EdgeVPN – Overview

Docs: Tunnel connections

Mon, 01 Jan 0001 00:00:00 +0000

Forwarding a local connection

EdgeVPN can also be used to expose local(or remote) services without establishing a VPN and allocating a local tun/tap device, similarly to ngrok.

Exposing a service

If you are used to how Local SSH forwarding works (e.g. ssh -L 9090:something:remote <my_node>), EdgeVPN takes a similar approach.

A Service is a generalized TCP service running in a host (also outside the network). For example, let’s say that we want to expose a SSH server inside a LAN.

To expose a service to your EdgeVPN network then:

$ edgevpn service-add "MyCoolService" "127.0.0.1:22"

To reach the service, EdgeVPN will setup a local port and bind to it, it will tunnel the traffic to the service over the VPN, for e.g. to bind locally to 9090:

$ edgevpn service-connect "MyCoolService" "127.0.0.1:9090"

with the example above, ‘sshing into 9090 locally would forward to 22.

Docs: DNS

Thu, 05 Jan 2017 00:00:00 +0000

Experimental feature!

DNS Server

A DNS Server is available but disabled by default.

The DNS server will resolve DNS queries using the blockchain as a record and will forward unknown domains by default.

It can be enabled by specifying a listening address with --dns. For example, to bind to default 53 port locally, run in the console:

edgevpn --dns "127.0.0.1:53"

To turn off dns forwarding, specify --dns-forwarder=false. Optionally a list of DNS servers can be specified multiple times with --dns-forward-server.

The dns subcommand has several options:

   --dns value                             DNS listening address. Empty to disable dns server [$DNSADDRESS]
   --dns-forwarder                         Enables dns forwarding [$DNSFORWARD]                 
   --dns-cache-size value                  DNS LRU cache size (default: 200) [$DNSCACHESIZE]                  
   --dns-forward-server value              List of DNS forward server (default: "8.8.8.8:53", "1.1.1.1:53") [$DNSFORWARDSERVER]

Nodes of the VPN can start a local DNS server which will resolve the routes stored in the chain.

For example, to add DNS records, use the API as such:

$ curl -X POST http://localhost:8080/api/dns --header "Content-Type: application/json" -d '{ "Regex": "foo.bar", "Records": { "A": "2.2.2.2" } }'

The /api/dns routes accepts POST requests as JSON of the following form:

{ "Regex": "<regex>", 
  "Records": { 
     "A": "2.2.2.2",
     "AAAA": "...",
  },
}

Note, Regex accepts regexes which will match the DNS requests received and resolved to the specified entries.

Docs: Sending and receiving files

Thu, 05 Jan 2017 00:00:00 +0000

Sending and receiving files

EdgeVPN can be used to send and receive files between hosts via p2p with the file-send and file-receive subcommand.

Sending and receiving files, as services, don’t establish a VPN connection.

Sending

$ edgevpn file-send --name unique-id --path /src/path

Receiving

$ edgevpn file-receive --name unique-id --path /dst/path

Docs: Peerguardian

Wed, 05 Jan 2022 00:00:00 +0000

Experimental feature!

Peerguardian

PeerGuardian is a mechanism to prevent unauthorized access to the network if tokens are leaked or either revoke network access.

In order to enable it, start edgevpn nodes adding the --peerguradian flag.

edgevpn --peerguardian

To turn on peer gating, specify also --peergate.

Peerguardian and peergating has several options:

   --peerguard                                   Enable peerguard. (Experimental) [$PEERGUARD]
   --peergate                                    Enable peergating. (Experimental) [$PEERGATE]
   --peergate-autoclean                          Enable peergating autoclean. (Experimental) [$PEERGATE_AUTOCLEAN]
   --peergate-relaxed                            Enable peergating relaxation. (Experimental) [$PEERGATE_RELAXED]
   --peergate-auth value                         Peergate auth [$PEERGATE_AUTH]
   --peergate-interval value                     Peergater interval time (default: 120) [$EDGEVPNPEERGATEINTERVAL]

When the PeerGuardian and Peergater are enabled, a VPN node will only accepts blocks from authorized nodes.

Peerguardian is extensible to support different mechanisms of authentication, we will see below specific implementations.

ECDSA auth

The ECDSA authentication mechanism is used to verify peers in the blockchain using ECDSA keys.

To generate a new ECDSA keypair use edgevpn peergater ecdsa-genkey:

$ edgevpn peergater ecdsa-genkey
Private key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JSGNBZ0VCQkVJQkhUZnRSTVZSRmlvaWZrdllhZEE2NXVRQXlSZTJSZHM0MW1UTGZlNlRIT3FBTTdkZW9sak0KZXVPbTk2V0hacEpzNlJiVU1tL3BCWnZZcElSZ0UwZDJjdUdnQndZRks0RUVBQ09oZ1lrRGdZWUFCQUdVWStMNQptUzcvVWVoSjg0b3JieGo3ZmZUMHBYZ09MSzNZWEZLMWVrSTlEWnR6YnZWOUdwMHl6OTB3aVZxajdpMDFVRnhVCnRKbU1lWURIRzBTQkNuVWpDZ0FGT3ByUURpTXBFR2xYTmZ4LzIvdEVySDIzZDNwSytraFdJbUIza01QL2tRNEIKZzJmYnk2cXJpY1dHd3B4TXBXNWxKZVZXUGlkeWJmMSs0cVhPTWdQbmRnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
Public key: LS0tLS1CRUdJTiBFQyBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFCbEdQaStaa3UvMUhvU2ZPS0syOFkrMzMwOUtWNApEaXl0MkZ4U3RYcENQUTJiYzI3MWZScWRNcy9kTUlsYW8rNHROVkJjVkxTWmpIbUF4eHRFZ1FwMUl3b0FCVHFhCjBBNGpLUkJwVnpYOGY5djdSS3g5dDNkNlN2cElWaUpnZDVERC81RU9BWU5uMjh1cXE0bkZoc0tjVEtWdVpTWGwKVmo0bmNtMzlmdUtsempJRDUzWT0KLS0tLS1FTkQgRUMgUFVCTElDIEtFWS0tLS0tCg==

For example, to add a ECDSA public key, use the API as such from a node which is already trusted by PeerGuardian:

$ curl -X PUT 'http://localhost:8080/api/ledger/trustzoneAuth/ecdsa_1/LS0tLS1CRUdJTiBFQyBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBL09TTjhsUU9Wa3FHOHNHbGJiellWamZkdVVvUAplMEpsWUVzOFAyU3o1TDlzVUtDYi9kQWkrVFVONXU0ZVk2REpGeU50dWZjK2p0THNVTTlPb0xXVnBXb0E0eEVDCk9VdDFmRVNaRzUxckc4MEdFVjBuQTlBRGFvOW1XK3p4dmkvQnd0ZFVvSTNjTDB0VTdlUGEvSGM4Z1FLMmVOdE0KeDdBSmNYcWpPNXZXWGxZZ2NkOD0KLS0tLS1FTkQgRUMgUFVCTElDIEtFWS0tLS0tCg=='

Now the private key can be used while starting new nodes:

PEERGATE_AUTH="{ 'ecdsa' : { 'private_key': 'LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JSGNBZ0VCQkVJQkhUZnRSTVZSRmlvaWZrdllhZEE2NXVRQXlSZTJSZHM0MW1UTGZlNlRIT3FBTTdkZW9sak0KZXVPbTk2V0hacEpzNlJiVU1tL3BCWnZZcElSZ0UwZDJjdUdnQndZRks0RUVBQ09oZ1lrRGdZWUFCQUdVWStMNQptUzcvVWVoSjg0b3JieGo3ZmZUMHBYZ09MSzNZWEZLMWVrSTlEWnR6YnZWOUdwMHl6OTB3aVZxajdpMDFVRnhVCnRKbU1lWURIRzBTQkNuVWpDZ0FGT3ByUURpTXBFR2xYTmZ4LzIvdEVySDIzZDNwSytraFdJbUIza01QL2tRNEIKZzJmYnk2cXJpY1dHd3B4TXBXNWxKZVZXUGlkeWJmMSs0cVhPTWdQbmRnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=' } }"
$ edgevpn --peerguardian --peergate

Enabling/Disabling peergating in runtime

Peergating can be disabled in runtime by leveraging the api:

Query status

$ curl -X GET 'http://localhost:8080/api/peergate'

Enable peergating

$ curl -X PUT 'http://localhost:8080/api/peergate/enable'

Disable peergating

$ curl -X PUT 'http://localhost:8080/api/peergate/disable'

Starting a new network

To init a new Trusted network, start nodes with --peergate-relaxed and add the neccessary auth keys:

$ edgevpn --peerguardian --peergate --peergate-relaxed
$ curl -X PUT 'http://localhost:8080/api/ledger/trustzoneAuth/keytype_1/XXX'

Note

It is strongly suggested to use a local store for the blockchain with PeerGuardian. In this way nodes persist locally auth keys and you can avoid starting nodes with `–peergate-relaxed'