QuickTun is probably the simplest VPN tunnel software ever, yet it's very secure. It relies on the NaCl encryption library by D. J. Bernstein.
QuickTun uses the curve25519xsalsa20poly1305 crypto-box functionality of the NaCl library for secure public-key encryption.
And that's about all QuickTun does: encrypting and sending data. No fancy features which would only lead to bloating the binary. In fact, QuickTun itself has only a few hundred lines of pure C code, making it dead simple to maintain, analyze, debug and fix.
The tunnel can be configured in a Debian interfaces file (/etc/network/interfaces):

```
auto tun0
iface tun0 inet static
address 192.168.77.1
pointopoint 192.168.77.2
netmask 255.255.255.255
qt_tun_mode 1
qt_protocol nacltai
qt_remote_address 1.2.3.4
qt_local_address 9.8.7.6
qt_private_key_file <LOCAL-SECRET-KEY-FILE>
qt_public_key <REMOTE-PUBLIC-KEY>
```
See below for supported configuration options. Please note that all options are written in lower case and are prefixed with qt_. The interface name is taken from the 'iface' entry.
QuickTun configuration is usually stored in a shell script like this:

```sh
#!/bin/sh
export TUN_MODE=1
export PROTOCOL=nacltai
export REMOTE_ADDRESS=ipaddress-of-remote-end
export LOCAL_ADDRESS=ipaddress-of-local-end
export PRIVATE_KEY=private-key-of-local-end
export PUBLIC_KEY=public-key-of-remote-end
/usr/sbin/quicktun
```
Make sure that the script is not publicly readable because it contains the secret key: chmod 700 will do! To start the VPN tunnel, simply run the shell script. You can also run the script under a service supervisor (daemontools, supervisord).

Alternatively, all configuration can be specified on the command line like this:

```sh
/usr/sbin/quicktun -c PROTOCOL nacltai -c TUN_MODE 1 -c PRIVATE_KEY_FILE secret.key -c PUBLIC_KEY public-key-of-remote-end
```
Protocol name | Security | Overhead | Remarks | Details |
---|---|---|---|---|
raw | None | 0 bytes | Compatible with VirtualBox UDPTunnel | The IP or Ethernet packet as it was read from the device is sent directly in a UDP packet |
nacl0 | Very weak | 16 bytes | | The IP or Ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function with the nonce set to all zero; the first 16 all-zero bytes of the result are stripped off and the rest is sent in a UDP packet |
nacltai | Secure | 32 bytes | | The IP or Ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function, with the nonce being `<7 bytes = 0><1 byte = (local_pub_key > remote_pub_key ? 1 : 0)><16 bytes = tai64an packed timestamp>`; the tai64an packed timestamp is copied to the beginning of the encrypted buffer (over the area that is normally all zero) and the entire buffer is sent (the crypto adds 32 bytes of overhead) |
salty | Secure with PFS | 20 bytes + control packets | Requires at least one endpoint to have a fixed address | The IP or Ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function with temporary keys and nonces which are periodically regenerated and exchanged; this protocol provides Perfect Forward Secrecy and does not depend on clock synchronization for replay protection; the current implementation does not work well if both endpoints are floating |
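As an added example (not QuickTun's own code), the nacltai nonce and packet layout from the table above in Python, together with the receiver-side rule that a packet's timestamp must be newer than the last accepted one, which is what the timestamp-based replay protection of nacltai rests on. The crypto_box calls are constructed placeholders that reproduce only NaCl's zero-byte layout and must be replaced by a real NaCl binding; the key values, secret-key string and `now_ns` argument are constructed inputs.

```python
import time

TAI64_OFFSET = 1 << 62            # TAI64 labels seconds as 2^62 + seconds (TAI treated as UTC here)
ZEROBYTES, BOXZEROBYTES = 32, 16  # NaCl crypto_box input padding / leading zero bytes of the output

def tai64na_pack(seconds, nanos, attos):
    """TAI64NA label: 8-byte seconds, 4-byte nanoseconds, 4-byte attoseconds, big-endian."""
    return (TAI64_OFFSET + seconds).to_bytes(8, "big") + nanos.to_bytes(4, "big") + attos.to_bytes(4, "big")

def nacltai_nonce(local_pub, remote_pub, timestamp, for_decrypt=False):
    """24-byte nonce: 7 zero bytes, 1 direction byte, 16-byte timestamp.
    The sender sets the direction byte to 1 iff local_pub > remote_pub; the receiver flips
    it, so the two directions of the link never share a nonce for the same key pair."""
    flag = (1 if local_pub > remote_pub else 0) ^ (1 if for_decrypt else 0)
    return bytes(7) + bytes([flag]) + timestamp

# Constructed placeholders that only mimic NaCl's raw layout (32 zero bytes in, 16 zero bytes
# plus a 16-byte tag out). They neither encrypt nor authenticate: swap in a real NaCl binding.
def placeholder_box(padded, nonce, pk, sk):
    return bytes(BOXZEROBYTES) + nonce[:16] + padded[ZEROBYTES:]

def placeholder_box_open(raw, nonce, pk, sk):
    if raw[:ZEROBYTES] != bytes(BOXZEROBYTES) + nonce[:16]:
        raise ValueError("box_open failed (wrong nonce/direction or corrupted packet)")
    return bytes(ZEROBYTES) + raw[ZEROBYTES:]

class NacltaiEndpoint:
    def __init__(self, local_pub, remote_pub, box=placeholder_box, box_open=placeholder_box_open):
        self.local_pub, self.remote_pub, self.box, self.box_open = local_pub, remote_pub, box, box_open
        self.seq = 0                # goes into the attosecond field so packets in one ns still differ
        self.last_seen = bytes(16)  # newest timestamp accepted from the peer

    def frame(self, payload, now_ns=None):
        now_ns = time.time_ns() if now_ns is None else now_ns
        self.seq += 1
        ts = tai64na_pack(now_ns // 10**9, now_ns % 10**9, self.seq)
        nonce = nacltai_nonce(self.local_pub, self.remote_pub, ts)
        raw = self.box(bytes(ZEROBYTES) + payload, nonce, self.remote_pub, b"local-secret-key")
        return ts + raw[BOXZEROBYTES:]   # timestamp overwrites the 16 zero bytes: 32 bytes overhead

    def unframe(self, packet):
        ts = packet[:16]
        if ts <= self.last_seen:   # fixed-width big-endian, so byte order equals numeric order
            raise ValueError("replayed or reordered packet: timestamp not newer than last accepted")
        nonce = nacltai_nonce(self.local_pub, self.remote_pub, ts, for_decrypt=True)
        padded = self.box_open(bytes(BOXZEROBYTES) + packet[16:], nonce, self.remote_pub, b"local-secret-key")
        self.last_seen = ts        # advance the window only after the box opened successfully
        return padded[ZEROBYTES:]
```

Because the check is a strict "newer than" comparison, a packet reflected back to its own sender fails on the direction byte, and a replayed or reordered packet fails before any decryption is attempted.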
This is a fork of UCIS/QuickTun. The fork is not actively developed; it contains some pull requests that have not been merged upstream.