
SigmaVPN: Stateless OpenVPN Replacement Using NaCl Encryption Library - zx2c4
http://frozenriver.net/SigmaVPN
======
tptacek
This code is as simple as the project owners say it is, but there are a couple
of things about it that I wish were different:

* The "nacltai" protocol driver uses C VLAs to store attacker-controlled numbers of bytes; a VLA is morally the same as an "alloca" call. I have no clue if this is exploitable but reading it gives me a painful burning itching sensation.

* I sort of wish the authors didn't parse strings to recover crypto parameters from the packets, but instead just used a straightforward binary encoding that would require less use of C's terrible string functions.

I'm still a lot more comfortable with this codebase than with OpenVPN. :)
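Added example, not code from SigmaVPN or from the commenter: the VLA pattern described above, shown in a comment, next to a bounded parser for a hypothetical length-prefixed frame. The 2-byte header, the `frame` struct and `MAX_PAYLOAD` are assumptions for illustration, not the project's wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire header for illustration (not SigmaVPN's format): a 2-byte
 * big-endian payload length followed by that many payload bytes. */
#define MAX_PAYLOAD 1500   /* most a datagram can carry; fixes the buffer size */

/* The pattern tptacek describes: a stack array sized by a number read off the
 * wire. A VLA is alloca() in disguise, so the peer picks the stack usage, and
 * nothing here checks that the declared length fits the datagram received:
 *
 *   uint16_t n = (pkt[0] << 8) | pkt[1];
 *   uint8_t  buf[n];
 *   memcpy(buf, pkt + 2, n);
 */

typedef struct {
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];   /* fixed size, never peer-sized */
} frame;

/* Hardened form: check the declared length against both the fixed buffer and
 * the bytes actually received before copying. Returns false on any malformed
 * frame and leaves *out untouched in that case. */
bool parse_frame(const uint8_t *pkt, size_t pkt_len, frame *out) {
    if (pkt_len < 2) return false;                  /* header incomplete */
    uint16_t n = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (n > MAX_PAYLOAD) return false;              /* larger than our buffer */
    if ((size_t)n != pkt_len - 2) return false;     /* disagrees with datagram */
    out->len = n;
    memcpy(out->payload, pkt + 2, n);
    return true;
}
```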

~~~
xiaomai
Have you expounded on your feelings about OpenVPN anywhere? It's my go-to VPN
solution, so I would love to hear about what I should be using instead (I don't
think this is an option since it's only for connecting 2 computers (afaict)).

~~~
teacup50
I'm not sure where grandparent's OpenVPN concern is coming from; OpenVPN has
had a good security track record:

[http://www.cvedetails.com/vulnerability-list/vendor_id-3278/...](http://www.cvedetails.com/vulnerability-list/vendor_id-3278/Openvpn.html)

~~~
shiven
The source for concern may have started here:

[https://news.ycombinator.com/item?id=7598616](https://news.ycombinator.com/item?id=7598616)

------
alrs
I'm glad someone is coming at this problem from a different angle.

Maybe the subtext to this submission is "OpenSSL totally sucks so bad you need
to evacuate NOW NOW NOW!!!!" If so, I'd point out that now is the time to
upgrade OpenSSL, ditch all of your old keys, and keep an eye on the future.

Today is not the day to forklift in a whole new chunk of infrastructure.

Instead, set up a lab, play with it, get a feeling for it.

------
doe88
Maybe someone can help me. It is said _It has a time-based nonce, which
provides built-in resistance against replay attacks_, and I'm looking for where
in the code the time-based nonce is verified/handled on the receiver, but I
can't find it.

What I see: when a packet is decrypted, the time-based nonce is unpacked here
[1], and this function seems to be called from here [2], but nowhere can I
find where this nonce is verified not to be too old. What am I missing?

[1]
[https://github.com/neilalexander/sigmavpn/blob/c7f60ecfdb22b...](https://github.com/neilalexander/sigmavpn/blob/c7f60ecfdb22badae819fa965bc657286983c391/proto/proto_nacltai.c#L247)

[2]
[https://github.com/neilalexander/sigmavpn/blob/c7f60ecfdb22b...](https://github.com/neilalexander/sigmavpn/blob/c7f60ecfdb22badae819fa965bc657286983c391/main.c#L423)
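Added example, not SigmaVPN's code or the commenter's: the receiver-side freshness check the comment above is looking for, written against an assumed TAI64N-style 12-byte timestamp prefix in the nonce. The layout, the `replay_state` names and the clock-skew window are assumptions for illustration, not taken from the project.

```c
#include <stdbool.h>
#include <stdint.h>
/* Assumed layout (an assumption for this example, not taken from SigmaVPN's
 * source): the first 12 bytes of the 24-byte NaCl nonce carry a TAI64N-style
 * timestamp, 8 big-endian bytes of seconds then 4 big-endian bytes of ns. */
#define TS_LEN 12

typedef struct {
    bool     seen;  /* has any packet been accepted yet?       */
    uint64_t sec;   /* timestamp of the newest accepted packet */
    uint32_t nsec;
} replay_state;

static uint64_t be_read(const uint8_t *p, int n) {
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

void make_nonce(uint8_t out[TS_LEN], uint64_t sec, uint32_t nsec) {
    for (int i = 7; i >= 0; i--)  { out[i] = (uint8_t)sec;  sec  >>= 8; }
    for (int i = 11; i >= 8; i--) { out[i] = (uint8_t)nsec; nsec >>= 8; }
}

/* Receiver-side freshness check for every packet that authenticates: accept
 * only a nonce strictly newer than the newest already accepted (a re-sent
 * captured packet fails this while the receiver is up) and within max_skew
 * seconds of our clock (bounds replays after state is lost, e.g. a restart). */
bool accept_nonce(replay_state *st, const uint8_t *nonce,
                  uint64_t now_sec, uint64_t max_skew) {
    uint64_t sec  = be_read(nonce, 8);
    uint32_t nsec = (uint32_t)be_read(nonce + 8, 4);
    if (sec > now_sec + max_skew || sec + max_skew < now_sec)
        return false;                    /* outside the time window */
    if (st->seen && (sec < st->sec || (sec == st->sec && nsec <= st->nsec)))
        return false;                    /* replayed or reordered   */
    st->seen = true; st->sec = sec; st->nsec = nsec;
    return true;
}

/* Constructed sequence: fresh, exact replay, newer, older, hour-old; returns 2. */
int replay_demo(void) {
    replay_state st = {0}; uint8_t n[TS_LEN]; uint64_t now = 1000000; int ok = 0;
    make_nonce(n, now, 0);        ok += accept_nonce(&st, n, now, 60);
    ok += accept_nonce(&st, n, now, 60);                  /* replay */
    make_nonce(n, now, 500);      ok += accept_nonce(&st, n, now, 60);
    make_nonce(n, now - 1, 0);    ok += accept_nonce(&st, n, now, 60);
    make_nonce(n, now - 3600, 0); ok += accept_nonce(&st, n, now, 60);
    return ok;
}
```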

~~~
nodata
[https://news.ycombinator.com/item?id=7599941](https://news.ycombinator.com/item?id=7599941)

------
borski
FWIW, we built an incredibly easy single click OpenVPN setup tool for
DigitalOcean and Rackspace during Sochi:
[http://www.tinfoilsecurity.com/vpn](http://www.tinfoilsecurity.com/vpn) Enter
API key creds, it makes the box for you, sets it up, and hands you a config
you can use for your client of choice. (The script is open source for those of
you that don't want to enter creds - we don't store them, and actually remove
access whenever we can; for example, we delete our own SSH key from DO because
they let us).

It's still OpenVPN but might be useful to those that care about this story
too.

~~~
mrfusion
This is such a nice product, I'm thinking you should be charging for it! I
can't quite see who the market would be though. I guess there's not an easy way
to target it to the enterprise market.

~~~
jrvarela56
I've been thinking of how to market this but the only step missing is setting
up the client. Bear in mind that this should be foolproof (typed up the
instructions for a friend and still ended up with 8-10 steps). Tunnelblick for
OSX is straightforward to set up with the provided .ovpn file but takes too
many steps.

------
barnslig
There's another tunnel implementation that's based on NaCl called fastd. It
seems to be production ready, however some thousands of Freifunk participants
use it to connect their Access Points.

[https://projects.universe-factory.net/projects/fastd/wiki](https://projects.universe-factory.net/projects/fastd/wiki)

~~~
stormbrew
This looks promising, but I don't feel good about the fact their SSL cert
isn't valid. :/

~~~
homulilly
It's from CAcert, which isn't trusted in most browsers, but I'd consider it
valid for this case.

~~~
stormbrew
Fair enough.

------
api
This is stateless, nearly zero-configuration, and P2P, among other things. It
also uses the same cryptographic primitives and composition as NaCl (purely
coincidentally). It supports Mac, Windows, and Linux, and has a GUI control
panel for Mac and Windows. There's a clean installer with baked-in auto-update
functionality.

[https://github.com/zerotier/ZeroTierOne](https://github.com/zerotier/ZeroTierOne)

/full disclosure: I wrote this.

~~~
tinco
Could you add some example networks on your frontpage? Preferably with nice
network diagrams. It could help sell your product if people know what kind of
business cases it helps for (my business is looking for a good solution).

Also, please use something like Twitter's Bootstrap and buy a nice theme; your
site and logo currently look very untrustworthy. I couldn't get my boss to
sign off on buying something from a website that looks like that.

~~~
api
I completely agree on the design. I'm working on a big web design rev right
now that looks _much_ better.

I'm not sure what you mean by diagrams though. This doesn't work that way. It
creates virtual networks that look completely flat, as if you and every other
peer were plugged into the same Ethernet switch.

One of my difficulties has been getting this across... you don't have to think
about topology. It's easier than that. It's a virtual switch. Install, join
network, done. Everything is automatic.

You can peek at the new design here (but don't try to use it):
[https://test.zerotier.com/](https://test.zerotier.com/)

~~~
tinco
That design is a lot better. But I'd still recommend you look a little more at
some professional themes. Also the logo could use some typographic love :)

But a network in which every peer is connected to the same Ethernet switch
isn't flat, it's a star. And a star network doesn't scale as well as you
claim.

Behind the scenes, to make it scalable, perhaps you build p2p connections; this
would make the diagram more like a complete graph, which has its own
scaling problems.

To solve it, perhaps you have stateless or on-demand connections, so the
actual number of connections is lower than the worst case. Or perhaps you
promote peers to super-peers and build a star of stars network.

A couple of simple diagrams answer these questions and quickly let me decide
whether your solution is suitable.

~~~
api
It's all three of the things you mention: peer to peer, stateless, and on-
demand. It also uses UDP, so it's not opening huge numbers of TCP connections.
The only time it uses TCP is if you can't use UDP -- as a fallback mode.

I'm not sure why that wouldn't scale. Even if you had millions of users on a
network you'd only be connecting to those with whom you're communicating.

It is also as you mention a star of stars network. The supernodes are at very
high bandwidth sites and their number and size can be increased on short
order. They only relay data if P2P/NAT-t fails, which only happens for about
1-2% of users. Otherwise they just shepherd NAT-t. They're geographically
distributed for high performance: Singapore, Tokyo, San Francisco, New York,
Amsterdam, and (soon) Sydney. If a supernode fails it takes 10-30 seconds to
fail over.

I have plans to further decentralize and add automatic promotion of nodes at
some point in the future, but that's a hard problem that requires more study.

Edit: this isn't just another VPN. This is the result of over four years of
work, including a huge amount of research into networks and cryptography. It's
a completely new system.

~~~
uuid_to_string
"It doesn't scale!"

Who said it needed to scale?

How many Facebook friends does the average user have?

Do these networks need to be larger than that?

If users want larger networks they can bridge their VLANs.

"I don't like your logo!"

I'm using a text-only browser so I really don't care what your logo looks
like.

Keep up the good work and ignore the critics.

Suggestion: Make the crypto fungible, so if a user wants to use a different
library, e.g., NaCl, they can.

~~~
api
Heh.

Actually, thank you to the previous poster. I didn't mind the criticism. His
point -- "your existing site doesn't look good enough to convince my boss" --
is very valid. The new site looks a lot better and it's not done yet.

It does in fact scale pretty darn well, mostly due to the fact that it's
connectionless, stateless, and opportunistic. If you're on a network with ten
million people but are only talking to ten, you'll only be sending packets
to/from ten.

The supernodes have to know about all ten million, but last I checked that
wasn't very much memory... maybe a few gigs tops? So that's what,
$20-$30/month per node? Or I could add the ability to put a real database
under it and use SSD cloud nodes and handle billions of users with sub-10-ms
lookup latency.

Of course if I get that many users that'll all be in the good problem to have
category and I'll have plenty of money to scale out and if necessary improve
the protocol/architecture. There are many directions I could explore: M:N
supernodes with load balancing, various other sharding techniques, moving to
beefier cloud providers, further decentralization in the protocol, all of the
above, etc. I could set up big labs, run simulations, do all sorts of cool
stuff. I've done enough so far to convince me that the problem of monstrously
scaling this thing is very solvable. Just have to do the work.

I'm not making the crypto fungible. The protocol does have flags that could be
used to indicate new algorithms if upgrading the crypto becomes necessary, but
I have been an absolute simplicity nazi with this thing so far and will
continue to be.

~~~
e12e
Interesting projects. What role does the website/service play wrt the
clients? Is it possible to run fully separate networks with just the client?

Any thoughts of how it compares with i2p?
([http://geti2p.net/en/](http://geti2p.net/en/))

~~~
api
You could technically set up your own completely separate network --
everything you need is there. You'd just have to fork it. It'd be kind of like
forking Bitcoin to make Dogecoin or JuggaloCoin or whatever. But in this case
I wouldn't see the point. You wouldn't be able to join networks on the "real"
network, etc.

Compared to I2P and Tor: it's neither of those. This is about network
virtualization and making it easy to set up ad-hoc networks across physical
boundaries. It's not a privacy tool per se, though it is end-to-end encrypted
so the content of your data is hidden. My goal isn't to duplicate the work of
Tor or I2P -- if you want strong anonymity, use those. (You could use ZeroTier
One through Tor, though it would be slow.)

There is an incomplete beginning to a technical FAQ here that answers some of
these questions in more detail:

[https://github.com/zerotier/ZeroTierOne/wiki/Technical-FAQ](https://github.com/zerotier/ZeroTierOne/wiki/Technical-FAQ)

------
dagi3d
The source code is about two years old. Does that mean that the code is so
stable that there is no need for patches/improvements? Or has the project been
discontinued?

~~~
jedisct1
Quicktun is still maintained:
[https://github.com/UCIS/QuickTun](https://github.com/UCIS/QuickTun)

~~~
aryastark
Quicktun used to use C's rand() to generate keypairs (see keypair.c). They
still include a blurb about /dev/urandom being insecure and apparently
requiring the user to manually input random data. The nacl0 protocol is
inherently insecure (null nonce, vulnerable to replay), not sure why they even
include that. IIRC, you also pass the private key via environment variable.
Lots of horrible flaws for such a small code base.

------
darklajid
I'm still searching for something a la tinc, but with a decent crypto story
(tinc goes out of its way to say that it probably isn't safe).

SigmaVPN would look awesome, but lacks Windows support. I'd give ZeroTierOne a
shot, but that lacks Android support. Any other solutions for a "VPN Of
Things" if you will?

------
archivator
What's the recommended non-serious-personal-use VPN these days?

PPTP is completely broken (MS-CHAPv2 especially), OpenVPN is hard to set up and
maintain.

I've been using ssh as an impromptu VPN-like thing but I'd really, really like
an actual VPN solution.

~~~
stormbrew
I use n2n for things that don't really matter, it's quite nice and simple, but
has some pretty glaring potential if not real security flaws in its design
(and the v2 that was supposed to fix some of them seems to be in some kind of
deep technical debt hole and tends to crash).

After this thread I'll be looking at fastd and zerotierone, though.

~~~
uuid_to_string
What do you use for things that matter?

Do you have something else to create L2 overlays that is more secure?

~~~
stormbrew
Unfortunately, openvpn. :/

~~~
uuid_to_string
As you know, OpenVPN cannot do what n2n can do.

Someone has to run an OpenVPN server. Everyone on the network has to trust
that server.

And connections between network participants are not peer to peer.

With OpenVPN and most other VPN's, if I'm not mistaken, each person's traffic
passes through a central point: some VPN server/appliance.

This is a major difference and has its own set of security implications.

------
zx2c4
Anybody familiar with this project? Does it successfully and securely achieve
what it claims to achieve? What's its status currently?

------
uuid_to_string
[http://curveprotect.org/howto-vpn.html](http://curveprotect.org/howto-vpn.html)

------
dmourati
Link bait title with reference to OpenVPN but not mentioned anywhere on the
page.

------
zobzu
Isn't OpenVPN stateless if you disable the ping restarts anyway?

------
alexnewman
LOL for anyone who uses this.

------
_mikz
Replacement? Does it talk OpenVPN protocol? No. It is not a replacement.

~~~
StavrosK
It's not a _clone_. It's a replacement. It does the same job, like the car is
a replacement for the horse-drawn carriage, but it doesn't run on hay.

~~~
_mikz
It is a VPN software. Calling it OpenVPN replacement is just for getting votes
because of current events.

~~~
antihero
Virtual Private Network isn't restricted to OpenVPN nor has it been at any
point...

