Changes in VpnCloud version 2
Major version 2 of VpnCloud contains a lot of changes that will be explained on this page.
Strong encryption
In version 2, VpnCloud supports strong cryptography. While version 1.x only supported very simple cryptography, with a single secret key shared by all nodes and simple packet-by-packet encryption, version 2 contains a complete rewrite of the cryptographic subsystem with enhanced encryption.
The new encryption uses public/private key pairs per node and trust relations instead of a single secret key shared by all nodes. Each node has one public/private key pair and a set of public keys of trusted nodes that are allowed to communicate with it. This way, security relations can be configured in a more fine-grained way and trust can be revoked.
For users who do not want to configure key pairs and trusted peer keys, VpnCloud also supports a simple password mode. Given a password, the node derives a stable key pair from it, and without configured trusted keys the node trusts only its own public key. Therefore, in password mode all nodes with the same password can communicate with each other.
The new encryption uses temporary keys that are rotated frequently in order to provide forward secrecy. A new message exchange for key rotation is introduced, which also acts as a keep-alive mechanism.
In version 2, VpnCloud also no longer requires users to select an encryption algorithm. Instead, all supported algorithms are benchmarked and the fastest common algorithm is negotiated between each pair of nodes. The set of supported algorithms can be configured.
New network protocol
As the encryption and the network protocol are closely related, VpnCloud version 2 also features a rewrite of the network protocol.
The new network protocol no longer has a magic header, which makes it almost impossible to detect the protocol. This also removes support for the `--network-id` and `--magic` parameters.
The rewrite also moves the message type into the encrypted part of the packet to hide this information.
All messages, except for the performance-sensitive payload messages, are now flexible and extensible to allow future protocol changes.
In total, the new network protocol saves a few bytes of overhead.
Usability improvements
VpnCloud version 2 has some additional functionality to improve the usability:
- The optimal MTU (based on the device type and the MTU of the main network device) is now automatically configured on the device. This removes the need to use the `mtu` option in the `ifup` parameter.
- The device is automatically activated, so there is no need to use `ip link set up` anymore.
- If configured via `--ip`, an IP address and netmask (default: `/24`) can be automatically configured on the device by VpnCloud. This removes most use cases of the `--ifup` parameter and reserves this parameter for initialization scripts.
- If the device type is `tun`, the IP address on the device will automatically be added as a claim (with prefix length `/32`). This functionality can be deactivated via `--no-auto-claim`.
- VpnCloud now detects a common misconfiguration of the system packet filter that can lead to a vulnerability on VPNs. The configuration can be automatically fixed when `--fix-rp-filter` is set.
Parameter and config changes
VpnCloud 2 changes some parameters and configuration options that constitute breaking changes:
- The default device type is now `tun` instead of `tap`.
- The new option `--fix-rp-filter` has been added as a parameter, or as the config option `device.fix-rp-filter`.
- The deprecated `port` option has been removed in favor of `listen`.
- The new option `--beacon-password` / `beacon.password` is used instead of `secret` to encrypt beacons.
- The new option `ip` can be used to set an IP address on the device on startup.
- The new option `--no-auto-claim` (and `auto-claim` in the config file) deactivates (or activates) the new behavior of automatically claiming the IP configured on tun devices.
- The `subnet` option has been renamed to `claim` (as parameter) and `claims` (in config).
- The option `shared-key` has been renamed to `password` (parameter) and `crypto.password` (in config).
- The `crypto` option has been renamed to `--algorithm` (parameter) and `crypto.algorithms` (in config).
- The new options `public-key` and `private-key` allow specifying a key pair.
- The new options `--trusted-key` and `crypto.trusted-keys` allow specifying trusted public keys.
- The `magic` option has been removed without replacement.
- The `dst_timeout` option has been renamed to `--switch-timeout` (parameter) and `switch-timeout` (in config).
- The config file now combines related options into groups sharing a parent key:
  - The `crypto` group contains the subkeys `password`, `private_key`, `public_key`, `trusted_keys`, and `algorithms`.
  - The `device` group contains the subkeys `type`, `name`, `path`, and `fix-rp-filter`.
  - The `beacon` group contains the subkeys `store`, `load`, `interval`, and `password`.
  - The `statsd` group contains the subkeys `server` and `prefix`.
- The
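As an added example (not VpnCloud code), the rename list above turned into a small migration helper that rewrites a flat version 1 config mapping into the grouped version 2 layout, including the changed `tap`/`tun` default and the removed `magic` key. The version 1 spelling of the `type`/`name`/`path` device keys and the list shape of `claims` and `crypto.algorithms` are assumptions; YAML parsing and serialising are left to the caller.

```python
"""Rewrite a flat VpnCloud 1.x config mapping into the grouped 2.x layout.

Added example, not VpnCloud code. Rename targets come from the change list on
this page; the v1 spelling of the device keys is assumed. Plain dicts in and
out, so no YAML library is needed.
"""

# flat v1 key -> dotted v2 key, from the parameter/config change list above
RENAMES = {
    "port": "listen",
    "subnet": "claims",
    "shared-key": "crypto.password",
    "crypto": "crypto.algorithms",
    "dst_timeout": "switch-timeout",
    "type": "device.type",  # v1 spelling of the device keys is assumed
    "name": "device.name",
    "path": "device.path",
}
REMOVED = {"magic"}  # version 2 has no magic header and no replacement
LIST_VALUED = {"claims", "crypto.algorithms"}  # single value in v1, list in v2


def _set_path(cfg, dotted, value):
    """Store value under a dotted key, creating the parent groups on the way."""
    *groups, leaf = dotted.split(".")
    for group in groups:
        cfg = cfg.setdefault(group, {})
    cfg[leaf] = value


def migrate(v1):
    """Return (v2_config, notes); notes records decisions worth reviewing."""
    v2, notes = {}, []
    for key, value in v1.items():
        if key in REMOVED:
            notes.append(f"dropped '{key}': removed in version 2")
            continue
        target = RENAMES.get(key, key)
        if target in LIST_VALUED and not isinstance(value, list):
            value = [value]  # v2 accepts several claims / algorithms
        if target == key:
            notes.append(f"kept '{key}' as is; confirm it still exists in v2")
        _set_path(v2, target, value)
    # the default device type changed from tap to tun: pin the old behaviour
    if "type" not in v1:
        _set_path(v2, "device.type", "tap")
        notes.append("set device.type: tap to keep the version 1 default")
    return v2, notes
```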