extern/EtherGuard-VPN
1
0
Fork 0
mirror of https://github.com/KusakabeShi/EtherGuard-VPN.git synced 2025-08-17 20:27:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update readme.md

Browse Source
This commit is contained in:
Kusakabe Si
2021-12-12 18:05:58 +00:00
parent 3f6001dcdf
commit 350a7e43f6
12 changed files with 496 additions and 633 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
README.md
View File

@ -1,14 +1,15 @@
# Etherguard # Etherguard
[中文版README](README_zh.md) [English](#) | [中文](README_zh.md)
A Full Mesh Layer2 VPN based on wireguard-go
[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md)
A Full Mesh Layer2 VPN based on wireguard-go
OSPF can find best route based on it's cost. OSPF can find best route based on it's cost.
But sometimes the latency are different in the packet goes and back. But sometimes the latency are different in the packet goes and back.
I'm thinking, is it possible to find the best route based on the **single-way latency**? I'm thinking, is it possible to find the best route based on the **single-way latency**?
For example, I have two routes A and B at node N1, both of them can reach my node N2. A goes fast, but B backs fast. For example, I have two routes A and B at node N1, both of them can reach my node N2. A goes fast, but B backs fast.
My VPN can automatically send packet through route A at node N1, and the packet backs from route B. My VPN can automatically send packet through route A at node N1, and the packet backs from route B.
@ -22,107 +23,33 @@ Worried about the clock not match so that the measure result are not correct? It
Usage of ./etherguard-go: Usage of ./etherguard-go:
-bind string -bind string
UDP socket bind mode. [linux|std] UDP socket bind mode. [linux|std]
You may need std mode if tou want to run Etherguard under WSL. (default "linux") You may need std mode if you want to run Etherguard under WSL. (default "linux")
-cfgmode string
Running mode for generated config. [none|super|p2p]
-config string -config string
Config path. Config path for the interface.
-example -example
Print example config Print example config
-help -help
Show this help Show this help
-mode string -mode string
Running mode. [super|edge|solve] Running mode. [super|edge|solve|gencfg]
-no-uapi -no-uapi
Do not use UAPI Disable UAPI
With UAPI, you can check etherguard status by `wg` command With UAPI, you can check etherguard status by "wg" command
-version -version
Show version Show version
``` ```
## Mode ## Working Mode
1. Static Mode: Similar to original wireguard. [Introduction](example_config/static_mode/README.md). Mode | Description
2. Super Mode: Inspired by[n2n](https://github.com/ntop/n2n). [Introduction](example_config/super_mode/README.md). ------------|:-----
3. P2P Mode: Inspired by[tinc](https://github.com/gsliepen/tinc). [Introduction](example_config/p2p_mode/README.md). Static Mode | No dynamic routing, no handshake server.<br>Similar to original wireguard , all configs are static<br>[Detail](example_config/static_mode/README.md)
Static Mode | Inspired by [n2n](https://github.com/ntop/n2n). There 2 types of node: SuperNode and EdgeNode<br>EdgeNode must connect to SuperNode firstget connection info of other EdgeNode from the SuperNode<br>The SuperNode runs [Floyd-Warshall Algorithm](https://en.wikipedia.org/wiki/FloydWarshall_algorithm)and distribute the result to all other EdgeNodes.<br>[Detail](example_config/super_mode/README.md)
P2P Mode | Inspired by [tinc](https://github.com/gsliepen/tinc), There are no SuperNode. All EdgeNode will exchange information each other.<br>EdgeNodes are keep trying to connect each other, and notify all other peers success or not.<br>All edges runs [Floyd-Warshall Algorithm](https://en.wikipedia.org/wiki/FloydWarshall_algorithm) locally and find the best route by it self.<br>**Not recommend to use this mode in production environment, not test yet.**<br>[Detail](example_config/p2p_mode/README.md)
## Common Config Paramater ## [Quick start](example_config/super_mode/README.md)
### Edge Config
1. `interface`
1. `itype`: Interface type.
1. `dummy`: Dymmy interface, drop any packet received. You need this if you want to setup it as a relay node.
2. `stdio`: Wrtie to stdoutread from stdin.
Paramaters: `macaddrprefix`,`l2headermode`
3. `udpsock`: Read/Write the raw packet to an udp socket.
Paramaters: `recvaddr`,`sendaddr`
3. `tcpsock`: Read/Write the raw packet to a tcp socket.
Paramaters: `recvaddr`,`sendaddr`
3. `unixsock`: Read/Write the raw packet to an unix socket(SOCK_STREAM mode).
Paramaters: `recvaddr`,`sendaddr`
3. `unixgramsock`: Read/Write the raw packet to an unix socket(SOCK_DGRAM mode).
Paramaters: `recvaddr`,`sendaddr`
3. `unixpacketsock`: Read/Write the raw packet to an unix socket((SOCK_SEQPACKET mode).
Paramaters: `recvaddr`,`sendaddr`
3. `fd`: Read/Write the raw packet to specific file descriptor.
Paramaters: None. But require environment variable `EG_FD_RX` and `EG_FD_TX`
4. `vpp`: Integrate to VPP by libmemif.
Paramaters: `name`,`vppifaceid`,`vppbridgeid`,`macaddrprefix`,`mtu`
5. `tap`: Read/Write to tap device from linux.
Paramaters: `name`,`macaddrprefix`,`vppifaceid`,`mtu`
2. `name` : Device name
3. `postscript`: run script after etherguard initialized.
3. `vppifaceid`: Interface ID。Muse be unique in same VPP runtime
4. `vppbridgeid`: VPP Bridge ID. Fill 0 if you don't use it.
5. `macaddrprefix`: Mac address Prefix.
Real Mac address=[Prefix]:[NodeID].
If you fill full mac address here, NodeID will be ignored.
6. `recvaddr`: Listen address for `XXXsock` mode(server mode)
7. `sendaddr`: Packet send address for `XXXsock` mode(client mode)
8. `l2headermode`: For debug usage, for `stdio` mode only
1. `nochg`: Do not change anything.
2. `kbdbg`: Keyboard debug mode.
Let me construct Layer 2 header by ascii character only.
So that I can track the packet flow with `loglevel` option.
3. `noL2`: Remove all Layer 2 header, all boardcast
2. `nodeid`: NodeID. Must be unique in the whole Etherguard network.
3. `nodename`: Node Name.
4. `defaultttl`: Default TTL(etherguard layer. not affect ethernet layer)
5. `l2fibtimeout`: The timeout(in seconds) of the MacAddr-> NodeID lookup table
5. `privkey`: Private key. Same spec as wireguard.
5. `listenport`: UDP lesten port
6. `loglevel`: Log Level
1. `loglevel`: `debug`,`error`,`slient` for wirefuard logger.
2. `logtransit`: Log packets that neither the source or distenation is self.
3. `logcontrol`: Log for all Control Message.
4. `lognormal`: Log packets that either the source or distenation is self.
5. `logntp`: NTP related logs.
7. `dynamicroute`: Log for dynamic route.
1. `sendpinginterval`: Send `Ping` interval
2. `dupchecktimeout`: Duplication chack timeout.
1. `peeralivetimeout`: Reset the timer while received a packet. Mark the peer offlline while exceed this time.
3. `conntimeout`: The interval that check peer offline or not. If peer was marked offine, it will switch to next endpoint.
4. `savenewpeers`: Save peer info to local file.
5. `supernode`: See [Super Mode](example_config/super_mode/README.md)
6. `p2p` See [P2P Mode](example_config/p2p_mode/README.md)
7. `ntpconfig`: NTP related settings
1. `usentp`: USE NTP or not.
2. `maxserveruse`: How many NTP servers should we use at once.
First time we will measure lentancy for all NTP server, next time it will use only fastest server.
3. `synctimeinterval`: NTP sync interval.
4. `ntptimeout`: NTP timeout
5. `servers`: NTP server list
8. `nexthoptable`: Nexthop table。Only static mode use it. See [Static Mode](example_config/super_mode/README.md)
9. `resetconninterval`: Reset the endpoint for peers. You may need this if that peer use DDNS.
10. `peers`: Peer info.
1. `nodeid`: Node ID.
2. `pubkey`: Public key.
3. `pskey`: Preshared key. Not implement yet.
4. `endpoint`: Peer enddpoint. Will be overwrite if the peer roaming unless static=true.
5. `static`: Do not overwrite by roaming and reset the connection every `resetconninterval` seconds.
### Super config
See [Super Mode](example_config/super_mode/README.md).
## Build ## Build

58
README_zh.md
View File

@ -1,7 +1,6 @@
# Etherguard # Etherguard
[English](README.md) [English](README.md) | [中文](#)
[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md)
@ -43,56 +42,15 @@ Usage of ./etherguard-go-vpp:
顯示版本 顯示版本
``` ```
## Mode ## Working Mode
1. Static 模式: 類似於原本的wireguard的模式。 [詳細介紹](example_config/static_mode/README_zh.md) Mode | Description
2. Super 模式: 受到[n2n](https://github.com/ntop/n2n)的啟發寫的模式。 [詳細介紹](example_config/super_mode/README_zh.md) ------------|:-----
3. P2P 模式: 受到[tinc](https://github.com/gsliepen/tinc)的啟發寫的模式。 [詳細介紹](example_config/p2p_mode/README_zh.md) Static Mode | 沒有自動選路,沒有握手伺服器<br>類似原本的wireguard一切都要提前配置好<br>[詳細介紹](example_config/static_mode/README_zh.md)
Static Mode | 此模式是受到[n2n](https://github.com/ntop/n2n)的啟發分為SuperNode和EdgeNode兩種節點<br>EdgeNode首先和SuperNode建立連線藉由SuperNode交換其他EdgeNode的資訊<br>由SuperNode執行[Floyd-Warshall演算法](https://zh.wikipedia.org/zh-tw/Floyd-Warshall算法)並把計算結果分發給EdgeNode<br>[詳細介紹](example_config/super_mode/README_zh.md)
P2P Mode | 此模式是受到[tinc](https://github.com/gsliepen/tinc)的啟發只有EdgeNodeEdgeNode會彼交換資訊<br>EdgeNodes會嘗試互相連線並且通報其他EdgeNoses連線成功與否<br>每個Edge各自執行[Floyd-Warshall演算法](https://zh.wikipedia.org/zh-tw/Floyd-Warshall算法),若不能直達則使用最短路徑<br>**此模式尚未經過長時間測試,尚不建議生產環境使用**<br>[詳細介紹](example_config/p2p_mode/README_zh.md)
## Quick start ## [Quick start](example_config/super_mode/README_zh.md)
內建小工具可以快速生成設定檔搞定私鑰公鑰等等暫時只支援Super模式
首先按需求修改`example_config/super_mode/gensuper.yaml`
```yaml
Config output dir: /tmp/eg_gen
ConfigTemplate for super node: ""
ConfigTemplate for edge node: ""
Network name: eg_net
Super Node:
Listen port: 3456
EdgeAPI prefix: /eg_net/eg_api
Endpoint(IPv4)(optional): example.com
Endpoint(IPv6)(optional): example.com
Endpoint(EdgeAPI): http://example.com:3456/eg_net/eg_api
Edge Node:
Node IDs: "[1~10,11,19,23,29,31,55~66,88~99]"
MacAddress prefix: "" #留空隨機產生
IPv4 range: 192.168.76.0/24
IPv6 range: fd95:71cb:a3df:e586::/64
IPv6 LL range: fe80::a3df:0/112
```
順帶一提最後三個欄位IP的部分可以直接省略沒關係
這個欄位唯一的目的只是在啟動以後調用ip命令幫tap接口加個ip
和VPN本身運作完全無關
VPN起來以後自己手動加ip也行
```
$ ./etherguard-go -mode gencfg -cfgmode super -config example_config/super_mode/gensuper.yaml
```
把一個super2個edge分別搬去三台機器
或是2台機器super和edge可以是同一台
然後在Supernode執行
```
./etherguard-go -config [設定檔位置] -mode super
```
然後在EdgeNode執行
```
./etherguard-go -config [設定檔位置] -mode edge
```
## Build ## Build

50
example_config/p2p_mode/README.md
View File

@ -1,4 +1,50 @@
# Etherguard # Etherguard
[中文](README_zh.md) [English](#) | [中文](README_zh.md)
WIP ## P2P Mode
P2P Mode is inspired by [tinc](https://github.com/gsliepen/tinc), There are no SuperNode. All EdgeNode will exchange information each other.
EdgeNodes are keep trying to connect each other, and notify all other peers success or not.
All edges runs [Floyd-Warshall Algorithm](https://en.wikipedia.org/wiki/FloydWarshall_algorithm) locally and find the best route by it self.
**Not recommend to use this mode in production environment, not test yet.**
## Quick Start
First, edit the `gensp2p.yaml`
```yaml
Config output dir: /tmp/eg_gen_static # Profile output location
ConfigTemplate for edge node: "" # Profile Template
Network name: "EgNet"
Edge Node:
MacAddress prefix: "" # Leave blank to generate randomly
IPv4 range: 192.168.76.0/24 # By the way, the IP part can be omitted.
IPv6 range: fd95:71cb:a3df:e586::/64 # The only purpose of this field is to call the ip command after startup to add an ip to the tap interface
IPv6 LL range: fe80::a3df:0/112 #
Edge Nodes: # Node related settings
1:
Endpoint(optional): 127.0.0.1:3001
2:
Endpoint(optional): 127.0.0.1:3002
3:
Endpoint(optional): 127.0.0.1:3003
4:
Endpoint(optional): 127.0.0.1:3004
5:
Endpoint(optional): 127.0.0.1:3005
6:
Endpoint(optional): 127.0.0.1:3006
```
Run this, it will generate the required configuration file
```
./etherguard-go -mode gencfg -cfgmode p2p -config example_config/p2p_mode/gensp2p.yaml
```
Deploy these configuration files to the corresponding nodes, and then execute
```
./etherguard-go -config [config path] -mode edge
```
you can turn off unnecessary logs to increase performance after it works.
[WIP]

15
example_config/p2p_mode/README_zh.md
View File

@ -1,16 +1,17 @@
# Etherguard # Etherguard
[English](README.md) [English](README.md) | [中文](#)
## P2P Mode ## P2P Mode
受到[tinc](https://github.com/gsliepen/tinc)的啟發 此模式是受到[tinc](https://github.com/gsliepen/tinc)的啟發只有EdgeNodeEdgeNode會彼交換資訊
EdgeNodes會嘗試互相連線並且通報其他EdgeNoses連線成功與否
和[Super模式運作](../super_mode/README_zh.md)有點相似,不過也有點修改 每個Edge各自執行[Floyd-Warshall演算法](https://zh.wikipedia.org/zh-tw/Floyd-Warshall算法),若不能直達則使用最短路徑
**此模式尚未經過長時間測試,尚不建議生產環境使用**
## Quick Start ## Quick Start
首先,按照需求修改`genstatic.yaml` 首先,按照需求修改`gensp2p.yaml`
```yaml ```yaml
Config output dir: /tmp/eg_gen_static # 設定檔輸出位置 Config output dir: /tmp/eg_gen_p2p # 設定檔輸出位置
ConfigTemplate for edge node: "" # 設定檔Template ConfigTemplate for edge node: "" # 設定檔Template
Network name: "EgNet" Network name: "EgNet"
Edge Node: Edge Node:
@ -34,7 +35,7 @@ Edge Nodes: # 所有的節點相關設定
``` ```
接著執行這個,就會生成所需設定檔了。 接著執行這個,就會生成所需設定檔了。
``` ```
./etherguard-go -mode gencfg -cfgmode static -config example_config/static_mode/genstatic.yaml ./etherguard-go -mode gencfg -cfgmode p2p -config example_config/p2p_mode/gensp2p.yaml
``` ```
把這些設定檔不捨去對應節點,然後再執行 把這些設定檔不捨去對應節點,然後再執行

22
example_config/p2p_mode/genp2p.yaml Normal file
View File

@ -0,0 +1,22 @@
Config output dir: /tmp/eg_gen_p2p
ConfigTemplate for edge node: ""
Network name: "EgNet"
Edge Node:
MacAddress prefix: ""
IPv4 range: 192.168.76.0/24
IPv6 range: fd95:71cb:a3df:e586::/64
IPv6 LL range: fe80::a3df:0/112
Edge Nodes:
1:
Endpoint(optional): 127.0.0.1:3001
2:
Endpoint(optional): 127.0.0.1:3002
3:
Endpoint(optional): 127.0.0.1:3003
4:
Endpoint(optional): 127.0.0.1:3004
5:
Endpoint(optional): 127.0.0.1:3005
6:
Endpoint(optional): 127.0.0.1:3006
Distance matrix for all nodes: ""

0
example_config/p2p_mode/genstatic.yaml → example_config/p2p_mode/genp2p_2.yaml
View File

254
example_config/static_mode/README.md
View File

@ -1,68 +1,85 @@
# Etherguard # Etherguard
[中文](README_zh.md) [English](#) | [中文](README_zh.md)
This is the documentation of the static_mode of this example_config
## Static mode ## Static mode
No dynamic routing, no handshake server. No dynamic routing, no handshake server.
Similar to original wireguard , all things must be preconfigured. Similar to original wireguard , all configs are static.
Include the route table, you have to configure it in `NextHopTable` section in the config file.
But you need to setup an additional `Next hop table`, this table are share among all nodes.
The `nexthoptable` section is for this mode, and only works in this mode.
In this mode, there are no any Control Message, no connectivity check. In this mode, there are no any Control Message, no connectivity check.
Please maintains the predefined topology, otherwise if the relay node offline, part of this network will broken, Please maintains the predefined topology, otherwise if the relay node offline, part of this network will broken,
## Quick Start
First, edit the `genstatic.yaml`
```yaml
Config output dir: /tmp/eg_gen_static # Profile output location
ConfigTemplate for edge node: "" # Profile Template
Network name: "EgNet"
Edge Node:
MacAddress prefix: "" # Leave blank to generate randomly
IPv4 range: 192.168.76.0/24 # By the way, the IP part can be omitted.
IPv6 range: fd95:71cb:a3df:e586::/64 # The only purpose of this field is to call the ip command after startup to add an ip to the tap interface
IPv6 LL range: fe80::a3df:0/112 #
Edge Nodes: # Node related settings
1:
Endpoint(optional): 127.0.0.1:3001
2:
Endpoint(optional): 127.0.0.1:3002
3:
Endpoint(optional): 127.0.0.1:3003
4:
Endpoint(optional): 127.0.0.1:3004
5:
Endpoint(optional): 127.0.0.1:3005
6:
Endpoint(optional): 127.0.0.1:3006
Distance matrix for all nodes: |- # The left is the starting point, and the upper is the ending point. Inf represents that the two nodes are not connected, and the value represents connected. The size of the value represents the cost of the route (usually latency)
X 1 2 3 4 5 6
1 0 1.0 Inf Inf Inf Inf
2 1.0 0 1.0 1.0 Inf Inf
3 Inf 1.0 0 1 1.0 Inf
4 Inf 1.0 1.0 0 Inf 1.0
5 Inf Inf 1.0 Inf 1.0 Inf
6 Inf Inf Inf 1.0 Inf 1.0
```
Run this, it will generate the required configuration file
```
./etherguard-go -mode gencfg -cfgmode static -config example_config/static_mode/genstatic.yaml
```
Deploy these configuration files to the corresponding nodes, and then execute
```
./etherguard-go -config [config path] -mode edge
```
you can turn off unnecessary logs to increase performance after it works.
## Documentation
The topology of this [example_config](./): The topology of this [example_config](./):
!["Topology"](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/static_mode/Example_static.png) !["Topology"](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/static_mode/Example_static.png)
Before sending packet, We will set the SrcID to my NodeID. And the DstID will be found from l2fib table. If lookup failed or it's a Broadcast address, It will be set to `Broadcast(65535)` Before sending packet, We will set the SrcID to my NodeID. And the DstID will be found from l2fib table. If lookup failed or it's a Broadcast address, It will be set to `Broadcast(65535)`
While received packet, if the DstID==NodeID, or DstID==65535, it will receive the packet, and send to correspond tap device. And meanwhile, add the NodeID->SrcMacAddress to l2fib. While receiving packet, if the DstID==NodeID, or DstID==65535, it will receive the packet, and send to correspond tap device. And meanwhile, add the NodeID->SrcMacAddress to l2fib.
If not, it will lookup from the `Next hop table`, to determine who will be sent of this packet. If not, it will lookup from the `Next hop table`, to determine who will be sent of this packet.
Here is an example of the `Next hop table` in this example topology. A yaml formatted nested dictionary. `NhTable[SrcID][DstID]= Next hop ID` Here is an example of the `Next hop table` in this example topology. A yaml formatted nested dictionary. `NhTable[SrcID][DstID]= Next hop ID`
```yaml ```yaml
nexthoptable: NextHopTable:
1: 1:
2: 2 2: 2
3: 2 3: 2
4: 2
5: 2
6: 2
2: 2:
1: 1 1: 1
3: 3 3: 3
4: 4
5: 3
6: 4
3: 3:
1: 2 1: 2
2: 2 2: 2
4: 4
5: 5
6: 4
4:
1: 2
2: 2
3: 3
5: 3
6: 6
5:
1: 3
2: 3
3: 3
4: 3
6: 3
6:
1: 4
2: 4
3: 4
4: 4
5: 4
``` ```
### Broadcast ### Broadcast
@ -96,110 +113,97 @@ X 1 2 3 4 5 6
`Inf` means unreachable. `Inf` means unreachable.
Then use this command to calculate it. Then use this command to calculate it.
```
./etherguard-go -config example_config/static_mode/path.txt -mode solve
NextHopTable: ### EdgeNode Config Parameter
1:
2: 2
3: 2
4: 2
5: 2
6: 2
2:
1: 1
3: 3
4: 4
5: 3
6: 4
3:
1: 2
2: 2
4: 4
5: 5
6: 4
4:
1: 2
2: 2
3: 3
5: 3
6: 6
5:
1: 3
2: 3
3: 3
4: 3
6: 3
6:
1: 4
2: 4
3: 4
4: 4
5: 4
```
There are some additional information of the calculation result. <a name="EdgeConfig"></a>EdgeConfig | Description
``` -------------- |:-----
Human readable: [Interface](#Interface)| Interface related config
src dist path NodeID | NodeID. Must be unique in the whole Etherguard network.
1 -> 2 0.500000 [1 2] NodeName | Node Name.
1 -> 3 1.000000 [1 2 3] PostScript | Script that will run after initialized
1 -> 4 1.000000 [1 2 4] DefaultTTL | TTL(etherguard layer. not affect ethernet layer)
1 -> 5 1.500000 [1 2 3 5] L2FIBTimeout | The timeout of the L2FIB table(Similar to ARP table)
1 -> 6 1.500000 [1 2 4 6] PrivKey | Private key. Same spec as wireguard.
2 -> 1 0.500000 [2 1] ListenPort | UDP lesten port
2 -> 3 0.500000 [2 3] [LogLevel](#LogLevel)| Log related settings
2 -> 4 0.500000 [2 4] [DynamicRoute](../super_mode/README.md#DynamicRoute) | Dynamic Route related settings. Not work at static mode.
2 -> 5 1.000000 [2 3 5] NextHopTable | NextHopTable, Next hop = `NhTable[start][destnation]`
2 -> 6 1.000000 [2 4 6] ResetConnInterval | Reset the endpoint for peers. You may need this if that peer use DDNS.
3 -> 1 1.000000 [3 2 1] [Peers](#Peers) | Peer info.
3 -> 2 0.500000 [3 2]
3 -> 4 0.500000 [3 4]
3 -> 5 0.500000 [3 5]
3 -> 6 1.000000 [3 4 6]
4 -> 1 1.000000 [4 2 1]
4 -> 2 0.500000 [4 2]
4 -> 3 0.500000 [4 3]
4 -> 5 1.000000 [4 3 5]
4 -> 6 0.500000 [4 6]
5 -> 1 1.500000 [5 3 2 1]
5 -> 2 1.000000 [5 3 2]
5 -> 3 0.500000 [5 3]
5 -> 4 1.000000 [5 3 4]
5 -> 6 1.500000 [5 3 4 6]
6 -> 1 1.500000 [6 4 2 1]
6 -> 2 1.000000 [6 4 2]
6 -> 3 1.000000 [6 4 3]
6 -> 4 0.500000 [6 4]
6 -> 5 1.500000 [6 4 3 5]
```
### Quick start <a name="Interface"></a>Interface | Description
---------------|:-----
[IType](#IType)| Interface type.
Name | Device name
VPPIFaceID | VPP Interface ID. Muse be unique in same VPP runtime
VPPBridgeID | VPP Bridge ID. Fill 0 if you don't use it.
MacAddrPrefix | Mac address Prefix. Real Mac address=[Prefix]:[NodeID].
IPv4CIDR | After starting, call the ip command to add an ip to the tap interface.
IPv4CIDR | After starting, call the ip command to add an ip to the tap interface.
IPv6LLPrefix | After starting, call the ip command to add an ip to the tap interface.
MTU | Interface MTUonly valid on `tap`, `vpp` mode
RecvAddr | Listen address for `*sock` mode(server mode)
SendAddr | Packet send address for `*sock` mode(client mode)
[L2HeaderMode](#L2HeaderMode) | For `stdio` mode only for debugging
<a name="IType"></a>IType | Description
-----------|:-----
dummy | Dymmy interface, drop any packet received. You need this if you want to setup it as a relay node.
stdio | Wrtie to stdoutread from stdin. <br>Required parameter: `MacAddrPrefix` && `L2HeaderMode`
udpsock | Read/Write the raw packet to an udp socket.<br>Required parameter: `RecvAddr` && `SendAddr`
tcpsock | Read/Write the raw packet to a tcp socket. <br>Required parameter: `RecvAddr` \|\| `SendAddr`
unixsock | Read/Write the raw packet to an unix socket(SOCK_STREAM mode).<br>Required parameter: `RecvAddr` \|\| `SendAddr`
udpsock | Read/Write the raw packet to an unix socket(SOCK_DGRAM mode)<br>Required parameter: `RecvAddr` \|\| `SendAddr`
udpsock | Read/Write the raw packet to an unix socket(SOCK_SEQPACKET mode).<br>Required parameter: `RecvAddr` \|\| `SendAddr`
fd | Read/Write the raw packet to specific file descriptor.<br>Required parameter: None. But require environment variable `EG_FD_RX` && `EG_FD_TX`
vpp | Integrate to VPP by libmemif. <br>Required parameter: `Name` && `VPPIFaceID` && `VPPBridgeID` && `MacAddrPrefix` && `MTU`
tap | Read/Write to tap device from linux.<br>Required parameter: `Name` && `MacAddrPrefix` && `MTU`<br>Optional Parameter:`IPv4CIDR` , `IPv6CIDR` , `IPv6LLPrefix`
<a name="L2HeaderMode"></a>L2HeaderMode | Description
---------------|:-----
nochg | Do not change anything.
kbdbg | The first 12 bytes will be used for routing selection.<br>But in stdio mode, it is not convenient to use the keyboard to input an Ethernet frame.<br>This mode allows me to quickly generate an Ethernet frame, and debug is more convenient.<br>`b` is converted to ` FF:FF:FF:FF:FF:FF`<br>`2` is converted to `AA:BB:CC:DD:EE:02`<br>Enter `b2aaaaa` and it will become `b"0xffffffffffffaabbccddee02aaaaa"`
noL2 | Remove Ethernet frame while reading<br>Use `FF:FF:FF:FF:FF:FF` while writing
<a name="LogLevel"></a>LogLevel | Description
------------|:-----
LogLevel | `debug`,`error`,`slient` for wirefuard logger.
LogTransit | Log packets that neither the source or destination is self.
LogNormal | Log packets that either the source or destination is self.
LogControl | Log for all Control Message.
LogInternal | Log for some internal event
LogNTP | NTP related logs.
<a name="Peers"></a>Peers | Description
--------------------|:-----
NodeID | Node ID.
PubKey | Public key.
PSKey | Pre shared key.
EndPoint | Peer EndPoint.
PersistentKeepalive | PersistentKeepalive, same as wireguard
Static | Do not overwrite by roaming and reset the connection every `ResetConnInterval` seconds.
#### Run example config #### Run example config
Execute following command in **Different Terminal** Execute following command in **Different Terminal**
``` ```
./etherguard-go -config example_config/super_mode/n1.yaml -mode edge ./etherguard-go -config example_config/super_mode/EgNet_edge1.yaml -mode edge
./etherguard-go -config example_config/super_mode/n2.yaml -mode edge ./etherguard-go -config example_config/super_mode/EgNet_edge2.yaml -mode edge
./etherguard-go -config example_config/super_mode/n3.yaml -mode edge ./etherguard-go -config example_config/super_mode/EgNet_edge3.yaml -mode edge
./etherguard-go -config example_config/super_mode/n4.yaml -mode edge ./etherguard-go -config example_config/super_mode/EgNet_edge4.yaml -mode edge
./etherguard-go -config example_config/super_mode/n5.yaml -mode edge ./etherguard-go -config example_config/super_mode/EgNet_edge5.yaml -mode edge
./etherguard-go -config example_config/super_mode/n6.yaml -mode edge ./etherguard-go -config example_config/super_mode/EgNet_edge6.yaml -mode edge
``` ```
The iface type of this example config is `stdio` (keyboard debug), so it will read data from stdin. The IType of this example config is `stdio` (keyboard debug), so it will read data from stdin.
Then input following text in the terminal Then input following text in the terminal
``` ```
b1message b1message
``` ```
The `l2headermode` is `kbdbg`, means `Keyboard debug`. So that the first two byte will be convert to `FF:FF:FF:FF:FF:FF` and `AA:BB:CC:DD:EE:01`. And the `message` is the real payload. The `L2HeaderMode` is `kbdbg`, means `Keyboard debug`. So that the first two byte will be convert to `FF:FF:FF:FF:FF:FF` and `AA:BB:CC:DD:EE:01`. And the `message` is the real payload.
With other debug message, you should be able to see the message in other terminal. With other debug message, you should be able to see the message in other terminal.
#### Use it in real world
Please modify the `itype` to `tap`, and modify the pubkey and privkey, close unnecessary logging , and deploy to all nodes.
## Next: [Super Mode](../super_mode/README.md) ## Next: [Super Mode](../super_mode/README.md)

12
example_config/static_mode/README_zh.md
View File

@ -5,7 +5,7 @@
沒有自動選路,沒有握手伺服器 沒有自動選路,沒有握手伺服器
類似原本的wireguard一切都要提前配置好 類似原本的wireguard一切都要提前配置好
設定檔裡面的`NextHopTable`部分,只有此模式會生效 路由表也是如此。您需要手動配置設定檔裡面的`NextHopTable`部分
這個模式下不存在任何的Control Message斷線偵測什麼的也不會有 這個模式下不存在任何的Control Message斷線偵測什麼的也不會有
請務必保持提前定義好的拓樸。不然如果存在中轉,中轉節點斷了,部分連線就會中斷 請務必保持提前定義好的拓樸。不然如果存在中轉,中轉節點斷了,部分連線就會中斷
@ -49,7 +49,7 @@ Distance matrix for all nodes: |- # 左邊是起點上面是終點In
./etherguard-go -mode gencfg -cfgmode static -config example_config/static_mode/genstatic.yaml ./etherguard-go -mode gencfg -cfgmode static -config example_config/static_mode/genstatic.yaml
``` ```
把這些設定檔不捨去對應節點,然後再執行 把這些設定檔部署去對應節點,然後再執行
``` ```
./etherguard-go -config [設定檔位置] -mode edge ./etherguard-go -config [設定檔位置] -mode edge
``` ```
@ -127,7 +127,7 @@ X 1 2 3 4 5 6
### EdgeNode Config Parameter ### EdgeNode Config Parameter
Key | Description <a name="EdgeConfig"></a>EdgeConfig | Description
-------------- |:----- -------------- |:-----
[Interface](#Interface)| 接口相關設定。VPN有兩端一端是VPN網路另一端則是本地接口 [Interface](#Interface)| 接口相關設定。VPN有兩端一端是VPN網路另一端則是本地接口
NodeID | 節點ID。節點之間辨識身分用的同一網路內節點ID不能重複 NodeID | 節點ID。節點之間辨識身分用的同一網路內節點ID不能重複
@ -138,10 +138,10 @@ L2FIBTimeout | MacAddr-> NodeID 查找表的 timeout(秒) 類似ARP tabl
PrivKey | 私鑰和wireguard規格一樣 PrivKey | 私鑰和wireguard規格一樣
ListenPort | 監聽的udp埠 ListenPort | 監聽的udp埠
[LogLevel](#LogLevel)| 紀錄log [LogLevel](#LogLevel)| 紀錄log
[DynamicRoute](../super_mode/README_zh.md#DynamicRoute) | 動態路由相關設定Static模式用不到 [DynamicRoute](../super_mode/README_zh.md#DynamicRoute) | 動態路由相關設定<br>StaticMode用不到
NextHopTable | 轉發表, 下一跳 = `NhTable[起點][終點]` NextHopTable | 轉發表, 下一跳 = `NhTable[起點][終點]`<br>SuperMode以及P2PMode用不到
ResetConnInterval | 如果對方是動態ip就要用這個。每隔一段時間就會重置連線重新解析域名 ResetConnInterval | 如果對方是動態ip就要用這個。每隔一段時間就會重置連線重新解析域名
[Peers](#Peers) | 鄰居節點和wireguard相同 [Peers](#Peers) | 鄰居節點<br>SuperMode用不到從SuperNode接收
<a name="Interface"></a>Interface | Description <a name="Interface"></a>Interface | Description
---------------|:----- ---------------|:-----

2
example_config/super_mode/EgNet_edge001.yaml
View File

@ -19,7 +19,7 @@ L2FIBTimeout: 3600
PrivKey: 12CRJpzWOTRQDOdtROtwwWb68B4HHjSbrS1WySAkWYI= PrivKey: 12CRJpzWOTRQDOdtROtwwWb68B4HHjSbrS1WySAkWYI=
ListenPort: 0 ListenPort: 0
LogLevel: LogLevel:
LogLevel: verbose LogLevel: error
LogTransit: true LogTransit: true
LogNormal: true LogNormal: true
LogControl: true LogControl: true

2
example_config/super_mode/EgNet_super.yaml
View File

@ -12,7 +12,7 @@ PeerAliveTimeout: 70
SendPingInterval: 15 SendPingInterval: 15
DampingResistance: 0.9 DampingResistance: 0.9
LogLevel: LogLevel:
LogLevel: verbose LogLevel: error
LogTransit: false LogTransit: false
LogNormal: false LogNormal: false
LogControl: true LogControl: true

568
example_config/super_mode/README.md
View File

@ -1,22 +1,55 @@
# Etherguard # Etherguard
[中文](README_zh.md) [English](#) | [中文](README_zh.md)
## Super mode
This mode is inspired by [n2n](https://github.com/ntop/n2n). There 2 types of node: SuperNode and EdgeNode
EdgeNode must connect to SuperNode firstget connection info of other EdgeNode from the SuperNode
The SuperNode runs [Floyd-Warshall Algorithm](https://en.wikipedia.org/wiki/FloydWarshall_algorithm)and distribute the result to all other EdgeNodes.
## Quick start
首先按需求修改`gensuper.yaml`
```yaml
Config output dir: /tmp/eg_gen
ConfigTemplate for super node: ""
ConfigTemplate for edge node: ""
Network name: eg_net
Super Node:
Listen port: 3456
EdgeAPI prefix: /eg_net/eg_api
Endpoint(IPv4)(optional): example.com
Endpoint(IPv6)(optional): example.com
Endpoint(EdgeAPI): http://example.com:3456/eg_net/eg_api
Edge Node:
Node IDs: "[1~10,11,19,23,29,31,55~66,88~99]"
MacAddress prefix: "" # Leave blank to generate randomly
IPv4 range: 192.168.76.0/24 # The IP part can be omitted
IPv6 range: fd95:71cb:a3df:e586::/64 #
IPv6 LL range: fe80::a3df:0/112 #
```
Then run this, and the required configuration file will be generated.
```
$ ./etherguard-go -mode gencfg -cfgmode super -config example_config/super_mode/gensuper.yaml
```
Run this in SuperNode
```
./etherguard-go -config [config path] -mode super
```
Run this in EdgeNode
```
./etherguard-go -config [config path] -mode edge
```
## Documentation
This is the documentation of the super_mode of this example_config This is the documentation of the super_mode of this example_config
Before reading this, I'd like to suggest you read the [static mode](../static_mode/README.md) first. Before reading this, I'd like to suggest you read the [static mode](../static_mode/README.md) first.
## Super mode In the super mode of the edge node, the `NextHopTable` and `Peers` section are useless. All infos are download from super node.
Meanwhile, super node will generate pre shared key for inter-edge communication(if `UsePSKForInterEdge` enabled).
Super mode are inspired by [n2n](https://github.com/ntop/n2n)
We have two types of node, we called it super node and edge node.
All edge nodes have to connect to super node, exchange data and UDP hole punch each other by super node.
The super node runs the [Floyd-Warshall Algorithm](https://en.wikipedia.org/wiki/FloydWarshall_algorithm) and distribute the result to all edge node.
In the super mode of the edge node, the `nexthoptable` and `peers` section are useless. All infos are download from super node.
Meanwhile, super node will generate pre shared key for inter-edge communication(if `usepskforinteredge` enabled).
```golang
psk = shs256("PubkeyPeerA" + "PubkeyPeerB" + "Chef Special and Featured in the season see salt")[:32]
```
### SuperMsg ### SuperMsg
There are new type of DstID called `SuperMsg`(65534). All packets sends to and receive from super node are using this packet type. There are new type of DstID called `SuperMsg`(65534). All packets sends to and receive from super node are using this packet type.
@ -30,46 +63,80 @@ We list all the control message we use in the super mode below.
This control message works like this picture: This control message works like this picture:
![Workflow of Register](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/super_mode/EGS01.png) ![Workflow of Register](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/super_mode/EGS01.png)
1. edge node send Register to the super node 1. EdgeNode send Register to the super node
2. Supernode knows it's external IP and port number 2. SuperNode knows it's external IP and port number
3. Update it to database and distribute `UpdatePeerMsg` to all edges 3. Update it to database and distribute `UpdatePeerMsg` to all edges
4. Other edges get the notification, download the updated peer infos from supernode via HTTP API 4. Other EdgeNodes get the notification, download the updated peer infos from SuperNode via HTTP API
### Ping/Pong ### Ping/Pong
While edges get the peer infos, edges will start trying to talk each other directly like this picture: While EdgeNodes get their peer info, they will trying to talk each other directly like this picture:
![Workflow of Ping/Pong](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/super_mode/EGS02.png) ![Workflow of Ping/Pong](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/super_mode/EGS02.png)
1. Send `Ping` to all other edges with local time with TTL=0 1. Send `Ping` to all other edges with local time with TTL=0
2. Received a `Ping`, Subtract the peer time from local time, we get a single way latency. 2. Receive a `Ping`, Subtract the peer time from local time, we get a single way latency.
3. Send a `Pong` to supernode, let supernode calculate the NextHopTable 3. Send a `Pong` to SuperNode with single way latency, let SuperNode calculate the NextHopTable
4. Wait the supernode push `UpdateNhTable` message and download it. 4. Wait the SuperNode push `UpdateNhTable` message and download it.
### <a name="AdditionalCost"></a>AdditionalCost
While we have all latency data of all nodes, `AdditionalCost` will be applied before `Floyd-Warshall` calculated.
Take the situation of this picture as an example:
![EGS08](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/super_mode/EGS08.png)
Path | Latency |Cost|Win
--------|:--------|:---|:--
A->B->C | 3ms | 3 |
A->C | 4ms | 4 | O
In this situation, the difference between 3ms and 4ms is only 1ms
Its not worth to save this 1ms, and the forwarding itself takes time
With the `AdditionalCost` parameter, each node can set the additional cost of forwarding through this node
If ABC is all set to `AdditionalCost=10`
Path | Latency |AdditionalCost|Cost|Win
--------|:--------|:-------------|:---|:--
A->B->C | 3ms | 20 | 23 |
A->C | 4ms | 10 | 14 | O
A->C will use direct connection instead of forward via `B` in order to save 1ms
Here `AdditionalCost=10` can be interpreted as: It have to save 10ms to transfer by this Node.
### UpdateNhTable ### UpdateNhTable
While supernode get a `Pong` message, it will run the [Floyd-Warshall Algorithm](https://en.wikipedia.org/wiki/FloydWarshall_algorithm) to calculate the NextHopTable While supernode get a `Pong` message, it will update the `Distance matrix` and run the [Floyd-Warshall Algorithm](https://en.wikipedia.org/wiki/FloydWarshall_algorithm) to calculate the NextHopTable.
![image](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/super_mode/EGS03.png) ![image](https://raw.githubusercontent.com/KusakabeSi/EtherGuard-VPN/master/example_config/super_mode/EGS03.png)
If there are any changes of this table, it will distribute `UpdateNhTable` to all edges to till then download the latest NextHopTable via HTTP API as soon as possible. If there are any changes of this table, it will distribute `UpdateNhTable` to all edges to till then download the latest NextHopTable via HTTP API as soon as possible.
### UpdateError ### ServerUpdate
Notify edges that an error has occurred, and close the edge Send message to EdgeMode from SuperNode
It occurs when the version number is not match with supernode, or the NodeID of the edge is configured incorrectly, or the edge is deleted. 1. Turn off EdgeNode
* Version Not match
* Wrong NodeID
* Deleted by SuperNode
2. Notify EdgeNode there are something new
* UpdateNhTable
* UpdatePeer
* UpdateSuperParams
### HTTP API ## HTTP EdgeAPI
Why we use HTTP API instead of pack all information in the `UpdateXXX`? Why we use HTTP API instead of pack all information in the `UpdateXXX`?
Because UDP is an unreliable protocol, there is an limit on the amount of content that can be carried. Because UDP is an unreliable protocol, there is an limit on the amount of content that can be carried.
But the peer list contains all the peer information, the length is not fixed, it may exceed But the peer list contains all the peer information, the length is not fixed, it may exceed
So we use `UpdateXXX` to tell we have a update, please download the latest information from supernode via HTTP API as soon as possible. So we use `UpdateXXX` to tell we have a update, please download the latest information from SuperNode via HTTP API as soon as possible.
And `UpdateXXX` itself is not reliable, maybe it didn't reach the edge node at all. And `UpdateXXX` itself is not reliable, maybe it didn't reach the edge node at all.
So the information of `UpdateXXX` carries the `state hash`. Bring it when with HTTP API. When the super node receives the HTTP API and sees the `state hash`, it knows that the edge node has received the `UpdateXXX`. So the information of `UpdateXXX` carries the `state hash`. Bring it when with HTTP API. When the super node receives the HTTP API and sees the `state hash`, it knows that the edge node has received the `UpdateXXX`.
Otherwise, it will send `UpdateXXX` to the node again after few seconds. Otherwise, it will send `UpdateXXX` to the node again after few seconds.
## HTTP Guest API The default configuration is to use HTTP. **But for the sake of your security, it is recommended to use an reverse-proxy ot convert it into https**
I have thought about the development of SuperNode to natively support https, but the dynamic update of the certificate costs me too much time.
## HTTP Manage API
HTTP also has some APIs for the front-end to help manage the entire network HTTP also has some APIs for the front-end to help manage the entire network
### peerstate ### super/state
```bash ```bash
curl "http://127.0.0.1:3000/api/peerstate?Password=passwd" curl "http://127.0.0.1:3456/eg_net/eg_api/manage/super/state?Password=passwd_showstate"
``` ```
It can show some information such as single way latency or last seen time. It can show some information such as single way latency or last seen time.
We can visualize it by Force-directed graph drawing. We can visualize it by Force-directed graph drawing.
@ -82,187 +149,47 @@ Example return value:
{ {
"PeerInfo": { "PeerInfo": {
"1": { "1": {
"Name": "hk", "Name": "Node_01",
"LastSeen": "2021-09-29 11:23:22.854700559 +0000 UTC m=+28740.116476977" "LastSeen": "2021-12-05 21:21:56.039750832 +0000 UTC m=+23.401193649"
}, },
"1001": { "2": {
"Name": "relay_kr", "Name": "Node_02",
"LastSeen": "2021-09-29 11:23:21.277417897 +0000 UTC m=+28738.539194315" "LastSeen": "2021-12-05 21:21:57.711616169 +0000 UTC m=+25.073058986"
},
"121": {
"Name": "za_north",
"LastSeen": "0001-01-01 00:00:00 +0000 UTC"
},
"33": {
"Name": "us_west",
"LastSeen": "2021-09-29 11:23:13.257033252 +0000 UTC m=+28730.518809670"
},
"49": {
"Name": "us_east",
"LastSeen": "2021-09-29 11:23:16.606165241 +0000 UTC m=+28733.867941659"
},
"51": {
"Name": "ca_central",
"LastSeen": "0001-01-01 00:00:00 +0000 UTC"
},
"65": {
"Name": "fr",
"LastSeen": "2021-09-29 11:23:19.4084596 +0000 UTC m=+28736.670236018"
},
"81": {
"Name": "au_central",
"LastSeen": "0001-01-01 00:00:00 +0000 UTC"
},
"89": {
"Name": "uae_north",
"LastSeen": "0001-01-01 00:00:00 +0000 UTC"
},
"9": {
"Name": "jp_east",
"LastSeen": "2021-09-29 11:23:16.669505147 +0000 UTC m=+28733.931281565"
},
"97": {
"Name": "br_south",
"LastSeen": "0001-01-01 00:00:00 +0000 UTC"
} }
}, },
"Infinity": 99999, "Infinity": 99999,
"Edges": { "Edges": {
"1": { "1": {
"1001": 0.033121187, "2": 0.002179297
"33": 0.075653164,
"49": 0.100471502,
"65": 0.065714769,
"9": 0.022864241
}, },
"1001": { "2": {
"1": 0.018561948, "1": -0.00030252
"33": 0.064077348, }
"49": 0.094459818, },
"65": 0.079481599, "Edges_Nh": {
"9": 0.011163433 "1": {
"2": 0.012179297
}, },
"33": { "2": {
"1": 0.075263428, "1": 0.00969748
"1001": 0.070029457,
"49": 0.032631349,
"65": 0.045575061,
"9": 0.050444255
},
"49": {
"1": 0.100271358,
"1001": 0.100182834,
"33": 0.034563118,
"65": 0.017950046,
"9": 0.07510982
},
"65": {
"1": 0.114219741,
"1001": 0.132759205,
"33": 0.095265063,
"49": 0.067413235,
"9": 0.127562362
},
"9": {
"1": 0.026909699,
"1001": 0.022555855,
"33": 0.056469043,
"49": 0.090400723,
"65": 0.08525314
} }
}, },
"NhTable": { "NhTable": {
"1": { "1": {
"1001": 1001, "2": 2
"33": 33,
"49": 49,
"65": 65,
"9": 9
}, },
"1001": { "2": {
"1": 1, "1": 1
"33": 33,
"49": 49,
"65": 65,
"9": 9
},
"33": {
"1": 1,
"1001": 1001,
"49": 49,
"65": 65,
"9": 9
},
"49": {
"1": 1,
"1001": 9,
"33": 33,
"65": 65,
"9": 9
},
"65": {
"1": 1,
"1001": 1001,
"33": 33,
"49": 49,
"9": 9
},
"9": {
"1": 1,
"1001": 1001,
"33": 33,
"49": 33,
"65": 65
} }
}, },
"Dist": { "Dist": {
"1": { "1": {
"1": 0, "1": 0,
"1001": 0.033121187, "2": 0.012179297
"33": 0.075119328,
"49": 0.102236885,
"65": 0.074688856,
"9": 0.022473723
}, },
"1001": { "2": {
"1": 0.018561948, "1": 0.00969748,
"1001": 0, "2": 0
"33": 0.064077348,
"49": 0.094459818,
"65": 0.079481599,
"9": 0.011163433
},
"33": {
"1": 0.075263428,
"1001": 0.070029457,
"33": 0,
"49": 0.032631349,
"65": 0.045575061,
"9": 0.050444255
},
"49": {
"1": 0.100271358,
"1001": 0.097665675,
"33": 0.034563118,
"49": 0,
"65": 0.017950046,
"9": 0.07510982
},
"65": {
"1": 0.114219741,
"1001": 0.132759205,
"33": 0.095265063,
"49": 0.067413235,
"65": 0,
"9": 0.127562362
},
"9": {
"1": 0.026909699,
"1001": 0.022555855,
"33": 0.056469043,
"49": 0.089100392,
"65": 0.08525314,
"9": 0
} }
} }
} }
@ -270,27 +197,30 @@ Example return value:
Section meaning: Section meaning:
1. PeerInfo: NodeIDNameLastSeen 1. PeerInfo: NodeIDNameLastSeen
2. Edges: The **Single way latency**9999 or missing means unreachable(UDP hole punching failed) 2. Edges: The **Single way latency**99999 or missing means unreachable(UDP hole punching failed)
3. Edges_Nh: Edges with AdditionalCost
3. NhTable: Calculate result. 3. NhTable: Calculate result.
4. Dist: The latency of **packet through Etherguard** 4. Dist: The latency of **packet through Etherguard**
### peeradd ### peer/add
We can add new edges with this API without restart the supernode We can add new edges with this API without restart the SuperNode
Exanple: Exanple:
``` ```bash
curl -X POST "http://127.0.0.1:3000/api/peer/add?Password=passwd_addpeer" \ curl -X POST "http://127.0.0.1:3456/eg_net/eg_api/manage/peer/add?Password=passwd_addpeer" \
-H "Content-Type: application/x-www-form-urlencoded" \ -H "Content-Type: application/x-www-form-urlencoded" \
-d "nodeid=100&name=Node_100&additionalcost=1000&pubkey=6SuqwPH9pxGigtZDNp3PABZYfSEzDaBSwuThsUUAcyM=" -d "NodeID=100&Name=Node_100&PubKey=DG%2FLq1bFpE%2F6109emAoO3iaC%2BshgWtdRaGBhW3soiSI%3D&AdditionalCost=1000&PSKey=w5t64vFEoyNk%2FiKJP3oeSi9eiGEiPteZmf2o0oI2q2U%3D&SkipLocalIP=false"
``` ```
Parameter: Parameter:
1. URL query: Password: Password. Configured in the config file. 1. URL query: Password: Password. Configured in the config file.
1. Post body: 1. Post body:
1. nodeid: Node ID 1. NodeID: Node ID
1. pubkey: Public Key 1. Name: Name
1. pskey: Pre shared Key 1. PubKey: Public Key
1. additionalcost: Additional cost for packet transfer. Unit: ms 1. PSKey: Pre shared Key
1. AdditionalCost: Additional cost for packet transfer. Unit: ms
1. SkipLocalIP: Skip local IP reported by the node
1. nexthoptable: If the `graphrecalculatesetting` of your super node is in static mode, you need to provide a new `NextHopTable` in json format in this parameter. 1. nexthoptable: If the `graphrecalculatesetting` of your super node is in static mode, you need to provide a new `NextHopTable` in json format in this parameter.
Return value: Return value:
@ -299,92 +229,20 @@ Return value:
* generate by contents in `edgetemplate` with custom data (nodeid/name/pubkey) * generate by contents in `edgetemplate` with custom data (nodeid/name/pubkey)
* Convenient for users to copy and paste * Convenient for users to copy and paste
```yaml ### peer/del
interface:
itype: stdio
name: tap1
vppifaceid: 1
vppbridgeid: 4242
macaddrprefix: AA:BB:CC:DD
mtu: 1404
recvaddr: 127.0.0.1:4001
sendaddr: 127.0.0.1:5001
l2headermode: kbdbg
nodeid: 100
nodename: Node_100
defaultttl: 200
privkey: Your_Private_Key
listenport: 3001
loglevel:
loglevel: normal
logtransit: true
logcontrol: true
lognormal: true
logntp: true
dynamicroute:
sendpinginterval: 16
peeralivetimeout: 30
dupchecktimeout: 40
conntimeout: 30
connnexttry: 5
savenewpeers: true
supernode:
usesupernode: true
pskey: ""
connurlv4: 127.0.0.1:3000
pubkeyv4: LJ8KKacUcIoACTGB/9Ed9w0osrJ3WWeelzpL2u4oUic=
connurlv6: ""
pubkeyv6: HCfL6YJtpJEGHTlJ2LgVXIWKB/K95P57LHTJ42ZG8VI=
apiurl: http://127.0.0.1:3000/api
supernodeinfotimeout: 50
p2p:
usep2p: false
sendpeerinterval: 20
graphrecalculatesetting:
jittertolerance: 20
jittertolerancemultiplier: 1.1
nodereporttimeout: 40
recalculatecooldown: 5
ntpconfig:
usentp: true
maxserveruse: 8
synctimeinterval: 3600
ntptimeout: 3
servers:
- time.google.com
- time1.google.com
- time2.google.com
- time3.google.com
- time4.google.com
- time1.facebook.com
- time2.facebook.com
- time3.facebook.com
- time4.facebook.com
- time5.facebook.com
- time.cloudflare.com
- time.apple.com
- time.asia.apple.com
- time.euro.apple.com
- time.windows.com
nexthoptable: {}
resetconninterval: 86400
peers: []
```
### peerdel
Delete peer Delete peer
There are two deletion modes, namely password deletion and private key deletion. There are two deletion modes, namely password deletion and private key deletion.
Designed to be used by administrators, or for people who join the network and want to leave the network. Designed to be used by administrators, or for people who join the network and want to leave the network.
Use Password to delete any node. Take the newly added node above as an example, use this API to delete the node Use Password to delete any node. Take the newly added node above as an example, use this API to delete the node
``` ```bash
curl "http://127.0.0.1:3000/api/peer/del?Password=passwd_delpeer&nodeid=100" curl "http://127.0.0.1:3456/eg_net/eg_api/manage/peer/del?Password=passwd_delpeer&NodeID=100"
``` ```
We can also use privkey to delete, the same as above, but use privkey parameter only. We can also use privkey to delete, the same as above, but use privkey parameter only.
``` ```bash
curl "http://127.0.0.1:3000/api/peer/del?privkey=IJtpnkm9ytbuCukx4VBMENJKuLngo9KSsS1D60BqonQ=" curl "http://127.0.0.1:3456/eg_net/eg_api/manage/peer/del?PrivKey=iquaLyD%2BYLzW3zvI0JGSed9GfDqHYMh%2FvUaU0PYVAbQ%3D"
``` ```
Parameter: Parameter:
@ -397,48 +255,112 @@ Return value:
1. http code != 200: Error reason 1. http code != 200: Error reason
2. http code == 200: Success message 2. http code == 200: Success message
## Config Parameters ### peer/update
### Super mode of edge node ```bash
1. `usesupernode`: Whether to enable Super mode curl -X POST "http://127.0.0.1:3456/eg_net/eg_api/manage/peer/update?Password=passwd_updatepeer&NodeID=1" \
1. `pskey`: Pre shared Key used to establish connection with supernode -H "Content-Type: application/x-www-form-urlencoded" \
1. `connurlv4`: IPv4 connection address of the Super node -d "AdditionalCost=10&SkipLocalIP=false"
1. `pubkeyv4`: IPv4 key of Super node ```
1. `connurlv6`: IPv6 connection address of the Super node
1. `pubkeyv6`: IPv6 key of Super node
1. `apiurl`: HTTP(S) API connection address of Super node
1. `supernodeinfotimeout`: Supernode Timeout
### Super node it self ### super/update
```bash
curl -X POST "http://127.0.0.1:3456/eg_net/eg_api/manage/super/update?Password=passwd_updatesuper" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "SendPingInterval=15&HttpPostInterval=60&PeerAliveTimeout=70&DampingResistance=0.9"
```
### SuperNode Config Parameter
Key | Description
--------------------|:-----
NodeName | node name
PostScript | Running script after initialized
PrivKeyV4 | Private key for IPv4 session
PrivKeyV6 | Private key for IPv6 session
ListenPort | UDP listen port
ListenPort_EdgeAPI | HTTP EdgeAPI listen port
ListenPort_ManageAPI| HTTP ManageAPI listen port
API_Prefix | HTTP API prefix
RePushConfigInterval| The interval of push`UpdateXXX`
HttpPostInterval | The interval of report by HTTP Edge API
PeerAliveTimeout | The time of inactive which marks peer offline
SendPingInterval | The interval that send pings/pongs between EdgeNodes
[LogLevel](../static_mode/README.md#LogLevel)| Log related settings
[Passwords](#Passwords) | Password for HTTP ManageAPI, 5 API passwords are independent
[GraphRecalculateSetting](#GraphRecalculateSetting) | Some parameters related to [Floyd-Warshall algorithm](https://zh.wikipedia.org/zh-tw/Floyd-Warshall algorithm)
[NextHopTable](../static_mode/README.md#NextHopTable) | `NextHopTable` used by StaticMode
EdgeTemplate | for HTTP ManageAPI `peer/add`. Refer to this configuration file and show a sample configuration file of the edge to the user
UsePSKForInterEdge | Whether to enable pre-share key communication between edges.<br>If enabled, SuperNode will generate PSK for edges automatically
[Peers](#EdgeNodes) | EdgeNode information
<a name="Passwords"></a>Passwords | Description
--------------------|:-----
ShowState | HTTP ManageAPI Password for `super/state`
AddPeer | HTTP ManageAPI Password for `peer/add`
DelPeer | HTTP ManageAPI Password for `peer/del`
UpdatePeer | HTTP ManageAPI Password for `peer/update`
UpdateSuper | HTTP ManageAPI Password for `super/update`
<a name="GraphRecalculateSetting"></a>GraphRecalculateSetting | Description
--------------------|:-----
StaticMode | Disable `Floyd-Warshall`, use `NextHopTable`in the configuration instead.<br>SuperNode for udp hole punching only.
ManualLatency | Set latency manually, ignore Edge reported latency.
JitterTolerance | Jitter tolerance, after receiving Pong, one 37ms and one 39ms will not trigger recalculation<br>Compared to last calculation
JitterToleranceMultiplier | high ping allows more errors<br>https://www.desmos.com/calculator/raoti16r5n
DampingResistance | Damping resistance<br>`latency = latency_old * resistance + latency_in * (1-resistance)`
TimeoutCheckInterval | The interval to check if there any `Pong` packet timed out, and recalculate the NhTable
RecalculateCoolDown | Floyd-Warshal is an O(n^3)time complexity algorithm<br>This option set a cooldown, and prevent it cost too many CPU<br>Connect/Disconnect event ignores this cooldown.
<a name="EdgeNodes"></a>Peers | Description
--------------------|:-----
NodeID | Peer's node ID
PubKey | Peer's public key
PSKey | Pre shared key
[AdditionalCost](#AdditionalCost) | AdditionalCost(unit:ms)<br> `-1` means uses client's self configuration.
SkipLocalIP | Ignore Edge reported local IP, use public IP only while udp-hole-punching
### EdgeNode Config Parameter
#### [EdgeConfig Root](../static_mode/README.md#EdgeConfig)
<a name="DynamicRoute"></a>DynamicRoute | Description
--------------------|:-----
SendPingInterval | The interval that send pings/pongs between EdgeNodes(sec)
PeerAliveTimeout | The time of inactive which marks peer offline(sec)
TimeoutCheckInterval | The interval of check PeerAliveTimeout(sec)
ConnNextTry | After marked offline, the interval of switching Endpoint(sec)
DupCheckTimeout | Duplication chack timeout.(sec)
[AdditionalCost](#AdditionalCost) | AdditionalCost(unit:ms)
SaveNewPeers | Save peer info to local file.
[SuperNode](#SuperNode) | SuperNode related configs
[P2P](../p2p_mode/README.md#P2P) | P2P related configs
[NTPConfig](#NTPConfig) | NTP related configs
<a name="SuperNode"></a>SuperNode | Description
---------------------|:-----
UseSuperNode | Enable SuperMode
PSKey | PreShared Key to communicate to SuperNode
EndpointV4 | IPv4 Endpoint of the SuperNode
PubKeyV4 | Public Key for IPv4 session to SuperNode
EndpointV6 | IPv6 Endpoint of the SuperNode
PubKeyV6 | Public Key for IPv6 session to SuperNode
EndpointEdgeAPIUrl | The EdgeAPI of the SuperNode
SkipLocalIP | Do not report local IP to SuperNode.
SuperNodeInfoTimeout | Experimental option, SuperNode offline timeout, switch to P2P mode<br>P2P mode needs to be enabled first<br>This option is useless while `UseP2P=false`<br>P2P mode has not been tested, stability is unknown, it is not recommended for production use
<a name="NTPConfig"></a>NTPConfig | Description
--------------------|:-----
UseNTP | Sync time at startup
MaxServerUse | Use how many server to sync time
SyncTimeInterval | The interval of syncing time
NTPTimeout | NTP server connection Timeout
Servers | NTP server list
1. nodename: node name
1. privkeyv4: private key for ipv4
1. privkeyv6: private key for ipv6
1. listenport: listen udp port number
1. loglevel: Refer to [README.md](../README.md)
1. repushconfiginterval: re-push interval of `UpdateXXX` messages
1. passwords: HTTP API password
1. showstate: node information
1. addpeer: add peer
1. delpeer: delete peer
1. graphrecalculatesetting: Some parameters related to [Floyd-Warshall algorithm](https://zh.wikipedia.org/zh-tw/Floyd-Warshall algorithm)
1. staticmode: Disable the Floyd-Warshall algorithm and only use the nexthoptable loaded at the beginning.
Supernode is only used to assist hole punching
1. recalculatecooldown: Floyd-Warshal is O(n^3) time complexity algorithm, which cannot be calculated too often. Set a cooling time
1. jittertolerance: jitter tolerance, after receiving Pong, one 37ms and one 39ms will not trigger recalculation
1. jittertolerancemultiplier: the same is the jitter tolerance, but high ping allows more errors
https://www.desmos.com/calculator/raoti16r5n
1. nodereporttimeout: The timeout of the received `Pong` packet. Change back to Infinity after timeout.
1. timeoutcheckinterval: The interval to check if there any `Pong` packet timeouted, and recalculate the NhTable
1. nexthoptable: only works in `staticmode==true`, set nexthoptable manually
1. edgetemplate: for `addpeer` API. Refer to this configuration file and show a sample configuration file of the edge to the user
1. usepskforinteredge: Whether to enable pre-share key communication between edges. If enabled, supernode will generate PSKs for edges automatically
1. peers: Peer list, refer to [README.md](../README.md)
1. nodeid: Peer's node ID
1. name: Peer name (displayed on the front end)
1. pubkey: peer public key
1. pskey: preshared key The PSK that this peer connects to this Supernode
1. additionalcost: Additional cost for packet transfer. Unit: ms
## V4 V6 Two Keys ## V4 V6 Two Keys
Why we split IPv4 and IPv6 into two session? Why we split IPv4 and IPv6 into two session?
@ -476,9 +398,9 @@ To avoid this issue, please use the external IP of the supernode in the edge con
## Quick start ## Quick start
Run this example_config (please open three terminals): Run this example_config (please open three terminals):
```bash ```bash
./etherguard-go -config example_config/super_mode/s1.yaml -mode super ./etherguard-go -config example_config/super_mode/Node_super.yaml -mode super
./etherguard-go -config example_config/super_mode/n1.yaml -mode edge ./etherguard-go -config example_config/super_mode/Node_edge001.yaml -mode edge
./etherguard-go -config example_config/super_mode/n2.yaml -mode edge ./etherguard-go -config example_config/super_mode/Node_edge002.yaml -mode edge
``` ```
Because it is in `stdio` mode, stdin will be read into the VPN network Because it is in `stdio` mode, stdin will be read into the VPN network
Please type in one of the edge windows Please type in one of the edge windows

37
example_config/super_mode/README_zh.md
View File

@ -3,12 +3,9 @@
## Super Mode ## Super Mode
Super Mode是受到[n2n](https://github.com/ntop/n2n)的啟發 此模式是受到[n2n](https://github.com/ntop/n2n)的啟發分為SuperNode和EdgeNode兩種節點
分為SuperNodeEdgeNode兩種節點 EdgeNode首先和SuperNode建立連線藉由SuperNode交換其他EdgeNode的資訊
由SuperNode執行[Floyd-Warshall演算法](https://zh.wikipedia.org/zh-tw/Floyd-Warshall算法)並把計算結果分發給EdgeNode
全部節點都會和SuperNode建立連線
藉由SuperNode交換其他節點的資訊以及udp打洞
由SuperNode執行[Floyd-Warshall演算法](https://zh.wikipedia.org/zh-tw/Floyd-Warshall算法)並把計算結果分發給全部edge node
## Quick start ## Quick start
@ -238,7 +235,7 @@ curl -X POST "http://127.0.0.1:3456/eg_net/eg_api/manage/peer/add?Password=passw
1. NodeID: Node ID 1. NodeID: Node ID
1. Name: 節點名稱 1. Name: 節點名稱
1. PubKey: Public Key 1. PubKey: Public Key
1. PSKey: Preshared Key 1. PSKey: Pre shared Key
1. AdditionalCost: 此節點進行封包轉發的額外成本。單位: 毫秒 1. AdditionalCost: 此節點進行封包轉發的額外成本。單位: 毫秒
1. SkipLocalIP: 是否使該節點不使用Local IP 1. SkipLocalIP: 是否使該節點不使用Local IP
1. nexthoptable: 如果你的super node的`graphrecalculatesetting`是static mode那麼你需要在這提供一張新的`NextHopTable`json格式 1. nexthoptable: 如果你的super node的`graphrecalculatesetting`是static mode那麼你需要在這提供一張新的`NextHopTable`json格式
@ -291,9 +288,9 @@ curl -X POST "http://127.0.0.1:3456/eg_net/eg_api/manage/super/update?Password=p
### SuperNode Config Parameter ### SuperNode Config Parameter
Key | Description Key | Description
-------------- |:----- --------------------|:-----
NodeName| 節點名稱 NodeName | 節點名稱
PostScript | 初始化完畢之後要跑的腳本 PostScript | 初始化完畢之後要跑的腳本
PrivKeyV4 | IPv4通訊使用的私鑰 PrivKeyV4 | IPv4通訊使用的私鑰
PrivKeyV6 | IPv6通訊使用的私鑰 PrivKeyV6 | IPv6通訊使用的私鑰
@ -327,7 +324,7 @@ StaticMode | 關閉`Floyd-Warshall`演算法,只使用設定
ManualLatency | 手動設定延遲不採用EdgeNode回報的延遲(單位: 毫秒) ManualLatency | 手動設定延遲不採用EdgeNode回報的延遲(單位: 毫秒)
JitterTolerance | 抖動容許誤差收到Pong以後一個37ms一個39ms不會觸發重新計算<br>比較對象是上次更新使用的值。如果37 37 41 43 .. 100 ,每次變動一點點,總變動量超過域值還是會更新 JitterTolerance | 抖動容許誤差收到Pong以後一個37ms一個39ms不會觸發重新計算<br>比較對象是上次更新使用的值。如果37 37 41 43 .. 100 ,每次變動一點點,總變動量超過域值還是會更新
JitterToleranceMultiplier | 抖動容許誤差的放大係數高ping的話允許更多誤差<br>https://www.desmos.com/calculator/raoti16r5n JitterToleranceMultiplier | 抖動容許誤差的放大係數高ping的話允許更多誤差<br>https://www.desmos.com/calculator/raoti16r5n
DampingResistance | 防抖阻尼系數`latency = latency_old * resistance + latency_in * (1-resistance)` DampingResistance | 防抖阻尼系數<br>`latency = latency_old * resistance + latency_in * (1-resistance)`
TimeoutCheckInterval | 週期性檢查節點的連線狀況,是否斷線需要重新規劃線路 TimeoutCheckInterval | 週期性檢查節點的連線狀況,是否斷線需要重新規劃線路
RecalculateCoolDown | Floyd-Warshal是O(n^3)時間複雜度,不能太常算。<br>設個冷卻時間<br>有節點加入/斷線觸發的重新計算無視這個CoolDown RecalculateCoolDown | Floyd-Warshal是O(n^3)時間複雜度,不能太常算。<br>設個冷卻時間<br>有節點加入/斷線觸發的重新計算無視這個CoolDown
@ -341,21 +338,7 @@ SkipLocalIP | 打洞時不使用EdgeNode回報的本地IP僅使用
### EdgeNode Config Parameter ### EdgeNode Config Parameter
Key | Description #### [EdgeConfig Root](../static_mode/README_zh.md#EdgeConfig)
-------------- |:-----
[Interface](../static_mode/README_zh.md#Interface)| 接口相關設定。VPN有兩端一端是VPN網路另一端則是本地接口
NodeID | 節點ID。節點之間辨識身分用的同一網路內節點ID不能重複
NodeName | 節點名稱
PostScript | 初始化完畢之後要跑的腳本
DefaultTTL | TTLetherguard層使用和乙太層不共通
L2FIBTimeout | MacAddr-> NodeID 查找表的 timeout(秒) 類似ARP table
PrivKey | 私鑰和wireguard規格一樣
ListenPort | 監聽的udp埠
[LogLevel](../static_mode/README_zh.md#LogLevel)| 紀錄log
[DynamicRoute](#DynamicRoute) | 動態路由相關設定
NextHopTable | 轉發表, SuperMode由SuperNode計算EdgeNode用不到
ResetConnInterval | 如果對方是動態ip就要用這個。每隔一段時間就會重置連線重新解析域名
[Peers](#Peers) | 鄰居節點SuperMode從SuperNode計算EdgeNode用不到
<a name="DynamicRoute"></a>DynamicRoute | Description <a name="DynamicRoute"></a>DynamicRoute | Description
--------------------|:----- --------------------|:-----
@ -390,7 +373,7 @@ MaxServerUse | 向多少NTP伺服器發送請求
SyncTimeInterval | 多久同步一次時間 SyncTimeInterval | 多久同步一次時間
NTPTimeout | NTP伺服器連線Timeout NTPTimeout | NTP伺服器連線Timeout
Servers | NTP伺服器列表 Servers | NTP伺服器列表
## V4 V6 兩個公鑰 ## V4 V6 兩個公鑰
為什麼要分開IPv4和IPv6呢? 為什麼要分開IPv4和IPv6呢?
因為有這種情況: 因為有這種情況: