Campagnol : distributed VPN over UDP/DTLS
Campagnol is a distributed IP-based VPN software able to open new connections through NATs or firewalls without any configuration. It uses UDP for the transport layer and utilizes tunneling and encryption (with DTLS) and the UDP hole punching NAT traversal technique. The established connections are P2P.
Campagnol VPN currently supports Linux, FreeBSD, OpenBSD, NetBSD and Cygwin on 32 bits Windows. It is licensed under the GPLv3 license.
Features
- UDP hole punching
- Campagnol makes use of the UDP hole punching technique to open new connections through NAT/firewall between two peers. You can find a complete description of this technique here.
- Peer-to-peer communications
- The communications between the peers are direct and do not pass through a central node although the VPN uses an external rendezvous server to register the clients and for the UDP hole punching.
- Transparency
- There is no need to adapt your softwares since the VPN appears like a normal network device.
- Ease of deployment
- Once the rendezvous server is running, you don't have to do additional configurations. You can easily expand your network without modifying the existing configurations.
- Security, authentication and authorization
- The use of the DTLS protocol allows to:
- automatically exchange the keys between the machines when opening a new session (using certificates)
- ensure the authenticity of the keys and thereby authorize the peers
- revoke the certificates that are not authorized anymore (using a Certificate Revocation List)
Overview
Campagnol VPN is made up of two parts:
- a client software running on every computer taking part in the VPN. It is the software that will send/receive the packets on the VPN after authentication and encryption. This program is non-interactive and can run as a daemon.
- a lightweight external server, the rendezvous server for the hole punching, which maintains the registrations of every clients and keep tracks of the connections.
When the client is launched, it starts off with registering with the rendezvous (RDV) server. It will then regularly exchange some small messages with the RDV server in order to keep the connection alive and maintain the translation tables of the NATs. Later on the RDV server is used to initiate the UDP hole punching between two clients.
The client uses the TUN kernel driver to create a virtual network interface for the VPN and then associates a route to this interface. When a packet for a unknown peer arrives on the TUN device, Campagnol asks the RDV server for a new connection. This initiate the UDP hole punching between the two peers. Once the connection is established, the two peers open a DTLS session, authenticate each other and eventually the link is ready. This is a peer to peer connection: no data will flow through the RDV server or any other node. Connections are closed when inactive.
Campagnol is written in C and currently supports Linux, FreeBSD, OpenBSD, NetBSD and Cygwin.
Campagnol uses an X.509 certificate based mutual authentication between the clients (with DTLS). Each client needs to own a valid certificate and its associated key pair. Therefore a typical usage is to have a minimum PKI to manage the VPN. You will for instance generate:
- a private key (your CA) and an associated trusted root certificate distributed to all the clients
- one private key and one signed certificate per client
- possibly a certificate revocation list to manage the old client's certificates
Current status
Campagnol is pretty usable now although some important features are still lacking.
So, what's next for Campagnol?
- Use DTLS between the rendezvous server and the peers. This one is really important and will be the next big step.
- Allow to centralize the common options (VPN subnetwork, type of ciphering, MTU...) in the rendezvous server in order to ease the deployment of a VPN.
- Try to also centralize the certificate revocation list. Maybe use OCSP.
Misc
This project started in 2006 as a student project at the french engineering school TELECOM Bretagne in relation with the work of the SID research group.
Campagnol is the French for vole, those little rodents that dig tunnels in your yard…