SigmaVPN: Stateless OpenVPN Replacement Using NaCl Encryption Library
This code is as simple as the project owners say it is, but a couple things about it that I wish were different:
* The "nacltai" protocol driver uses C VLAs to store attacker-controlled numbers of bytes; a VLA is morally the same as an "alloca" call. I have no clue if this is exploitable but reading it gives me a painful burning itching sensation.
* I sort of wish the authors didn't parse strings to recover crypto parameters from the packets, but instead just used a straightforward binary encoding that would require less use of C's terrible string functions.
I'm still a lot more comfortable with this codebase than with OpenVPN. :)
I'm glad someone is coming at this problem from a different angle.
Maybe the subtext to this submission is "OpenSSL totally sucks so bad you need to evacuate NOW NOW NOW!!!!" If so, I'd point out that now is the time to upgrade OpenSSL, ditch all of your old keys, and keep an eye on the future.
Today is not the day to forklift in a whole new chunk of infrastructure.
Instead, set up a lab, play with it, get a feeling for it.
Maybe someone can help me: it is said it has a time-based nonce, which provides built-in resistance against replay attacks. I'm looking for where in the code the time-based nonce is verified/handled on the receiver, but I can't find it.
What I see: when a packet is decrypted, the time-based nonce is unpacked here [1] and this function seems to be called from here [2], but I can't find anywhere where this nonce is verified not to be too old. What am I missing?
[1] https://github.com/neilalexander/sigmavpn/blob/c7f60ecfdb22b...
[2] https://github.com/neilalexander/sigmavpn/blob/c7f60ecfdb22b...
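For the question above about receiver-side handling of a time-based nonce, this is one common way such a check is done. It is an added example, not SigmaVPN's code and not part of the original comment. The 16-byte big-endian timestamp layout, `struct replay_state`, `pack_ts`, `check_packet` and the `auth_ok` flag (standing in for the result of the authenticated-decryption call) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_LEN 16 /* assumed layout: big-endian timestamp carried in the nonce */

/* Hypothetical per-peer receiver state; not SigmaVPN's own structure. */
struct replay_state { uint8_t last_ts[TS_LEN]; };

enum verdict { PKT_ACCEPT = 0, PKT_REPLAY = 1, PKT_FORGED = 2 };

/* Pack seconds and nanoseconds big-endian so memcmp() orders by time. */
static void pack_ts(uint8_t out[TS_LEN], uint64_t sec, uint32_t nsec)
{
    memset(out, 0, TS_LEN);
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(sec >> (56 - 8 * i));
    for (int i = 0; i < 4; i++) out[8 + i] = (uint8_t)(nsec >> (24 - 8 * i));
}

/* auth_ok stands in for the result of the authenticated-decryption call. */
static enum verdict check_packet(struct replay_state *st,
                                 const uint8_t ts[TS_LEN], int auth_ok)
{
    /* Anything not strictly newer than the last accepted packet is a
       duplicate or an old capture being replayed. */
    if (memcmp(ts, st->last_ts, TS_LEN) <= 0)
        return PKT_REPLAY;
    /* Advance the high-water mark only for authenticated packets, so a
       forged far-future timestamp cannot lock out the real sender. */
    if (!auth_ok)
        return PKT_FORGED;
    memcpy(st->last_ts, ts, TS_LEN);
    return PKT_ACCEPT;
}

int main(void)
{
    /* Constructed sample traffic: {seconds, nanoseconds, auth result}. */
    struct { uint64_t s; uint32_t ns; int ok; } pkts[] = {
        {1000, 5, 1}, {1000, 5, 1}, {9999, 0, 0}, {1000, 6, 1}, {999, 0, 1},
    };
    struct replay_state st = {{0}};
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        uint8_t ts[TS_LEN];
        pack_ts(ts, pkts[i].s, pkts[i].ns);
        printf("pkt %zu -> %d\n", i, check_packet(&st, ts, pkts[i].ok));
    }
    return 0;
}
```

A strictly increasing rule like this needs no synchronized clocks, but it also drops legitimate packets that arrive out of order; a sliding window over recent timestamps is the usual way to tolerate reordering.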
FWIW, we built an incredibly easy single click OpenVPN setup tool for DigitalOcean and Rackspace during Sochi: http://www.tinfoilsecurity.com/vpn Enter API key creds, it makes the box for you, sets it up, and hands you a config you can use for your client of choice. (The script is open source for those of you that don't want to enter creds - we don't store them, and actually remove access whenever we can; for example, we delete our own SSH key from DO because they let us).
It's still OpenVPN but might be useful to those that care about this story too.
There's another tunnel implementation that's based on NaCl called fastd. It seems to be production ready, however some thousands of Freifunk participants use it to connect their Access Points.
This is stateless, nearly zero-configuration, and P2P, among other things. It also uses the same cryptographic primitives and composition as NaCl (purely coincidentally). It supports Mac, Windows, and Linux, and has a GUI control panel for Mac and Windows. There's a clean installer with baked-in auto-update functionality.
https://github.com/zerotier/ZeroTierOne
/full disclosure: I wrote this.
The source code is about two years old. Does that mean that the code is so stable that there is no need for patches/improvements? Or has the project been discontinued?
I'm still searching for something a la tinc, but with a decent crypto story (tinc goes out of its way to say that it probably isn't safe).
SigmaVPN would look awesome, but lacks Windows support. I'd give ZeroTierOne a shot, but that lacks Android support. Any other solutions for a "VPN Of Things" if you will?
What's the recommended non-serious-personal-use VPN these days?
PPTP is completely broken (MS-CHAPv2 especially), OpenVPN is hard to set up and maintain.
I've been using ssh as an impromptu VPN-like thing but I'd really, really like an actual VPN solution.
Anybody familiar with this project? Does it successfully and securely achieve what it claims to achieve? What's its status currently?
Link bait title with reference to OpenVPN but not mentioned anywhere on the page.
Isn't OpenVPN stateless if you disable the ping restarts anyway?
Kind of interesting, the build system:
https://github.com/neilalexander/sigmavpn/blob/master/build....
and
https://github.com/neilalexander/sigmavpn/blob/master/instal....
No make, cmake or scons... I'm wondering how they are dealing with different platforms and requirements checking...
LOL for anyone who uses this.
Replacement? Does it talk OpenVPN protocol? No. It is not a replacement.