-client-cert mode).
  • The server's networking stack is told to allow the forwarding of packets and to apply NAT to them.
  • Server gets the VPN address 192.168.69.1, managing traffic for 192.168.69.1 - 192.168.69.255.
  • Client gets the address 192.168.69.4.
  • Client remaps its default gateway to 192.168.69.1, forcing all non-LAN traffic through the VPN server.
  • On connection, both sides verify the TLS cert against the CA cert given on the command line.
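As an added example (not code from the subnet project), the mutual verification in the last point written against Go's crypto/tls: the server only accepts clients whose certificate chains to the CA (tls.RequireAndVerifyClientCert with ClientCAs), and the client verifies the server against the same CA (RootCAs) rather than skipping verification. The in-memory certificate generation stands in for init-server-certs and make-client-cert, and the server name vpn.example is an assumed SAN on the server certificate; the loopback listener replaces the real server address.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a short-lived Ed25519 cert for cn (Leaf set): self-signed CA when parent is nil, else signed by parent. Hypothetical stand-in for subnet's cert modes.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed: this certificate is the CA
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// mutualHandshake runs one TLS handshake over loopback TCP, both sides trusting only ca, and reports whether each accepted the other's certificate.
func mutualHandshake(ca, srv, cli tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: pool, ServerName: "vpn.example"} // assumed server SAN
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		conn, _ := ln.Accept()
		errc <- conn.(*tls.Conn).Handshake() // fails when the client cert does not chain to ca
		conn.Close()
	}()
	c, cerr := tls.Dial("tcp", ln.Addr().String(), cliCfg) // fails when the server cert does not chain to ca
	if cerr == nil {
		c.Close()
	}
	return cerr == nil && <-errc == nil
}
```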

Make a remote LAN accessible on your machine.

Set up the server (Linux only):

export GOPATH=`pwd` #set your GOPATH where you want the build to happen
go get -u github.com/twitchyliquid64/subnet
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -j MASQUERADE
./bin/subnet --mode init-server-certs --cert server.certPEM --key server.keyPEM --ca ca.certPEM --ca_key ca.keyPEM
./bin/subnet --mode server --key server.keyPEM --cert server.certPEM --ca ca.certPEM --network 192.168.69.1/24 0.0.0.0

Set up the client:

First, generate a certificate/key pair for each client, by running this on the server:

./bin/subnet --mode make-client-cert --ca ca.certPEM --ca_key ca.keyPEM client.certPEM client.keyPEM

Then, transfer client.certPEM, client.keyPEM and ca.certPEM to your client.

Now, run this on the client:

export GOPATH=`pwd` #set your GOPATH where you want the build to happen
go get -u github.com/twitchyliquid64/subnet
sudo ./bin/subnet -network 192.168.69.4/24 -cert client.certPEM -key client.keyPEM -ca ca.certPEM <server address>

Explanation:

  • subnet is downloaded and compiled on both client and server.
  • Certificates are generated, all based on the CA cert which is also generated.
  • Server gets the VPN address 192.168.69.1, managing traffic for 192.168.69.1 - 192.168.69.255.
  • Client gets the address 192.168.69.4. The /24 subnet mask means traffic for addresses 192.168.69.1 to 192.168.69.255 will be routed through the VPN.
  • Any traffic to 192.168.69.1 goes to the VPN server. Traffic to any other address in 192.168.69.1 to 192.168.69.255 goes to the client connected to the same server that holds that address. All other traffic is routed outside of subnet.

Usage

Usage of ./subnet:
./subnet <server address>
  -blockProfile
    	Enable block profiling
  -ca string
    	Path to PEM-encoded cert to validate client/serv
  -ca_key string
    	Path to PEM-encoded key to use generating certificates
  -cert string
    	Path to PEM-encoded cert for our side of the connection
  -cpuProfile
    	Enable CPU profiling
  -gw string
    	(Client only) Set the default gateway to this value
  -i string
    	TUN interface, one is picked if not specified
  -key string
    	Path to PEM-encoded key for our cert
  -mode string
    	Whether the process starts a server or as a client (default "client")
  -network string
    	Address for this interface with netmask (default "192.168.69.1/24")
  -port string
    	Port for the VPN connection (default "3234")

TODO

  • Fix server crash when processing packet when the client closes connection
  • Document server setup procedure, incl. forwarding, masquerade & cert setup
  • Make client resilient to connection failures to the server
  • Test routing between two clients on the same server.
  • Fix throughput issues - 5% of normal connection speed. Latency is good though.
  • Get working on OSX.
