campagnol - Decentralized VPN over UDP tunneling
campagnol [-dDhmvV] [-p pidfile] [configuration_file]
Campagnol is a distributed IP-based VPN software able to open new connections through NATs or firewalls without any configuration. It uses UDP for the transport layer and utilizes tunneling and encryption (with DTLS).
This software is the client part of the VPN, i.e. the software that will send/receive the packets on the VPN after authentication and encryption. This program is non-interactive and can run as a daemon.
Campagnol starts off by registering with the rendezvous (RDV) server, which keeps track of every client of the VPN. It then regularly exchanges small messages with the RDV server in order to keep the connection alive and to maintain the translation tables of the NATs. Later on, the RDV server is used to initiate the UDP hole punching between two clients.
Campagnol uses the TUN kernel driver to create a virtual network interface for the VPN and then associates a route with this interface. When a packet for an unknown peer arrives on the TUN device, Campagnol asks the RDV server for a new connection. This initiates the UDP hole punching between the two peers. Once the connection is established, the two peers open a DTLS session and authenticate each other, and eventually the link is ready. This is a peer-to-peer connection: no data flows through the RDV server or any other node. After some time of inactivity (or if one of the peers exits) the session is closed.
-d, --debug
debug mode
-D, --daemon
start the client in background (daemonize) and create a PID file in /usr/local/var/run/campagnol.pid or in another file defined with --pidfile
-h, --help
print help, then exit
-m, --mlock
lock the process's pages into RAM by calling the mlockall system call if available
-p, --pidfile=pidfile
write the pid into pidfile when running in background
-v, --verbose
verbose mode
-V, --version
show version information and exit
The communications between two peers are opened when needed and are fully authenticated and encrypted thanks to DTLS.
Campagnol uses X.509 certificate-based security. Each client needs to own a valid certificate and its associated key pair. A typical usage is therefore to run a minimal PKI to manage the VPN. You will for instance generate:
• a private key (your CA) and an associated trusted root certificate distributed to all the clients
• one private key and one signed certificate per client
• possibly a certificate revocation list to manage old client certificates
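The three items above as a worked example with the OpenSSL command line (this is added example code, not part of Campagnol; the output directory layout, file names such as ca.crt and ca.crl, and the client names are assumptions). It builds the CA, signs one certificate per client and emits the CRL that a client reloads on SIGUSR2:

```shell
# Added example (not Campagnol's own code): a minimal PKI for the VPN with
# OpenSSL: one CA, one key pair + signed certificate per client, and a CRL.
# The directory layout, file names and client names are assumptions.
set -eu
make_vpn_pki() {
    dir="$1"; shift                  # output directory, then client names
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
    # Tiny OpenSSL config, enough for 'openssl req' and 'openssl ca' (sign, CRL)
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = vpn_policy
[ vpn_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
    # CA key and self-signed root certificate (distributed to every client)
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj /CN=campagnol-vpn-ca -keyout "$dir/ca.key" -out "$dir/ca.crt"
    # One key pair and one CA-signed certificate per client
    for client in "$@"; do
        openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
            -subj "/CN=$client" -keyout "$dir/$client.key" -out "$dir/$client.csr"
        openssl ca -config "$dir/ca.cnf" -batch -notext \
            -in "$dir/$client.csr" -out "$dir/$client.crt"
    done
    # CRL (empty for now): after 'openssl ca -revoke <cert>' regenerate it, then SIGUSR2
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl"
}
# Does a client certificate chain to the CA and is it absent from the CRL?
check_client_cert() { openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check "$1/$2.crt"; }
```

Run as `make_vpn_pki ./vpn-ca alice bob`; each client then receives ca.crt, ca.crl and its own key and certificate, and the CA key stays offline.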
The cipher list used by OpenSSL can be defined in the configuration file. By default Campagnol uses OpenSSL’s default algorithms. You can use the ciphers command from OpenSSL to see the available algorithms:
$ openssl ciphers -v -tls1 DEFAULT
SIGINT, SIGQUIT and SIGTERM
Campagnol will close all connections and quit.
SIGUSR1
will cause Campagnol to close all connections, disconnect from the RDV server, reread the key, the certificates and the CRL, and restart. The configuration file is not reread.
SIGUSR2
will cause Campagnol to reread the key, the certificates and the CRL. The new files are used for subsequent connections. This is especially useful for loading a new CRL.
Campagnol needs a configuration file. It will use by default /usr/local/etc/campagnol.conf but you can specify another file as a command line argument.
The syntax of this file and all the available options are described in campagnol.conf(5).
You can use the sample configuration file as a basis for writing your own.
/usr/local/etc/campagnol.conf
The default configuration file used if none is given on the command line.
campagnol_rdv(8), campagnol.conf(5), openssl-ciphers(1), RFC 4347 "Datagram Transport Layer Security"
Florent Bondoux <fbondoux@users.sourceforge.net>