Plan

• d TUN (or TAP) iface
• d listener
• d sender
• d test via net.Pipe mock
• u MTU for buf sizes etc
• u Read peers from cli args
• u device mock
  • u tun iface mock
  • u sender test
• d connections
  • d handle closing, errors, etc
• d encryption
  • c openssl
  • d belt wrapper
• c vpn capabilities
  • c routing

Encryption

https://github.com/agievich/bee2

• d build this for nix

https://apmi.bsu.by/resources/std.html https://www.wireguard.com/papers/wireguard.pdf

CBC is preferable as a good mix of simplicity and performance, but doesn't necessarily support stream processing, where data can be arbitrarily postpended, which might be really important. Example algo would look like this: data from tun is read until outgoing socket's MTU is reached or queue timeout expires, after which encrypted data (possibly containing multiple actual packets) is sent out in a single packet. Difference between streaming and single-pass encryption in this case would be that the later blocs before sending for longer.

Encryption itself can work like this:

• a salt is generated, for example as a random 16-byte string or derived from current time.
• salt is transmitted as a part of a handshake, after which both sides derive a session key
• session key is used alongside a nonce, which is a simple counter starting from salt, incrementing by one for every packet encrypted.

In-memory key storage can be organised.

Language

go

• fairly low-level
• decent syntax
• garbage collected
• calling C is fairly straight-forward: https://karthikkaranth.me/blog/calling-c-code-from-go/

Wireguard

WireGuard is a secure network tunnel, operating at layer 3, implemented as a kernel virtual network interface for Linux, which aims to replace both IPsec for most use cases, as well as popular user space and/or TLS-based solutions like OpenVPN, while being more secure, more performant, and easier to use. The virtual tunnel interface is based on a proposed fundamental principle of secure tunnels: an association between a peer public key and a tunnel source IP address. It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user using a novel timer state machine mechanism. Short pre-shared static keys - Curve25519 points - are used for mutual authentication in the style of OpenSSH. The protocol provides strong perfect forward secrecy in addition to a high degree of identity hiding. Transport speed is accomplished using ChaCha20Poly1305 authenticated-encryption for encapsulation of packets in UDP. An improved take on IP-binding cookies is used for mitigating denial of service attacks, improving greatly on IKEv2 and DTLS's cookie mechanisms to add encryption and authentication. The overall design allows for allocating no resources in response to received packets, and from a systems perspective, there are multiple interesting Linux implementation techniques for queues and parallelism. Finally, WireGuard can be simply implemented for Linux in less than 4,000 lines of code, making it easily audited and verified.

Design

• Each peer is identified by its public key and has a list of allowed source IPs.
• Uses UDP/IP for transferring encrypted packets.