vpn
Secure TCP port forwarding application; using AES session key, performing secure handshake with X.509 certificates.
Getting started
- clone with SSH:
$ git clone git@github.com:GaPhil/vpn.git
(or clone with HTTPS:$ git clone https://github.com/GaPhil/vpn.git
) $ cd vpn
Create certificates
In order for the handshake to work, three certificates are needed; one for the CA as well as one for the server and client (ca.pem
, server.pem
and client.pem
):
- create three certificates:
$ sh create_certs.sh <email>
- verify certificates:
- compile:
$ javac src/crypto_utils/verifyCertificate
- run:
$ java src/crypto_utils/verifyCertificate ca.pem server.pem
- run:
$ java src/crypto_utils/verifyCertificate ca.pem client.pem
- compile:
Start the server:
- compile:
$ javac $(find ./src/* | grep .java) && cd src
- run:
$ java ForwardServer --handshakeport=2206 --usercert=../server.pem \
--cacert=../ca.pem --key=../server-private.der
Start the client:
- compile:
$ javac $(find ./src/* | grep .java) && cd src
- run:
$ java ForwardClient --handshakehost=localhost --handshakeport=2206 \
--targethost=localhost --targetport=6789 \
--usercert=../client.pem --cacert=../ca.pem --key=../client-private.der
Handshake Protocol
- Client and server authenticate each other
- X.509 certificate exchange
- Client requests forwarding to a target server
- Server creates symmetric session key for session encryption
- Session key is securely exchanged using public-key cryptography
- Server creates server port; a new TCP endpoint to which the client connects
- Communication over this connection is encrypted using symmetric encryption
CLIENT SERVER
| |
1 | ClientHello, Certificate |
|------>----------->----------->----------->----------->----------->----|
| |
2 | ServerHello, Certificate |
|------<-----------<-----------<-----------<-----------<-----------<----|
| |
3 | Forward, TargetHost, TargetPort |
|------>----------->----------->----------->----------->----------->----|
| |
4 | Session, SessionKey, SessionIV, ServerHost, ServerPort |
|------<-----------<-----------<-----------<-----------<-----------<----|
| |
CLIENT SERVER
Demo
Key Specifications
Asymmetric Keys
- Server key pair: 2048-bit RSA key, created with openssl
- Client key pair: 2048-bit RSA key, created with openssl
- CA key pair: 2048-bit RSA key, created with openssl
Symmetric Keys
- Session key: AES 128-bit key, used in CTR mode, created with SunJCE Provider