ether2any/tunnel/ircvpn/README

89 lines
3.6 KiB
Plaintext

IrcVPN - Irc Virtual Public Network
===================================
This is an ethernet tunnel providing basic hubbed or switchet networks via Irc.
Warning: If you use this software on a "real" (read: not your own) network:
1. You may run into various flood protections
2. Your IRC-OP may (should?) kill you for that
Furthermore: All of your data will go kind-of plaintext over an Irc-channel.
While this is a rather uncommon way of IP transit, everybody who
is able to join the channel may be able to eavesdrop.
Installation and requirements
=============================
* python-irclib
* ether2any
For configuration take a look at conf.py, it has some comments to give you a
hint of what the settings will do. Some of the security settings are rather
untested, keep that in mind. After configuration, start the tunnel with
python ircvpn.py. A tap device will open and the tunnel should be ready to run.
What it does and how it works
=============================
IrcVPN uses an Irc channel as its transport medium. When starting this tunnel,
it makes a connection to the configured Irc server, joins a channel and starts
pushing all outgoing network traffic (base64 encoded with a small header) into
that channel. The nick will be a combination of the configured prefix and
the TAP interfaces MAC address.
There are two network modes available:
.Hubbed Network
In a hubbed network topology all the clients share one broadcast medium, the
Irc channel.
.Switchet Network
In a switched network topology still all the clients join the irc channel and
use it for broadcast messages but unicast traffic goes directly to the user
to whom it is addressed, as it is sent to the nick-prefix-MAC-address
combination. Wether the user with the specific mac actually IS in the network
is not checked.
Flood protection is kind of the biggest issue for the IrcVPN: After a
configured amount of messages most irc servers queue the incoming messages
and send them out throttled to one message per second. If the send queue is
flooded over its capacity the responsible user gets kicked from the server. So
this tunnel is not going to perform very well on normal servers out there.
When setting up your own server, the flood protection CAN be turned off but
irc servers with configurable flood protections tend to allow flooding only in
channels (rendering switched networks unusable) and only if the user has either
voice, half-op or op permissions in that channel. This is where voicebot.py
comes in: The voicebot voices everyone who utters a certain phrase. Therefore
it is kind of ensured that every bot has permission to flood "the ether" with
network packets as much as it wants.
Irc's right management can always be used to mute, rate-limit or remove
spamming or otherwise unwanted clients.
Header Format
=============
<fragmentation flag><packet id> <base64 encoded message>
The *fragmentation flag* can be either of o, b, c, e. *o* stands for oneliner,
which means that afterwards there is a complete ethernet frame (no
fragmentation). *b*, *c*, *e* stand for begin, continue, end and mark packets
which are broken into several pieces (as irc does not support infinite line
length).
The packet id is just a random generated number between 0, 99999 (inclusive).
What could be done
==================
* replace base64 with something more suitable for Irc
* test security settings
* find static linkable irc server, patch out flood protection
* VVLAN - a Virtual VLAN between irc channels/servers
Licensing
=========
Written by Sebastian Lohff <seba@seba-geek.de>
Published under the GPLv3 or later