One comment I'll make because it's kind of buried in the first paragraph and not really called out: this project is one of the very early adopters of Trevor Perrin's state-of-the-art Noise protocol framework design https://noiseprotocol.org/, so you're looking at something dramatically more modern, auditable and (potentially) secure than older, hairier protocols like IPsec, TLSv1.2, OpenVPN, etc.
If you want a reliable VPN you can use today on nearly every platform, try Algo VPN. It uses simplifies using IPSEC so that anyone who can run a few command line scripts can use it.
It's great that someone is working on what comes next after IPSEC, but the platform support for everyone won't come any time soon. If you need a VPN today, Algo is your best answer.
I like Algo a lot, but find it approximately as hard to recommend an IPSEC head-end to a sensitive network as I do recommending OpenVPN, and OpenVPN has better clients. Algo makes sense to me as the kind of VPN I set up to run traffic through when I travel, but not for protecting networks.
I'm not convinced that the problem of replacing VPN protocols is so difficult that we should get comfortable with IPSEC. We're really just an OSX client away from WireGuard in the mainstream. And unlike IPSEC vs. OpenVPN, WG is clearly better than the alternative.
Algo looks good if you stick to IPSEC but WireGuard is years ahead, and much sounder. Considering WireGuard's promising start, imo it's OK if platform support isn't broad yet. You don't need Solaris support to start having your state-of-the art VPN between your servers and workstations.
Another good alternative to IPsec is OpenVPN. It's called a "TLS VPN" but really, it simplifies TLS a lot and doesn't use many of the complicated parts of the protocol. It's much more sane than I had expected, and likely easier to secure than IPsec.
I've recently started recommending it for a everyone who doesn't have IPsec hardware, something I should have done long ago (but I mistakenly thought it to be less thought out than it was). Android support is solid too.
It automates the process of installing & creating OpenVPN, and means so that anyone who can download a file & run a bash file will be able to make a VPN.
It's not clear to me that this really solves any of the UI and management problems associated with VPNs. I'm sure the new crypto-design is interesting, but exchanging SSH public keys is actually a huge logistical hassle which scales very poorly.
The other thing is "container-ready" ... well it just isn't. I can use OpenVPN to do the same interface migration trick with a container today. That's not the challenge - the challenge is things like managing what happens when the VPN interface goes down and I need to recycle and reconfigure that interface (at which point you end up back at "allocate a private address space, stick the VPN container in a new address space, play with IPTables there to make sure losing the VPN routes doesn't mean you start routing over the regular NIC".
> but exchanging SSH public keys is actually a huge logistical hassle which scales very poorly.
How do current solutions tackle this? It seems that at some point, if you want something to be two-way authenticated then you need to exchange some public keys.
Well that's the thing: SSH has recently gained support for signed public keys - i.e. x.509 style certificate authorities. Outside of that you have things like monkeysphere doing the same with GPG, or simpler things like LDAP scripts which just check the key against LDAP (Hashicorp Vault does something similar).
But it's why I'm skeptical the UI is substantially improved: the simplest UI for VPN tends to be pre-shared keys - because everything more complicated simplifies to that interface "somehow everyone needs to agree who's allowed in" - and differs to SSH because SSH has more of a one-way contract "let this connection in, but I can't make the same connection back".
I believe they meant to say "symmetric key without any public key exchange protocol", e.g. like spiped, more than SSH. ("Pre-shared" is a bit more confusing in this particular context, admittedly.)
Is there a guide somewhere on how to partition applications on Linux so different apps use different VPNs?
Obviously the easier way is SSH SOCKS tunnels if the app supports it, but I'd like a more general method.
I believe it is possible by namespacing the apps (or I guess going all the way and containerizing them) and then setting the routing on a per-namespace basis.
Is there anywhere this is written down so I don't have to spent 6 hours trying to work out how to do it?
Set a tag based on the uid with iptables (set-mark), then set up a separate routing table (ip rule .. fwmark ..) for those packets. It's always a good idea to run application with a unique id to set ulimit anyway, even if you can identify traffic by other means (such as source ports). These things are well covered in the Advanced Routing Howto available at lartc.org.
Namespacing would work, but it might be simpler to use multiple routing tables and "ip rule" to match each app and direct it to the right routing table. You can use iptables to match on the process and set a mark on the packet that "ip rule" will match on.
For example, to limit a browser process from connecting to anything except the TOR proxy.
So, in case someone tries to de-anonymize you, unless the attacker has a kernel-level exploit, no packet will ever reach the attacker without going through TOR.
This could also be linked with a VM - so even if the attacker has a kernel-level exploit, there still won't be any outgoing packets.
It seems worrying to me to put something so complicated in the kernel. Perhaps, not even that, but it feels to me as though the fact that this requires in tree changes seems wrong, given the way that networking is going is to enable these network functions via mechanisms such as BPF.
I'm less worried about that because it's so small. WireGuard is ~4k LOC -- thus measurably less complicated than OpenVPN (~100k LOC + OpenSSL), StrongSwan (~410k), or SoftEther (~330k).
Moving to kernelspace brings it up to par with plain IP networking, minus a bit of overhead for the cryptographic operations. Userspace networking has overhead which is hard to overcome: context switching and CPU cache invalidation, copying packets between kernelspace and userspace, etc.
Yeah, but BPF can operate in kernel space directly on SKBs. If you look at the XDP work, there's a lot of promise. In fact I've implemented ECC in BPF -- other than the state, and negotiation components, I don't see why this can't adapt BPF.
So, for one of the implementations, yes, we implemented Curve25519 inside of the Kernel. Basically, every node was pushed into a map with the association of IP/Port to key data.
At the reception of a packet, if we didn't have a key, we'd punt the packet to userspace, asking it to do an exchange.
For some reason -- That I forget, we ended up putting the entire key into each packet. I think that when the "exchange" happened in userspace, we didn't actually store the entire box and key, instead we just generated an association specific key, and we wanted to be able to rotate this quickly. I think we just came up with the fact that doing the derivation was cheap enough that it'd be better to do it on every message.
What would then happen is that if we didn't have a box cached, we would calculate it, and this code was implemented as a helper function outside of the BPF itself. Then we did Poly1305 + XSalsa20 with a random nonce.
Why? Because IPSec is fucking complicated, and because I can?
Has a cryptographer ever looked at the protocol you invented? Maybe doing the asymmetric crypto on every packet is just a harmless performance problem that, but maybe you invented something insecure. Or is the protocol strictly from the spec (NaCl?) and just the implementation strange?
No, the project never got that far. I did discuss with a security researcher though, and it was secure, but it lacked features like PFS, and the handshake protocol could leak information.
In addition, using "pure" random nonces has all sorts of interesting problems.
Sidechannel free - Curve25519 is meant to be resistant to side channel attacks. We didn't spend much time seeing if the actual cryptographic code was secure.
Multicore - Yeah, we basically got that for free with BPF/XDP. It's kinda neat. You just load programs, and arrays get processes in parallel. We didn't have much state because we used random nonces, so there was no need for synchronization.
Unfortunately, the code will not be public because the project was closed source, it never shipped, and I'm no longer with the organization that paid for the work.
Sorry! Once you get deep enough in this tech, you seem to have more in common with an alien language than actual common English.
* BPF - Berkeley Packet Filter - BPF is a safe, in-kernel virtual machine that's meant to be able to introduce next generation functionality into the Kernel: https://lwn.net/Articles/603983/
* ECC - Elliptical Curve Encryption - Enough said
* XDP - eXpress Data Plane - This is a project atop BPF that's being merged into the Kernel to implement programmability features in the kernel, without requiring that people write crazypants code or unsafe code. It's backed, and used by Facebook. If you're familiar with Intel's DPDK, it's similar.
* SKB - Socket Buffers - These are the components that make up the data you send over the wire in the Kernel. When they come out of the kernel, they have to be flattened, and copied which is expensive. This is one of the biggest problems with usermode networking.
This was actually around the time that WireGuard initially announced. We had a product that we ship on-prem that needs end-to-end security guarantees. Unfortunately, IPSec has a bunch of issues around IKE and maintaining sanity at a medium node count.
Our implementation was not..performant, hence why we abandoned it. Our thought was that we could make it work, but instead we ended up building our own key negotiation / management code atop some other stuff we had in order to setup the IPSec SAs.
Best of luck, Jason!