SenseUnit / dtlspipe

Generic DTLS wrapper for UDP sessions
MIT License

How to run the service? #4

Closed liuxyon closed 1 year ago

liuxyon commented 1 year ago

I want to try running it on Ubuntu 23.04 and pfSense.

How do I run it as a service?

Snawoot commented 1 year ago

Hello, @liuxyon!

Deploying on Ubuntu and other Linux distros with systemd

1. Install the binary

Put the compiled dtlspipe binary at /usr/local/bin/dtlspipe.

2. Create systemd unit

Put a file with the following contents into /etc/systemd/system/dtlspipe-server.service:

[Unit]
Description=dtlspipe server
Documentation=https://github.com/Snawoot/dtlspipe/
After=network.target network-online.target
Requires=network-online.target

[Service]
EnvironmentFile=/etc/default/dtlspipe-server
DynamicUser=yes
StateDirectory=dtlspipe
Environment=HOME=%S/dtlspipe
ExecStart=/usr/local/bin/dtlspipe $OPTIONS
TimeoutStopSec=5s
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=default.target

3. Create configuration

Put a file with the following contents into /etc/default/dtlspipe-server:

OPTIONS=server 0.0.0.0:2815 127.0.0.1:56218
DTLSPIPE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

where OPTIONS are the corresponding command line arguments and DTLSPIPE_PSK is the PSK. We pass it as an environment variable to hide it from the process command line in process listings like ps -ef.

Set the actual listen address instead of 0.0.0.0:2815.

Set the actual destination UDP endpoint instead of 127.0.0.1:56218.

4. Enable and start the service

Execute the following commands as root:

systemctl daemon-reload
systemctl enable --now dtlspipe-server

Deploying on pfSense

You'll need to put the binary somewhere as well, e.g. /usr/local/bin/dtlspipe.

Then you should auto-start it with the arguments you need. Here is the pfSense documentation on how to do it: https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html

liuxyon commented 1 year ago

Does this tool use DTLS 1.3?

Snawoot commented 1 year ago

Does this tool use DTLS 1.3?

No, it operates DTLS 1.2 only.

liuxyon commented 1 year ago

Then is this option written in the config file like this? skip-hello-verify=true

liuxyon commented 1 year ago

Can you clarify how the various run option parameters are written in the configuration file?

Snawoot commented 1 year ago

Can you clarify how the various run option parameters are written in the configuration file?

Note that dtlspipe itself has no configuration files; it accepts only command line arguments. All files above are actually systemd files: a unit file and an env file with options. Please refer to the systemd documentation for further reference.

In the systemd case above, the words from OPTIONS go as-is into the command line arguments of the startup command /usr/local/bin/dtlspipe $OPTIONS. That means that in that example the actual command line run is: /usr/local/bin/dtlspipe server 0.0.0.0:2815 127.0.0.1:56218, which corresponds to the command line for server operation.

If you need to add the option -skip-hello-verify, then your /etc/default/dtlspipe-server will look like this:

OPTIONS= -skip-hello-verify server 0.0.0.0:2815 127.0.0.1:56218
DTLSPIPE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

liuxyon commented 1 year ago

OK. Then on the pfSense FreeBSD system, put the file at /root/dtlspipe/dtlspipe.freebsd-amd64 and the file dtlspipe-client, and add nohup /root/dtlspipe/dtlspipe.freebsd-amd64 -c /root/dtlspipe/dtlspipe-client > /dev/null 2>&1 & in the pfSense shellcmd. Is that right?

Snawoot commented 1 year ago

@liuxyon not sure if nohup is needed at all; maybe you can even get away with just /root/dtlspipe/dtlspipe.freebsd-amd64 client ... ... > /dev/null 2>&1. But yes, you got the idea. It may take a bit of experimentation, though.

Snawoot commented 1 year ago

And once again, it does not support config files, only command line arguments. See the Usage and Synopsis sections of the documentation.

liuxyon commented 1 year ago

Thanks! The connection is successful using IPv4; is it possible to connect using IPv6? server [::]:2815 [::1]:56218 Is that right?

In addition, I would like to know how many additional header bytes DTLS will add to the MTU?

Snawoot commented 1 year ago

Thanks! The connection is successful using IPv4; is it possible to connect using IPv6? server [::]:2815 [::1]:56218 Is that right?

Yes, you may use any combination between endpoints. E.g. [::]:2815 127.0.0.1:56218 will work as well.

In addition, I would like to know how many additional header bytes DTLS will add to the MTU?

It might depend on the negotiated ciphersuite, but the last time I checked I think it was between 29 and 81 bytes. So, I guess, subtract 100 from the MTU for good measure. Or check the exact numbers with tcpdump/wireshark.
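
The per-record overhead quoted above can be computed from the DTLS 1.2 record format instead of guessed. The following Go program is an added example written for this page, not code from dtlspipe or pion/dtls. It assumes the standard TLS 1.2 record-protection sizes (RFC 6347 record header, RFC 5288 GCM, RFC 6655 CCM, RFC 5246 CBC with HMAC), a 1500-byte path MTU for the printed table, and a 32-byte WireGuard transport overhead; the suite-name families it recognises are those of the PSK suites discussed in this thread, so other suites return an error rather than a wrong number. It goes beyond the single figure above by turning the overhead into the MTU to set on a tunnel carried through dtlspipe.

```go
package main

import (
	"fmt"
	"strings"
)

// DTLS 1.2 record header (RFC 6347 §4.1): ContentType(1) + ProtocolVersion(2)
// + epoch(2) + sequence_number(6) + length(2).
const dtlsRecordHeader = 13

// WireGuard transport data message overhead: type(4) + receiver(4) + counter(8)
// + Poly1305 tag(16). Used only to turn the DTLS budget into a tunnel MTU.
const wireGuardOverhead = 32

// ipUDPOverhead is the outer IP + UDP header size carrying the DTLS records.
func ipUDPOverhead(ipv6 bool) int {
	if ipv6 {
		return 40 + 8
	}
	return 20 + 8
}

// CipherOverhead returns the minimum and maximum bytes a TLS 1.2 cipher suite's
// record protection adds to one record (explicit nonce/IV, MAC or AEAD tag,
// CBC padding). Suite names may use '-' or '_' as separators.
func CipherOverhead(suite string) (lo, hi int, err error) {
	s := strings.ToUpper(strings.ReplaceAll(suite, "-", "_"))
	switch {
	case strings.Contains(s, "_GCM_"):
		// RFC 5288: 8-byte explicit nonce + 16-byte authentication tag.
		return 8 + 16, 8 + 16, nil
	case strings.HasSuffix(s, "_CCM_8"):
		// RFC 6655: 8-byte explicit nonce + truncated 8-byte tag.
		return 8 + 8, 8 + 8, nil
	case strings.HasSuffix(s, "_CCM"):
		// RFC 6655: 8-byte explicit nonce + 16-byte tag.
		return 8 + 16, 8 + 16, nil
	case strings.Contains(s, "_CBC_"):
		var mac int
		switch {
		case strings.HasSuffix(s, "_SHA"):
			mac = 20
		case strings.HasSuffix(s, "_SHA256"):
			mac = 32
		case strings.HasSuffix(s, "_SHA384"):
			mac = 48
		default:
			return 0, 0, fmt.Errorf("unknown MAC in suite %q", suite)
		}
		// TLS 1.1+ CBC (RFC 5246 §6.2.3.2): 16-byte explicit IV + MAC + padding.
		// Padding, including the padding_length byte, is 1..16 bytes for AES.
		return 16 + mac + 1, 16 + mac + 16, nil
	}
	return 0, 0, fmt.Errorf("unsupported suite %q", suite)
}

// InnerMTU is the largest UDP payload the wrapped application may hand to
// dtlspipe so that, after DTLS record protection (worst-case padding) and the
// outer IP/UDP headers, the datagram still fits into pathMTU bytes.
func InnerMTU(pathMTU int, ipv6 bool, suite string) (int, error) {
	_, hi, err := CipherOverhead(suite)
	if err != nil {
		return 0, err
	}
	return pathMTU - ipUDPOverhead(ipv6) - dtlsRecordHeader - hi, nil
}

// WireGuardMTU is the interface MTU to configure on a WireGuard tunnel whose
// UDP packets are forwarded through dtlspipe over the given path.
func WireGuardMTU(pathMTU int, ipv6 bool, suite string) (int, error) {
	inner, err := InnerMTU(pathMTU, ipv6, suite)
	if err != nil {
		return 0, err
	}
	return inner - wireGuardOverhead, nil
}

func main() {
	suites := []string{
		"TLS_PSK_WITH_AES_128_GCM_SHA256",
		"TLS_PSK_WITH_AES_128_CCM_8",
		"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
	}
	for _, s := range suites {
		lo, hi, _ := CipherOverhead(s)
		v4, _ := WireGuardMTU(1500, false, s)
		v6, _ := WireGuardMTU(1500, true, s)
		fmt.Printf("%-40s DTLS overhead %2d..%2d bytes  WG MTU v4=%d v6=%d\n",
			s, dtlsRecordHeader+lo, dtlsRecordHeader+hi, v4, v6)
	}
}
```

With these constants the AES-GCM suite from this thread adds 37 bytes per record, CCM_8 adds 29 and AES-128-CBC-SHA256 adds 62 to 77, so the "29 to 81" range above and the "subtract 100" rule of thumb are consistent with the record format. On a 1500-byte path the tunnel budget is 1403 bytes over IPv4 but 1383 over IPv6 for the GCM suite, which is below the 1390 mentioned later in the thread; the exact per-packet numbers are still best confirmed with tcpdump or Wireshark on the outer interface.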

liuxyon commented 1 year ago

How do I get the list of DTLS 1.2 ciphers? What is the default ciphers value? When can I upgrade to DTLS 1.3? Now I am using WG MTU 1390 for testing.

Options: -ciphers value

I saw some articles saying that DTLS 1.3 has better performance: https://www.wolfssl.com/whats-new-dtls-1-3/ https://inria.hal.science/hal-03035402/document

liuxyon commented 1 year ago

The client side using IPv6 shows an error: /root/dtlspipe/dtlspipe: No match. It can't run. Using a remote IPv4 address is normal.

Snawoot commented 1 year ago

How do I get the list of DTLS 1.2 ciphers?

With the dtlspipe ciphers command. It's mentioned in the help.

What is the default ciphers value?

By default the cipher list from the dtlspipe ciphers subcommand is used. Client and server negotiate the first common cipher from their lists (which can be set with the -ciphers option).

When can I upgrade to DTLS 1.3? Now I am using WG MTU 1390 for testing.

Options: -ciphers value

I saw some articles saying that DTLS 1.3 has better performance: https://www.wolfssl.com/whats-new-dtls-1-3/ https://inria.hal.science/hal-03035402/document

DTLS 1.3 will be available as soon as the pion/dtls library supports it.

Snawoot commented 1 year ago

The client side using IPv6 shows an error: /root/dtlspipe/dtlspipe: No match. It can't run. Using a remote IPv4 address is normal.

I tested; it works for me.

liuxyon commented 1 year ago

I tested on pfSense; it shows:

nohup /root/dtlspipe/dtlspipe -timeout 60s -psk 7fd671ac4699ad3c859907163f30d921 client 10.50.1.254:62116 [2a0d:2408:515::1]:39880
/root/dtlspipe/dtlspipe: No match.

liuxyon commented 1 year ago

Under what circumstances will No match occur?

Snawoot commented 1 year ago

@liuxyon can't tell for sure. It looks like this error comes not from dtlspipe but from the shell, even before the program is run. Can you please try to put the IPv6 address argument in single quotes, like this:

nohup /root/dtlspipe/dtlspipe -timeout 60s -psk 7fd671ac4699ad3c859907163f30d921 client 10.50.1.254:62116 '[2a0d:2408:515::1]:39880'

liuxyon commented 1 year ago

Using ' ' it runs, but the handshake with the remote server fails:

DTLSPIPE: 2023/09/29 18:50:27.713577 client.go:108: DTL handshake with remote server failed: handshake error: context deadline exceeded
DTLSPIPE: 2023/09/29 18:50:27.713669 client.go:109: [-] conn 10.50.1.254:62116 <=> 10.50.1.254:51821
DTLSPIPE: 2023/09/29 18:50:28.393000 client.go:93: [+] conn 10.50.1.254:62116 <=> 10.50.1.254:51821

liuxyon commented 1 year ago

systemctl status dtlspipe-server
● dtlspipe-server.service - dtlspipe server
     Loaded: loaded (/etc/systemd/system/dtlspipe-server.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-09-29 18:49:09 HKT; 6min ago
       Docs: https://github.com/Snawoot/dtlspipe/
   Main PID: 24645 (dtlspipe)
      Tasks: 5 (limit: 2182)
     Memory: 2.5M
        CPU: 14ms
     CGroup: /system.slice/dtlspipe-server.service
             └─24645 /usr/local/bin/dtlspipe -skip-hello-verify -timeout 60s -ciphers TLS_PSK_WITH_AES_128_GCM_SHA256 server "[::]:39880" "[::]:39780"

Sep 29 18:49:09 uk.xiaoyu.net systemd[1]: Started dtlspipe-server.service - dtlspipe server.
Sep 29 18:49:09 uk.xiaoyu.net dtlspipe[24645]: DTLSPIPE: 2023/09/29 18:49:09.985154 main.go:137: starting dtlspipe server: [::]:39880 =[unwrap from DTLS]=> [::]:39780

systemctl status dtlspipe-server
● dtlspipe-server.service - dtlspipe server
     Loaded: loaded (/etc/systemd/system/dtlspipe-server.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-09-29 18:40:43 HKT; 4min 56s ago
       Docs: https://github.com/Snawoot/dtlspipe/
   Main PID: 24499 (dtlspipe)
      Tasks: 5 (limit: 2182)
     Memory: 2.5M
        CPU: 10ms
     CGroup: /system.slice/dtlspipe-server.service
             └─24499 /usr/local/bin/dtlspipe -skip-hello-verify -timeout 60s -ciphers TLS_PSK_WITH_AES_128_GCM_SHA256 server "[::]:39880" 127.0.0.1:39780

liuxyon commented 1 year ago

Using server "[::]:39880" "[2a0d:2408:515::1]:39780" and restarting the pfSense system, it works.

Snawoot commented 1 year ago

  1. Check that the PSK on server and client is the same.
  2. Check that the server is reachable via IPv6 at all:
    1. Check that the firewall doesn't block access on this port.
    2. Check that the IPv6 address is added on the interface of your server machine. It may happen that IPv6 is enabled in the hosting panel but still not enabled on the machine itself.

You may also check IPv6 on both the client and server machine with the following command: curl https://api6.ipify.org. It should output the public IPv6 address.

liuxyon commented 1 year ago

Here it shows that PSK is weak. Is it considered more secure? https://ciphersuite.info/cs/TLS_PSK_WITH_AES_128_GCM_SHA256/ Weak TLS_PSK_WITH_AES_128_GCM_SHA256

liuxyon commented 1 year ago

In addition, how do I deploy the service on Windows 11, Windows Server 2022 and Android systems?

Snawoot commented 1 year ago

Here it shows that PSK is weak. Is it considered more secure?

It lacks perfect forward secrecy, but is still good. Or, if you really need that property, use TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256.

In addition, how to deploy services on windows 11 ,windows server 2022 and andriod system?

Deploying on Windows as a background service

Method 1

Use task scheduler to run command in background: https://pureinfotech.com/prevent-command-window-appearing-scheduled-tasks-windows-10/

Method 2

Use simple VBS wrapper to run a program without window: https://superuser.com/questions/1168587/how-to-run-an-exe-application-as-a-background-task-on-startup/1619817#1619817

Method 3 (best option)

Use NSSM to run any command as a service: https://nssm.cc/usage

Method 4

Use srvstart to run any command as a service: https://github.com/rozanski/srvstart

Deploying on Android

Just use some terminal emulator to run the command. One convenient option is Qute, which has shortcuts and autostart, as far as I remember.
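
The forward-secrecy point in the reply above can be shown concretely from how TLS 1.2 builds the premaster secret for the two suite families. The Go program below is an added example written for this page, not code from dtlspipe or pion/dtls. It implements the premaster layout of RFC 4279 (plain PSK suites) and RFC 5489 (ECDHE-PSK suites) and runs the ephemeral exchange with X25519 for illustration; pion/dtls also offers P-256, and the curve does not change the argument. The PSK in main is a constructed demo value, and the master-secret PRF and record keys are not implemented: they depend only on the premaster plus the public hello randoms, so whoever can recompute the premaster from a capture can derive everything else.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// premaster lays out the TLS 1.2 PSK premaster secret (RFC 4279 §2):
//   uint16 len(other_secret) || other_secret || uint16 len(psk) || psk
func premaster(otherSecret, psk []byte) []byte {
	out := make([]byte, 0, 4+len(otherSecret)+len(psk))
	out = binary.BigEndian.AppendUint16(out, uint16(len(otherSecret)))
	out = append(out, otherSecret...)
	out = binary.BigEndian.AppendUint16(out, uint16(len(psk)))
	return append(out, psk...)
}

// PlainPSKPremaster is what TLS_PSK_* suites derive keys from: other_secret is
// just len(psk) zero octets, so the value is a pure function of the PSK.
// Anyone who later obtains the PSK and a packet capture recomputes it exactly.
func PlainPSKPremaster(psk []byte) []byte {
	return premaster(make([]byte, len(psk)), psk)
}

// ECDHEPSKPremaster is the TLS_ECDHE_PSK_* variant (RFC 5489): other_secret is
// the ECDH shared secret of this party's ephemeral key and the peer's public key.
func ECDHEPSKPremaster(own *ecdh.PrivateKey, peer *ecdh.PublicKey, psk []byte) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return premaster(shared, psk), nil
}

// Session holds what a passive observer records from one ECDHE-PSK handshake
// (both ephemeral public keys travel in the clear) plus the premaster each side
// computed with its own private key, which is discarded after the handshake.
type Session struct {
	ClientPub, ServerPub       *ecdh.PublicKey
	ClientSecret, ServerSecret []byte
}

// RunECDHEPSK performs the ephemeral key exchange of one handshake with X25519.
func RunECDHEPSK(psk []byte) (*Session, error) {
	curve := ecdh.X25519()
	clientKey, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	serverKey, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	cs, err := ECDHEPSKPremaster(clientKey, serverKey.PublicKey(), psk)
	if err != nil {
		return nil, err
	}
	ss, err := ECDHEPSKPremaster(serverKey, clientKey.PublicKey(), psk)
	if err != nil {
		return nil, err
	}
	return &Session{clientKey.PublicKey(), serverKey.PublicKey(), cs, ss}, nil
}

func main() {
	psk := []byte("0123456789abcdef") // constructed demo PSK, not a real key

	// Plain PSK: two "sessions" with the same PSK share one premaster, and an
	// attacker who learns the PSK later reproduces it from the capture alone.
	plain := PlainPSKPremaster(psk)
	fmt.Printf("plain PSK premaster:  %x\n", plain)
	fmt.Println("recomputed from leaked PSK matches:", bytes.Equal(PlainPSKPremaster(psk), plain))

	// ECDHE-PSK: both sides agree, but each session mixes in fresh ephemeral
	// keys, so a leaked PSK plus the recorded public keys is not enough.
	s1, _ := RunECDHEPSK(psk)
	s2, _ := RunECDHEPSK(psk)
	fmt.Printf("ECDHE-PSK session 1:  %x\n", s1.ClientSecret)
	fmt.Printf("ECDHE-PSK session 2:  %x\n", s2.ClientSecret)
	fmt.Println("sides agree:", bytes.Equal(s1.ClientSecret, s1.ServerSecret),
		"sessions differ:", !bytes.Equal(s1.ClientSecret, s2.ClientSecret))
}
```

The trade in the reply is visible here: ECDHE-PSK buys forward secrecy at the cost of a key exchange per handshake, and the only ECDHE-PSK suite named in this thread pairs it with CBC+HMAC rather than an AEAD, so the choice is between forward secrecy and a GCM record layer, not a strict upgrade. The PSK still authenticates both peers in either case, so it should be generated from a CSPRNG and kept out of shell history and process listings as the env-file deployment above does.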

liuxyon commented 1 year ago

Does it support multiple configurations running simultaneously? For example:

OPTIONS= -skip-hello-verify -timeout 60s -ciphers TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 server 0.0.0.0:39883 127.0.0.1:39781
DTLSPIPE_PSK=

OPTIONS= -skip-hello-verify -timeout 60s -ciphers TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 server 0.0.0.0:39885 127.0.0.1:39782
DTLSPIPE_PSK=

Snawoot commented 1 year ago

Just run multiple instances of application.

Snawoot commented 1 year ago

https://fedoramagazine.org/systemd-template-unit-files/

liuxyon commented 1 year ago

What do I change in dtlspipe-server.service?

Snawoot commented 1 year ago

What do I change in dtlspipe-server.service?

1. Clean up the old unit

systemctl disable --now dtlspipe-server

2. Rename the file /etc/systemd/system/dtlspipe-server.service to /etc/systemd/system/dtlspipe-server@.service

3. Make its content look like this:

[Unit]
Description=dtlspipe server
Documentation=https://github.com/Snawoot/dtlspipe/
After=network.target network-online.target
Requires=network-online.target

[Service]
EnvironmentFile=/etc/default/dtlspipe-server-%i
DynamicUser=yes
StateDirectory=dtlspipe
Environment=HOME=%S/dtlspipe
ExecStart=/usr/local/bin/dtlspipe $OPTIONS
TimeoutStopSec=5s
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=default.target

Note that EnvironmentFile is now parametrized by the name of the dtlspipe instance.

4. Apply systemd configuration

systemctl daemon-reload

5. Create environment files (configs) for each instance

For example, let's say we need two dtlspipe instances, for Alice and Bob. Then we need to create the following files:

/etc/default/dtlspipe-server-alice:

OPTIONS= -skip-hello-verify -timeout 60s -ciphers TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 server 0.0.0.0:39883 127.0.0.1:39781
DTLSPIPE_PSK=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

/etc/default/dtlspipe-server-bob:

OPTIONS= -skip-hello-verify -timeout 60s -ciphers TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 server 0.0.0.0:39885 127.0.0.1:39782
DTLSPIPE_PSK=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

6. Enable and start Alice and Bob instances

systemctl enable --now dtlspipe-server@alice
systemctl enable --now dtlspipe-server@bob

liuxyon commented 1 year ago

Ha ha. Thank you. You are so patient... I feel like I have too many ideas...

liuxyon commented 1 year ago

I think you should create a Telegram group.

Snawoot commented 1 year ago

good idea!

Snawoot commented 1 year ago

Made a typo: it's %i instead of $i. I updated the comment.

liuxyon commented 1 year ago

You create it and I will join the TG.

Snawoot commented 1 year ago

https://t.me/dtlspipe