Skip to content

Instantly share code, notes, and snippets.

@ql-owo-lp

ql-owo-lp/CIS644-Lab8-MiniVPN.c

Last active October 31, 2017 23:07
Show Gist options
  • Save ql-owo-lp/5334398 to your computer and use it in GitHub Desktop.
Save ql-owo-lp/5334398 to your computer and use it in GitHub Desktop.
Download ZIP
for CIS 644 Lab 8 VPN
Raw
README
This project is for course work of CIS 644 - Spring 13
The password for all certs will be '123456' (without quote mark)
Just for simplicity.
If the certificate expires, you may want to generate your own with 'gen_certs.sh'.
You should set the password of client.key/server.key to '123456', or just change the code of MiniVPN.c
When you want to run this program, on you need to run the *.run.sh first, then run *.config.sh.
- Kevin Wang April 27, 2013
ACCACHMENT - NETWORK MAP
HOST A: 10.0.10.100/24 GATEWAY 10.0.10.1
HOST B: 10.0.20.100/24 GATEWAY 10.0.20.1
GATEWAY A (VPN Server):
LAN: 10.0.10.1/24
INTER-CONN: 192.168.0.1/30 (connected with GATEWAY B)
NAT: DHCP / for the Internet Access
GATEWAY B (VPN Client):
LAN: 10.0.20.1/24
INTER-CONN: 192.168.0.2/30 (connected with GATEWAY A)
NAT: DHCP / for the Internet Access
NOTICE:
You MUST send packet from client to server first to start the conversation. Otherwise the server will get a sendto() error as it does not know client's address and port.
Raw
ca.crt
-----BEGIN CERTIFICATE-----
MIIDsjCCAxugAwIBAgIJAMcpteZkRuJHMA0GCSqGSIb3DQEBBQUAMIGYMQswCQYD
VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCFN5cmFjdXNlMRww
GgYDVQQKExNTeXJhY3VzZSBVbml2ZXJzaXR5MQ8wDQYDVQQLEwZDSVM2NDQxEzAR
BgNVBAMTCktldmluIFdhbmcxHzAdBgkqhkiG9w0BCQEWEHh3YW5nMTY2QHN5ci5l
ZHUwHhcNMTMwNDIxMDgxMjIyWhcNMTMwNTIxMDgxMjIyWjCBmDELMAkGA1UEBhMC
VVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQHEwhTeXJhY3VzZTEcMBoGA1UE
ChMTU3lyYWN1c2UgVW5pdmVyc2l0eTEPMA0GA1UECxMGQ0lTNjQ0MRMwEQYDVQQD
EwpLZXZpbiBXYW5nMR8wHQYJKoZIhvcNAQkBFhB4d2FuZzE2NkBzeXIuZWR1MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCz0xFsRcR7LKN0/po7+4xVGF1VYHsT
ybj8G3gVbn+kYZjhW5Csq4ezAU9pA+fI3fUAbvI4RWX6BmmhhMaIrTravkSxwmH7
oA3G9N8DO6B5NfjNTZN2nBbXW8ox5o46Gyz8dEeccs8aOH5UzNGULqwoGiib4hT0
ZfLNin4xiVWJawIDAQABo4IBADCB/TAdBgNVHQ4EFgQUgf5MFeioer2NduvHk5/v
nH3HpDQwgc0GA1UdIwSBxTCBwoAUgf5MFeioer2NduvHk5/vnH3HpDShgZ6kgZsw
gZgxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazERMA8GA1UEBxMIU3ly
YWN1c2UxHDAaBgNVBAoTE1N5cmFjdXNlIFVuaXZlcnNpdHkxDzANBgNVBAsTBkNJ
UzY0NDETMBEGA1UEAxMKS2V2aW4gV2FuZzEfMB0GCSqGSIb3DQEJARYQeHdhbmcx
NjZAc3lyLmVkdYIJAMcpteZkRuJHMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAUmyCVM/2ostuimM9XRq8Mit09wx1X0hLSZiW+IQRjzBbn/xpDid6CjaQ
Ydv+XkKkwFGqRHjlmBK5u+kUuZC+B+63A/gddFo8lfMIg41F5dCdbasOJZ8DyZWe
UfVwnlCYOdxJeK3RlpUnLHu/bf2CYVbDxFpkgmcqkNx16UnSEiY=
-----END CERTIFICATE-----
Raw
ca.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,43CEAA937F6DF2BC
SPdWsDqJB6GQRm6bS/Q1uBA3OzGivNxL/MWoMQrlbEhrt4gKwj1GRGG6baYx4v28
1OE/ZhpnrgJd28agxHCEizI1TvVk9LfFTZUi9DmvjvSbes5SlathbALdm/sfTamD
SVn6eXYU7r7DiWo3YWitjek3rexIOFftSOOh0RHB3WmRIAT/DmvFq29I26+cE5wt
e5A2Nx4sKKVRqHvirm6Dk6ksr/tWGQe6QUQenooKkKqnezRCMKsSnXJ+cODoHhyq
jZgZG0EncNSzxuZavsI1db+VtWi325Yds7FtVXslkS2t4KFLvDBtt4V+tvEDR2rV
vKHqJaTPwZaa70bPkdE9mrvM30AkgQmdQLWP2IrIFGPgjQBgzdlp+VW/qwoKxSgc
XFKIDzWCyheQnupkcBq4arYY0Xs0cMZrEac3vSwFcyxZF9fwi6dwyGIri+AnoLNK
PPPxbRc7vDoHiIhlATo+/oN420lFKJbA4D1nWihFUpKwSXQmFzRaLVWArfCg/Wix
B6bf+LSs3H1XhEtHhhaxpU6cXr3IPLQ00qWdZUTG5vhzwM0xmKMx9gbJbDEugO2g
iM8fwQyEu44kLillNWi3Fo/WCch9+A1oUlwEKmAOH3iQjZJV2V5kSJtbhTjZ53iO
bS+vycwPpb0dgWiPklyRcOqsUccO0bxvUOCL7yJSmBy7z4HYgy4xgE6K3zjfRj8X
dJtwGS4NpiDNoZoiS543xhMXKFvcQ4z0cS0IfFFU7Hs4taXXNg/I5WQmGA+RJKo6
BpEM7r1IyBbMDhcfKfACtqWulEJW8B3Zd3bj9geOX0spDBxekhWZDg==
-----END RSA PRIVATE KEY-----
Raw
CIS644-Lab8-MiniVPN.c
/*
* MiniVPN.c - a simple VPN implemention with PKI
*
* Copyright (C) 2013 Kevin Wang <[email protected]>
*
* Based on codes created by:
* Copyright (C) 2003 Philippe Biondi <[email protected]>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <errno.h>
#include <memory.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netdb.h>
#include <linux/if_tun.h>
#include <getopt.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <openssl/evp.h>
#include <openssl/rsa.h> /* SSLeay stuff */
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
// toggle controling whether to show debug information
#define DEBUG 1
#define PERROR(x) { perror(x); exit(1); }
#define ERROR(x, args ...) { fprintf(stderr,"ERROR:" x, ## args); exit(1); }
// define length of hmac
#define HMAC_LEN 16
// buffer size of one packet
#define BUFF_SIZE 51200
#define KEY_IV_SIZE 16
#define CHK_NULL(x) if ((x)==NULL) { printf("NULL!!\n"); exit(1); }
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
/* Make these what you want for cert & key files */
static char SER_CERTF[] = "server.crt";
static char SER_KEYF[] = "server.key";
static char CLI_CERTF[] = "client.crt";
static char CLI_KEYF[] = "client.key";
static char CACERT[] = "ca.crt";
// certificate for server / client side
static char SER_CERT_PASS[] = "123456";
static char CLI_CERT_PASS[] = "123456";
// common names
static char SER_CERT_CN[] = "server.minivpn.syr.edu";
static char CLI_CERT_CN[] = "client.minivpn.syr.edu";
unsigned char KEY[KEY_IV_SIZE], IV[KEY_IV_SIZE];
// generate random key
void genKey(unsigned char* key) {
int i;
srand(time(NULL));
for (i=0; i<KEY_IV_SIZE; i++)
key[i] = 65 + (rand()%26);
}
// generate random iv
void genIV(unsigned char* iv) {
int i;
srand(time(NULL));
for (i=0; i<KEY_IV_SIZE; i++)
iv[i] = 48 + (rand()%10);
}
void showKeyOrIV(unsigned char* chrs) {
int i;
for (i=0; i<KEY_IV_SIZE; i++)
printf("%c", chrs[i]);
}
// get hash value of one message
void getHash(char * msg, int len, char * digt) {
EVP_MD_CTX *mdctx;
const EVP_MD *md;
size_t md_len, i;
unsigned char md_value[EVP_MAX_MD_SIZE];
char hashname[] = "md5"; // I am just gonna use md5 here
OpenSSL_add_all_digests();
md = EVP_get_digestbyname(hashname);
if(!md) {
printf("Unknown message digest %s\n", hashname);
exit(1);
}
mdctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(mdctx, md, NULL);
EVP_DigestUpdate(mdctx, msg, len);
EVP_DigestFinal_ex(mdctx, md_value, &md_len);
EVP_MD_CTX_destroy(mdctx);
// md_len == HMAC_LEN == 16 at this stage
memcpy(digt, md_value, HMAC_LEN);
}
// verify the hmac, truncate the buff (by decrease the len) when verification is done
// NOTE: return 0 when matches
int checkHMAC(char * payload, int * l) {
char digt1[HMAC_LEN], digt2[HMAC_LEN], buff[BUFF_SIZE]; // digt1 is for the HMAC from buff, digt2 is calculated HMAC
int i, len = *l;
// I will change the len here
len -= HMAC_LEN;
if (len <=0) return 1;
memcpy(digt1, payload + len, HMAC_LEN);
memcpy(buff, payload, len);
getHash(buff, len, digt2);
if (DEBUG) {
printf("checking HMAC: ");
for(i = 0; i < HMAC_LEN; i++) printf("%02x", digt1[i]);
printf(" / ");
for(i = 0; i < HMAC_LEN; i++) printf("%02x", digt2[i]);
printf("\n");
}
*l = len;
return strncmp(digt1, digt2, HMAC_LEN);
}
// append HMAC to the end of buff
void appendHMAC(char * payload, int * l) {
char digt[HMAC_LEN], buff[BUFF_SIZE];
int i, len = *l;
memcpy(buff, payload, len);
getHash(buff, len, digt);
for (i=0;i<HMAC_LEN;i++)
*(payload + len + i) = digt[i];
len += HMAC_LEN;
if (DEBUG) {
printf("\nappend HMAC: ");
for(i = len-HMAC_LEN; i < len; i++) printf("%02x", *(payload+i));
printf("\n");
}
*l = len;
}
// decrypt / encrypt packet
int do_crypt(unsigned char *key, unsigned char * iv, char * packet, int *l, int do_encrypt) {
unsigned char outbuf[BUFF_SIZE + EVP_MAX_BLOCK_LENGTH];
int inlen = *l, outlen, tmplen, i;
unsigned char input[BUFF_SIZE];
// convert text
memcpy(input, packet, inlen);
if (DEBUG) {
printf("\n(before crypted) payload: ");
for(i = 0; i < inlen; i++) printf("%02x", *(input+i));
printf("\n");
}
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv, do_encrypt);
if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, input, inlen)) {
/* Error */
EVP_CIPHER_CTX_cleanup(&ctx);
return 0;
}
if(!EVP_CipherFinal_ex(&ctx, outbuf + outlen, &tmplen)) {
/* Error */
EVP_CIPHER_CTX_cleanup(&ctx);
return 0;
}
outlen += tmplen;
if (DEBUG) {
printf("\n(crypted) payload: ");
for(i = 0; i < outlen; i++) printf("%02x", *(outbuf+i));
printf("\n");
}
memcpy(packet, outbuf, outlen); // update packet
*l = outlen;
EVP_CIPHER_CTX_cleanup(&ctx);
return 1; // return as successful
}
// display usage information
void usage() {
fprintf(stderr, "Usage: MiniVPN [-s port|-c targetip:port]\n");
exit(0);
}
// set up key exchange context
void keyXchange_setupCTX(char* certf, char* keyf, SSL_METHOD* meth, SSL_CTX** ctx, char* pass) {
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
(*ctx) = SSL_CTX_new(meth);
if (!(*ctx)) {
printf("CTX is null!");
ERR_print_errors_fp(stderr);
exit(2);
}
SSL_CTX_set_default_passwd_cb_userdata((*ctx), pass);
SSL_CTX_set_verify((*ctx), SSL_VERIFY_PEER, NULL);
SSL_CTX_load_verify_locations((*ctx), CACERT, NULL);
if (SSL_CTX_use_certificate_file((*ctx), certf, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(3);
}
if (SSL_CTX_use_PrivateKey_file((*ctx), keyf, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(4);
}
if (!SSL_CTX_check_private_key((*ctx))) {
fprintf(stderr,"Private key does not match the certificate public key\n");
exit(5);
}
}
// check peer's certificate
void keyXchange_chk_peer_cert(SSL* ssl, char* commonName) {
X509* peer_cert;
char* str;
char peer_CN[256];
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
if (SSL_get_verify_result(ssl)!=X509_V_OK)
PERROR("Certificate doesn't verify.\n");
peer_cert = SSL_get_peer_certificate (ssl);
if (peer_cert != NULL) {
// check common name here
X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), NID_commonName, peer_CN, 256);
if(strcasecmp(peer_CN, commonName)) {
printf("peer common name: %s, local request: %s\n", peer_CN, commonName);
PERROR("Common name doesn't match host name\n");
}
else {
printf("Common Names are the same: %s \n", commonName);
}
X509_free (peer_cert);
} else
PERROR ("Peer does not have certificate.\n");
}
// send key to remote
void keyXchange_sendKey(SSL* ssl, unsigned char* key) {
int i;
char buf[4096];
buf[0] = 'k'; // mark as key
for (i=0; i<KEY_IV_SIZE; i++)
buf[i+1] = key[i];
i = SSL_write(ssl, buf, KEY_IV_SIZE+1);
CHK_SSL(i);
// read echo
i = SSL_read(ssl, buf, sizeof(buf) - 1);
CHK_SSL(i);
buf[i] = '\0';
if (buf[0]=='l') {
printf("Key confirmed by remote peer: ");
showKeyOrIV(key);
printf("\n");
}
else
PERROR("Key exchange fail!\n");
}
// send iv to remote
void keyXchange_sendIV(SSL* ssl, unsigned char* iv) {
int i;
char buf[4096];
buf[0] = 'i'; // mark as iv
for (i=0; i<KEY_IV_SIZE; i++)
buf[i+1] = iv[i];
i = SSL_write(ssl, buf, KEY_IV_SIZE+1);
CHK_SSL(i);
// read echo
i = SSL_read(ssl, buf, sizeof(buf) - 1);
CHK_SSL(i);
buf[i] = '\0';
if (buf[0]=='j') {
printf("IV confirmed by remote peer: ");
showKeyOrIV(iv);
printf("\n");
}
else
PERROR("IV exchange fail!\n");
}
int keyXchange_receiveKey(SSL* ssl, char* buf, size_t len, unsigned char* key) {
int i;
if (len!=KEY_IV_SIZE+1 || buf[0]!='k') return 0;
for (i=1; i<len; i++)
key[i-1] = buf[i];
i = SSL_write(ssl, "l", 1);
CHK_SSL(i);
printf("KEY received: ");
showKeyOrIV(key);
printf("\n");
return 1;
}
int keyXchange_receiveIV(SSL* ssl, char* buf, size_t len, unsigned char* iv) {
int i;
if (len!=KEY_IV_SIZE+1 || buf[0]!='i') return 0;
for (i=1; i<len; i++)
iv[i-1] = buf[i];
i = SSL_write(ssl, "j", 1);
CHK_SSL(i);
printf("IV received: ");
showKeyOrIV(iv);
printf("\n");
return 1;
}
// key exchange part for server
void keyXchange_server(int listen_port, char* commonName, unsigned char* key, unsigned char* iv, int pipefd, int pid) {
int err, listen_sd, sd, i;
int _keyReady = 0, _ivReady = 0;
struct sockaddr_in sa_serv, sa_cli;
size_t client_len;
SSL_CTX* ctx;
SSL* ssl;
char buf[4096];
keyXchange_setupCTX(SER_CERTF, SER_KEYF, SSLv23_server_method(), &ctx, SER_CERT_PASS);
// listen
listen_sd = socket(AF_INET, SOCK_STREAM, 0);
CHK_ERR(listen_sd, "socket");
memset(&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = htonl(INADDR_ANY);
sa_serv.sin_port = htons(listen_port); /* Server Port number */
err = bind(listen_sd, (struct sockaddr*) &sa_serv, sizeof (sa_serv));
CHK_ERR(err, "bind");
/* Receive a TCP connection. */
err = listen (listen_sd, 5);
CHK_ERR(err, "listen");
client_len = sizeof(sa_cli);
sd = accept(listen_sd, (struct sockaddr*) &sa_cli, &client_len);
CHK_ERR(sd, "accept");
close(listen_sd);
printf("Connection from %s:%i\n", inet_ntoa(sa_cli.sin_addr), ntohs(sa_cli.sin_port));
/* ----------------------------------------------- */
/* TCP connection is ready. Do server side SSL. */
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd(ssl, sd);
err = SSL_accept(ssl);
CHK_SSL(err);
keyXchange_chk_peer_cert(ssl, commonName);
while (1) {
_keyReady = 0;
_ivReady = 0;
// read key and iv from client
while (!_keyReady || !_ivReady) {
err = SSL_read(ssl, buf, sizeof(buf) - 1);
CHK_SSL(err);
buf[err] = '\0';
_keyReady = _keyReady || keyXchange_receiveKey(ssl, buf, err, KEY);
_ivReady = _ivReady || keyXchange_receiveIV(ssl, buf, err, IV);
}
// notify the child process
buf[0] = 'k';
// send key and iv to children
for (i=0; i<KEY_IV_SIZE; i++) {
buf[i+1] = KEY[i];
buf[i+KEY_IV_SIZE+1] = IV[i];
}
buf[KEY_IV_SIZE*2+1] = '\0';
// check if this is a disconnect signal
_keyReady = 0;
_ivReady = 0;
for (i=0; i<KEY_IV_SIZE; i++) {
_keyReady = _keyReady || (int)KEY[i];
_ivReady = _ivReady || (int)IV[i];
}
if (!_keyReady && !_ivReady) {
printf("Disconnect signal from client received!\n");
kill(pid, SIGTERM);
wait();
break;
}
write(pipefd, buf, KEY_IV_SIZE*2+2);
}
close(sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
// key exchange on client side
int keyXchange_client(char* ip, int remote_port, char* commonName, unsigned char* key, unsigned char* iv, int pipefd, int pid) {
int err, sd, i;
struct sockaddr_in sa;
SSL_CTX* ctx;
SSL* ssl;
char buf[4096];
// do setup
keyXchange_setupCTX(CLI_CERTF, CLI_KEYF, SSLv23_client_method(), &ctx, CLI_CERT_PASS);
// connect to server
sd = socket (AF_INET, SOCK_STREAM, 0);
CHK_ERR(sd, "socket");
memset (&sa, '\0', sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr(ip); /* Server IP */
sa.sin_port = htons(remote_port); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa, sizeof(sa));
CHK_ERR(err, "connect");
//SSL negotiation.
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_connect(ssl);
CHK_SSL(err);
// check peer's cert
keyXchange_chk_peer_cert(ssl, commonName);
while (1) {
printf("Please input some instructions ('q' for abort, 'k' for changing key, or 'c' for continue):\n");
// ask for user input here
scanf("%s", buf);
if (strlen(buf) == 1) {
if (buf[0]=='q') { // abort
kill(pid, SIGTERM);
wait();
break;
}
else if (buf[0]=='k') {
printf("Please input a 16-byte long KEY. Inputing 'c' will make program generating one for you. The program will either truncate or pad your input if the length is not 16-byte.\n");
scanf("%s", buf);
if (buf[0]=='c') {
genKey(KEY);
}
else {
for (i=0; i<strlen(buf) && i<KEY_IV_SIZE; i++)
KEY[i] = buf[i];
if (i<KEY_IV_SIZE) genKey((unsigned char*)buf);
for (; i<KEY_IV_SIZE; i++)
KEY[i] = buf[i];
}
printf("Please input a 16-byte long IV. Inputing 'c' will make program generating one for you. The program will either truncate or pad your input if the length is not 16-byte.\n");
scanf("%s", buf);
if (buf[0]=='c') {
genIV(IV);
}
else {
for (i=0; i<strlen(buf) && i<KEY_IV_SIZE; i++)
IV[i] = buf[i];
if (i<KEY_IV_SIZE) genIV((unsigned char*)buf);
for (; i<KEY_IV_SIZE; i++)
IV[i] = buf[i];
}
}
}
else if (strlen(buf) > 0 && buf[0]!='c') {
printf("Invalid input. Try again.\n");
continue;
}
// exchange key and iv
keyXchange_sendKey(ssl, key);
keyXchange_sendIV(ssl, iv);
// notify the child process
buf[0] = 'k';
// send key and iv to children
for (i=0; i<KEY_IV_SIZE; i++) {
buf[i+1] = KEY[i];
buf[i+KEY_IV_SIZE+1] = IV[i];
}
buf[KEY_IV_SIZE*2+1] = '\0';
write(pipefd, buf, KEY_IV_SIZE*2+2);
}
// send signal to notify server to disconnect by sending NULL key & IV
for (i=0; i<KEY_IV_SIZE; i++) {
KEY[i] = 0;
IV[i] = 0;
}
keyXchange_sendKey(ssl, key);
keyXchange_sendIV(ssl, iv);
SSL_shutdown(ssl); /* send SSL/TLS close_notify */
close(sd);
SSL_free(ssl);
SSL_CTX_free(ctx);
}
// start running VPN
void startVPN(int MODE, int listen_port, char *ip, int remote_port, int pipefd) {
struct sockaddr_in sin, sout;
struct ifreq ifr;
socklen_t soutlen;
int fd, s, l, i, keyXchange_count = 0;
fd_set fdset;
char buf[BUFF_SIZE], digt[HMAC_LEN];
// open tunnel
if ((fd = open("/dev/net/tun", O_RDWR)) < 0) PERROR("open");
memset(&ifr, 0, sizeof(ifr));
ifr.ifr_flags = IFF_TUN; // always use tun here
strncpy(ifr.ifr_name, "toto%d", IFNAMSIZ);
if (ioctl(fd, TUNSETIFF, (void *)&ifr) < 0) PERROR("ioctl");
printf("Allocated interface %s. Configure and use it\n", ifr.ifr_name);
s = socket(PF_INET, SOCK_DGRAM, 0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons(listen_port);
if (bind(s,(struct sockaddr *)&sin, sizeof(sin)) < 0) PERROR("bind");
soutlen = sizeof(sout);
if (MODE == 2) { // for client
sout.sin_family = AF_INET;
sout.sin_port = htons(remote_port);
inet_aton(ip, &sout.sin_addr);
}
// the real VPN part
while (1) {
l = read(pipefd, buf, sizeof(buf));
if (l > 0) { // if we get some command from parent process
if (l == 1 && buf[0]=='q') {
// just quit
_exit(0);
}
else if (buf[0]=='k') {
for (i=0; i<KEY_IV_SIZE; i++) {
KEY[i] = buf[i+1];
IV[i] = buf[i+KEY_IV_SIZE+1];
}
keyXchange_count++; // now we can start
}
printf("Child process >> KEY: ");
showKeyOrIV(KEY);
printf(" IV: ");
showKeyOrIV(IV);
printf("\n");
}
if (!keyXchange_count) {
sleep(1);
continue;
}
FD_ZERO(&fdset);
FD_SET(fd, &fdset);
FD_SET(s, &fdset);
if (select(fd+s+1, &fdset,NULL,NULL,NULL) < 0) PERROR("select");
if (FD_ISSET(fd, &fdset)) {
if (DEBUG) printf("\n SENT >> ");
l = read(fd, buf, BUFF_SIZE);
if (l < 0) PERROR("read");
if (DEBUG) {
printf("\n(plain) payload: ");
for(i = 0; i < l; i++) printf("%02x", *(buf+i));
printf("\n");
}
// encrypt here
if (do_crypt(KEY, IV, buf, &l, 1)) {
if (DEBUG) {
printf("\n(encrypted) payload: ");
for(i = 0; i < l; i++) printf("%02x", *(buf+i));
printf("\n");
}
appendHMAC(buf, &l); // append HMAC here
if (DEBUG) {
printf("\n(final) payload: ");
for(i = 0; i < l; i++) printf("%02x", *(buf+i));
printf("\n");
}
if (sendto(s, buf, l, 0, (struct sockaddr *)&sout, soutlen) < 0) PERROR("sendto");
}
else {
printf("Encryption fail. Drop packet.\n");
}
}
else {
if (DEBUG) printf("\n RECEIVED << ");
l = recvfrom(s, buf, BUFF_SIZE, 0, (struct sockaddr *)&sout, &soutlen);
if (DEBUG) {
printf("\n(encrypted) payload: ");
for(i = 0; i < l; i++) printf("%02x", *(buf+i));
printf("\n");
}
if (checkHMAC(buf, &l)) { // check HMAC here
printf("HMAC mismatch. Drop packet.\n");
}
else {
if (DEBUG) {
printf("\n(hmac checked) payload: ");
for(i = 0; i < l; i++) printf("%02x", *(buf+i));
printf("\n");
}
// decrypt here
if (do_crypt(KEY, IV, buf, &l, 0)) {
if (DEBUG) {
printf("\n(final plain) payload: ");
for(i = 0; i < l; i++) printf("%02x", *(buf+i));
printf("\n");
}
if (write(fd, buf, l) < 0) PERROR("write");
}
else {
printf("Decryption fail. Drop packet.\n");
}
}
}
}
}
int main(int argc, char *argv[]) {
int remote_port, listen_port;
char c, *p, *ip;
int fd[2];
pid_t pid;
char buf[1024];
int MODE = 0, i = 0;
// read parameters here
while ((c = getopt(argc, argv, "s:c:h")) != -1) {
switch (c) {
case 's': // server mode
MODE = 1;
listen_port = atoi(optarg);
break;
case 'c': // client mode
MODE = 2;
p = (char *)memchr(optarg,':',16);
if (!p) ERROR("invalid argument : [%s]\n", optarg);
*p = 0;
ip = optarg;
remote_port = atoi(p+1);
listen_port = 0;
break;
case 'h': // by default show usage
default:
usage();
}
}
if (!MODE) usage();
// fork the program
pipe(fd);
fcntl(fd[0], F_SETFL, O_NONBLOCK);
if((pid = fork()) < 0) {
PERROR("fork");
}
else if (pid > 0) { // parent process, for PKI
close(fd[0]);
// KEY exchange, process will be blocked if no key is received
switch (MODE) {
case 1: // server
keyXchange_server(listen_port, CLI_CERT_CN, KEY, IV, fd[1], pid);
break;
case 2: // client
// get random key and iv initially
genKey(KEY);
genIV(IV);
keyXchange_client(ip, remote_port, SER_CERT_CN, KEY, IV, fd[1], pid);
break;
}
printf("Parent process quit!\n");
}
else { // child process, for VPN
close(fd[1]);
startVPN(MODE, listen_port, ip, remote_port, fd[0]);
printf("Child process quit!\n");
}
}
Raw
client.config.sh
#!/bin/bash
TUN_NAME=toto0
TUN_ADDR=10.0.5.1/24
TUN_REMOTE_NET=10.0.4.0/24
REMOTE_NET=10.0.10.0/24
ifconfig $TUN_NAME $TUN_ADDR up
ip route add $TUN_REMOTE_NET dev $TUN_NAME
ip route add $REMOTE_NET dev $TUN_NAME
echo 'Setup finished!'
Raw
client.crt
-----BEGIN CERTIFICATE-----
MIIDHTCCAoagAwIBAgICEAEwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
MREwDwYDVQQIEwhOZXcgWW9yazERMA8GA1UEBxMIU3lyYWN1c2UxHDAaBgNVBAoT
E1N5cmFjdXNlIFVuaXZlcnNpdHkxDzANBgNVBAsTBkNJUzY0NDETMBEGA1UEAxMK
S2V2aW4gV2FuZzEfMB0GCSqGSIb3DQEJARYQeHdhbmcxNjZAc3lyLmVkdTAeFw0x
MzA0MjEwODE0NTRaFw0xNDA0MjEwODE0NTRaMIGRMQswCQYDVQQGEwJVUzERMA8G
A1UECBMITmV3IFlvcmsxHDAaBgNVBAoTE1N5cmFjdXNlIFVuaXZlcnNpdHkxDzAN
BgNVBAsTBkNJUzY0NDEfMB0GA1UEAxMWY2xpZW50Lm1pbml2cG4uc3lyLmVkdTEf
MB0GCSqGSIb3DQEJARYQeHdhbmcxNjZAc3lyLmVkdTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA0AG8yuhHr7OWUAWHooDqNbybBX9hmLn+2JwOKyLEmIkfhIlU
Bw/S8jJv8my/O8vOm0TuDLrpTXeBTqGuLDTl8+yk5KZAxH3CDBJxbqvrDMU159L0
mERq9yrlSU2YOKWvCQWIgvr8J8YiqVZiDF0v4bDuSXCZoYURDXEyqw/tnY0CAwEA
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEy76H8Z4OLcVzz/FOlyBivTuPlQMB8G
A1UdIwQYMBaAFIH+TBXoqHq9jXbrx5Of75x9x6Q0MA0GCSqGSIb3DQEBBQUAA4GB
ADCcs7qgv/b2dJt1H81vDK6xSJ97S5fIPvrFcyMQuiJ2HQ6/3ZzM4yQtd0ttb8f/
5AbQ6MPhuMOsf0u5ztDSkTSIiHcMp4oGVM8vyWNOrwIELYSnYx9bG/8BAO0UxZN/
1NZwKNY0JhkTYn4+Sl7iyXxcECo3BW1CRhT7ikyLBl43
-----END CERTIFICATE-----
Raw
client.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB5TCCAU4CAQAwgaQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazER
MA8GA1UEBxMIU3lyYWN1c2UxHDAaBgNVBAoTE1N5cmFjdXNlIFVuaXZlcnNpdHkx
DzANBgNVBAsTBkNJUzY0NDEfMB0GA1UEAxMWY2xpZW50Lm1pbml2cG4uc3lyLmVk
dTEfMB0GCSqGSIb3DQEJARYQeHdhbmcxNjZAc3lyLmVkdTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA0AG8yuhHr7OWUAWHooDqNbybBX9hmLn+2JwOKyLEmIkf
hIlUBw/S8jJv8my/O8vOm0TuDLrpTXeBTqGuLDTl8+yk5KZAxH3CDBJxbqvrDMU1
59L0mERq9yrlSU2YOKWvCQWIgvr8J8YiqVZiDF0v4bDuSXCZoYURDXEyqw/tnY0C
AwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAC/3bqxmA/rsUAC3a7oJ7IyqP8joDg8j
olbKl4CVGYLpt7zMx68cgZXQzVzQvAWM+GzWmreKAZb3iRzPNw5V6iAzqFlBb+Zl
TaLrE6USPZzole8Y51ey6gpeVamqUqR6c+nUHmx6NwR96G3p/860yJocCVqiTr9H
tU698p24h4gP
-----END CERTIFICATE REQUEST-----
Raw
client.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FC84A1B5AFA8AEBC
216UkBX2gt0omcJoDhbt6phWCavR+Stv+WAfMx666CkngejyhVzNzA78Pm0kzwUU
uejBjUlGkILnI80rnNzHI5qcKDVmwwfxpBIsPySiwOAU7+TYSFmKDDsktGRZqRVL
tfTenoQ/vhz0/KXGSP+aNSWhcr1WiEGBiBqJoE0uvfK3FFzaqq+QcqflFbEKJ3bR
4mwwcKXPyUI6av1ufuwn//7uc1RaBgO+xcTtdggS99QaFe3RhSYeP75Qa87EJsSK
O95pXINLeOx8Pksn18uFlif03MDWpqxBlZqC2XD7g7l7XAmZ8iCz2DbE2qn+//Lz
tY7ApO0FWoy0fpIsoEGPzXfwNh465QXSQxBt4Y35Hh760MszCVtRZMaHi5/k124W
UWAcu2C+XmDGiY1I4wSzkS4bmhfLxzT4q5IXDd6LKgGlGIk5WOF8rn0z6NQpb5tG
GxNhMOydLy30BrKG46VRJLgVhCmmfBq08AuBAu7bBU1MotHULiQt7Bukz6crKPT+
QQAzJUHAburw7fTNRpmWFMpyFTibUc1VeMO5LJw9wZNqUZct1SAllRQ8gPTRIGK7
YZOzjWQGYrbwXxpEfUGy+yMT6OGUpRjTC8+dX7CzOIR6NkH+qfha8CcS4sXenarf
F6Yxhxl7xXmMIKeG1zQiyhaRCAZhcMYyja8x3n0XaPFj6IGOsYuNGHmTzfR0A5Sm
mhSsRxKupcv05ohe34jCKJrtqXOb0buYwrY3/uHg+xto/5Gn4SUawUAtt6WOW9Lz
/BiGBvFJvZOaxnSfJwaDpZ91s1d6UcFOHETDp7LhXsg=
-----END RSA PRIVATE KEY-----
Raw
client.run.sh
#!/bin/bash
REMOTE_ADDR=192.168.0.1
PORT=55555
echo 'Building MiniVPN..'
killall MiniVPN
#make
echo 'Starting tunnel..'
./MiniVPN -c $REMOTE_ADDR:$PORT
Raw
gen_certs.sh
#!/bin/bash
cp /usr/lib/ssl/openssl.cnf .
chmod 755 ./openssl.cnf
dir="./demoCA"
certs=$dir/certs # Where the issued certs are kept
crl_dir=$dir/crl # Where the issued crl are kept
new_certs_dir=$dir/newcerts # default place for new certs.
database=$dir/index.txt # database index file.
serial=$dir/serial # The current serial number
mkdir -p $certs
mkdir -p $crl_dir
mkdir -p $new_certs_dir
touch $database
echo 1000 > $serial
echo "Now generating CA certificate.."
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
echo "Now generating CSR.."
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr -config openssl.cnf
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
echo "Now sign the certificate..."
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Raw
Makefile
INC=/usr/local/ssl/include/
LIB=/usr/local/ssl/lib/
all:
g++ -I$(INC) -L$(LIB) -o MiniVPN CIS644-Lab8-MiniVPN.c -lssl -lcrypto -ldl
clean:
rm -rf *~ MiniVPN
Raw
openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
Raw
server.config.sh
#!/bin/bash
TUN_NAME=toto0
TUN_ADDR=10.0.4.1/24
TUN_REMOTE_NET=10.0.5.0/24
REMOTE_NET=10.0.20.0/24
echo 'Starting tunnel..'
ifconfig $TUN_NAME $TUN_ADDR up
ip route add $TUN_REMOTE_NET dev $TUN_NAME
ip route add $REMOTE_NET dev $TUN_NAME
echo 'Setup finished!'
Raw
server.crt
-----BEGIN CERTIFICATE-----
MIIDHTCCAoagAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
MREwDwYDVQQIEwhOZXcgWW9yazERMA8GA1UEBxMIU3lyYWN1c2UxHDAaBgNVBAoT
E1N5cmFjdXNlIFVuaXZlcnNpdHkxDzANBgNVBAsTBkNJUzY0NDETMBEGA1UEAxMK
S2V2aW4gV2FuZzEfMB0GCSqGSIb3DQEJARYQeHdhbmcxNjZAc3lyLmVkdTAeFw0x
MzA0MjEwODE0NDhaFw0xNDA0MjEwODE0NDhaMIGRMQswCQYDVQQGEwJVUzERMA8G
A1UECBMITmV3IFlvcmsxHDAaBgNVBAoTE1N5cmFjdXNlIFVuaXZlcnNpdHkxDzAN
BgNVBAsTBkNJUzY0NDEfMB0GA1UEAxMWc2VydmVyLm1pbml2cG4uc3lyLmVkdTEf
MB0GCSqGSIb3DQEJARYQeHdhbmcxNjZAc3lyLmVkdTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA1jggbQZuiMBcEjhXhBIlj02WNt+mNi/C/eL7X6D2PegN/lwN
DO1xnlhAO3EcdeXWJrrYr7qELJRilK+oTW2TrlFvBIkyg/AXgq394hqdbHAGdxfP
zwLLpZ6rB9zVBR8A71MuWJHQ5TwV6P8qayD3FGM2RfoRbaayDv8S+a5Rq38CAwEA
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFie/dN8qFTp7oYvSaXie69XHgrfMB8G
A1UdIwQYMBaAFIH+TBXoqHq9jXbrx5Of75x9x6Q0MA0GCSqGSIb3DQEBBQUAA4GB
AJ8HU8FK9prhdJ0gQ/4KaITjM9yjWQUEG0qwhuc8DyuUBd6YY3R2oXSVZue2tWFi
/gjbBL1YQnTpAiH96BGtDWfSF/lfhaPaXk33RIciz7NbSD5lnGszRO1y12aFRuQw
ZbZ23rQbSxgpnuH94WQvFU6AilLjcyBmBp/QkzMxaTl/
-----END CERTIFICATE-----
Raw
server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB5TCCAU4CAQAwgaQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazER
MA8GA1UEBxMIU3lyYWN1c2UxHDAaBgNVBAoTE1N5cmFjdXNlIFVuaXZlcnNpdHkx
DzANBgNVBAsTBkNJUzY0NDEfMB0GA1UEAxMWc2VydmVyLm1pbml2cG4uc3lyLmVk
dTEfMB0GCSqGSIb3DQEJARYQeHdhbmcxNjZAc3lyLmVkdTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA1jggbQZuiMBcEjhXhBIlj02WNt+mNi/C/eL7X6D2PegN
/lwNDO1xnlhAO3EcdeXWJrrYr7qELJRilK+oTW2TrlFvBIkyg/AXgq394hqdbHAG
dxfPzwLLpZ6rB9zVBR8A71MuWJHQ5TwV6P8qayD3FGM2RfoRbaayDv8S+a5Rq38C
AwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAAtF0pW2xL+0dfEpMRdULrNj7tLqKrwj
iOySRBL6zoj1/FE90P2zhu9ByGVnk270eUoWgqzN/mAF9+tDKWdlAFjhb73elxJ1
DRWrzmQGI3RMcHXt10VJW+n+6hxrSaJsm5jwi+MDqBZ+pV3NBFpE/DZOpc1ichQs
vVR8d0a7iJxt
-----END CERTIFICATE REQUEST-----
Raw
server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DA22CE5F5408E512
XaFPc7CJ7vh/4Ia6HfHpPPc0ALB0TiJGX1y2kV7RiwX9gTA4USxQ3+JELqk5do2V
u7OgEhwUxQ2o3M7AUegjAWGZyiw8MUrgTfWYPWKyae907YqzrUgT44PHIg4Vwqqx
spc46A7TNX7sEf6DG/jhjlfRRxK0+wDuyjFyN/URgarktY6cwm4eDI8x8YNyJ2qY
KNmcob8vh5aprNINNZft20V9ZYdHriWJaiteg8VKEZXtnvbAh8ZtZAauDJA+K7Ss
U2piTldXje9wj0MaYiur2oYqctt4U8jMSf7Cz9SfU9Df+7hcqE35XGUe2hkhGVMD
X4u3Bqi5OSH3NwK++VtEutInGQzukd4pvoQ7zUjuVrsPEFeaUtwyf3thHpCFEpc2
V1thTDb6t0Tg64B1UCP7QcSYgM2O27VGsOX65fmtRyvUOeR2rf1I+mq0PgCrS8PM
kac9QeZ7MY+Y/SoR+J9VNBFDhG4RYXhsjJXmsNUpeK4dejKz11k+XcxdnF7C+evr
stqejjr4R/eHH2HK38iGW3Fu/s/dlwHrNf8vA1gZmbPH4P5edwSXD/KtPvqyue3u
Kv2Y3oTOMOLglB/NFlMgct+Qos4kWXp1tyyGn6QKAbaDedf3FIMwGW5362WfDtLj
T546Jv1AdTdmLHJJa8yWdJCYj9usB9+5ppyCG/k7MlLXU/5YpHOeOS3GA6l/qbga
U9zP5NuRPZHZSoECWsvJQiN5JqTNye1qZx30OV19owhrmuGwKnTtEElDy+co9Zw3
BT6g4zmpTolcUd/C9kOMeK2rT9yy8eYsJXJ3ZiVLf74=
-----END RSA PRIVATE KEY-----
Raw
server.run.sh
#!/bin/bash
PORT=55555
echo 'Building MiniVPN..'
killall MiniVPN
#make
echo 'Starting tunnel..'
echo "Listening to $PORT.."
./MiniVPN -s $PORT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment