Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Onion routing wireguard #7

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Conversation

JeWe37
Copy link
Contributor

@JeWe37 JeWe37 commented Aug 24, 2022

One of the things that are made especially easy by using namespaces is to layer multiple wireguard connections inside of one another. Normally stacking VPN connections like this is done through things like having multiple separate VPN gateways that are each using each other, but namespaces make this far simpler and eliminate the need for having multiple VMs or the like.

Stacking VPN connections like this allows for potentially enhanced security, as there are now additional points of failure.

This PR adds this functionality to the services. It can be used by simply adding further wireguard connection information to the first 5 keys in the config file, each being separated by a space.

Submitting this as WIP as I have yet to fix up the documentation, but as my bash is... lacking to say the least I'd appreciate some comments wrt any potential issues that might arise from this implementation.

My branch also includes the deactivation of the tunnel from your other branch, as that would be handy for my usecase. If there is any reason you do not want to merge that alongside this functionality already I can rebase everything. Same applies if you require a cleaner commit history.

Performance is not horrible with good VPN providers actually. 250Mb/s+ are possible(My home connection is 1Gb/s). It could be better and I do think some tuning to the MTUs could further improve what I'm seeing but it's certainly far better than the likes of TOR even when also using 3 layers.

@chrisbouchard chrisbouchard self-assigned this Aug 28, 2022
@JeWe37
Copy link
Contributor Author

JeWe37 commented Aug 31, 2022

Previously the speeds were rather bad as a result of incorrectly set MTUs, that has now been resolved. Everything is handled automatically and you can set the top level MTU in the config file. This way I am seeing a very reasonable amount of overhead, around 10% per additional VPN layer, on my connection something like 600Mbps for 3 layers.

@JeWe37 JeWe37 marked this pull request as ready for review August 31, 2022 14:53
@chrisbouchard
Copy link
Owner

Finally getting a chance to look this over. Thanks for the contribution and for being patient. 👍

Copy link
Owner

@chrisbouchard chrisbouchard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've looked over the code changes, and they seem reasonable. Just a couple small comments.

One higher-level thought: Do we need to solve the onion routing configuration with shell script, or could we solve it more generally by making the systemd config more generic. E.g., if we turned the service into a template service, could we create a set-up where each layer depends on the netns created by the previous layer.

If we could solve the problem that way, I feel like it would be nicer. That would give each layer its own config, rather than having to line up values by index.

bin/namespaced-wireguard-vpn-interface Outdated Show resolved Hide resolved
bin/namespaced-wireguard-vpn-tunnel Outdated Show resolved Hide resolved
conf/namespaced-wireguard-vpn.conf Show resolved Hide resolved
@JeWe37
Copy link
Contributor Author

JeWe37 commented Sep 2, 2022

I think an architecture relying more heavily on systemd is definitely possible... I suppose you could have the part that creates subsequent namespaces be executed inside of the previously created namespaces. Main issue I can think of is that the MTUs couldn't be set automatically as they are currently, but that would be a rather minor drawback. Perhaps this is an idea for the future, but I think I'll fix up this version here first of all.

@chrisbouchard
Copy link
Owner

chrisbouchard commented Sep 2, 2022

Would you be willing to make a merge request with just the MTU changes for a one-layer VPN? I'd be very willing to merge that, and I think it will be necessary with any approach. I'll also merge my open pull request to disable the tunnel. I'd like to think a little more before committing to a path with onion-layering.

@chrisbouchard
Copy link
Owner

Thanks for splitting that off. I'll try to wrap my head around onion routing.

@JeWe37
Copy link
Contributor Author

JeWe37 commented Sep 9, 2022

Now testing with actual VPNs I've noticed a few issues still. I've got it fixed and will see about cleaning up the fixes and committing them.

I've looked over the code changes, and they seem reasonable. Just a couple small comments.

One higher-level thought: Do we need to solve the onion routing configuration with shell script, or could we solve it more generally by making the systemd config more generic. E.g., if we turned the service into a template service, could we create a set-up where each layer depends on the netns created by the previous layer.

If we could solve the problem that way, I feel like it would be nicer. That would give each layer its own config, rather than having to line up values by index.

This is somewhat complicated by #9, because we cannot use the namespace joining anymore, after all many VPN providers give domain name end points. Therefore I'm not fully sure that solution is all that viable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants