Date:      Sun, 7 Jun 2020 17:21:51 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Tom Marcoen <tom.marcoen@gmail.com>
Cc:        Julian Elischer <julian@freebsd.org>, freebsd-net@freebsd.org, eugen@grosbein.net
Subject:   Re: On Netgraph
Message-ID:  <20200608002151.GN4213@funkthat.com>
In-Reply-To: <CAJ-iVrPLuKYQgPCwsJvWfhi9ZaziHgnbN1Zvd54PFnQUsF3VyA@mail.gmail.com>
References:  <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com> <CAJ-iVrNLtokv1abMWht=B1CZKxOC_Q=EvOh_hs+S3b+d4F5RMA@mail.gmail.com> <4e1a0775-be6f-d1e7-4b10-33df717ba0bf@freebsd.org> <CAJ-iVrPLuKYQgPCwsJvWfhi9ZaziHgnbN1Zvd54PFnQUsF3VyA@mail.gmail.com>

Tom Marcoen wrote this message on Fri, Jun 05, 2020 at 22:07 +0200:
> I'm sure I can come up with those ten-or-so lines myself. I was just hoping
> I could use a Netgraph node which performs the encryption before sending it
> through the ksocket node. Perhaps I should write such a node then.

There are LOTS of things you have to be careful about when writing
code to do this..  Key renegotiation after a period of time, replay
prevention, authentication, etc...  It's not an easy task...

Using IPSEC would make a lot more sense...

> On Fri, 5 Jun 2020 at 22:04, Julian Elischer <julian@freebsd.org> wrote:
> 
> > On 6/5/20 12:13 PM, Tom Marcoen wrote:
> > > Hey Eugen,
> > >
> > > For some reason I did not receive your email. But I found your reply in the
> > > archives.
> > >
> > > Anyway, the goal is to have two computers, each with a Netgraph bridge node
> > > and jails connecting to these bridges. I want to connect both bridges over
> > > the Internet securely. Using a UDP tunnel and encrypting that with IPsec or
> > > wireguard or .... would be an option, but it would be nicer if I could use
> > > a Netgraph-native option.
> >
> > In years past I used netgraph ksocket nodes to generate a udp tunnel
> > and then set up IPSEC to encrypt it.
> >
> > Can be done from the command line with about 10 lines from memory.
> >
> > Unfortunately I don't have those 10 lines at hand as it was at
> > JOB[current - 5]
> >
> > Julian
> >
> > > Regards,
> > > Tom
> > >
> > > On Wed, 27 May 2020 at 10:06, Tom Marcoen <tom.marcoen@gmail.com> wrote:
> > >
> > >> Hey all,
> > >>
> > >> I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
> > >> to me!) so bear with me, please.
> > >>
> > >> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails
> > >> and I was looking at some of the examples provided in
> > >> /usr/share/examples/netgraph and now have the following question.
> > >> The udp.tunnel example shows an iface point-to-point connection but it is
> > >> unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> > >> or tunnel it through SSH, but I was wondering whether there exists a nice
> > >> Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> > >> traffic on the inside hook and sending out encrypted traffic on the outside
> > >> hook.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
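The ksocket-plus-IPsec approach Julian recalls, written out as an added shell example (it is not the thread's own ten lines): a ksocket node is hung off a free ng_bridge link hook to carry the bridge's frames in UDP, and a setkey policy requires ESP on that UDP flow, which supplies the authentication, anti-replay and rekeying John-Mark lists without a custom crypto node. The bridge name br0, hook link2, the addresses and port 4028 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own script: attach a ksocket UDP tunnel to
# an ng_bridge link hook (the bridge-to-bridge case Tom describes) and require
# ESP on that UDP flow so the tunnel never carries cleartext frames.
# Bridge name, hook, addresses and port are constructed placeholders.
BRIDGE=br0            # existing ng_bridge node on this host
LINK=link2            # free bridge link hook for the tunnel
LOC_IP=192.0.2.1      # this host's Internet-facing address
REM_IP=198.51.100.1   # peer's Internet-facing address (swap on the other host)
TUN_PORT=4028         # UDP port used at both ends

# With DRY_RUN set, print each command instead of running it, so the plan can
# be reviewed (or checked) on a machine without netgraph or root.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# ksocket node on the bridge hook; its own hook name "inet/dgram/udp" picks
# the socket type (ng_ksocket(4)). bind then connect pins both endpoints so
# datagrams from any other source are dropped by the socket itself.
build_tunnel() {
    run ngctl mkpeer "${BRIDGE}:" ksocket "$LINK" inet/dgram/udp
    run ngctl msg "${BRIDGE}:${LINK}" bind "inet/${LOC_IP}:${TUN_PORT}"
    run ngctl msg "${BRIDGE}:${LINK}" connect "inet/${REM_IP}:${TUN_PORT}"
}

# setkey(8) SPD entries: transport-mode ESP is mandatory for the tunnel's UDP
# flow in both directions. ESP gives the authentication and anti-replay that
# a home-grown crypto node would have to reinvent; SAs and rekeying are left
# to an IKE daemon rather than static keys.
ipsec_policy() {
    cat <<EOF
spdadd ${LOC_IP}/32[${TUN_PORT}] ${REM_IP}/32[${TUN_PORT}] udp -P out ipsec esp/transport//require;
spdadd ${REM_IP}/32[${TUN_PORT}] ${LOC_IP}/32[${TUN_PORT}] udp -P in ipsec esp/transport//require;
EOF
}

apply_policy() {
    if [ -n "$DRY_RUN" ]; then ipsec_policy; else ipsec_policy | setkey -c; fi
}

# Entry point: source this file and call main as root on each host (with
# LOC_IP/REM_IP swapped on the peer); with DRY_RUN=1 it only prints the plan.
main() { build_tunnel; apply_policy; }
```

The policy only blocks cleartext; an IKE daemon (or manual SAs added with setkey) must still install the ESP SAs, and the peer needs the mirror-image policy.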


