Zebedee: A Secure TCP Tunnel
============================

Main (and only) URL: http://www.winton.org.uk/zebedee/

Zebedee is a port forwarder. Its client side listens on a local port and forwards data received on connections to that port to a zebedee server, which then sends it on to target servers as per its configuration. Data between zebedee instances may be compressed and is always encrypted.

Setup is a bit intricate, though much less complicated than OpenSSL was prior to PiVPN.

Being a port forwarder, Zebedee does not establish a VPN between client and server, so there are neither TAP nor TUN interfaces to configure. There is also no modification to IP routing tables. Consequently, zebedee does not require root privileges to run unless one wants it to bind to a privileged port, which is not a good idea.

Quote:

Zebedee is a simple program to establish an encrypted, compressed tunnel for TCP/IP or UDP data transfer between two systems. This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.

The main goals for Zebedee are to:

- Provide full client and server functionality under both UNIX/Linux and Windows.
- Be easy to install, use and maintain with little or no configuration required.
- Have a small footprint, low wire protocol overhead and give significant traffic reduction by the use of compression.
- Use only algorithms that are either unpatented or for which the patent has expired.
- Be entirely free for commercial or non-commercial use and distributed under the terms of the GNU General Public Licence.

/Quote

Zebedee is not available via apt/yum/..., so it needs to be built from source. "buildThis", the default install script, compiles and installs zebedee and the required libraries (blowfish-0.9.5a, bzip2-1.0.3, and zlib-1.2.3) underneath /apps/ on a Raspberry Pi.
/apps was chosen because it does not interfere with the software installation preferences of Linux, the BSDs and Solaris (/opt, /usr, /usr/local, /usr/pkg, ...).

To run, invoke

    /apps/bin/zebedee -s -f /home/pi/VPN/zebedee.cfg

"-s" tells zebedee to act as a server; omit it for the client. "-f" specifies a configuration file.

Typical configuration settings:

server is true or false. If true, then this is the "far end" of a zebedee connection, which listens on some publicly reachable port for zebedee clients to connect to.

listenmode is used to reverse the roles of client and server. It allows a client sitting behind a restrictive firewall to establish a connection to an easily reachable server and then reverse roles, so that the server accepts local connections and sends the data on to the client. Works well as long as one gets the timeout configuration under control.

targetconnecttimeout sets the time limit for the zebedee server side's connections to target servers.

detached tells zebedee to disconnect from the controlling terminal, sending itself into the background. Set this to false to monitor and restart zebedee from a shell script.

idletimeout specifies the time after which the server disconnects a silent client. Don't set this too low, and/or arrange for something to send data through the tunnel every so often.

ipmode (server side) can be tcp, udp or both, for the type of connection to accept. UDP support was added late and might need some testing. There are rumors of some cell phone service providers not always forwarding UDP traffic. As always, the old saying applies: I'd like to tell you a UDP joke, and I don't care if you get it.

readtimeout specifies the time allowed for a complete message to arrive. Must be less than or equal to idletimeout.

serverport is the port for a zebedee server to listen on for new connections. Should be non-privileged. Default is 11965 (0x2EBD) for TCP and mixed mode, 11230 (0x2BDE) for UDP-only mode.
If using server-initiated connections (see listenmode and clienthost), serverport is also the port on which the client listens for the server's incoming connections.

keylength is the key length in bits for Blowfish encryption. The maximum is 576 (why am I only using 512? FIX THIS!), the default 128.

minkeylength is the minimum key length a client may use. Clients trying to connect with a shorter key get dropped. Default is 0 (zero). Don't use the default.

idletimeout drops connections after that much time of inactivity.

compression picks a compression algorithm and level. The higher the level, the less data will be exchanged, at the expense of throughput, due to the amount of computation required on both ends. Fast hardware, slow wire? Set it high. Otherwise not.

keylifetime specifies how long a previously shared key can be reused to create new session keys for new client connections. Once it expires, the next connection causes a new shared secret key to be negotiated. Set to 0 (zero) if paranoid (why is mine 600? FIX THIS!).

checkidfile "/path/to/client.idlist" refers to a file containing the public fingerprints of clients allowed to connect to this system. These fingerprints are typically created by the client. To start out, a client first needs a private key, stored in its configuration file using the "privatekey" option. The client identifies itself to a server with a fingerprint derived from that private key. Without this feature (it is optional), zebedee is vulnerable to man-in-the-middle attacks.

Invoke zebedee -p on the client to generate a private key. Being private, this key needs to be kept secret. Seriously. For ease of configuration file setup, try this:

    zebedee -p > my.client.key

then replace the privatekey line in zebedee's client configuration with

    include "/path/to/my.client.key"

The next step is to create the client's public fingerprint, by invoking:

    zebedee -P -f myclient.key > myclient.id

myclient.id contains something like

    1234caffee... hex hex hex.... myclient

with myclient being the host name of the client. The fingerprint is not confidential, and needs to be added to the server's ID file. With this in place, only clients providing one of these fingerprints may connect to the server.

redirect provides a comma-separated list of ports (either by name, which must translate into a port number via /etc/services, or numeric) that zebedee's server side forwards connections to. Attempts to talk to a port not listed in redirect fail.

target provides a comma-separated list of host names or IP addresses for a zebedee server to connect to. Servers not mentioned in this list won't be contacted.

Client configuration differs slightly from a server's. For a regular client, both server and listenmode are false.

localsource true forces the client to listen only on 127.0.0.1 for connections. If false, it listens on 0.0.0.0 and acts as a gateway to the server. For more granularity, use listenip, followed by one or more IP addresses to listen on.

multiuse keeps the client side up and running after a connection drops, if set to yes. If not, the client exits after termination of the first tunneled connection.

serverhost and serverport specify the host name and port to connect to. You might need to sign up with a dynamic DNS service provider if your server sits on a dynamic IP address.

tunnel sourceport:host:destinationport forwards traffic from a local port to a destination port on the remote server, provided the host is listed in the server-side configuration's "target" option and the port in its "redirect" option.

zebedee coexists just fine with OpenVPN. The sample client configuration puts the server at 10.8.0.1, OpenVPN's default server address when set up using PiVPN.

----------------------------------------------------------------
Sample client configuration:

# Calling home to www.keck.us.
server false
listenmode false
localsource true
multiuse true
serverhost 10.8.0.1
serverport 12345
tunnel 20021:127.0.0.1:22
udpmode false
keylength 512
minkeylength 256
idletimeout 65000
# The id for my key in key.zbd is in id.zbd
include "c:\Travel\key.zbd"
checkidfile "c:\Travel\idlist.zbd"
verbosity 2

----------------------------------------------------------------
Sample server configuration:

detached true
server true
targetconnecttimeout 600
detached false
idletimeout 600
ipmode both
readtimeout 300
serverport 12345
keylength 512
minkeylength 256
checkidfile "/path/to/client.idlist"
idletimeout 65000
compression zlib:2
keylifetime 600
redirect ssh
target 127.0.0.1
verbosity 3

----------------------------------------------------------------
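The option rules above (readtimeout no larger than idletimeout, a non-zero minkeylength, a checkidfile, keylifetime, and a tunnel only reaching a host in target on a port in redirect) as an added consistency checker for a client/server configuration pair. This is example code written for this page, not part of zebedee: it assumes the one-option-per-line format of the samples, uses a small stand-in table instead of /etc/services for port names, and the embedded sample pair is constructed from the configurations above (including their repeated detached and idletimeout lines).

```python
# Constructed sample pair, condensed from the two configurations above.
SERVER = ('server true\ndetached true\ndetached false\nidletimeout 600\nreadtimeout 300\n'
          'serverport 12345\nkeylength 512\nminkeylength 256\ncheckidfile "/p/client.idlist"\n'
          'idletimeout 65000\nkeylifetime 600\nredirect ssh\ntarget 127.0.0.1\n')
CLIENT = ('server false\nserverhost 10.8.0.1\nserverport 12345\ntunnel 20021:127.0.0.1:22\n'
          'keylength 512\nminkeylength 256\nidletimeout 65000\n')
SERVICES = {"ssh": 22, "telnet": 23, "ftp": 21}   # stand-in for an /etc/services lookup

def parse(text):
    """Parse 'option value' lines (# comments, optional quotes); returns last values + duplicates."""
    opts, dups = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            key, val = parts[0].lower(), parts[1].strip().strip('"')
            if key in opts:
                dups.append(key)
            opts[key] = val
    return opts, dups

def port_number(name):
    return int(name) if name.isdigit() else SERVICES.get(name)   # name or number

def check(server_cfg, client_cfg):
    """Cross-check a zebedee server/client pair against the rules above; returns findings."""
    (s, sdups), (c, cdups) = parse(server_cfg), parse(client_cfg)
    f = [f"{side}: '{k}' set more than once, check which value is intended"
         for side, dups in (("server", sdups), ("client", cdups)) for k in dups]
    if int(s.get("minkeylength", 0)) == 0:          # the default accepts any key length
        f.append("server: minkeylength is 0, any client key length is accepted")
    if int(c.get("keylength", 128)) < int(s.get("minkeylength", 0)):
        f.append("client: keylength below the server's minkeylength, will be dropped")
    if "readtimeout" in s and "idletimeout" in s and int(s["readtimeout"]) > int(s["idletimeout"]):
        f.append("server: readtimeout must not exceed idletimeout")
    if int(s.get("serverport", 11965)) < 1024:
        f.append("server: serverport is privileged, zebedee would need root")
    if "checkidfile" not in s:
        f.append("server: no checkidfile, clients are not authenticated (MITM risk)")
    if s.get("keylifetime", "0") != "0":
        f.append("server: keylifetime > 0, shared secret is reused for new sessions")
    if c.get("serverport") != s.get("serverport"):
        f.append("client: serverport does not match the server's")
    targets = [t.strip() for t in s.get("target", "").split(",")]
    allowed = {port_number(p.strip()) for p in s.get("redirect", "").split(",")}
    for spec in filter(None, c.get("tunnel", "").split(",")):
        _src, host, dst = spec.strip().split(":")    # sourceport:host:destinationport
        if host not in targets or port_number(dst) not in allowed:
            f.append(f"client: tunnel {spec.strip()} is not allowed by target/redirect")
    return f
```

Running check(SERVER, CLIENT) reports the two repeated server options and the non-zero keylifetime; the tunnel to 127.0.0.1:22 passes because the server lists 127.0.0.1 in target and ssh in redirect.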