A toy VPN using OpenSSL. For educational use only. Based on this tutorial by SEED labs.
- SSL certificate-based verification of server
- Username/password-based verification of clients
- All network traffic encrypted using AES and signed with SHA-256
- Clients can dynamically change session keys
- Server supports multiple concurrent clients on a single port
- Administrators can add users on the server side
- Server uses a resource-inefficient thread-per-client model. However, the non-blocking state-machine design of the client handling code makes it relatively clean to replace this with a fixed-sized thread pool that multiplexes multiple clients across a single thread.
- Users cannot be removed nor can their passwords be changed. However, the backend infrastructure easily supports this; adding this feature would be mostly a matter of front-end (CLI) development.
- Authenticated clients are trusted completely. While there are no known vulnerabilities through which a client could disrupt the operation of the server or gain access to the server or other clients, there are opportunities for denial-of-service attacks for clients with valid credentials. For example, clients can indirectly cause the server to update its routing table, and thus direct traffic away from its intended destination.
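The two features above that matter most for the wire format, "encrypted using AES and signed with SHA-256" and "clients can dynamically change session keys", are easiest to understand with the record layout spelled out. The following is an added example, not minivpn's own code: it frames each record as header, ciphertext and HMAC-SHA256 tag (encrypt-then-MAC), checks the tag in constant time before anything else, rejects replayed and reflected records, and carries a key/IV update in-band, sealed under the current key. The header layout, 32-byte key, 16-byte IV and rekey message format are assumptions, and the payload cipher is a stand-in keystream derived with HMAC-SHA256 in counter mode so that the example runs with only the standard library; the project itself uses AES via OpenSSL.

```python
"""Added example (not the minivpn project's code): encrypt-then-MAC records
with HMAC-SHA256 and an in-band session rekey.  Record layout, key/IV sizes
and the rekey payload are assumed for illustration."""
import hashlib
import hmac
import os
import struct

KEY_LEN, IV_LEN, TAG_LEN = 32, 16, 32
TYPE_DATA, TYPE_REKEY = 0, 1
# type, direction (0 = client->server, 1 = server->client), 64-bit sequence number
HDR = struct.Struct("!BBQ")
ROLE = {"client": 0, "server": 1}


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 run in counter mode over the nonce.
    Only here so the example needs nothing outside the standard library; the
    real project encrypts with AES through OpenSSL."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Endpoint:
    """One side of the tunnel.  Both sides share key/iv; the header carries the
    sender's direction so a record cannot be reflected back to its sender."""

    def __init__(self, role: str, key: bytes, iv: bytes):
        self.role = ROLE[role]
        self.key, self.iv = key, iv
        self.send_seq = 0
        self.last_recv_seq = -1

    def _seal(self, mtype: int, plaintext: bytes) -> bytes:
        hdr = HDR.pack(mtype, self.role, self.send_seq)
        self.send_seq += 1
        # Session IV mixed with the authenticated header: a fresh keystream per record.
        ct = xor_bytes(plaintext, keystream(self.key, self.iv + hdr, len(plaintext)))
        tag = hmac.new(self.key, hdr + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return hdr + ct + tag

    def send_data(self, plaintext: bytes) -> bytes:
        return self._seal(TYPE_DATA, plaintext)

    def send_rekey(self, new_key: bytes, new_iv: bytes) -> bytes:
        """The rekey request is sealed under the CURRENT key, so only a peer that
        already holds the session key can change it; the sender switches afterwards."""
        record = self._seal(TYPE_REKEY, new_key + new_iv)
        self.key, self.iv = new_key, new_iv
        return record

    def receive(self, record: bytes):
        if len(record) < HDR.size + TAG_LEN:
            raise ValueError("record too short")
        hdr, ct, tag = record[:HDR.size], record[HDR.size:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time check, before anything else
            raise ValueError("bad MAC")
        mtype, direction, seq = HDR.unpack(hdr)
        if direction == self.role:
            raise ValueError("reflected record")
        if seq <= self.last_recv_seq:
            raise ValueError("replayed or out-of-order record")
        self.last_recv_seq = seq
        plaintext = xor_bytes(ct, keystream(self.key, self.iv + hdr, len(ct)))
        if mtype == TYPE_REKEY:
            if len(plaintext) != KEY_LEN + IV_LEN:
                raise ValueError("malformed rekey")
            self.key, self.iv = plaintext[:KEY_LEN], plaintext[KEY_LEN:]
            return None
        return plaintext


def _rejects(endpoint: Endpoint, record: bytes) -> bool:
    try:
        endpoint.receive(record)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Walk a constructed session through data, replay, reflection, a rekey from
    an outsider, a legitimate rekey, and a tampered record."""
    key, iv = os.urandom(KEY_LEN), os.urandom(IV_LEN)  # constructed session secrets
    client, server = Endpoint("client", key, iv), Endpoint("server", key, iv)
    results = {}
    first = client.send_data(b"hello over the tunnel")
    results["plaintext"] = server.receive(first)
    results["replay_rejected"] = _rejects(server, first)
    results["reflection_rejected"] = _rejects(client, first)
    # Someone without the session key cannot push a new key: the MAC fails.
    outsider = Endpoint("client", os.urandom(KEY_LEN), iv)
    results["foreign_rekey_rejected"] = _rejects(
        server, outsider.send_rekey(b"\x00" * KEY_LEN, b"\x00" * IV_LEN))
    # The real client rotates key and IV; traffic continues under the new secrets.
    new_key, new_iv = os.urandom(KEY_LEN), os.urandom(IV_LEN)
    server.receive(client.send_rekey(new_key, new_iv))
    after = client.send_data(b"after rekey")
    results["after_rekey"] = server.receive(after)
    results["keys_match"] = client.key == server.key and client.iv == server.iv
    tampered = after[:HDR.size] + bytes([after[HDR.size] ^ 0x01]) + after[HDR.size + 1:]
    results["tamper_rejected"] = _rejects(server, tampered)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of sealing the rekey record under the current key is that key rotation stays a privilege of the already-authenticated peer; an outsider's rekey never passes the MAC check, which is why it is rejected before the sequence or type fields are even parsed. A production implementation would additionally keep the old key for a short grace window so that records already in flight when the switch happens are not dropped.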
First build everything with `make`. You'll probably want to add `minivpn/bin` to your path.
Start a server:

```
minivpn-server start <network> <netmask>
```

Check if the server is running:

```
minivpn-server ping
```

Add users:

```
minivpn-server user add <username>
```

Start a client:

```
minivpn-client start <client-ip> <client-network> <client-netmask>
```

Check if the client is running:

```
minivpn-client ping
```

Stop the client:

```
minivpn-client stop
```

Change the session key and/or initialization vector:

```
minivpn-client update-session --key <file> --iv <file>
```