
Freelan - an open-source, multi-platform, peer-to-peer VPN software - bowyakka
http://www.freelan.org/
======
kika
btw, anyone interested in something like this? I have an extensive codebase
after trying to build a business around p2p vpn/filesync software. The
business didn't go too well (various reasons) but the code is very high
quality and still lying around collecting digital dust. We had (we think we
had :-)) the best NAT traversal algorithms at that time. Multiplatform -
Linux, Win, Mac. Written mostly in very readable old school die hard ANSI C
:-)

In the wake of the recent NSA-related news I thought that this stuff may find
a new use. If you have an idea and would like to devote some time and effort -
you're welcome (I guess my contact info is visible in the profile).

I have no issues opensourcing it, it contains no closed-licensed and/or
GPL-poisoned code. Everything we borrowed was BSD-type licensed. I just want
to have some product to opensource instead of just dumping it on GitHub and
then waiting 4 billion years for life to conceive itself there :-)

Sorry for shameless plug.

Update for "Github ++" commenters: I'm all in to put it on Github (BitBucket
is more natural in my case, because it's a Hg repo). But: the architecture was
quite well thought out and internal APIs are quite clear, but they're not
documented. We didn't have immediate open source plans. You won't be able to
figure out how to use it, especially if you're going to use our "lower" layer
- NAT traversal and friends. You need to know how it works to build a more
universal API on top of it. Trust me, I know what I'm talking about - I did a
few experiments with this code about a year ago and I spent a _lot_ of time
figuring out how we did this and that. And it was _our_ code, we wrote it and
discussed it daily for two years.

~~~
belorn
For an otherwise very interesting and up-vote worthy comment, I really don't
know what to do with comments that also include derogatory terms.

The project sounds interesting, the comment is very much relevant in today's
post-NSA world. So should I downvote, upvote, or not vote at all? If the
comment had used a neutral word, rather than a derogatory term, it would not
be a question about it.

~~~
kika
I'd admit a wrongdoing if you can explain how to poison a project with BSD.
For me (not an expert in OSS licenses in any way) it sounds like "the victim
was poisoned with a glass of pure water".

You can vote whatever you feel like, but I'm not selling my opinion for a vote
on HN. My opinion is what it is and I can change it if you either provide
a sufficient argument or threaten my life, health, family or some other factor
of my life, more important than my opinion on OSS licensing :-)

I can provide argument why I think GPL is what I think it is, but I seriously
doubt this thread is the right place for it.

~~~
belorn
Users of BSD software still need to follow the BSD license. This means, for
4-clause BSD, that you must include the line "This product includes software
developed by the <organization>." in _all advertising materials_. If you are
using the Revised BSD License, you still need to include the BSD license in
any documentation or "other materials" that are shipped.

So if you like to be in full control over your advertisement, and your
documentation, BSD does indeed "poison" the project. It clearly adds
restrictions. I would however not use such a derogatory term when describing
the BSD. Is it really that hard to avoid using derogatory terms and simply use
language without them?

~~~
kika
I wrote specifically "BSD-type", not BSD. We didn't use the BSD license itself,
as far as I can tell, and the project contains a surprisingly small amount of
_any_ third party code.

I do not consider "poisonous license" a derogatory term. English is not my
native language, maybe this is why.

~~~
belorn
That's fair. I consider calling anything, be that GPL, BSD, or open source,
poisonous to be on the side of a derogatory term, similar to the cancer
comparison made by Steve Ballmer. I can see however if that's not always the
case for others.

Just as a side note, I found a half-year-old HN article which talked about
the BSD requirements, which suggests that one might want to use the ISC license
in some cases:
[https://news.ycombinator.com/item?id=5798431](https://news.ycombinator.com/item?id=5798431)

Not that your project is code for embedded software (or is it? C code tends to
be quite fast and have a small memory footprint), but it might be an
interesting read.

~~~
kika
We designed and coded it with embedded in mind. We both have extensive
embedded experience and it was a no-brainer with all that hype about "internet
of things". Our stack is naturally born IPv6 and as such is a natural match
for "things", so not thinking about embedding would have been clearly a
mistake.

------
spindritf
After skimming the website and the FAQ[1] it seems to be a safer tinc[2]. It's
a very cool piece of software and I always wanted to set something like that
up between my servers and routers but never found a need convincing enough to
go through the trouble.

[1] [http://www.freelan.org/page/faq](http://www.freelan.org/page/faq)

[2] [http://www.tinc-vpn.org/](http://www.tinc-vpn.org/)

~~~
makefu
The points why freelan is better regarding security are no real issues, but
tradeoffs in terms of performance which are just copy-pasted from the tinc-vpn
security FAQ[1].

I have been using tinc for quite a long time and it feels pretty stable, but
the configuration of new nodes is quite a PITA. For that reason a lot of
bootstrapping scripts have been built around this [2]. Also, I love the
possibility to easily dump the whole (known) network graph and create great
graphs from this info [3].

I am using it mostly for reaching hosts behind NAT and creating a secure
environment for these hosts. I never have tried the 'connect whole network'
feature.

[1] [http://www.tinc-vpn.org/security/](http://www.tinc-vpn.org/security/)

[2]
[https://github.com/krebscode/painload/blob/master/retiolum/s...](https://github.com/krebscode/painload/blob/master/retiolum/scripts/tinc_setup/new_install.sh)

[3]
[http://euer.krebsco.de/graphs/retiolum/retiolum_1.svg](http://euer.krebsco.de/graphs/retiolum/retiolum_1.svg)

~~~
bincat
Tinc's problematic protocol (security wise) killed it for me before. For
example, it didn't have PFS.

It seems that with 1.1pre3 or 4 they have gotten a new, experimental protocol.
Hopefully it is an improvement.

------
Nanzikambe
A little pet peeve, why do people always overlook the most ubiquitous VPN
solution of them all?

OpenSSH

Can create a full spectrum VPN & supports a stronger and a broader range of
ciphers than virtually all competing software, is entirely open source, runs
on every platform I can think of, the list goes on. Heck via pointopoint it
can even mimic freelan and be peer to peer :)

~~~
gaadd33
It's not trivial (afaik) to route all traffic over an OpenSSH connection on
most platforms, is it? I mean you can have it act as a SOCKS proxy without much
trouble, but there's no easy way to route DNS lookups over it, is there?

~~~
Nanzikambe
It is trivial, I use this simple script to open an SSH tunnel to a remote
host, assign me and the remote host private IPs on tunnel interfaces
(/dev/tun0), set up a pointopoint route between them, nuke my regular routing
table & fix it so my default route points down the newly created tunnel.

[http://pastebin.com/CxaH6z49](http://pastebin.com/CxaH6z49)
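An added example of the sequence the comment describes (this is not the commenter's pastebin script): an OpenSSH layer-3 tunnel (`ssh -w`) that becomes the default route. It assumes Linux with iproute2 on both ends, a remote sshd with `PermitTunnel yes` and root on the remote side, and uses constructed placeholder hostnames and addresses; by default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example, not the commenter's pastebin script: bring up an OpenSSH
# layer-3 (tun) tunnel and send the default route through it. Assumes Linux
# with iproute2 on both ends, a remote sshd configured with "PermitTunnel yes"
# (so root on the remote side), and a local user allowed to create tun0.
# Hostname and addresses below are constructed placeholders.
set -eu

REMOTE_HOST="${REMOTE_HOST:-vpn.example.net}"
REMOTE_IP="${REMOTE_IP:-203.0.113.5}"
LOCAL_TUN_IP="${LOCAL_TUN_IP:-10.99.0.2}"
REMOTE_TUN_IP="${REMOTE_TUN_IP:-10.99.0.1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them as root

# Next hop from one "ip route show default" line, e.g.
# "default via 192.0.2.1 dev eth0 proto dhcp metric 100" -> 192.0.2.1
gateway_from_route_line() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# The setup, one command per line, in the order it must run. Pinning a host
# route to the SSH server via the old gateway (first line) has to happen before
# the default route is replaced (last line): otherwise the tunnel's own packets
# would be routed into the tunnel and the session would collapse.
plan() {
    gw="$1"
    echo "ip route add $REMOTE_IP via $gw"
    echo "ssh -f -N -w 0:0 root@$REMOTE_HOST"
    echo "ssh root@$REMOTE_HOST 'ip link set tun0 up && ip addr add $REMOTE_TUN_IP peer $LOCAL_TUN_IP dev tun0'"
    echo "ip link set tun0 up"
    echo "ip addr add $LOCAL_TUN_IP peer $REMOTE_TUN_IP dev tun0"
    echo "ip route replace default via $REMOTE_TUN_IP dev tun0"
}

main() {
    gw="$(gateway_from_route_line "$(ip route show default 2>/dev/null || true)")"
    [ -n "$gw" ] || gw="GATEWAY_UNKNOWN"
    if [ "$DRY_RUN" = 1 ]; then
        plan "$gw"
    else
        [ "$gw" != GATEWAY_UNKNOWN ] || { echo "no default gateway found" >&2; exit 1; }
        plan "$gw" | while IFS= read -r cmd; do sh -c "$cmd"; done
    fi
}

main
```

Run with `DRY_RUN=0` as root once the placeholders are replaced; the pinned host route is what keeps the SSH session alive after the default route moves onto tun0.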

~~~
gaadd33
I wouldn't really call that trivial compared to enabling a VPN connection in
most operating systems (i.e. clicking on the vpn icon and saying enable).

Also it appears to require root access on the remote machine, which would make
it difficult to securely let a few people use it. Definitely a useful script
for a quick Linux to Linux tunnel.

------
icebraining
When comparing with OpenVPN, they say the latter "does not allow direct
client-to-client communication." Can anyone explain it? I thought
point-to-point mode was not only supported, but the default.

~~~
Shish2k
I think the key word there is "direct" -- AFAIK FreeLAN is P2P, where OpenVPN
is "client -> server -> other client"

~~~
JulianMorrison
OpenVPN is client/server in cert authenticated mode and P2P in symmetric mode.
What it doesn't do is routing, so for creation of darknets you need a proper
routing daemon, and non-colliding IPs. Nor does it tunnel NAT (but it can
connect from in NAT to outside, so a group in NAT can be bridged by a hub node
on the internet).

------
devx
Could this take advantage of Google's new QUIC protocol, or get any benefits
from it?

[http://en.wikipedia.org/wiki/QUIC](http://en.wikipedia.org/wiki/QUIC)

~~~
kolev
Pretty good idea, indeed!

------
fabware
I'm sure there are major typos in the configuration wiki (
[https://github.com/freelan-developers/freelan-all/wiki/Two-h...](https://github.com/freelan-developers/freelan-all/wiki/Two-hosts-configuration-sample)
), which prevent me from setting up two nodes within the same LAN.

------
autodidakto
So this can be an open-source replacement for Hamachi/LogMeIn?

~~~
gooderlooking
It's similar in that it's peer-to-peer, but doesn't require an auth/directory
server to establish connections. If any known peer is accessible, the two can
authenticate directly.

~~~
kika
To successfully traverse many NATs you need a third party, which is already
accessible from the two parties trying to handshake.

~~~
gooderlooking
Yep, that's what I meant by "accessible" too. But with Hamachi, there's a
central service for client authentication. With freelan, peers authenticate
directly via signed certs.

~~~
XorNot
I looked into this heavily over the past few days. The punchline is this
_needs_ support for NAT traversal and some type of out-of-band way for clients
to find each other.

NAT traversal is an implementation thing, and I favor Jabber as the
out-of-band these days since _everyone_ can get at least a GTalk account.

Though we now have libjingle, which basically merges both of these things and
would probably elegantly solve the problem. But P2P VPNs aren't much use if
you have to control the NAT router you're attached to.

~~~
pyre
> I favor Jabber as the out-of-band these days since everyone can get at least
> a GTalk account.

Isn't that deprecated in favour of Google Hangouts?

~~~
XorNot
Whatever they're calling it, you can still get free XMPP accounts easily.

~~~
rurounijones
If it has been tied to hangouts then it has been tied to g+ and their
ridiculous policies, I hardly class it as a good alternative.

~~~
XorNot
Doesn't seem to be a problem with connecting with Pidgin, and I had it working
with Wippien (sadly Wippien doesn't really work great with Win 7 or Linux).

~~~
pyre
Google has stopped federating with other Jabber services. They have replaced
the GTalk Android app with the Google Hangouts app. They have started pushing
people (forcibly) towards Google Hangouts instead of Google Talk. How long
before XMPP support is dropped? I don't think we can claim that Google will
keep it around for certain.

------
Nesim
Anyone tried to install on Windows 2003 Server? No service is created on
installation. Also I tried to install the service manually ("freelan
--install") but am getting an error. Error: An invalid argument was supplied.

Any idea how to run on Windows 2003 32-bit server?

~~~
scott_karana
I'm not sure you'll get an answer here. :-) These are a better bet:
[http://www.freelan.org/page/contact](http://www.freelan.org/page/contact)

------
AtlasLion
How does this compare to Openswan for building multi-LAN tunnels?

