
DSVPN – VPN using TCP at port 80 and 443 - northfoxz
https://github.com/jedisct1/dsvpn
======
Znafon
> WireGuard doesn't work over TCP.

I see this repeated in a lot of places about WireGuard but is there anything
wrong with UDPTunnel
([http://www.cs.columbia.edu/~lennox/udptunnel/](http://www.cs.columbia.edu/~lennox/udptunnel/))?

Why would one prefer this instead of WireGuard + UDPTunnel?

~~~
comex
There's also udp2raw-tunnel: [https://github.com/wangyu-/udp2raw-tunnel](https://github.com/wangyu-/udp2raw-tunnel)

It allows you to tunnel UDP over a fake, non-lossless TCP connection. That is,
it wraps packets in TCP headers to make them look like TCP to firewalls, but
it doesn't actually implement TCP; instead, each "TCP" packet corresponds to
one UDP packet, and it makes no attempt to resend dropped packets. This way
you avoid the problems with TCP-over-TCP.

~~~
mhandley
If you're going to pretend to be TCP, you probably need to look like TCP to
middleboxes. When we investigated this a few years back, we found that on port
80, only 85% of the client locations we tested would pass TCP if there were
holes in the sequence space. In fact this heavily influenced the design of
Multipath TCP (MPTCP). The paper is here, relevant section is 4.3:
[https://conferences.sigcomm.org/imc/2011/docs/p181.pdf](https://conferences.sigcomm.org/imc/2011/docs/p181.pdf)

~~~
Hello71
ctrl-f "seq"

In FakeTCP header mode, udp2raw simulates 3-way handshake while establishing a
connection, _simulates seq and ack_seq while data transferring_.

    
    
        --seq-mode            <number>        seq increase mode for faketcp:
                                              0:static header,do not increase seq and ack_seq
                                              1:increase seq for every packet,simply ack last seq
                                              2:increase seq randomly, about every 3 packets,simply ack last seq
                                              3:simulate an almost real seq/ack procedure(default)
                                              4:similar to 3, but do not consider TCP Option Window_Scale,
                                              maybe useful when firewall doesn't support TCP Option
    

--seq-mode

The FakeTCP mode does not behave 100% like a real tcp connection. ISPs may be
able to distinguish the simulated tcp traffic from the real TCP traffic
(though it's costly). seq-mode can help you change the seq increase behavior
slightly. If you experience connection problems, try to change the value.
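
As an added illustration of mhandley's point above about holes in the sequence space (editor-added example code, not udp2raw's or DSVPN's), here is a minimal per-flow sequence-space tracker of the kind a strict middlebox keeps, run over three hand-constructed traces: real TCP that retransmits a segment lost upstream of the middlebox, FakeTCP that increments seq per packet but never resends (the `--seq-mode 1` style quoted above), and FakeTCP with a static header (`--seq-mode 0`). The three-segment tolerance before a hole counts as "unfilled" is an assumption; the IMC paper gives no number for how long middleboxes wait.

```python
"""Sequence-space tracking as a strict middlebox might do it.

Added example, not code from udp2raw or DSVPN. The traces at the bottom are
constructed by hand. The tolerance (max_hole_age) is an assumed value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int          # sequence number of the first payload byte
    payload_len: int  # payload bytes carried by this segment


class SequenceTracker:
    """Track one direction of a flow.

    A segment is in-order when it starts at or before the next expected byte
    and extends past it, out-of-order when it starts beyond the next expected
    byte (opening a hole), and a duplicate when it carries only bytes already
    seen. A hole that stays open while more than max_hole_age further segments
    arrive is flagged: a real TCP sender would have retransmitted by then.
    """

    def __init__(self, isn: int, max_hole_age: int = 3):
        self.next_expected = isn
        self.pending = []          # out-of-order (seq, end) intervals
        self.max_hole_age = max_hole_age
        self.hole_age = 0          # segments seen while a hole has been open
        self.flagged = False

    def observe(self, seg: Segment) -> str:
        seq, end = seg.seq, seg.seq + seg.payload_len
        if end <= self.next_expected:
            return "duplicate"
        if seq > self.next_expected:
            self.pending.append((seq, end))
            self.hole_age += 1
            if self.hole_age > self.max_hole_age:
                self.flagged = True
            return "out-of-order"
        # In-order (possibly partly overlapping) data: advance, then drain
        # any buffered intervals that now join up with the contiguous range.
        self.next_expected = end
        self._drain()
        return "in-order"

    def _drain(self) -> None:
        progressed = True
        while progressed:
            progressed = False
            for iv in list(self.pending):
                if iv[0] <= self.next_expected:
                    self.next_expected = max(self.next_expected, iv[1])
                    self.pending.remove(iv)
                    progressed = True
        if not self.pending:
            self.hole_age = 0   # hole filled, sequence space is clean again


def analyze(trace, isn: int, max_hole_age: int = 3) -> dict:
    """Run a trace through the tracker and summarize what the middlebox saw."""
    tracker = SequenceTracker(isn, max_hole_age)
    counts = {"in-order": 0, "out-of-order": 0, "duplicate": 0}
    for seg in trace:
        counts[tracker.observe(seg)] += 1
    counts["verdict"] = "unfilled hole" if tracker.flagged else "ok"
    return counts


# Constructed traces, all starting at ISN 1000 with 100-byte segments.
# Real TCP: the segment at 1100 is lost before reaching the middlebox and
# is retransmitted after two later segments have gone by.
REAL_TCP = [Segment(1000, 100), Segment(1200, 100), Segment(1300, 100),
            Segment(1100, 100), Segment(1400, 100)]

# FakeTCP with seq increasing per packet: the segment at 1100 is lost and
# never resent, so the hole it leaves is never filled.
FAKETCP_INCREASING = [Segment(1000, 100), Segment(1200, 100), Segment(1300, 100),
                      Segment(1400, 100), Segment(1500, 100), Segment(1600, 100)]

# FakeTCP with a static header: every segment reuses the same seq, so after
# the first one everything looks like a retransmission of the same bytes.
FAKETCP_STATIC = [Segment(1000, 100)] * 5


if __name__ == "__main__":
    for name, trace in [("real TCP", REAL_TCP),
                        ("FakeTCP increasing seq", FAKETCP_INCREASING),
                        ("FakeTCP static header", FAKETCP_STATIC)]:
        print(f"{name:24s} {analyze(trace, 1000)}")
```

Only the increasing-seq FakeTCP trace is flagged. The static-header mode never opens a hole; it just looks like endless retransmission of one segment, a different anomaly that a middlebox may or may not act on. Since, as comex notes, udp2raw never resends dropped packets in any mode, a more realistic seq/ack simulation changes how the numbers advance but not the fact that a drop leaves a permanent gap.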

------
Sirened
It's cool but the author's motivation doesn't make sense.

OpenVPN was too hard to setup so they decided to write their own VPN from
scratch? It's cool as an academic endeavor but by actually using it, they not
only tossed out all the years of security work and the audits OpenVPN has gone
through but also spent a ton of time creating something that they now will
have to personally maintain.

~~~
faissaloo
OpenVPN is more than just hard to setup, it's legitimately absurd and the
documentation isn't even close to navigable.

~~~
adonnjohn
I'm glad it's not just me...

I've tried 3 separate times now to set up the necessary pieces. I get all the
way to the end and it just... doesn't work. And I'm just not a good enough
network engineer to sniff out why.

~~~
stevewillows
A lot of people in the low-end VPS community use this [1] -- and I've used it
ever since. The installation script just works. Adding a new user? Run the
script. I don't think we're alone in the struggle.

[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)

~~~
adonnjohn
Thanks for the resource! It's always a pet project to try and set it up, so I
never researched any install helpers very heavily. I'll definitely try this
next.

------
isatty
3 source files, amazing. This is a great opportunity for folks to learn more
about implementing a VPN.

I'm planning to re-implement it in Rust (to learn from) and then contribute to
WireGuard's Rust effort.

------
ComputerGuru
I automatically cringe and walk away when I see tcp over tcp. I’ve been bitten
by it too many times. Someone correct me if I’m wrong, but it’s fundamentally
incorrect and is pretty much guaranteed to devolve into pathological cases.

~~~
mrb
Here is what the author of DSVPN says in the readme about that: « _TCP-over-
TCP is not as bad as some documents describe. It works surprisingly well in
practice, especially with modern congestion control algorithms (BBR). For
traditional algorithms that rely on packet loss, DSVPN couples the inner and
outer congestion controllers by lowering TCP_NOTSENT_LOWAT and dropping
packets when congestion is detected at the outer layer._ »

~~~
xfs
This is wrong. BBR still does retransmission if packets do not arrive on time,
and any retransmission in the inner TCP stack automatically becomes badput
that wastes the outer TCP stack which is likely at the same time also doing
retransmission for packet losses at lower layer.

TCP_NOTSENT_LOWAT is not a solution to this either. It is a solution for
HTTP/2 to be more aware of the congestion state and prioritize traffic
properly, which itself does not do retransmission. It makes the buffer smaller
so congestion is reported to upper layer earlier but still much later than
when the actual congestion happens, distorting the upper/inner TCP congestion
control. Also, a 128KiB value is hardcoded here for this knob, effectively
rendering it only useful for a bandwidth delay product of 5Mbps * 200ms RTT.

~~~
apenwarr
I’ve noticed a pattern where crypto people don’t seem to understand the edge
cases of tcp congestion control, so I agree that this workaround is
suspicious. Of course, it’s better than no VPN if your UDP is blocked. I like
sshuttle’s way better (but I’m biased).

However, it’s not broken in the exact way you’re thinking. TCP_NOTSENT_LOWAT
is different from TCP_LOWAT. The latter would imply a hardcoded bandwidth-delay
product. The one they’re using is a margin on top of the bandwidth-delay
product, which mostly just depends on a fast enough CPU. They’re using a
surprisingly high value for it though.

------
Tepix
> Uses only modern cryptography, with formally verified implementations.

That's a bit light on details. Does it have hardware acceleration? Replay
attack protection? Perfect forward secrecy? What are the underlying
algorithms? Implementation verified by whom?

> Small (~25 KB), with an equally small and readable code base. _No external
> dependencies._

This looks cool, however I don't like the fact that it doesn't use a trusted
crypto library such as libsodium. It is likely to get less review and if
weaknesses are detected in the algorithms, it is less likely to be improved.

~~~
sa1
> This looks cool, however I don't like the fact that it doesn't use a trusted
> crypto library such as libsodium. It is likely to get less review and if
> weaknesses are detected in the algorithms, it is less likely to be improved.

That's somewhat amusing given that the author of dsvpn is the author of
libsodium.

~~~
forgotmypwd123
all the more reason for dsvpn to use libsodium!

------
mikroskeem
Reminds me of this: [https://github.com/unbit/vpn-ws](https://github.com/unbit/vpn-ws)

Too bad that it never evolved further.

------
progval
> Maybe:

> * Support for multiple clients.

As long as it doesn't support multiple clients that can connect to each other,
it's more of a proxy/gateway than a VPN.

------
sam_lowry_
> OpenVPN is horribly difficult to set up.

OpenVPN is dead easy to setup with a shared secret, and it can work over TCP
in pretty much the same way.

~~~
Naac
While I don't think setting up openvpn is "difficult", in the sense that it's
a hard problem to solve, I would definitely not go as far as to say that it is
"dead easy".

Setting up openvpn is definitely involved[0]. And I think being concerned that
you've configured something incorrectly is a real issue, especially when it
comes to security.

[0]
[https://wiki.archlinux.org/index.php/OpenVPN](https://wiki.archlinux.org/index.php/OpenVPN)

~~~
Erlich_Bachman
But you would trust this toy project in terms of security? The point of
something like OpenVPN is that all security cases and bugs are worked out
already, and there is tons of information for all use cases, and everything is
already polished.

Sure you might need to learn some new configuration options, but you won't
just use them in this project, they will serve you for the rest of your life
for all possible VPN usage cases.

~~~
sam_lowry_
The more complex the project, the less secure it is.

------
yeasayer
> WireGuard doesn't work over TCP

Can somebody well versed explain what the difference between TCP and UDP in
this case? I obviously know what these are, I just don't understand why it's
such a debatable choice applied to VPNs.

~~~
drewmol
01CGAT’s link sums it up as: TCP is not designed to be stacked and doing so
results in the exponentially increasing retry timeout feature, used for
reliability optimization of the protocol, conflicting to provoke excessive
retransmission attempts by the upper layer TCP.

The detailed explanation is in the linked article: “Why TCP over TCP is a bad
idea”[0]. It was broken for me so I dug up an archive.org copy.

The upper layer transmission control and retransmission attempts are
completely unnecessary as transmission is already guaranteed by the lower
layer TCP. The upper layer TCP, unaware of TCP underneath and having an
increasing timeout on acknowledgment failure, can begin to queue up more
retransmission than the lower layer can process increasing congestion and
inducing a meltdown effect.

Explained better here:
[0] [https://web.archive.org/web/20190531210932/https://sites.inka.de/bigred/devel/tcp-tcp.html](https://web.archive.org/web/20190531210932/https://sites.inka.de/bigred/devel/tcp-tcp.html)
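
The mechanism described in the comment above, and argued over in the ComputerGuru/xfs/apenwarr exchange earlier in the thread, is easy to see in a toy model. The following is an editor-added simulation, not code from DSVPN or from the linked article. It models an inner TCP flow (fixed window, initial RTO, exponential backoff) carried through an outer tunnel that never loses data but stalls for a while, standing in for the outer TCP recovering from loss on the real link. Window size, RTO and stall length are assumed values chosen to keep the trace short; the same flow is run once with inner retransmission on and once with it off (what a UDP payload inside the same tunnel would do).

```python
"""Toy discrete-time model of TCP carried inside a reliable TCP tunnel.

Added example, not DSVPN's code. One tick is one segment of outer capacity.
The outer tunnel is a FIFO that never drops but delivers nothing during the
stall interval. Parameters are assumed values, not measurements.
"""
from collections import defaultdict


def simulate(n_segments=8, window=4, rto0=4, stall=(1, 9),
             retransmit=True, max_ticks=1000):
    """Return how many segments the tunnel had to carry and when the inner
    transfer completed. retransmit=False disables the inner RTO, i.e. the
    inner layer trusts the tunnel's reliability."""
    unacked = {}                 # seq -> [deadline, current rto]
    queue = []                   # outer tunnel FIFO (never drops)
    ack_due = defaultdict(list)  # tick -> seqs whose ack reaches the sender
    next_seq = 0
    sent = retransmissions = 0

    for t in range(max_ticks):
        # 1. acks arrive one tick after the first copy of a segment landed
        for seq in ack_due.pop(t, []):
            unacked.pop(seq, None)
        if next_seq == n_segments and not unacked:
            return {"segments_carried": sent + retransmissions,
                    "retransmissions": retransmissions, "finished_at": t}

        # 2. inner RTO: resend anything overdue and double its timeout.
        #    The copy goes to the back of the outer FIFO, behind data the
        #    tunnel was already going to deliver, so it is pure badput.
        if retransmit:
            for seq, state in sorted(unacked.items()):
                deadline, rto = state
                if deadline <= t:
                    queue.append(seq)
                    state[1] = min(rto * 2, 64)
                    state[0] = t + state[1]
                    retransmissions += 1

        # 3. inner window: send new data while the window allows
        while len(unacked) < window and next_seq < n_segments:
            queue.append(next_seq)
            unacked[next_seq] = [t + rto0, rto0]
            next_seq += 1
            sent += 1

        # 4. outer tunnel: one segment per tick, nothing while stalled.
        #    Stale copies still occupy a tick each when their turn comes.
        stalled = stall[0] <= t < stall[1]
        if queue and not stalled:
            seq = queue.pop(0)
            if seq in unacked:        # first useful copy of this segment
                ack_due[t + 1].append(seq)

    return {"segments_carried": sent + retransmissions,
            "retransmissions": retransmissions, "finished_at": None}


if __name__ == "__main__":
    print("TCP in TCP:      ", simulate())
    print("no inner RTO:    ", simulate(retransmit=False))
    print("no outer stall:  ", simulate(stall=(0, 0)))
```

With these parameters the inner TCP pushes 15 segments through the tunnel to deliver 8 and finishes at tick 20, while the same flow without inner retransmission carries exactly 8 and finishes at tick 16: every retransmitted copy sat in the outer FIFO ahead of new data, delaying the acks that would have stopped further retransmissions. Lengthening the stall or shrinking the initial RTO makes the gap wider, which is the feedback loop the linked article calls a meltdown.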

~~~
kazen44
mind you that this is not only applicable to any VPN setup, but any tunneling
or overlay protocol.

~~~
tptacek
It's applicable to any tunneling or overlay protocol that encapsulates TCP in
TCP.

------
kccqzy
What's the significance of emphasizing port 80 and 443? You can assign
basically any ports to any application. If some firewall blocks all traffic
but 443, you can configure the service yourself to listen on 443.

~~~
wongarsu
443 is a nice default since it's the most likely port to be both unblocked and
left alone by middleboxes. But I agree that it's not exactly a unique feature.
"DSVPN - Dead Simple VPN over TCP" would have been a better headline

------
parliament32
Is openvpn really that hard to set up? I don't remember having any issues just
tweaking the default config file. If you want tcp 443 you just:

    
    
      port 443
      proto tcp
    

Is that really too hard?

------
dzsekijo
I wonder how it fares compared to VPN over ssh,
[https://help.ubuntu.com/community/SSH_VPN](https://help.ubuntu.com/community/SSH_VPN)

~~~
davidcollantes
When it comes to simplicity, DSVPN beats it.

------
amaccuish
But does it look like SSL traffic? That's the problem with OpenVPN, it's quite
easy to detect. For restrictive environments I much prefer Ocserv (uses
OpenConnect/AnyConnect protocol) or Microsoft's SSTP protocol.

I was back in Dubai recently and sadly WireGuard didn't work, so I had to use
OpenConnect, which, while it doesn't have the connectionless-like behaviour of
WireGuard, at least worked.

~~~
privethedge
[https://en.wikipedia.org/wiki/SoftEther_VPN](https://en.wikipedia.org/wiki/SoftEther_VPN)
> Firewalls performing deep packet inspection are unable to detect SoftEther's
VPN transport packets as a VPN tunnel because HTTPS is used to camouflage the
connection.

~~~
amaccuish
Exactly. SoftEther is also one of the only linux servers I know of that can do
Microsoft's SSTP protocol, which is convenient since it's built in to Windows
and looks like HTTPS. I'm not sure SoftEther's own SSL protocol is widely
used, or it's more used for site-to-site.

------
hclaria
Or you could encapsulate OpenVPN inside stunnel to make it indiscernible from
regular HTTPS traffic

[https://www.perfect-privacy.com/en/manuals/linux_openvpn_stealth_stunnel](https://www.perfect-privacy.com/en/manuals/linux_openvpn_stealth_stunnel)

------
aleks_me2
That's a great tool. Easy to use and really robust in daily use. thanks for
writing ;-)

------
ggregoire
A simple noob question: in this context where I want to access a private
remote machine, what are the advantages of a VPN (let's say over TCP, I don't
know if it matters?) vs. a simple ssh tunnel?

~~~
brennebeck
I think that really depends on whether you need all traffic routed through the
tunnel/vpn and what else you were trying to accomplish. For just basic system
access there isn’t much advantage to vpn, but it would really depend on what
you’re trying to accomplish (keep people out? Just secure your connection to
another machine? Etc.).

------
faissaloo
>Doesn't perform any heap memory allocations

That's fascinating, I wonder how they managed that (unless they used cheats
like sbrk of course).

~~~
oso2k
`sbrk` modifies the heap [0].

[0] [https://linux.die.net/man/2/sbrk](https://linux.die.net/man/2/sbrk)

~~~
faissaloo
Oh right, I was confusing it with alloca() [http://man7.org/linux/man-pages/man3/alloca.3.html](http://man7.org/linux/man-pages/man3/alloca.3.html)

------
dClauzel
> Blocks IPv6 on the client to prevent IPv6 leaks.

No IPv6? That's a no.

------
skanga
Any plans for a version on Windows?

~~~
microcolonel
Seems like it's a personal project, and the author is absolutely ruling out
supporting anything he doesn't like, including anything peripherally related
to systemd, which seems a bit childish to me; but heh, it's not _my_ work.

~~~
iamnotacrook
How is not doing something you don't want to do childish? Is it childish to go
to Barcelona instead of Paris on holiday?

~~~
AnIdiotOnTheNet
> How is not doing something you don't want to do childish

Actually that's kind of the definition of childish isn't it? Being an adult is
often about recognizing you need to do things you don't want to do.

~~~
iamnotacrook
He's a developer who doesn't feel like doing something. It's childish to
expect him to do what YOU think he should be doing, isn't it? Why should he?
It's his project - he doesn't want to do it, doesn't have to, doesn't owe
anyone anything? I don't get this at all. Shifting change in society's
attitudes, maybe? It's not enough to take someone's work for free; now there's
an obligation that he answers to a higher power - anyone with an internet
connection?

~~~
AnIdiotOnTheNet
> He's a developer who doesn't feel like doing something. It's childish to
> expect him to do what YOU think he should be doing, isn't it?

If we're being asked to care about this developer's project, then I don't
think it is unfair at all to criticize. Let me see if I can explain where I'm
coming from with a short play representing many, many real dialogs I've had
and read in my years of computing:

Evangelist: "hey, you should use this thing I made!"

Me: "No, it doesn't seem to do what I want."

Evangelist: "You don't really need that anyway..."

Me: "No, I really do."

<20 minutes of pointlessness later>

Evangelist: "It's wrong of you to criticize all this hard work I've given you
for free!"

Me: "I didn't ask for it!"

So maybe too many years of dealing with open source software evangelists has
led me to assume that anyone posting a project like this is doing so in this
vein.

------
sayrer
no one could have predicted this!

------
ac130kz
Again, no Windows support. The code base isn't that big though, maybe it's the
time to implement one myself.

