Private networking the easy way

Simple Secret


SocialVPN offers a quick and easy approach to setting up a secure connection for communicating and exchanging data.

By Christoph Langner

Stefan Redel, Fotolia

Imagine you want to take control of a friend's desktop but don't know how to set up your router to handle the port forwarding required. Or maybe you want to use an encrypted connection to exchange confidential data but are worried about the complexity of setting up a VPN server. SocialVPN provides a simple approach to exchanging data via an encrypted channel across networks and through routers.

Virtual private networks, or VPNs, have proven their value as an efficient and secure means for exchanging data between computers over the Internet. The computers on a VPN act as if they are on the same local network - so you can use services such as Samba, RDP, VNC, or SSH without any danger of an intruder sniffing them. Of course, a typical VPN requires a good deal of configuration, from the server through port forwarding on the router. Because of this, products such as Hamachi [1], which supports VPN through firewalls and routers without needing complex configuration, have established themselves. Unfortunately, Hamachi is closed source software, and nobody in the Linux community can vouch for the security of the VPN.

On top of this, the company behind the software, LogMeIn, levies a license fee for commercial use, and you always need an account with LogMeIn. Worse still, the Linux variant of the software is not well maintained, and LogMeIn does not offer a GUI.

The SocialVPN project [2] offers a GPL2-licensed alternative to the commercial product with the same functionality. SocialVPN is currently available for Windows and Linux; a version for Mac OS X is currently in the alpha phase.

Introducing SocialVPN

SocialVPN combines the work of three open source projects to set up a VPN between any number of hosts. The Brunet [3] library supports peer-to-peer networks through routers without needing to forward ports from the router to the computer behind it. IPOP [4] handles routing the packets between networks, whereas the Jabber Net XMPP [5] interface authenticates users and exchanges keys via a secure channel. Additionally, SocialVPN has an easy-to-use, web-based front end.

Because you need to authenticate via Jabber, you will need an account on a matching server to use SocialVPN. If you have a mail account with a webmail provider, such as Google Mail or GMX, you already automatically have a Jabber account.

Your Jabber address will be exactly the same as your mail address - that is, joe.public@gmail.com (joe.public@gmx.net). If you don't have a Jabber account right now, public Jabber servers are listed on the jabberes.org site [6], and you can sign up with one of them to open an account.

Installation

On Linux, you also need the Mono runtime environment. Ubuntu installs Mono out of the box, and you can use the package manager on other distributions to do so.

Installing SocialVPN is fairly easy once you have Mono. Just download the program archive [7], unpack it, and run the setup.sh script without root privileges to configure it (Listing 1); enter your Jabber ID, a hostname, and a username in the setup dialog.

The script lets you generate individual certificates. If you want to run SocialVPN on Windows, you need to install Microsoft .NET Framework [8] first. Instead of running setup.sh, you would then execute setup.cmd by double-clicking the program icon. The first step in the script attempts to uninstall any existing SocialVPN installation (even if you don't have one) and then install the current version. The device drivers are not signed, so you will need to click to accept the warning that the installation routine shows you.

Listing 1: Installing SocialVPN
$ ./setup.sh
Enter userid (jabberid@host.com): joe.public@jabber.example.com
Enter PCID (home-pc): samplehost
Enter Name (Jane Doe): Joe Public
Creating certificate...
Certificate creation successful
Run ./socialvpn as root

Starting the VPN

After completing the installation, you can start the VPN on Linux by running the socialvpn script (Listing 2). Note that you must be root to set up the routes and the virtual network interface. Assuming the script doesn't report any errors, you can then launch your web browser and type http://127.0.0.1:58888 in the address bar. This takes you to the SocialVPN web front end.

Launching SocialVPN on Windows is pretty much the same as on Linux. To start or stop the VPN, just run the start_socialvpn and stop_socialvpn scripts, respectively. On Windows Vista or Windows 7, you will need to right-click the script icon and select Run as administrator; otherwise the virtual network interface cannot be configured.

Listing 2: Running the socialvpn Script
$ sudo ./socialvpn
Set 'tapipop' nonpersistent
Set 'tapipop' persistent and owned by uid 1000
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/tapipop/0e:b0:52:6e:66:f7
Sending on   LPF/tapipop/0e:b0:52:6e:66:f7
Sending on   Socket/fallback
DHCPDISCOVER on tapipop to 255.255.255.255 port 67 interval 3
DHCPOFFER of 172.31.0.2 from 172.31.0.1
DHCPREQUEST of 172.31.0.2 on tapipop to 255.255.255.255 port 67
DHCPACK of 172.31.0.2 from 172.31.0.1
* Reloading /etc/samba/smb.conf smbd only
...done.
bound to 172.31.0.2 -- renewal in 1294 seconds.
Point your browser to http://127.0.0.1:58888

Adding Contacts

Once you and your VPN partner have set up and started SocialVPN, you need to add contacts to SocialVPN just as you would for an instant messaging program. To do so, click Login and sign in to the server with your Jabber ID and matching password. After logging in, you will see an Online message next to the login link.

After logging in, you can add your VPN contacts. The web front end gives you an Add Friends link for this. In the input mask, type your contact in the format Jabber ID Fingerprint (Figure 1), as in jane.public@jabber.example.com SVPN:123456789. It is not sufficient to just know a contact's Jabber ID; you additionally need the fingerprint of the contact's SocialVPN client to set up the VPN connection.

Figure 1: Adding SocialVPN contacts.

Make sure you use a secure communications channel to exchange fingerprints with your contacts; otherwise, you are inviting intruders to hijack your VPN. To communicate bi-directionally, you should also send your own Jabber ID and fingerprint to your contact so that they can add you to their contact list.
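As an added example (not part of the original article or the SocialVPN project), here is a small Python check that parses Add Friends entries in the Jabber ID SVPN:fingerprint format and compares them with fingerprints you confirmed over a separate channel, so a changed or unconfirmed fingerprint is caught before the contact is added. The contact names, fingerprints and the check_contacts helper are assumptions.

```python
import re

# One contact per line in the Add Friends mask: "<Jabber ID> SVPN:<fingerprint>"
# (the format shown in the article); only that shape is accepted.
CONTACT_RE = re.compile(r"^(?P<jid>[^\s@/]+@[^\s@/]+)\s+SVPN:(?P<fp>[0-9A-Za-z]+)$")

def parse_contact(line):
    """Split one contact line into (jabber_id, fingerprint); None if malformed."""
    m = CONTACT_RE.match(line.strip())
    if m is None:
        return None
    # Lower-case the Jabber ID so differently cased spellings pin one fingerprint.
    return m.group("jid").lower(), m.group("fp")

def check_contacts(lines, trusted):
    """Classify contact lines against fingerprints confirmed out of band.

    trusted maps a Jabber ID to the fingerprint its owner gave you over a
    channel you already trust (in person, by phone, a verified chat).
    Returns [(jabber_id_or_raw_line, status)] with status one of:
      ok          matches the out-of-band fingerprint
      mismatch    known Jabber ID, different fingerprint: do not add it
      unverified  no out-of-band fingerprint yet: ask before adding
      malformed   not in "<Jabber ID> SVPN:<fingerprint>" form
    """
    pinned = {jid.lower(): fp for jid, fp in trusted.items()}
    results = []
    for line in lines:
        parsed = parse_contact(line)
        if parsed is None:
            results.append((line, "malformed"))
            continue
        jid, fp = parsed
        if jid not in pinned:
            results.append((jid, "unverified"))
        elif pinned[jid] == fp:
            results.append((jid, "ok"))
        else:
            results.append((jid, "mismatch"))
    return results

# Constructed sample: lines typed into the mask, and fingerprints confirmed by phone.
SAMPLE_LINES = [
    "jane.public@jabber.example.com SVPN:123456789",
    "bob@jabber.example.com SVPN:111111111",
    "eve@jabber.example.com SVPN:999999999",
    "not a contact line",
]
SAMPLE_TRUSTED = {"jane.public@jabber.example.com": "123456789",
                  "bob@jabber.example.com": "222222222"}
```

Only entries reported as ok should be pasted into the Add Friends mask; a mismatch means the fingerprint you were sent differs from the one the contact confirmed to you.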

Once you and your contacts have entered the required Jabber IDs and fingerprints, your contacts will be shown as Online. At this point, your computers are networked, and you will see your contacts' IPs and hostnames in the front end (Figure 2) that you can use to communicate with them. As an initial test, you could try to ping the computer at the other end of the connection, as in ping samplehost.joe.public.jabber.example.ipop or ping 172.38.12.34. The SocialVPN web front end will give you the details you need for this.

Figure 2: SocialVPN lists your contacts and their network data in the front end.

If the ping works, you can then begin using more complex services. Note that SocialVPN only gives you a network between the remote machines; it does not provide services for forwarding desktops or files. If you need help desk-style support, VNC is probably a better choice; or you could try an SSH login. Samba or FTP let you exchange data.

In our lab, Avahi-based services turned out to be particularly effective. For example, we had no trouble using Vinagre/Vino to control the desktop on the remote host, to chat via Pidgin and Bonjour, or to transfer files and folders using Giver, without needing to set up the corresponding servers in advance.

Conclusions

SocialVPN is really useful for working around obstacles caused by NAT routers between two computers with an Internet connection. If you want to play a network game with friends that will only run on a LAN, but not across the web, or if you want to use VNC to troubleshoot a friend's desktop without worrying about port forwarding or SSH tunnels, SocialVPN is a very good choice. Setting up a VPN between two or more computers is a fast and easy experience.

That said, SocialVPN will not help you with more complex tasks. We were unable to use SocialVPN to set up a VPN from a network in which the firewall blocked all outgoing connections and only allowed HTTP and HTTPS via a proxy. We were also unable to run SocialVPN on top of another VPN connection. It is thus impossible to use SocialVPN in a network that only has a VPN interface.

SocialVPN is perfect for setting up a virtual private network quickly and easily on machines with different operating systems. Small businesses, or home users in particular, who use DSL to connect to the Internet will benefit from SocialVPN because it removes the need for complex network configuration. A setup program for Windows and packages for various Linux distributions, however, could simplify things even more.

INFO
[1] Hamachi: https://secure.logmein.com/products/hamachi2/
[2] SocialVPN: http://socialvpn.wordpress.com
[3] Brunet: http://github.com/johnynek/brunet/tree
[4] IPOP: http://www.grid-appliance.org/wiki/index.php/IPOP
[5] Jabber-Net-XMPP-API: http://code.google.com/p/jabber-net/
[6] List of public Jabber servers: http://www.jabberes.org/servers/
[7] SocialVPN download: http://code.google.com/p/socialvpn/downloads/list
[8] Microsoft .NET Framework 3.5: http://tinyurl.com/lu1002-dotnet
THE AUTHOR

Christoph Langner works in test management for PTV in Karlsruhe, Germany, and has been an active member of the open source software scene for many years. You can read his GNU/Linux-related blog at http://linuxundich.de.