Skip to content

A host-to-host VPN implementation in Go based on IPsec's ESP protocol.

License

Notifications You must be signed in to change notification settings

BogdanIonesq/goipsec

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

84 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GoIPsec

GoIPsec represents my bachelor's thesis submitted to the Faculty of Mathematics and Computer Science — University of Bucharest.

GoIPsec is a VPN application implemented in the Go programming language, featuring IPsec ESP encapsulation of network packets. Therefore, GoIPsec is able to maintain a bidirectional secure tunnel between two devices, which could be used to bypass traffic monitoring techniques, IP address-based geo-blocking and many more.

Sounds cool! Where do I find stuff?

The actual thesis paper (along with its LaTeX template) can be found in the docs directory. It takes a deep dive into the risks of using public networks (such as the Internet) and how VPNs might help us mitigate them, while also analyzing IPsec, a very complex and flexible network protocol suite meant to address a plethora of security needs over networks.

Most of the code is located in the pkg directory. The gateway package does the most heavy lifting, while csum and glog provide checksum calculations and logging.

The Docker setup, including Docker Compose platforms and container dockerfiles, is available in deployments.

Setup

To test GoIPsec, simply clone this repository in your $GOPATH's src directory, or just run

$ go get github.com/BogdanIonesq/goipsec

After this, assuming you already have Docker and Docker Compose installed, run one of the YAML configuration files available in deployments:

$ cd $GOPATH/src/github.com/BogdanIonesq/goipsec/deployments
$ docker-compose -f goipsec-udp.yml up --abort-on-container-exit

The goipsec-udp.yml platform sends an UDP message from the client to simple netcat UDP server, while the goipsec-tcp.yml example completes a TCP handshake with an nginx instance, followed by a GET request and termination of the connection.

To make sure that GoIPsec actually secures (with regard to confidentiality and integrity) the data between the two VPN gateways, the network traffic for each container is written to logs/udp or logs/tcp, respectively.

Details

A GoIPsec VPN gateway relies on libpcap bindings through the gopacket library to capture the client's network packets (IPv4 or IPv6 datagrams) directly from the kernel.

Once such a packet is received, ESP encapsulation is applied, with encryption and integrity provided by AES-256 in CBC mode and HMAC-SHA512/256, respectively. Further UDP encapsulation is implemented for NAT traversal.

The server-side GoIPsec gateway is responsible with checking the integrity, decrypting packets, changing the IP source address and forwarding the packets to their actual destination.

About

A host-to-host VPN implementation in Go based on IPsec's ESP protocol.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages