QuickTun is probably the simplest VPN tunnel software ever, yet it's very secure. It relies on the NaCl encryption library. QuickTun uses the curve25519xsalsa20poly1305 crypto-box functionality of the NaCl library for secure public-key encryption.
Marek Küthe
a97ce9d49b
Build script: Fix path for debian directory
|
11 months ago | |
|---|---|---|
| deb | 11 months ago | |
| src | 11 months ago | |
| .gitignore | 11 months ago | |
| CONTRIBUTORS | 11 months ago | |
| LICENSE | 11 months ago | |
| README.md | 11 months ago | |
| build.sh | 11 months ago | |
| clean.sh | 11 months ago | |
| version | 7 years ago |
README.md
QuickTun
QuickTun is probably the simplest VPN tunnel software ever, yet it's very secure. It relies on the NaCl encryption library by D. J. Bernstein.
QuickTun uses the curve25519xsalsa20poly1305 crypto-box functionality of the NaCl library for secure public-key encryption.
And that's about all QuickTun does; encrypting and sending data. No fancy features which would only lead to bloating the binary. In fact, QuickTun itself has only a few hundred lines of pure C code, making it dead simple to maintain, analyze, debug and fix.
Configuration
Debian
The tunnel can be configured in a debian interface file:
auto tun0
iface tun0 inet static
address 192.168.77.1
pointopoint 192.168.77.2
netmask 255.255.255.255
qt_tun_mode 1
qt_protocol nacltai
qt_remote_address 1.2.3.4
qt_local_address 9.8.7.6
qt_private_key_file <LOCAL-SECRET-KEY-FILE>
qt_public_key <REMOTE-PUBLIC-KEY>
See below for supported configuration options. Please note that all options are written in lower case and are prefixed with qt_. The interface name is taken from the 'iface' entry.
Non-Debian
QuickTun configuration is usually stored in a shell script like this:
#!/bin/sh
export TUN_MODE=1
export PROTOCOL=nacltai
export REMOTE_ADDRESS=ipaddress-of-remote-end
export LOCAL_ADDRESS=ipaddress-of-local-end
export PRIVATE_KEY=private-key-of-local-end
export PUBLIC_KEY=public-key-of-remote-end
/usr/sbin/quicktun
Make sure that the script is not publicly readable because it contains the secret key: chmod 700 will do! To start the VPN tunnel, simply run the shellscript. You can also run the script using some service supervisor (daemon tools, supervisord).
Alternatively all configuration can be specified on the command line like this:
/usr/sbin/quicktun -c PROTOCOL nacltai -c TUN_MODE 1 -c PRIVATE_KEY_FILE secret.key -c PUBLIC_KEY public-key-of-remote-end
Configuration options
- INTERFACE - interface name (non-debian systems only)
- TUN_MODE - set to 1 to operate in tun (IP), unset or 0 (recent versions only) for tap (Ethernet) mode
- USE_PI - set to 1 to include packet information header in wire packets, must be set on both sides if used; set to 2 to automatically add the packet information header for cross-platform compatibility (also compatible with USE_PI=0), some (BSD) kernels need USE_PI to be enabled for IPv6 support
- REMOTE_ADDRESS - IP address or hostname of the remote end (use 0.0.0.0 for a floating/dynamic remote endpoint)
- LOCAL_ADDRESS - IP address or hostname of the local end, optional
- LOCAL_PORT - local UDP port, optional, defaults to 2998
- REMOTE_PORT - remote UDP port, optional, defaults to LOCAL_PORT
- REMOTE_FLOAT - allows the remote address and port to change when properly encrypted packets are received
- TUN_UP_SCRIPT - run specified command or script after the tunnel device has been opened
- SETUID - drop privileges and change user and group IDs to specified username after setting up the tunnel
- nacl0, nacltai and salty (encrypted) protocols only:
- PRIVATE_KEY - local secret key in hexadecimal form (not needed for raw protocol)
- PUBLIC_KEY - remote public key in hexadecimal form (not needed for raw protocol)
- PRIVATE_KEY_FILE - file containing local secret key in binary or hexadecimal form (not needed for raw protocol)
- nacltai (encrypted) protocol only:
- TIME_WINDOW - allowed time window for first received packet in seconds (positive number allows packets from history)
- Combined binary only (quicktun.debian and quicktun.combined executables, Debian based systems):
- PROTOCOL - the protocol to use, one of "raw", "nacl0" and "nacltai"
- Debian /etc/network/interfaces only:
- NO_PRECREATE - set to 1 to run QuickTun as root and not use a persistent tunnel device, unset otherwise
Protocol
| Protocol name | Security | Overhead | Remarks | Details |
|---|---|---|---|---|
| raw | None | 0 bytes | Compatible with VirtualBox UDPTunnel | The IP or ethernet packet as it was read from the device is sent directly in an UDP packet |
| nacl0 | Very weak | 16 bytes | The IP or ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function, with the nonce set to all zero, the first 16 all-zero bytes of the result are stripped off, the rest is sent in an UDP packet | |
| nacltai | Secure | 32 bytes | The IP or ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function, with the nonce being <7bytes=0><1byte=local_pub_key>remote_pub_key?1:0>16bytes:tai64an_packed_timestamp, the tai64an_packed_timestamp is copied to the beginning of the encrypted buffer (to the area that is normally all zero), the entire buffer is sent (crypto adds 32 bytes of overhead) | |
| salty | Secure with PFS | 20 bytes + control packets | Requires at least one endpoint to have a fixed address | The IP or ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function, with temporary keys and nonces which are periodically regenerated and exchanged; this protocol provides Perfect Forward Secrecy and does not depend on clock synchronization for replay protection; the current implementation does not work well if both endpoints are floating |
Fork
This is a fork of UCIS/QuickTun. The fork is not being actively developed. The fork contains some pull requests that are not merged upstream.