Add fastd, a very small VPN daemon

Skeen · Jun 12, 2014 · 605d088 · 605d088
1 parent eeb7ac0
commit 605d088
Show file tree

Hide file tree

Showing 5 changed files with 809 additions and 0 deletions.
diff --git a/net/fastd/Config.in b/net/fastd/Config.in
@@ -0,0 +1,82 @@
+menu "Configuration"
+	depends on PACKAGE_fastd
+
+config FASTD_ENABLE_METHOD_CIPHER_TEST
+	bool "Enable cipher-test method provider"
+	depends on PACKAGE_fastd
+	default n
+
+config FASTD_ENABLE_METHOD_COMPOSED_GMAC
+	bool "Enable composed-gmac method provider"
+	depends on PACKAGE_fastd
+	default y
+
+config FASTD_ENABLE_METHOD_GENERIC_GMAC
+	bool "Enable generic-gmac method provider"
+	depends on PACKAGE_fastd
+	default y
+
+config FASTD_ENABLE_METHOD_GENERIC_POLY1305
+	bool "Enable generic-poly1305 method provider"
+	depends on PACKAGE_fastd
+	default n
+
+config FASTD_ENABLE_METHOD_NULL
+	bool "Enable null method"
+	depends on PACKAGE_fastd
+	default y
+
+config FASTD_ENABLE_METHOD_XSALSA20_POLY1305
+	bool "Enable xsalsa20-poly1305 method"
+	depends on PACKAGE_fastd
+	default n
+
+
+config FASTD_ENABLE_CIPHER_AES128_CTR
+	bool "Enable the AES128-CTR cipher"
+	depends on PACKAGE_fastd
+	default n
+
+config FASTD_ENABLE_CIPHER_NULL
+	bool "Enable the null cipher"
+	depends on PACKAGE_fastd
+	default y
+
+config FASTD_ENABLE_CIPHER_SALSA20
+	bool "Enable the Salsa20 cipher"
+	depends on PACKAGE_fastd
+	default n
+
+config FASTD_ENABLE_CIPHER_SALSA2012
+	bool "Enable the Salsa20/12 cipher"
+	depends on PACKAGE_fastd
+	default y
+
+
+config FASTD_ENABLE_MAC_GHASH
+	bool "Enable the GHASH message authentication code"
+	depends on PACKAGE_fastd
+	default y
+
+
+config FASTD_WITH_CMDLINE_USER
+	bool "Include support for setting user/group related options on the command line"
+	depends on PACKAGE_fastd
+	default n
+
+config FASTD_WITH_CMDLINE_LOGGING
+	bool "Include support for setting logging related options on the command line"
+	depends on PACKAGE_fastd
+	default n
+
+config FASTD_WITH_CMDLINE_OPERATION
+	bool "Include support for setting options related to the VPN operation (like mode, interface, encryption method) on the command line"
+	depends on PACKAGE_fastd
+	default n
+
+config FASTD_WITH_CMDLINE_COMMANDS
+	bool "Include support for setting handler scripts (e.g. --on-up) on the command line"
+	depends on PACKAGE_fastd
+	default n
+
+endmenu
diff --git a/net/fastd/Makefile b/net/fastd/Makefile
@@ -0,0 +1,163 @@
+#
+# Copyright (C) 2012-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fastd
+PKG_VERSION:=12
+PKG_RELEASE:=1
+
+PKG_MAINTAINER:=Matthias Schiffer <[email protected]>
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://projects.universe-factory.net/attachments/download/73
+PKG_MD5SUM:=1dadc61f4d712a10844afcb9b9f49a41
+
+PKG_CONFIG_DEPENDS:=\
+	CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST \
+	CONFIG_FASTD_ENABLE_METHOD_COMPOSED_GMAC \
+	CONFIG_FASTD_ENABLE_METHOD_GENERIC_GMAC \
+	CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305 \
+	CONFIG_FASTD_ENABLE_METHOD_NULL \
+	CONFIG_FASTD_ENABLE_METHOD_XSALSA20_POLY1305 \
+	CONFIG_FASTD_ENABLE_CIPHER_AES128_CTR \
+	CONFIG_FASTD_ENABLE_CIPHER_NULL \
+	CONFIG_FASTD_ENABLE_CIPHER_SALSA20 \
+	CONFIG_FASTD_ENABLE_CIPHER_SALSA2012 \
+	CONFIG_FASTD_ENABLE_MAC_GHASH \
+	CONFIG_FASTD_WITH_CMDLINE_USER \
+	CONFIG_FASTD_WITH_CMDLINE_LOGGING \
+	CONFIG_FASTD_WITH_CMDLINE_OPERATION \
+	CONFIG_FASTD_WITH_CMDLINE_COMMANDS
+
+
+PKG_BUILD_DEPENDS:=nacl libuecc
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/fastd
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+kmod-tun +librt +libpthread
+  TITLE:=Fast and Secure Tunneling Daemon
+  URL:=https://projects.universe-factory.net/projects/fastd
+  SUBMENU:=VPN
+endef
+
+define Package/fastd/config
+  source "$(SOURCE)/Config.in"
+endef
+
+TARGET_CFLAGS += -ffunction-sections -fdata-sections
+TARGET_LDFLAGS += -Wl,--gc-sections
+
+CMAKE_OPTIONS += \
+	-DCMAKE_BUILD_TYPE:STRING=MINSIZEREL \
+	-DWITH_METHOD_CIPHER_TEST:BOOL=FALSE \
+	-DWITH_METHOD_COMPOSED_GMAC:BOOL=FALSE \
+	-DWITH_METHOD_GENERIC_GMAC:BOOL=FALSE \
+	-DWITH_METHOD_GENERIC_POLY1305:BOOL=FALSE \
+	-DWITH_METHOD_NULL:BOOL=FALSE \
+	-DWITH_METHOD_XSALSA20_POLY1305:BOOL=FALSE \
+	-DWITH_CIPHER_AES128_CTR:BOOL=FALSE \
+	-DWITH_CIPHER_NULL:BOOL=FALSE \
+	-DWITH_CIPHER_SALSA20:BOOL=FALSE \
+	-DWITH_CIPHER_SALSA2012:BOOL=FALSE \
+	-DWITH_MAC_GHASH:BOOL=FALSE \
+	-DWITH_CMDLINE_USER:BOOL=FALSE \
+	-DWITH_CMDLINE_LOGGING:BOOL=FALSE \
+	-DWITH_CMDLINE_OPERATION:BOOL=FALSE \
+	-DWITH_CMDLINE_COMMANDS:BOOL=FALSE \
+	-DWITH_CAPABILITIES:BOOL=FALSE
+
+
+ifeq ($(CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST),y)
+CMAKE_OPTIONS += -DWITH_METHOD_CIPHER_TEST:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_METHOD_COMPOSED_GMAC),y)
+CMAKE_OPTIONS += -DWITH_METHOD_COMPOSED_GMAC:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_METHOD_GENERIC_GMAC),y)
+CMAKE_OPTIONS += -DWITH_METHOD_GENERIC_GMAC:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305),y)
+CMAKE_OPTIONS += -DWITH_METHOD_GENERIC_POLY1305:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_METHOD_NULL),y)
+CMAKE_OPTIONS += -DWITH_METHOD_NULL:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_METHOD_XSALSA20_POLY1305),y)
+CMAKE_OPTIONS += -DWITH_METHOD_XSALSA20_POLY1305:BOOL=TRUE
+endif
+
+
+ifeq ($(CONFIG_FASTD_ENABLE_CIPHER_AES128_CTR),y)
+CMAKE_OPTIONS += -DWITH_CIPHER_AES128_CTR:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_CIPHER_NULL),y)
+CMAKE_OPTIONS += -DWITH_CIPHER_NULL:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_CIPHER_SALSA20),y)
+CMAKE_OPTIONS += -DWITH_CIPHER_SALSA20:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_ENABLE_CIPHER_SALSA2012),y)
+CMAKE_OPTIONS += -DWITH_CIPHER_SALSA2012:BOOL=TRUE
+endif
+
+
+ifeq ($(CONFIG_FASTD_ENABLE_MAC_GHASH),y)
+CMAKE_OPTIONS += -DWITH_MAC_GHASH:BOOL=TRUE
+endif
+
+
+ifeq ($(CONFIG_FASTD_WITH_CMDLINE_USER),y)
+CMAKE_OPTIONS += -DWITH_CMDLINE_USER:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_WITH_CMDLINE_LOGGING),y)
+CMAKE_OPTIONS += -DWITH_CMDLINE_LOGGING:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_WITH_CMDLINE_OPERATION),y)
+CMAKE_OPTIONS += -DWITH_CMDLINE_OPERATION:BOOL=TRUE
+endif
+
+ifeq ($(CONFIG_FASTD_WITH_CMDLINE_COMMANDS),y)
+CMAKE_OPTIONS += -DWITH_CMDLINE_COMMANDS:BOOL=TRUE
+endif
+
+
+define Package/fastd/description
+ Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
+endef
+
+define Package/fastd/conffiles
+/etc/config/fastd
+endef
+
+define Package/fastd/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/fastd $(1)/usr/bin/
+
+	$(INSTALL_DIR) $(1)/etc/init.d/
+	$(INSTALL_BIN) files/fastd.init $(1)/etc/init.d/fastd
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) files/fastd.config $(1)/etc/config/fastd
+	$(INSTALL_DIR) $(1)/etc/fastd
+	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+	$(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd
+endef
+
+$(eval $(call BuildPackage,fastd))
diff --git a/net/fastd/files/fastd.config b/net/fastd/files/fastd.config
@@ -0,0 +1,143 @@
+package fastd
+
+config fastd sample_config
+
+	# Set to 1 to enable this instance:
+	option enabled 0
+
+	# Sets a static config file, optional
+	# Options set via UCI have higher priority that statically configured ones
+#	list config '/etc/fastd/sample_config/fastd.conf'
+
+	# Configures a single static peer from a configuration file
+#	list config_peer '/etc/fastd/sample_config/sample_peer.conf'
+
+	# Sets an additional directory from which peers configurations are read
+	# The peer list can be reloaded without restarting fastd
+	# Peer can either be configured via UCI (see examples below) or via peer dirs
+	# Can't be used in tun mode
+#	list config_peer_dir '/etc/fastd/sample_config/peers'
+
+	# Sets the log level
+	# Possible values: error, warn, info, verbose, debug
+	# Default: info
+	option syslog_level 'info'
+
+	# IP address and port of the local end, optional
+	# 'any' can be used to bind to both IPv4 and IPv6
+	# If no port is given fastd will bind to a random port
+#	list bind 'any:1337'
+#	list bind '0.0.0.0:1337'
+#	list bind '[::]:1337'
+
+	# "method null" uses no encryption or MAC
+	# "method xsalsa20-poly1305" uses the XSalsa20 encryption ad the Poly1305 MAC
+	list method 'xsalsa20-poly1305'
+
+	# "mode tap" will create an ethernet tunnel (tap device),
+	# "mode tun" will create an IP tunnel (tun device).
+	option mode 'tap'
+
+	# Set the name of the tunnel interface to use
+	option interface 'tap0'
+#	option interface 'tun0'
+#	option interface 'fastd0'
+
+	# Sets the MTU of the tunnel interface, default is 1500
+	# 1426 is a good value that avoids fragmentation for the xsalsa20-poly1305 method
+	# when the tunnel uses an IPv4 connection on a line with an MTU of 1492 or higher
+	option mtu 1426
+
+	# Enables direct forwaring of packets between peers
+	# WARNING: Only enable this if you know what you are doing, as this can lead to forwarding loops!
+	option forward 0
+
+	# Disable for compatiblity with fastd v10 and older
+	option secure_handshakes 1
+
+	# Set a packet mark to filter for with iptables or ip rules
+#	option packet_mark 42
+
+	# Limits the maximum number of connections, optional
+#	option peer_limit 5
+
+	# The secret key
+	# A keypair can be generated with `fastd --generate-key`
+	# When the corresponding public key is lost it can be recovered with `/etc/init.d/fastd show-key <config name>`
+#	option secret '0000000000000000000000000000000000000000000000000000000000000000'
+
+	# Sets the user to run fastd as. Defaults to root
+#	option user 'daemon'
+
+	# Sets the group to run fastd as. Defaults to the user's primary group
+#	option group 'daemon'
+
+	# If set to 1, the logs won't contain peers' IP addresses
+#	option hide_ip_addresses '0'
+
+	# If set to 1, the logs won't contain peers' MAC addresses
+#	option hide_mac_addresses '0'
+
+	# Read the documentation about this one. Only ever useful in severly broken networks.
+#	option pmtu ''
+
+	# command to configure IP addresses etc. after the tunnel interface is up; $1 will be the interface name (optional)
+#	option up ''
+
+	# command to execute before the tunnel interface is set down; $1 will be the interface name (optional)
+#	option down ''
+
+
+config peer sample_peer
+
+	# Set to 1 to enable this peer
+	# In tap mode peers can be reloaded dynamically
+	option enabled 0
+
+	# Controls which instance this peer is associated with
+	option net 'sample_config'
+
+	# Controls which peer group this peer belongs to, optional
+	# For most use cases peer groups aren't necessary
+#	option group 'sample_group'
+
+	# The peer's public key
+	option key '0000000000000000000000000000000000000000000000000000000000000000'
+
+	# A remote specification consists of an address or a hostname, and a port
+	# When a hostname is given, it is recommended to specify the address family to use
+	# It is possible to specify no, one or multiple remotes
+	# (but all entries must designate the same host as the public key must be unique)
+#	list remote '192.0.2.1:1337'
+#	list remote '[2001:db8::1]:1337'
+#	list remote '"example.com" port 1337'
+#	list remote 'ipv4 "example.com" port 1337'
+#	list remote 'ipv6 "example.com" port 1337'
+
+	# Setting float to 1 allow incoming connections with this key from other addresses/hostnames/ports than the specified remotes
+#	option float 0
+
+
+config peer_group sample_group
+
+	# Set to 1 to enable this peer group
+	option enabled 0
+
+	# Controls which instance this peer group is associated with
+	# Peer groups can't be used in tun mode
+	option net 'sample_config'
+
+	# Allows configuring nested groups
+#	option parent 'other_group'
+
+	# Includes another config file inside the peer group definition
+#	list config '/etc/fastd/sample_config/sample_group.conf'
+
+	# Configures a single static peer from a configuration file
+#	list config_peer '/etc/fastd/sample_config/sample_peer.conf'
+
+	# Configures an additional peer directory for this group
+#	list config_peer_dir '/etc/fastd/sample_config/peers2'
+
+	# Limits the maximum number of connections to peers in this group (optional)
+#	option peer_limit 5