Skip to content

Latest commit

 

History

History
353 lines (296 loc) · 10.5 KB

README.md

File metadata and controls

353 lines (296 loc) · 10.5 KB

grpc-vpn

language license

GRPC-VPN is the VPN server and client which supports authentications such as Google OpenId Connect or AWS IAM, using GRPC.

Other authentications(LDAP, ...) will be to apply it, if you will implement custom ServerAuthMethod for VPN server and ClientAuthMethod for VPN client.


Motivation
Of course, the well-made VPN is already around us.

But many VPN aren't to support multiple authentications. (Generally support to LDAP, configuration file having shared key)

I want to apply multiple authentications by circumstances, so protocol for authentication should organize the plugin which implements it.


GRPC-VPN

  • It's composed of server and client.
  • It's implemented using Golang.
  • Communicates via GRPC.
  • Use Tun device.
  • Server on VPN can only run on Linux, and Client on VPN can run on Linux or Mac.
  • Supports to inject custom authentication function.
  • Issued JWT is expired after 1.day. (later it will support to change mannually.)

Why GRPC?

For multiple authentications will support, authentication flow and connection flow should definitely distinguish.

Authentication flow needs to a little unification protocol for applying various case.

Connection flow should have the unitary policy regardless of authentications.
So I was to use JWT authentication and GRPC.

Using GRPC can implement the unification authentication flow, also using JWT and GRPC stream can connect VPN regardless of authentications.



Getting Started

  • It's possible to be used both a third-party library and standalone application.
  • Server on VPN can only run on Linux, and Client on VPN can run on Linux or Mac.
  • It must run with sudo, becausue it's included network setting that can change on kernel mode.

1. Be used Third-Party Library.

You can write code and run, if you utilize it on circumstances.

1. Non Authentication

# -------------------------------------------------
# SERVER
# -------------------------------------------------

import (
    "github.com/gjbae1212/grpc-vpn/server"    
)

s, _ = server.NewVpnServer(
            server.WithVpnSubNet("ex) 192.168.0.100/24"),
      		server.WithGrpcPort("ex) 443"),
      		server.WithVpnJwtSalt("ex) jwt salt"),
      		server.WithVpnJwtExpiration(24*time.Hour),
      		server.WithGrpcTlsCertification("ex) tls cert"),
      		server.WithGrpcTlsPem("ex) tls pem"),       
)
s.Run()

# ------------------------------------------------- 
# CLIENT 
# -------------------------------------------------

import (
    "github.com/gjbae1212/grpc-vpn/client"
        "github.com/gjbae1212/grpc-vpn/auth"
)

c, _ := client.NewVpnClient(
            client.WithServerAddr("ex) server addr"),
     		client.WithServerPort("ex) server port"),
     		client.WithSelfSignedCertification("ex) server tls cert"),     
)
c.Run()

2. Authentication Google OpenID Connect

# -------------------------------------------------
# SERVER
# -------------------------------------------------

import (
    "github.com/gjbae1212/grpc-vpn/server"
    "github.com/gjbae1212/grpc-vpn/auth"
)

authGoogle, _ := auth.NewServerManagerForGoogleOpenID(
		"ex) google openid connect client_id",
		"ex) google openid connect client_secret",
		"ex) if your GSUITE is using, it's domain name to allow",
		[]string{"[email protected]", "blahblah"},
	)
authMethod, _ := authGoogle.ServerAuth()

s, _ := server.NewVpnServer(
    server.WithVpnSubNet("ex) 192.168.0.100/24"),
    server.WithGrpcPort("ex) 443"),
    server.WithVpnJwtSalt("ex) jwt salt"),
    server.WithVpnJwtExpiration(24*time.Hour),
    server.WithGrpcTlsCertification("ex) tls cert"),
    server.WithGrpcTlsPem("ex) tls pem"),
    server.WithAuthMethods([]auth.ServerAuthMethod{authMethod}), // authentication
)
s.Run()

# ------------------------------------------------- 
# CLIENT 
# -------------------------------------------------

import (
    "github.com/gjbae1212/grpc-vpn/client"
    "github.com/gjbae1212/grpc-vpn/auth"
)

authGoogle, _ := auth.NewClientManagerForGoogleOpenID(
		"ex) google openid connect client_id",
		"ex) google openid connect client_secret",
	)
	
authMethod, _ := authGoogle.ClientAuth()
c, _ := client.NewVpnClient(
    client.WithServerAddr("ex) server addr"),
    client.WithServerPort("ex) server port"),
    client.WithSelfSignedCertification("ex) server tls cert"),
    client.WithAuthMethod(authMethod), // authentication
)
c.Run()

3. Authentication(AWS IAM)

# -------------------------------------------------
# SERVER
# -------------------------------------------------

import (
    "github.com/gjbae1212/grpc-vpn/server"
    "github.com/gjbae1212/grpc-vpn/auth"
)

authAws, _ := auth.NewServerManagerForAwsIAM(
		"ex) allow aws account id",
		[]string{"[email protected]", "blahblah"},
	)
authMethod, _ := authAws.ServerAuth()

s, _ := server.NewVpnServer(
    server.WithVpnSubNet("ex) 192.168.0.100/24"),
    server.WithGrpcPort("ex) 443"),
    server.WithVpnJwtSalt("ex) jwt salt"),
    server.WithVpnJwtExpiration(24*time.Hour),
    server.WithGrpcTlsCertification("ex) tls cert"),
    server.WithGrpcTlsPem("ex) tls pem"),
    server.WithAuthMethods([]auth.ServerAuthMethod{authMethod}), // authentication
)
s.Run()

# ------------------------------------------------- 
# CLIENT 
# -------------------------------------------------

import (
    "github.com/gjbae1212/grpc-vpn/client"
    "github.com/gjbae1212/grpc-vpn/auth"
)

authAws, _ := auth.NewClientManagerForAwsIAM(
		"ex) aws key",
		"ex) aws secret access key",
	)
authMethod, _ := authAws.ClientAuth()

c, _ := client.NewVpnClient(
    client.WithServerAddr("ex) server addr"),
    client.WithServerPort("ex) server port"),
    client.WithSelfSignedCertification("ex) server tls cert"),
    client.WithAuthMethod(authMethod), // authentication
)
c.Run()

2. Be used Standalone Application.

You can run an application which already built.

1. Download or build

$ git clone https://github.com/gjbae1212/grpc-vpn.git
$ cd grpc-vpn
$ bash script/make.sh build_vpn_server # make an application to dist directory.
$ bash script/make.sh build_vpn_client # make an application to dist directory.

2. Run Server server config(config.yaml)

# Template
vpn:
  port: "" # Required(vpn port)
  subnet: "" # Required(vpn subnet(private ip range), ex) 192.168.0.100/24)
  log_path: "" # Required(log path)
  jwt_salt: "" # Required(random string)
  jwt_expiration: "" # Required(expire-time in JWT), ex) 100ms, 10m, 2h30m, ...  
  tls_certification: "" # Required(tls cert)
  tls_pem: "" # Required(tls pem)

auth: # Optional 
  google_openid: # Optional(if you want to google openid connect authentication)
    client_id: "" # Google client id
    client_secret: "" # Google client secret
    hd: "" # If you are using GSuite, domain name for allowing.
    allow_emails: # Allow emails
      - ""
  aws_iam: # Optional(if you want to aws iam authentication)
    account_id: "" # Allow AWS Account ID 
    allow_users: # Allow users
      - ""

----------------------------------------------------------------------

# 1. Example Non Authentication
vpn:
  port: "8080" 
  subnet: "192.168.0.100/24" 
  log_path: "" 
  jwt_salt: "hello-world" 
  jwt_expiration: "2h10m" 
  tls_certification: "blahblah" 
  tls_pem: "blahblah" 

# 2. Example Google OpenId Connect (Reference https://developers.google.com/identity/protocols/oauth2/native-app)
vpn:
  port: "8080" 
  subnet: "192.168.0.100/24" 
  log_path: "" 
  jwt_salt: "hello-world" 
  jwt_expiration: "1h10m"
  tls_certification: "blahblah" 
  tls_pem: "blahblah"
auth:  
  google_openid: 
    client_id: "google client id" 
    client_secret: "google client secret" 
    hd: "" 
    allow_emails: 
      - "[email protected]"

# 3. Example Aws IAM
vpn:
  port: "8080" 
  subnet: "192.168.0.100/24" 
  log_path: "" 
  jwt_salt: "hello-world"
  jwt_expiration: "3h"
  tls_certification: "blahblah" 
  tls_pem: "blahblah"
auth:    
  aws_iam: 
    account_id: "aws accoount id"  
    allow_users: 
      - "blahblah"

Run

$ cd grpc-vpn/dist
$ sudo vpn-server-linux run -c "config.yaml path" 

3. Run Client client config(config.yaml)

# Template
vpn:
  addr: "" # Required(vpn server addr)
  port: "" # Required(vpn server port)
  insecure: true or false # Required (true is to disable tls, false is to enable tls)
  self_signed_certification: "" # Optional(If you are using self-signed certification, you must insert it.)
auth: # Optional
  google_openid: # Optional(if your vpn-server support to google openid connect authentication)
    client_id: ""
    client_secret: ""
  aws_iam:  # Optional(if your vpn-server support to aws iam authentication)
    access_key: ""
    secret_access_key: ""

---------------------------------------------------------------

# 1. Example Non Authentication
vpn:
  addr: "localhost" 
  port: "8080"
  insecure: false 
  self_signed_certification: ""   

# 2. Example Google OpenId Connect (Reference https://developers.google.com/identity/protocols/oauth2/native-app)
vpn:
  addr: "localhost" 
  port: "8080"
  insecure: false
  self_signed_certification: ""   
auth: 
  google_openid: 
    client_id: "gogole client id"
    client_secret: "google client secret"

# 3. Example Aws IAM
vpn:
  addr: "localhost" 
  port: "8080"
  insecure: false
  self_signed_certification: ""  
auth: 
  aws_iam:  # Optional(if your vpn-server support to aws iam authentication)
    access_key: "aws access key"
    secret_access_key: "aws secret key"  
Run
```bash
$ cd grpc-vpn/dist

# MAC
$ sudo vpn-client-darwin run -c "config.yaml path"

# LINUX 
$ sudo vpn-client-linux run -c "config.yaml path" 

License

This project is following The MIT.