|Last modified: Tue Mar 26 23:50:24 CET 2002||Index|
This is the homepage of taptunnel, a TCP/IP-application, which allows to create ethernet-tunnels over the Internet or any other TCP/IP-net. It uses the new ethertap-device of the Linux kernel 2.2 and above. (I believe some 2.1-Kernels have it too.) It is not much more than a quick hack, so don't expect too much of it.
It is a single-threaded program, which can be client, stand-alone server and INETD-based-server. There is not much difference between taptunnel acting as server and as client. The connection is encrypted with the routines of the cryptography-library mcrypt-nm of Nikos Mavroyanopoulos. Both hosts need to authenticate itself to the other. This is why two passwords are needed for TapTunnel's work.
Usage Usage example for server (host: tapserver.bogus.edu):
ifconfig tap0 192.168.88.88 up
taptunnel -vs -p 1980 -d /dev/tap0 -e 2 -l secret#1 -r secret#2
This means that verbosity is turned on (-v), this instance shall work as server (-s), port 1980 shall be used (-p), ethertap device '/dev/tap0' shall be used, encryption is done with TripleDES and the two secrets 'secret#1' (local, -l) and 'secret#2' (remote, -r) are used for encryption. After starting this instance, TapTunnel listens on port 1980 for inbound connections.
Usage example for corresponding client:
ifconfig tap0 192.168.88.89 up
taptunnel -vc -p 1980 -d /dev/tap0 -e 2 -l secret#2 -r secret#1 -m tapserver.bogus.edu
This means mostly the same as above, but new is the switch for configuring taptunnel als client (-c) and the switch for defining the hostname of the server to connect to (-m). After starting this instance of TapTunnel, the link should work. If the ping succeeded, everything went ok.
Usage example for configuration with INETD: Add the following to your /etc/inetd.conf:
time stream tcp nowait root.root /usr/sbin/taptunnel /usr/sbin/taptunnel -i -l secret1 -r secret2 -e 2 -d /dev/tap0
The switch -i is used for activating INETD-support. Problem: Because the BSD-INETD has no support for limiting the number of paralell instances, the tap-device may be opened by two client at the same time. None of them will work with no error. I suggest using XINETD instead of INETD.
Usage example for configuration with XINETD. Add the following to your /etc/xinetd.conf:
type = UNLISTED
port = 1980
user = root
group = root
socket_type = stream
protocol = tcp
wait = no
server = /usr/sbin/taptunnel
server_args = -i -l secret1 -r secret2 -e 2 -d /dev/tap0
instances = 1
The switch -i is used for activating XINETD-support. Important: Only one connection can be made with /dev/tap0, this is why the "instances = 1" is important.
Installation To run the taptunnel, you need Linux Kernel 2.2.x with compiled in ethertap-device and netlink-device-emulation. If you compile both as module you may activate autoload of the modules by adding
alias tap0 ethertap
alias char-major-36 netlink_dev
to your /etc/conf.modules or /etc/modules.conf.
Encryption The following encryption-algorithms are supported: Blowfish (0, 31.1ms), DES (1, 32.5ms), TripleDES (2, 46.2ms), 3-WAY (3, 32.2ms), GOST (4, 41.5ms), SAFER64 (6, 31.5ms), SAFER128 (7, 31.7ms), CAST128 (8, 30.8ms), TEAN (9, 32.1ms), TwoFISH (10, 31.6ms). The numbers in brackets are the encryption-ID used for the '-e'-switch. The time in 'ms' is the roundtrip-time for a ICMP-ECHO-packet (ping) over a TapTunnel-tunnel. These times where measured over a 100Mbps-Ethernet, with a Cyrix 6x86MX-233 as first host and a P133 as second host. Both running Linux 2.2.4. The Roundtrip-time without tunneling is 0.2ms. I suggest to use Blowfish-encryption, but you may choose what you want.
I don't know why, but the encryption has been broken on some way, it is now incredibly slow. Someone should fix this!
Pros and cons Advantages over other solutions like PPP over Telnet, PPTP are:
Disadvantages over other solutions:
Download Get the newest source-codes: taptunnel-0.31-source.tar.gz.
Get older source-codes: taptunnel-0.3-source.tar.gz, taptunnel-0.23-source.tar.gz, taptunnel-0.22-source.tar.gz, taptunnel-0.211-source.tar.gz, taptunnel-0.21-source.tar.gz, taptunnel-0.2-source.tar.gz, taptunnel-0.1-source.tar.gz.
Get the mcrypt-nm-library: http://mcrypt.hellug.gr/lib/.
8/31/00 Release 0.31: Taptunnel was not compilable.
8/29/00 Release 0.3: Some patches from Markus Westergren for disabling encryption.
8/16/00 Release 0.23: Compatibility with libmcrypt-nm 0.1.0.
12/29/99 Release 0.22: Makefile and compatibility for new mcrypt. Updated documentation.
6/19/99 Release 0.211: Some fixes.
3/29/99 Release 0.21: Fix for INETD-support.
3/28/99 Release 0.2: Complete Rewrite; Support for INETD; Strong encryption; Moved from C to C++.
2/6/99 Release 0.1: Initial release.
Compilation Just do a "make" and everything should be compiled.
Notice You must be root to access the tap-device. (The permissions of the tap-devices are ignored.)
Development was done on Intel with RedHat 5.1 and rechecked on Debian Slink and Potato. Some work was done to make the network-protocol system-independent, but I did never execute the program on non-Intel-machines.
|© 2000-2002 by Lennart Poettering||mzgncghaary (at) 0pointer (at) de|