mirror of https://github.com/dswd/vpncloud.git
Small fixes
This commit is contained in:
parent
da70553612
commit
80119c4c5a
|
@ -69,15 +69,12 @@ For all the test, the best average RTT out of 3 runs is selected. The latency is
|
||||||
assumed to be half of the RTT.
|
assumed to be half of the RTT.
|
||||||
|
|
||||||
|
|
||||||
| Payload size | 100 bytes | 500 bytes | 1000 bytes |
|
| Payload size | 100 bytes | 500 bytes | 1000 bytes |
|
||||||
| ----------------------------- | --------- | --------- | ---------- |
|
| ----------------------------- | --------------- | --------------- | --------------- |
|
||||||
| Without VpnCloud | 158 µs | 164 µs | 171 µs |
|
| Without VpnCloud | 158 µs | 164 µs | 171 µs |
|
||||||
| Unencrypted VpnCloud | 208 µs | 225 µs | 236 µs |
|
| Unencrypted VpnCloud | 208 µs (+50 µs) | 225 µs (+61 µs) | 236 µs (+65 µs) |
|
||||||
| Difference | +50 µs | +61 µs | +65 µs |
|
| Encrypted VpnCloud (ChaCha20) | 229 µs (+21 µs) | 242 µs (+17 µs) | 259 µs (+23 µs) |
|
||||||
| Encrypted VpnCloud (ChaCha20) | 229 µs | 242 µs | 259 µs |
|
| Encrypted VpnCloud (AES256) | 223 µs (+15 µs) | 232 µs ( +7 µs) | 249 µs (+13 µs) |
|
||||||
| Difference | +21 µs | +17 µs | +23 µs |
|
|
||||||
| Encrypted VpnCloud (AES256) | 223 µs | 232 µs | 249 µs |
|
|
||||||
| Difference | +15 µs | +7 µs | +13 µs |
|
|
||||||
|
|
||||||
|
|
||||||
### Conclusion
|
### Conclusion
|
||||||
|
|
24
src/cloud.rs
24
src/cloud.rs
|
@ -11,13 +11,13 @@ use epoll;
|
||||||
use nix::sys::signal::{SIGTERM, SIGQUIT, SIGINT};
|
use nix::sys::signal::{SIGTERM, SIGQUIT, SIGINT};
|
||||||
use signal::trap::Trap;
|
use signal::trap::Trap;
|
||||||
use time::SteadyTime;
|
use time::SteadyTime;
|
||||||
use rand::random;
|
use rand::{random, sample, thread_rng};
|
||||||
|
|
||||||
use super::types::{Table, Protocol, Range, Error, NetworkId, NodeId};
|
use super::types::{Table, Protocol, Range, Error, NetworkId, NodeId};
|
||||||
use super::device::Device;
|
use super::device::Device;
|
||||||
use super::udpmessage::{encode, decode, Options, Message};
|
use super::udpmessage::{encode, decode, Options, Message};
|
||||||
use super::crypto::Crypto;
|
use super::crypto::Crypto;
|
||||||
use super::util::{now, Time, Duration, time_rand};
|
use super::util::{now, Time, Duration};
|
||||||
|
|
||||||
struct PeerList {
|
struct PeerList {
|
||||||
timeout: Duration,
|
timeout: Duration,
|
||||||
|
@ -67,15 +67,8 @@ impl PeerList {
|
||||||
}
|
}
|
||||||
|
|
||||||
#[inline]
|
#[inline]
|
||||||
fn subset(&self, size: usize, seed: u32) -> Vec<SocketAddr> {
|
fn subset(&self, size: usize) -> Vec<SocketAddr> {
|
||||||
let mut peers = self.as_vec();
|
sample(&mut thread_rng(), self.as_vec(), size)
|
||||||
let mut psrng = seed;
|
|
||||||
let len = peers.len();
|
|
||||||
for i in size..len {
|
|
||||||
peers.swap_remove(psrng as usize % (len - i));
|
|
||||||
psrng = ((1664525 as u64) * (psrng as u64) + (1013904223 as u64)) as u32;
|
|
||||||
}
|
|
||||||
peers
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[inline]
|
#[inline]
|
||||||
|
@ -165,8 +158,11 @@ impl<P: Protocol> GenericCloud<P> {
|
||||||
}
|
}
|
||||||
debug!("Connecting to {}", addr);
|
debug!("Connecting to {}", addr);
|
||||||
if reconnect {
|
if reconnect {
|
||||||
let addr = addr.to_socket_addrs().unwrap().next().unwrap();
|
if let Ok(mut addrs) = addr.to_socket_addrs() {
|
||||||
self.reconnect_peers.push(addr);
|
while let Some(addr) = addrs.next() {
|
||||||
|
self.reconnect_peers.push(addr);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
let addrs = self.addresses.clone();
|
let addrs = self.addresses.clone();
|
||||||
let node_id = self.node_id.clone();
|
let node_id = self.node_id.clone();
|
||||||
|
@ -185,7 +181,7 @@ impl<P: Protocol> GenericCloud<P> {
|
||||||
peer_num = 10;
|
peer_num = 10;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
let peers = self.peers.subset(peer_num, time_rand() as u32);
|
let peers = self.peers.subset(peer_num);
|
||||||
let msg = Message::Peers(peers);
|
let msg = Message::Peers(peers);
|
||||||
for addr in &self.peers.as_vec() {
|
for addr in &self.peers.as_vec() {
|
||||||
try!(self.send_msg(addr, &msg));
|
try!(self.send_msg(addr, &msg));
|
||||||
|
|
|
@ -143,7 +143,9 @@ fn inc_nonce_12(nonce: &mut [u8; 12]) {
|
||||||
|
|
||||||
impl Crypto {
|
impl Crypto {
|
||||||
pub fn init() {
|
pub fn init() {
|
||||||
unsafe { sodium_init() };
|
if unsafe { sodium_init() } != 0 {
|
||||||
|
fail!("Failed to initialize crypto library");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn sodium_version() -> String {
|
pub fn sodium_version() -> String {
|
||||||
|
@ -196,7 +198,7 @@ impl Crypto {
|
||||||
crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE
|
crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE
|
||||||
) };
|
) };
|
||||||
if res != 0 {
|
if res != 0 {
|
||||||
panic!("Key derivation failed");
|
fail!("Key derivation failed");
|
||||||
}
|
}
|
||||||
match method {
|
match method {
|
||||||
CryptoMethod::ChaCha20 => {
|
CryptoMethod::ChaCha20 => {
|
||||||
|
|
|
@ -11,13 +11,6 @@ pub fn now() -> Time {
|
||||||
tv.tv_sec
|
tv.tv_sec
|
||||||
}
|
}
|
||||||
|
|
||||||
#[inline]
|
|
||||||
pub fn time_rand() -> i64 {
|
|
||||||
let mut tv = libc::timespec { tv_sec: 0, tv_nsec: 0 };
|
|
||||||
unsafe { libc::clock_gettime(libc::CLOCK_MONOTONIC, &mut tv); }
|
|
||||||
tv.tv_sec ^ tv.tv_nsec
|
|
||||||
}
|
|
||||||
|
|
||||||
#[inline(always)]
|
#[inline(always)]
|
||||||
pub fn memcopy(src: &[u8], dst: &mut[u8]) {
|
pub fn memcopy(src: &[u8], dst: &mut[u8]) {
|
||||||
assert!(dst.len() >= src.len());
|
assert!(dst.len() >= src.len());
|
||||||
|
|
24
vpncloud.md
24
vpncloud.md
|
@ -182,8 +182,8 @@ vpncloud -t tun -c REMOTE_HOST:PORT --subnet 10.0.0.X/32 --ifup 'ifconfig $IFNAM
|
||||||
### Important notes
|
### Important notes
|
||||||
|
|
||||||
- It is important to configure the interface in a way that all addresses on the
|
- It is important to configure the interface in a way that all addresses on the
|
||||||
VPN can be reached directly. E.g. if addresses 10.0.0.1 and 10.0.0.2 are used,
|
VPN can be reached directly. E.g. if addresses 10.0.0.1, 10.0.0.2 and so on
|
||||||
the interface needs to be configured as /24.
|
are used, the interface needs to be configured as /24.
|
||||||
For TUN devices, this means that the prefix length of the subnets must be
|
For TUN devices, this means that the prefix length of the subnets must be
|
||||||
different than the prefix length that the interface is configured with.
|
different than the prefix length that the interface is configured with.
|
||||||
|
|
||||||
|
@ -201,12 +201,12 @@ vpncloud -t tun -c REMOTE_HOST:PORT --subnet 10.0.0.X/32 --ifup 'ifconfig $IFNAM
|
||||||
primitives are expected to be very secure, their application has not been
|
primitives are expected to be very secure, their application has not been
|
||||||
reviewed.
|
reviewed.
|
||||||
The shared key is hashed using *ScryptSalsa208Sha256* to derive a key,
|
The shared key is hashed using *ScryptSalsa208Sha256* to derive a key,
|
||||||
which is used to encrypt the payload of messages using *ChaCha20Poly1305*.
|
which is used to encrypt the payload of messages using *ChaCha20Poly1305* or
|
||||||
The encryption includes an authentication that also protects the header and
|
*AES256-GCM*. The encryption includes an authentication that also protects the
|
||||||
all additional headers.
|
header and all additional headers.
|
||||||
This method does only protect against attacks on single messages but not
|
This method does only protect against attacks on single messages but not
|
||||||
on attacks that manipulate the message series itself (i.e. suppress messages,
|
against attacks that manipulate the message series itself (i.e. suppress
|
||||||
reorder them, and duplicate them).
|
messages, reorder them, or duplicate them).
|
||||||
|
|
||||||
|
|
||||||
## NETWORK PROTOCOL
|
## NETWORK PROTOCOL
|
||||||
|
@ -300,8 +300,11 @@ field will follow:
|
||||||
and the later 2 bytes are port number (both in network byte order).
|
and the later 2 bytes are port number (both in network byte order).
|
||||||
|
|
||||||
* **Initial message** (message type 2):
|
* **Initial message** (message type 2):
|
||||||
This packet contains all the local subnets claimed by the nodes.
|
This packet contains the following information:
|
||||||
Its first byte marks the stage of the initial handshake process. After that,
|
- A random node id to distinguish different nodes
|
||||||
|
- All the local subnets claimed by the nodes
|
||||||
|
Its first byte marks the stage of the initial handshake process.
|
||||||
|
The next 16 bytes contain the unique node id. After that,
|
||||||
the list of local subnets follows.
|
the list of local subnets follows.
|
||||||
The subnet list is encoded in the following way: Its first byte of data
|
The subnet list is encoded in the following way: Its first byte of data
|
||||||
contains the number of encoded subnets that follow. After that, the given
|
contains the number of encoded subnets that follow. After that, the given
|
||||||
|
@ -328,8 +331,7 @@ of their peers to spread this information and to avoid peer timeouts.
|
||||||
To avoid the cubic growth of management traffic, nodes should at a certain
|
To avoid the cubic growth of management traffic, nodes should at a certain
|
||||||
network size start sending partial peer lists instead of the full list.
|
network size start sending partial peer lists instead of the full list.
|
||||||
A reasonable number would be the square root of the number of peers.
|
A reasonable number would be the square root of the number of peers.
|
||||||
The subsets can be selected using round robin (making sure all peers eventually
|
The subsets should be selected randomly.
|
||||||
receive all information) or randomly.
|
|
||||||
|
|
||||||
Nodes should remove peers from their peer list after a certain period of
|
Nodes should remove peers from their peer list after a certain period of
|
||||||
inactivity or when receiving a **closing message**. Before shutting down, nodes
|
inactivity or when receiving a **closing message**. Before shutting down, nodes
|
||||||
|
|
Loading…
Reference in New Issue