From: John-Mark Gurney
To: Tom Marcoen
Cc: Julian Elischer, freebsd-net@freebsd.org, eugen@grosbein.net
Date: Sun, 7 Jun 2020 17:21:51 -0700
Subject: Re: On Netgraph
Message-ID: <20200608002151.GN4213@funkthat.com>
References: <4e1a0775-be6f-d1e7-4b10-33df717ba0bf@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD
Tom Marcoen wrote this message on Fri, Jun 05, 2020 at 22:07 +0200:
> I'm sure I can come up with those ten-or-so lines myself. I was just hoping
> I could use a Netgraph node which performs the encryption before sending it
> through the ksocket node. Perhaps I should write such a node then.

There are LOTS of things you have to be careful about when writing code to
do this.. Key renegotiation after a period of time, replay prevention,
authentication, etc... It's not an easy task...

Using IPSEC would make a lot more sense...
> On Fri, 5 Jun 2020 at 22:04, Julian Elischer wrote:
>
> > On 6/5/20 12:13 PM, Tom Marcoen wrote:
> > > Hey Eugen,
> > >
> > > For some reason I did not receive your email. But I found your reply in
> > > the archives.
> > >
> > > Anyway, the goal is to have two computers, each with a Netgraph bridge
> > > node and jails connecting to these bridges. I want to connect both bridges
> > > over the Internet securely. Using a UDP tunnel and encrypting that with
> > > IPsec or wireguard or .... would be an option, but it would be nicer if I
> > > could use a Netgraph-native option.
> > >
> > In years past I used netgraph ksocket nodes to generate a udp tunnel
> > and then set up IPSEC to encrypt it.
> >
> > can be done from the command line with about 10 lines from memory.
> >
> > Unfortunately I don't have those 10 lines at hand as it was at
> > JOB[current - 5]
> >
> > Julian
> >
> > > Regards,
> > > Tom
> > >
> > > On Wed, 27 May 2020 at 10:06, Tom Marcoen wrote:
> > >
> > >> Hey all,
> > >>
> > >> I'm new to this mailing list and also quite new to FreeBSD (hurray,
> > >> welcome to me!) so bear with me, please.
> > >>
> > >> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails
> > >> and I was looking at some of the examples provided in
> > >> /usr/share/examples/netgraph and now have the following question.
> > >> The udp.tunnel example shows an iface point-to-point connection but it
> > >> is unencrypted. Of course I could encrypt it with an IPsec tunnel on the
> > >> host or tunnel it through SSH, but I was wondering whether there exists
> > >> a nice Netgraph solution, e.g. a node with two hooks, receiving
> > >> unencrypted traffic on the inside hook and sending out encrypted traffic
> > >> on the outside hook.

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
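The setup Julian describes in the quoted text (a ksocket UDP tunnel with IPsec layered on top), written out as an added example; this is not code from the thread, nor FreeBSD's own udp.tunnel example script, though the ngctl sequence follows that script's layout. The addresses and port are constructed documentation values, the tunnel is assumed to be the first ng_iface node (so it is named ng0), and the `--apply` switch is this script's own convention. The setkey policy only declares that ESP is required for the tunnel's UDP flow; the SAs themselves come from an IKE daemon (or manual `add` lines in a lab), and until they exist the `require` level makes the kernel drop the tunnel traffic rather than send it in the clear.

```shell
#!/bin/sh
# Added example (not from the thread): ng_iface -> ng_ksocket UDP tunnel,
# plus an IPsec transport-mode policy that requires ESP on exactly that flow.
#
# Usage: sh ng-udp-tunnel.sh [--apply] LOCAL_EXT REMOTE_EXT PORT LOCAL_INT REMOTE_INT
# Without --apply the commands are only printed so they can be reviewed.
# All addresses and the port in the tests below are constructed placeholders.

# Emit the ngctl(8)/ifconfig(8) commands that build the tunnel.
# The iface node's "inet" hook is connected to a ksocket node that owns a
# UDP datagram socket bound to our external address and connected to the
# peer, so every packet leaving ng0 travels as one UDP datagram.
ng_tunnel_cmds() {
    local_ext=$1; remote_ext=$2; port=$3; local_int=$4; remote_int=$5
    cat <<EOF
ngctl mkpeer iface dummy inet
ngctl mkpeer ng0: ksocket inet inet/dgram/udp
ngctl msg ng0:inet bind inet/${local_ext}:${port}
ngctl msg ng0:inet connect inet/${remote_ext}:${port}
ifconfig ng0 ${local_int} ${remote_int}
EOF
}

# Emit a setkey(8) policy requiring ESP (transport mode) for the tunnel's
# UDP flow in both directions.  Keying is deliberately left to IKE; with
# "require" and no SA the kernel drops the packets instead of leaking them.
ipsec_policy() {
    local_ext=$1; remote_ext=$2; port=$3
    cat <<EOF
spdadd ${local_ext}/32[${port}] ${remote_ext}/32[${port}] udp -P out ipsec esp/transport//require;
spdadd ${remote_ext}/32[${port}] ${local_ext}/32[${port}] udp -P in ipsec esp/transport//require;
EOF
}

# Command-line driver: print by default, execute only with --apply.
apply=0
if [ "$1" = "--apply" ]; then apply=1; shift; fi
if [ $# -eq 5 ]; then
    if [ $apply -eq 1 ]; then
        ng_tunnel_cmds "$@" | sh -e          # build the netgraph tunnel
        ipsec_policy "$1" "$2" "$3" | setkey -c   # install the SPD entries
    else
        ng_tunnel_cmds "$@"
        ipsec_policy "$1" "$2" "$3" | sed 's/^/setkey: /'
    fi
fi
```

Because ng_ksocket simply sends whatever frames arrive on its hook as datagrams, the same ksocket node can instead be hung off a link hook of the ng_bridge node Tom describes; the IPsec policy is unchanged, since it keys only on the outer UDP flow. Run the script without `--apply` first and check that the bind address is the host's real external address and that the IKE peer covers the same two endpoints, otherwise the `require` policy blackholes the tunnel.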