From: Sergey Matveev Date: Sat, 29 Oct 2016 16:38:13 +0000 (+0300) Subject: Ability to use TUN-interfaces under GNU/Linux X-Git-Tag: 7.0^2~2 X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=commitdiff_plain;h=a11b0bda178937e6891770f40f800d69b5640313 Ability to use TUN-interfaces under GNU/Linux --- diff --git a/TODO b/TODO index a40620f..3c1c91b 100644 --- a/TODO +++ b/TODO @@ -1,4 +1,3 @@ -* Support TUN interfaces additionally to TAP ones * When govpn-server opens TAP files, then it won't release them until daemon itself is exited * Randomize ports usage diff --git a/doc/about.ru.texi b/doc/about.ru.texi index b911083..0c45017 100644 --- a/doc/about.ru.texi +++ b/doc/about.ru.texi @@ -70,7 +70,7 @@ A-EKE (Diffie-Hellman Augmented Encrypted Key Exchange)). идентификатор}, невидимый третьим лицам (они анонимны для них). @item -Использует @url{https://ru.wikipedia.org/wiki/TUN/TAP, TAP} низлежащие +Использует @url{https://ru.wikipedia.org/wiki/TUN/TAP, TUN/TAP} низлежащие сетевые интерфейсы. @item diff --git a/doc/about.texi b/doc/about.texi index 59359c8..7cda5af 100644 --- a/doc/about.texi +++ b/doc/about.texi @@ -66,7 +66,7 @@ options. Clients have pre-established @ref{Identity, identity} invisible for third-parties (they are anonymous). @item -Uses @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP} +Uses @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TUN/TAP} underlying network interfaces. @item diff --git a/doc/client.texi b/doc/client.texi index 58dc74b..42b8a65 100644 --- a/doc/client.texi +++ b/doc/client.texi @@ -7,7 +7,7 @@ options client has the following ones: @table @option @item -mtu -Expected TAP interface @ref{MTU}. +Expected TUN/TAP interface @ref{MTU}. @item -proto @ref{Network, Network protocol} to use. Can be either @emph{udp} 
@@ -25,7 +25,7 @@ server. Address (@code{host:port} format) of remote server we need to connect to. @item -iface -TAP interface name. +TUN/TAP interface name. @item -verifier Our client's @ref{Verifier}. diff --git a/doc/example.texi b/doc/example.texi index 4831772..688898a 100644 --- a/doc/example.texi +++ b/doc/example.texi @@ -9,7 +9,7 @@ WiFi-reachable gateway. @item You want to create virtual encrypted and authenticated 172.16.0/24 network and use it as a default transport. @item Assume that outgoing GoVPN packets can be fragmented, so we do not -bother configuring MTU of TAP interfaces. For better performance just +bother configuring MTU of TUN/TAP interfaces. For better performance just lower it and check that no fragmentation of outgoing UDP packets occurs. @end itemize @@ -29,7 +29,7 @@ Place the following YAML configuration entry on the server's side: Alice: up: /path/to/up.sh - iface: or TAP interface name + iface: or TUN/TAP interface name verifier: $balloon$s=32768,t=16,p=2$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10 @end verbatim diff --git a/doc/mtu.texi b/doc/mtu.texi index c11cef9..00aa7e7 100644 --- a/doc/mtu.texi +++ b/doc/mtu.texi @@ -2,7 +2,7 @@ @subsection Maximum Transmission Unit MTU option tells what maximum transmission unit is expected to get from -TAP interface. It is per-user configuration. Incoming packets of bigger +TUN/TAP interface. It is per-user configuration. Incoming packets of bigger sizes (including the padding byte) will be ignored. If either @ref{Noise, noise}, @ref{Encless, encryptionless mode} or @ref{CPR} are enabled, then all outgoing packets are filled up to that MTU value. diff --git a/doc/news.ru.texi b/doc/news.ru.texi index db4a6ed..86b9f5e 100644 --- a/doc/news.ru.texi +++ b/doc/news.ru.texi 
@@ -6,6 +6,8 @@ @itemize @item (X)Salsa20 заменён на ChaCha20. Теоретически он должен быть быстрее и более безопасным. +@item Возможность использовать TUN-интерфейсы под GNU/Linux. FreeBSD без +изменений уже поддерживала эту возможность. @end itemize @node Релиз 6.0 diff --git a/doc/news.texi b/doc/news.texi index 10a2aab..5cfe47d 100644 --- a/doc/news.texi +++ b/doc/news.texi @@ -8,6 +8,8 @@ See also this page @ref{Новости, on russian}. @itemize @item (X)Salsa20 is replaced with ChaCha20. Theoretically it should be faster and more secure. +@item Ability to use TUN-interfaces under GNU/Linux. FreeBSD has already +supported them without any modifications. @end itemize @node Release 6.0 diff --git a/doc/scripts.texi b/doc/scripts.texi index 7b2e3c0..69848a0 100644 --- a/doc/scripts.texi +++ b/doc/scripts.texi @@ -11,7 +11,7 @@ their execution: Remote peer's address. In client mode it is server's address. @item GOVPN_IFACE -TAP interface name. In server mode this can be empty: that means that +TUN/TAP interface name. In server mode this can be empty: that means that script must output its name as the first line to stdout. @end table diff --git a/doc/server.texi b/doc/server.texi index 325d317..b3e9ac7 100644 --- a/doc/server.texi +++ b/doc/server.texi @@ -25,7 +25,7 @@ Configuration file is YAML file with following example structure: @verbatim stargrave: <-- Peer human readable name - iface: tap10 <-- OPTIONAL TAP interface name + iface: tap10 <-- OPTIONAL TUN/TAP interface name mtu: 1515 <-- OPTIONAL overriden MTU up: ./stargrave-up.sh <-- OPTIONAL up-script down: ./stargrave-down.sh <-- OPTIONAL down-script 
@@ -40,7 +40,7 @@ stargrave: <-- Peer human readable name At least one of either @code{iface} or @code{up} must be specified. If you specify @code{iface}, then it will be forcefully used to determine -what TAP interface will be used. If it is not specified, then +what TUN/TAP interface will be used. If it is not specified, then up-@ref{Scripts, script} must output interface's name to stdout (first output line). @@ -69,7 +69,7 @@ Place the following YAML configuration entry on the server's side: Alice: up: /path/to/up.sh - iface: or TAP interface name + iface: or TUN/TAP interface name verifier: $balloon$s=32768,t=16,p=2$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10 @end verbatim diff --git a/doc/timeout.texi b/doc/timeout.texi index 89dd5b0..2cb5201 100644 --- a/doc/timeout.texi +++ b/doc/timeout.texi @@ -8,7 +8,7 @@ dead. Timeout option should be synchronized both for server and client. If there were no packets at all during fourth part of timeout, then special heartbeat packet is sent. So VPN connection should be alive all -the time, even if there is no traffic in corresponding TAP interfaces. +the time, even if there is no traffic in corresponding TUN/TAP interfaces. @strong{Beware}: this consumes traffic. Stale peers and handshake states are cleaned up every timeout period. diff --git a/doc/user.texi b/doc/user.texi index b27b356..34a93c3 100644 --- a/doc/user.texi +++ b/doc/user.texi @@ -5,7 +5,7 @@ Announcements about updates and new releases can be found in @ref{Contacts, contacts}. GoVPN is split into two pieces: @ref{Client} and @ref{Server}. Each of -them work on top of @ref{Network, UDP/TCP} and TAP virtual network +them work on top of @ref{Network, UDP/TCP} and TUN/TAP virtual network interfaces. GoVPN is just a tunnelling of Ethernet frames, nothing less, nothing more. All you IP-related network management is not touched by VPN at all. You can automate it using up and down shell scripts. 
diff --git a/src/cypherpunks.ru/govpn/cmd/govpn-client/main.go b/src/cypherpunks.ru/govpn/cmd/govpn-client/main.go index c7b04a7..36ff72a 100644 --- a/src/cypherpunks.ru/govpn/cmd/govpn-client/main.go +++ b/src/cypherpunks.ru/govpn/cmd/govpn-client/main.go @@ -34,7 +34,7 @@ import ( var ( remoteAddr = flag.String("remote", "", "Remote server address") proto = flag.String("proto", "udp", "Protocol to use: udp or tcp") - ifaceName = flag.String("iface", "tap0", "TAP network interface") + ifaceName = flag.String("iface", "tap0", "TUN/TAP network interface") verifierRaw = flag.String("verifier", "", "Verifier") keyPath = flag.String("key", "", "Path to passphrase file") upPath = flag.String("up", "", "Path to up-script") @@ -42,7 +42,7 @@ var ( stats = flag.String("stats", "", "Enable stats retrieving on host:port") proxyAddr = flag.String("proxy", "", "Use HTTP proxy on host:port") proxyAuth = flag.String("proxy-auth", "", "user:password Basic proxy auth") - mtu = flag.Int("mtu", govpn.MTUDefault, "MTU of TAP interface") + mtu = flag.Int("mtu", govpn.MTUDefault, "MTU of TUN/TAP interface") timeoutP = flag.Int("timeout", 60, "Timeout seconds") timeSync = flag.Int("timesync", 0, "Time synchronization requirement") noreconnect = flag.Bool("noreconnect", false, "Disable reconnection after timeout") @@ -127,7 +127,7 @@ func main() { tap, err = govpn.TAPListen(*ifaceName, *mtu) if err != nil { - log.Fatalln("Can not listen on TAP interface:", err) + log.Fatalln("Can not listen on TUN/TAP interface:", err) } if *stats != "" { diff --git a/src/cypherpunks.ru/govpn/tap.go b/src/cypherpunks.ru/govpn/tap.go index 8a44575..9010c55 100644 --- a/src/cypherpunks.ru/govpn/tap.go +++ b/src/cypherpunks.ru/govpn/tap.go @@ -58,7 +58,7 @@ func NewTAP(ifaceName string, mtu int) (*TAP, error) { bufZ = !bufZ n, err = tap.dev.Read(buf) if err != nil { - panic("Reading TAP:" + err.Error()) + panic("Reading TUN/TAP:" + err.Error()) } tap.Sink <- buf[:n] } 
diff --git a/src/cypherpunks.ru/govpn/tap_linux.go b/src/cypherpunks.ru/govpn/tap_linux.go index fb9df56..8c5e883 100644 --- a/src/cypherpunks.ru/govpn/tap_linux.go +++ b/src/cypherpunks.ru/govpn/tap_linux.go @@ -9,10 +9,15 @@ package govpn import ( "io" + "strings" "github.com/bigeagle/water" ) func newTAPer(ifaceName string) (io.ReadWriter, error) { - return water.NewTAP(ifaceName) + if strings.HasPrefix(ifaceName, "tap") { + return water.NewTAP(ifaceName) + } else { + return water.NewTUN(ifaceName) + } } diff --git a/utils/newclient.sh b/utils/newclient.sh index aebc975..98957ef 100755 --- a/utils/newclient.sh +++ b/utils/newclient.sh @@ -26,6 +26,6 @@ Place the following YAML configuration entry on the server's side: $username: up: /path/to/up.sh - iface: or TAP interface name + iface: or TUN/TAP interface name verifier: $verifierS EOF
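Review bot: The TUN-versus-TAP decision in newTAPer rests solely on the name prefix "tap", so any other operator-supplied name (the -iface flag, or the name an up-script prints to stdout per doc/scripts.texi) is silently opened as a TUN device, and nothing in the hunk documents or logs that convention. A doc comment would make the contract visible: `// newTAPer opens ifaceName as a TAP device when the name starts with "tap", and as a TUN device for any other name.` Since the tunnel forwards whatever the device yields and no mode negotiation is visible here, a TAP/TUN mismatch between peers would presumably surface only as undecodable traffic, so logging the chosen mode at open time seems worth considering. The `else` after a terminating `return` is also unidiomatic; collapse it to `if strings.HasPrefix(ifaceName, "tap") { return water.NewTAP(ifaceName) }` followed by `return water.NewTUN(ifaceName)`.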