QuickTun is probably the simplest VPN tunnel software ever, yet it's very secure. It relies on the NaCl encryption library. QuickTun uses the curve25519xsalsa20poly1305 crypto-box functionality of the NaCl library for secure public-key encryption.

Marek Küthe a97ce9d49b Build script: Fix path for debian directory 11 months ago
deb ac1aa715ac Debian: Improve script style 11 months ago
src 3aba4e82b2 Drop support of libnacl 11 months ago
.gitignore a97ce9d49b Build script: Fix path for debian directory 11 months ago
CONTRIBUTORS e9745dd0a7 Add a README 11 months ago
LICENSE e9745dd0a7 Add a README 11 months ago
README.md e9745dd0a7 Add a README 11 months ago
build.sh a97ce9d49b Build script: Fix path for debian directory 11 months ago
clean.sh 53d5c5b5b8 Clean script: Fix bug 11 months ago
version 15db6b9594 Renamed debian directory to prepare for debian packaging, fixed possible crash in PI mode 2 7 years ago

README.md

QuickTun

QuickTun is probably the simplest VPN tunnel software ever, yet it's very secure. It relies on the NaCl encryption library by D. J. Bernstein.

QuickTun uses the curve25519xsalsa20poly1305 crypto-box functionality of the NaCl library for secure public-key encryption.

And that's about all QuickTun does: encrypting and sending data. There are no fancy features that would only bloat the binary. In fact, QuickTun itself is only a few hundred lines of pure C code, which makes it dead simple to maintain, analyze, debug and fix.

Configuration

Debian

The tunnel can be configured as a stanza in the Debian /etc/network/interfaces file:

auto tun0
iface tun0 inet static
       address 192.168.77.1
       pointopoint 192.168.77.2
       netmask 255.255.255.255
       qt_tun_mode 1
       qt_protocol nacltai
       qt_remote_address 1.2.3.4
       qt_local_address 9.8.7.6
       qt_private_key_file <LOCAL-SECRET-KEY-FILE>
       qt_public_key <REMOTE-PUBLIC-KEY>

See below for the supported configuration options. Note that in this file all options are written in lower case and prefixed with qt_. The interface name is taken from the 'iface' entry.
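As an added example (not part of this README or of QuickTun itself), a small Python helper that maps an interfaces stanza onto the upper-case names used by the shell-script style and flags the mistakes the options list makes possible; the sample stanza and the /etc/quicktun/tun0.key path are constructed for the example.

```python
import re

# Constructed sample: the README's stanza with the key placeholders filled in
INTERFACES_STANZA = """\
auto tun0
iface tun0 inet static
       address 192.168.77.1
       pointopoint 192.168.77.2
       netmask 255.255.255.255
       qt_tun_mode 1
       qt_protocol nacltai
       qt_remote_address 1.2.3.4
       qt_local_address 9.8.7.6
       qt_private_key_file /etc/quicktun/tun0.key
       qt_public_key """ + "ab" * 32 + "\n"

KEY_HEX = re.compile(r"^[0-9a-fA-F]{64}$")   # a 32-byte curve25519 key in hex
PROTOCOLS = ("raw", "nacl0", "nacltai", "salty")

def stanza_to_env(stanza: str) -> dict:
    """iface name -> INTERFACE; qt_foo -> FOO (the names the shell-script style uses)."""
    env = {}
    for line in stanza.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "iface":
            env["INTERFACE"] = parts[1]
        elif parts[0].startswith("qt_"):
            env[parts[0][3:].upper()] = " ".join(parts[1:])
    return env

def check_env(env: dict) -> list:
    """Problems worth catching before the tunnel is started."""
    problems = []
    proto = env.get("PROTOCOL")
    if proto not in PROTOCOLS:
        problems.append("PROTOCOL must be one of %s" % ", ".join(PROTOCOLS))
    if proto == "nacl0":
        problems.append("nacl0 uses an all-zero nonce and is rated very weak; prefer nacltai or salty")
    if proto in PROTOCOLS and proto != "raw":
        if not KEY_HEX.match(env.get("PUBLIC_KEY", "")):
            problems.append("PUBLIC_KEY must be the remote key as 64 hex characters")
        if ("PRIVATE_KEY" in env) == ("PRIVATE_KEY_FILE" in env):
            problems.append("set exactly one of PRIVATE_KEY and PRIVATE_KEY_FILE")
    if env.get("TUN_MODE", "0") not in ("0", "1"):
        problems.append("TUN_MODE must be 1 (tun) or 0/unset (tap)")
    return problems
```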

Non-Debian

QuickTun configuration is usually stored in a shell script like this:

#!/bin/sh

export TUN_MODE=1
export PROTOCOL=nacltai
export REMOTE_ADDRESS=ipaddress-of-remote-end
export LOCAL_ADDRESS=ipaddress-of-local-end
export PRIVATE_KEY=private-key-of-local-end
export PUBLIC_KEY=public-key-of-remote-end
/usr/sbin/quicktun

Make sure that the script is not publicly readable because it contains the secret key: chmod 700 will do! To start the VPN tunnel, simply run the shell script. You can also run the script under a service supervisor (daemontools, supervisord).

Alternatively, all configuration can be specified on the command line like this:

/usr/sbin/quicktun -c PROTOCOL nacltai -c TUN_MODE 1 -c PRIVATE_KEY_FILE secret.key -c PUBLIC_KEY public-key-of-remote-end

Configuration options

  • INTERFACE - interface name (non-Debian systems only)
  • TUN_MODE - set to 1 to operate in tun (IP) mode; unset or 0 (recent versions only) for tap (Ethernet) mode
  • USE_PI - set to 1 to include the packet information header in wire packets; must be set on both sides if used. Set to 2 to add the packet information header automatically for cross-platform compatibility (also compatible with USE_PI=0). Some (BSD) kernels need USE_PI to be enabled for IPv6 support.
  • REMOTE_ADDRESS - IP address or hostname of the remote end (use 0.0.0.0 for a floating/dynamic remote endpoint)
  • LOCAL_ADDRESS - IP address or hostname of the local end, optional
  • LOCAL_PORT - local UDP port, optional, defaults to 2998
  • REMOTE_PORT - remote UDP port, optional, defaults to LOCAL_PORT
  • REMOTE_FLOAT - allows the remote address and port to change when properly encrypted packets are received
  • TUN_UP_SCRIPT - run the specified command or script after the tunnel device has been opened
  • SETUID - drop privileges and change the user and group IDs to the specified username after setting up the tunnel
  • nacl0, nacltai and salty (encrypted) protocols only:
    • PRIVATE_KEY - local secret key in hexadecimal form (not needed for the raw protocol)
    • PUBLIC_KEY - remote public key in hexadecimal form (not needed for the raw protocol)
    • PRIVATE_KEY_FILE - file containing the local secret key in binary or hexadecimal form (not needed for the raw protocol)
  • nacltai (encrypted) protocol only:
    • TIME_WINDOW - allowed time window for the first received packet in seconds (a positive number allows packets from history)
  • Combined binary only (quicktun.debian and quicktun.combined executables, Debian based systems):
    • PROTOCOL - the protocol to use, one of "raw", "nacl0" and "nacltai"
  • Debian /etc/network/interfaces only:
    • NO_PRECREATE - set to 1 to run QuickTun as root and not use a persistent tunnel device, unset otherwise

Protocol

Protocol: raw
  • Security: None
  • Overhead: 0 bytes
  • Remarks: Compatible with VirtualBox UDPTunnel
  • Details: The IP or Ethernet packet as it was read from the device is sent directly in a UDP packet.

Protocol: nacl0
  • Security: Very weak
  • Overhead: 16 bytes
  • Details: The IP or Ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function with the nonce set to all zero; the first 16 all-zero bytes of the result are stripped off and the rest is sent in a UDP packet.

Protocol: nacltai
  • Security: Secure
  • Overhead: 32 bytes
  • Details: The IP or Ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function with the nonce laid out as <7 bytes = 0><1 byte = local_pub_key > remote_pub_key ? 1 : 0><16 bytes = tai64an_packed_timestamp>. The tai64an_packed_timestamp is copied to the beginning of the encrypted buffer (the area that is normally all zero) and the entire buffer is sent (the crypto adds 32 bytes of overhead).

Protocol: salty
  • Security: Secure with PFS
  • Overhead: 20 bytes + control packets
  • Remarks: Requires at least one endpoint to have a fixed address
  • Details: The IP or Ethernet packet is encrypted using the curve25519xsalsa20poly1305_box function with temporary keys and nonces that are periodically regenerated and exchanged. This protocol provides Perfect Forward Secrecy and does not depend on clock synchronization for replay protection. The current implementation does not work well if both endpoints are floating.
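To make the nacltai layout concrete, here is an added Python example (not code from QuickTun) that builds the per-direction nonce, frames the timestamp into the all-zero head of the crypto_box output, and applies a timestamp-ordering check on receipt. The TAI64NA packing and the TIME_WINDOW rule are my reading of the protocol table, not the project's verified behaviour, and the crypto_box call itself is left out.

```python
import struct

TAI64_EPOCH = 1 << 62   # TAI64 label of the Unix epoch (leap seconds ignored here)
BOX_ZEROBYTES = 16      # all-zero head of crypto_box output that nacltai overwrites
TS_BYTES = 16           # "16 bytes = tai64an_packed_timestamp" from the protocol table

def pack_tai64na(unix_sec: int, nano: int = 0, atto: int = 0) -> bytes:
    """Assumed TAI64NA layout: 8-byte seconds label, 4-byte nano, 4-byte atto (big-endian)."""
    return struct.pack(">QII", TAI64_EPOCH + unix_sec, nano, atto)

def unpack_tai64na(ts: bytes) -> tuple:
    label, nano, atto = struct.unpack(">QII", ts)
    return label - TAI64_EPOCH, nano, atto

def nacltai_nonce(local_pub: bytes, remote_pub: bytes, ts: bytes) -> bytes:
    """<7 bytes 0><1 byte: local_pub > remote_pub ? 1 : 0><16-byte timestamp>.
    The direction byte differs between the two peers, so A->B and B->A traffic
    never shares a nonce even when both clocks produce the same timestamp."""
    return bytes(7) + bytes([1 if local_pub > remote_pub else 0]) + ts

def peer_nonce(local_pub: bytes, remote_pub: bytes, ts: bytes) -> bytes:
    """The nonce the remote side used, reconstructed by the receiver (roles swapped)."""
    return nacltai_nonce(remote_pub, local_pub, ts)

def frame(ts: bytes, boxed: bytes) -> bytes:
    """Copy the timestamp over the zero head of the box; the result is the wire packet."""
    assert boxed[:BOX_ZEROBYTES] == bytes(BOX_ZEROBYTES)
    return ts + boxed[TS_BYTES:]

def unframe(wire: bytes) -> tuple:
    """Split a wire packet into (timestamp, crypto_box-shaped buffer with its zero head)."""
    return wire[:TS_BYTES], bytes(BOX_ZEROBYTES) + wire[TS_BYTES:]

class ReplayGuard:
    """Assumed reading of TIME_WINDOW: the first packet may be at most time_window
    seconds old; after that every packet must carry a strictly newer timestamp."""
    def __init__(self, time_window: int):
        self.time_window, self.last = time_window, None

    def accept(self, ts: bytes, now_unix: int) -> bool:
        if self.last is None:
            if unpack_tai64na(ts)[0] < now_unix - self.time_window:
                return False
        elif ts <= self.last:   # big-endian packing: byte order == time order
            return False
        self.last = ts
        return True
```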

Fork

This is a fork of UCIS/QuickTun. The fork is not being actively developed. The fork contains some pull requests that are not merged upstream.