4 curvetun is a lightweight, high-speed ECDH multiuser IP tunnel for Linux
5 that is based on epoll(2). curvetun uses the Linux TUN/TAP interface and
6 supports {IPv4,IPv6} over {IPv4,IPv6} with UDP or TCP as carrier protocols.
7 It has an integrated packet forwarding trie, thus multiple users with
8 different IPs can be handled via a single tunnel device on the server side
9 and flows are scheduled for processing in a CPU-local manner. For transmission,
10 packets are being compressed and encrypted by both, the client and the
11 server side. As an appropriate key management, public-key cryptography based
12 on elliptic curves are being used and packets are encrypted by a symmetric
13 stream cipher (Salsa20) and authenticated by a MAC (Poly1305), where keys
14 have previously been computed with the ECDH key agreement protocol (Curve25519).
15 Cryptography is based on Daniel J. Bernsteins Networking and Cryptography
16 library (NaCl). One of the motivations for curvetun is to 'bypass' Internet
17 censorship, filtering or wiretapping with the help of modern cryptography as
18 it is becoming more and more a trend by todays politicians or lobbies of
19 large media companies to 'regulate' the Internet. With curvetun, network
20 traffic can be tunneled encrypted to censorship-free regions of the Internet.
25 IP tunnels are usually used to create virtual private networks (VPN) where
26 parts of the network can only be reached via an unsecure or untrusted underlay
27 network like the Internet. Only few software exists to create such tunnels,
28 or, VPNs. Two popular representatives of such software are OpenVPN and VTUN.
29 The latter also introduced the TUN/TAP interfaces into the Linux kernel.
30 VTUN only has a rather basic encryption module, that doesn’t fit into todays
31 cryptographic needs. By default MD5 is used to create 128-Bit wide keys for
32 the symmetric BlowFish cipher in ECB mode. Although OpenSSL is used in both,
33 VTUN and OpenVPN, OpenVPN is much more feature rich regarding ciphers and user
34 authentication. Nevertheless, letting people choose ciphers or authentication
35 methods does not necessarily mean a good thing: administrators could either
36 prefer speed over security and therefore choose weak ciphers, so that the
37 communication system will be as good as without any cipher, they could choose
38 weak passwords for symmetric encryption or they could misconfigure the
39 communication system by having too much choices of ciphers and too little
40 experience for picking the right one. Next to the administration issues,
41 there are also software development issues. Cryptographic libraries like
42 OpenSSL are too low-level and too complex to fully understand or correctly
43 apply, so that they form a further ground for vulnerabilities of such software.
44 In 2010, the famous cryptographers Tanja Lange and Daniel J. Bernstein have
45 therefore created and published a cryptography library for networking, which
46 is called NaCl (pronounced 'salt'). NaCl challenges such addressed problems
47 as in OpenSSL and, in contrast to the rather generic use of OpenSSL, was
48 created with a strong focus on public-key authenticated encryption based on
49 elliptic curve cryptography, which is used in curvetun.
51 Elliptic-curve cryptography and Curve25519
52 //////////////////////////////////////////
54 From http://dnscurve.org/crypto.html:
56 RSA is somewhat older than elliptic-curve cryptography: RSA was introduced
57 in 1977, while elliptic-curve cryptography was introduced in 1985. However,
58 RSA has shown many more weaknesses than elliptic-curve cryptography. RSA's
59 effective security level was dramatically reduced by the linear sieve in the
60 late 1970s, by the quadratic sieve and ECM in the 1980s, and by the
61 number-field sieve in the 1990s. For comparison, a few attacks have been
62 developed against some rare elliptic curves having special algebraic
63 structures, and the amount of computer power available to attackers has
64 predictably increased, but typical elliptic curves require just as much
65 computer power to break today as they required twenty years ago.
67 IEEE P1363 standardized elliptic-curve cryptography in the late 1990s,
68 including a stringent list of security criteria for elliptic curves. NIST
69 used the IEEE P1363 criteria to select fifteen specific elliptic curves at
70 five different security levels. In 2005, NSA issued a new "Suite B"
71 standard, recommending the NIST elliptic curves (at two specific security
72 levels) for all public-key cryptography and withdrawing previous
73 recommendations of RSA.
75 [curvetun] uses a particular elliptic curve, Curve25519, introduced in the
76 following paper: Daniel J. Bernstein, "Curve25519: new Diffie–Hellman speed
77 records," pages 207–228 in Proceedings of PKC 2006, edited by Moti Yung,
78 Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, Lecture Notes in Computer
79 Science 3958, Springer, 2006, ISBN 3-540-33851-9.
81 This elliptic curve follows all of the standard IEEE P1363 security criteria.
82 It also follows new recommendations that achieve "side-channel immunity"
83 and "twist security" while improving speed. What this means is that secure
84 implementations of Curve25519 are considerably simpler and faster than secure
85 implementations of (e.g.) NIST P-256; there are fewer opportunities for
86 implementors to make mistakes that compromise security, and mistakes are
87 more easily caught by reviewers.
89 An attacker who spends a billion dollars on special-purpose chips to attack
90 Curve25519, using the best attacks available today, has about 1 chance in
91 1000000000000000000000000000 of breaking Curve25519 after a year of computation.
92 One could achieve similar levels of security with 3000-bit RSA, but
93 encryption and authentication with 3000-bit RSA are not nearly fast enough
94 to handle [tunnel traffic] and would require much more space in [network]
97 More can be found here: http://cr.yp.to/highspeed/naclcrypto-20090310.pdf
99 Using the curvetun tunnel for browsing the web (example howto):
100 ///////////////////////////////////////////////////////////////
102 curvetun inital setup example:
104 If you've never run curvetun before, you need to do an initial setup once.
106 At first, make sure that the servers and clients clocks are periodically
107 synced, i.e. with ntpdate ntp.ubuntu.com pool.ntp.org as a cronjob or simply
108 install the ntp daemon. This is necessary to protect against replay attacks.
110 Also, make sure if you have read/write access to /dev/net/tun. You should not
111 run curvetun as root!
113 Then, the first step is to create keys and config files. On both, the client
118 You are asked for a username. You can use an email address or whatever. Here,
119 we assume, you've entered 'mysrv1' on the server and 'myclient1' on the client
122 Now on the necessary file have been created:
123 ~/.curvetun/priv.key - Your private key
124 ~/.curvetun/pub.key - Your public key
125 ~/.curvetun/username - Your username (here: mysrv1 or myclient1)
126 ~/.curvetun/clients - Participants the server accepts
127 ~/.curvetun/servers - Possible servers the client can connect to
129 'clients' and 'servers' are empty at the beginning and need to be filled now.
130 The 'clients' file is meant for the server, so that it knows what clients
131 may connect. The 'servers' file is for the client, where it can select
132 curvetun servers to connect to.
134 Now the client exports it's public key for the server:
138 ... where it prints sth like:
140 myclient1;11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
141 \_______/ \_____________________________________________________________________________________________/
142 username 32 byte public key for 'myclient1'
144 This line is transferred to the server admin, where the admin add this entry
145 into his 'clients' file like:
147 server$ echo "myclient1;11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11" >> ~/.curvetun/clients
149 The server admin can check, if the server has registered it properly by ...
153 ... which prints all parsed clients from ~/.curvetun/clients.
155 [Note: in src/ there is also a Perl script curvetun_ldap.pl that can generate
156 a client file from LDAP entries!]
158 Now, the client 'myclient1' is known to the server; that's it for the server
159 config. The next step is to tell the client what he needs to connect to the
162 We hereby assume, the tunnel server has an public IP i.e. 1.2.3.4, runs on
163 port 6666 and uses UDP as a carrier protocol. In case you are behind a NAT,
164 you can use curvetun's --stun option for starting the server, to obtain your
165 mapping. However, in this example we continue with 1.2.3.4 and 6666, UDP.
167 First, the server needs to export its key to the client, as:
171 ... where it prints sth like:
173 mysrv1;22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
174 \____/ \_____________________________________________________________________________________________/
175 username 32 byte public key for 'mysrv1'
176 ^-- you need this public key
178 Now, you give the client your connection information:
182 * Pubkey 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
184 ... and the client puts it all together in its config like:
186 client$ echo "myfirstserver;1.2.3.4;6666;udp;22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22" >> ~/.curvetun/servers
188 ... again, where he can check his config with:
192 Okay, assuming we've made it, then we start the server with:
194 server$ curvetun -s -p 6666 -u
195 server# ifconfig curves0 up
196 server# ifconfig curves0 10.0.0.1/24
198 Server-side information, errors or warnings will appear in syslog!
200 Then, we start the client with ...
202 client$ curvetun -c=myfirstserver
203 client# ifconfig curvec0 up
204 client# ifconfig curvec0 10.0.0.2/24
206 Also, client-side information, errors or warnings will appear in syslog!
207 ... and we're now able to ping the server:
209 client$ ping 10.0.0.1
213 IPv4 routing example:
215 Server side: your public IP on eth0 is i.e. 1.2.3.4
217 server$ ... start curvetun server ...
218 server# ifconfig curves0 up
219 server# ifconfig curves0 10.0.0.1/24
220 server# echo 1 > /proc/sys/net/ipv4/ip_forward
221 server# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
222 server# iptables -A FORWARD -i eth0 -o curves0 -m state --state RELATED,ESTABLISHED -j ACCEPT
223 server# iptables -A FORWARD -i curves0 -o eth0 -j ACCEPT
225 Client side: your IP on eth0 is i.e. 5.6.7.8
227 client$ ... start curvetun client ...
228 client# ... lookup your default gateway ...
229 -> either stated in route, or
230 -> traceroute google.ch and take the first IP entry
231 -> default gw here i.e. 5.6.7.9
232 client# ifconfig curvec0 up
233 client# ifconfig curvec0 10.0.0.2/24
234 client# route add -net 1.2.3.0 netmask 255.255.255.0 gw 5.6.7.9 dev eth0
235 client# route add default gw 10.0.0.1
236 client# route del default gw 5.6.7.9
238 ... and there you go, now open your browser on the client side and surf the
239 web or do whatever you want. All your traffic will then be tunneled encrypted