itoedr's IT Academy

Recording the journey from IT illiterate to expert

n2n: a new generation of open-source P2P VPN

2013-11-05 14:55:37 | Category: linux vpn


n2n is a layer-2 VPN network system.

[Figure: n2n architecture diagram]
Explanation: edge nodes communicate with each other through virtual tap interfaces. Each tap interface is one n2n edge node. A PC can have several tap interfaces, so in an n2n network the same PC can belong to several networks.

   As shown in the figure above, n2n is a layer-2 VPN network. The supernode provides a meeting place where two edge nodes, each behind NAT or a firewall, can find each other. Once the two sides complete the initial handshake, the remaining data flow happens only between the two edge nodes; if one side's NAT is symmetric, the supernode must continue to relay packets for both sides. The edge nodes handle the encryption and decryption of the data flow. The principle is simple.
  For a VPN, the two main steps are encapsulation and encryption/decryption. The edge node encapsulates in UDP to cooperate better with firewall policies, since many firewalls block protocols other than TCP and UDP. The encryption algorithm is Twofish, which is open, simple and fast.
  To keep the design simple, n2n uses tap/tun virtual interfaces. The benefit is that the software is tiny and its source has very few dependencies, so it is easy to port to embedded devices; there is currently an OpenWrt version, and ports to Android and iPhone are planned.
  Compared with Hamachi, n2n's biggest advantages are:
   1. Open source: anyone can inspect the code to see whether anything fishy is going on, whereas Hamachi is closed source and nobody knows whether LogMeIn could intercept the keys; once the keys are intercepted, packets passing through the Hamachi servers can be decrypted. In n2n the encryption and decryption are done by the edge nodes, only the users at the two ends know the negotiated shared key, and the supernode has no way of learning it.
  2. Flexibility: n2n lets users run their own supernode on the Internet or use any public supernode. Hamachi users must log in to LogMeIn's servers to create a tunnel.
  n2n also supports a wide range of operating systems: Linux, FreeBSD, Mac OS X and even Windows, although since n2n only ships source code, users must compile it by hand.
  Below is how to install and use n2n on Debian Lenny.
       Note: on Ubuntu, apt-get install n2n completes the installation directly.
       After installation, n2n provides two working tools:

  ## Usage
  Home computer:
        alfie:~# edge -d n2n0 -c linuxabc -k linuxabc -a 10.1.2.1 -l 88.86.108.50:82
  Office computer:
  ds-server:~# edge -d n2n0 -c linuxabc -k linuxabc -a 10.1.2.2 -l 88.86.108.50:82
  Note: 88.86.108.50 is a public supernode offered for use.

Additional notes:

N2N architecture components

     Edge node: the software installed on a user's PC to join an n2n network. Almost every edge node creates a tun/tap device as its entry point into the n2n network.

   Supernode: it sets up the handshake between edge nodes, or relays data for nodes located behind firewalls. Its basic job is to register each node's network path and to route for nodes that cannot reach each other directly; nodes that can reach each other directly communicate peer to peer.


1. The publicly reachable N2N service node: supernode (the introduction/handshake server)

supernode - n2n supernode daemon
SYNOPSIS
       supernode -l <port> [-v]
DESCRIPTION
       N2N is a peer-to-peer VPN system. Supernode is a node introduction registry,
       broadcast conduit and packet relay node for the n2n system. On startup
       supernode begins listening on the specified UDP port for node registrations,
       and other packets to route. The supernode can service any number of
       communities and routes packets only between members of the same community.
       The supernode does not hold the community encryption key and so cannot
       snoop or inject packets into the community.

       Supernode can service a number of n2n communities concurrently. Traffic
       does not cross between communities.

       All logging goes to stdout.

OPTIONS
       -l <port>
              listen on the given UDP port

       -v     use verbose logging

EXAMPLES
       supernode -l 7654 -v
              Start supernode listening on UDP port 7654 with verbose output.

RESTART
       When supernode restarts it loses all registration information from
       associated edge nodes. It can take up to five minutes for the edge
       nodes to re-register and normal traffic flow to resume.

EXIT STATUS
       supernode is a daemon and any exit is an error
2. The edge communication tool (edge)

NAME
       edge - n2n edge node daemon

SYNOPSIS
       edge  [-d <tun device>] -a <tun IP address> -c <community> -k <encrypt key> -l <supernode host:port> [-p <local port>] [-u <UID>] [-g <GID>]
       [-f] [-m <MAC address>] [-t] [-r] [-v]
e.g.: edge -a <virtual IP> -c <your virtual network name> -k <password> -l <supernode IP>:<port>

DESCRIPTION
       N2N is a peer-to-peer VPN system. Edge is the edge node daemon for n2n which creates a TAP interface to expose the n2n virtual LAN. On startup n2n creates the TAP interface and configures it, then registers with the supernode so it can begin to find other nodes in the community.

OPTIONS
       -d <name>
              sets the TAP device name as seen in ifconfig.
       -a <addr>
              sets the n2n virtual LAN IP address being claimed. This is a private IP address. All IP addresses in an n2n community  should  belong
              to the same /24 network (ie. only the last segment of the IP addresses varies).
       -b     cause edge to perform hostname resolution for the supernode address each time the supernode is periodically contacted.

       -c <community>
              sets the n2n community name. All edges within the same community look to be on the same LAN (layer 2 network segment). All edges
              communicating must use the same key and community name.

       -h     write usage to tty then exit.

       -k <keystring>
              sets the twofish encryption key from ASCII text (see also N2N_KEY in ENVIRONMENT). All edges communicating must use the same key  and
              community name.

       -l <addr>:<port>
              sets the n2n supernode IP address and port to register to.

       -p <num>
              binds edge to the given UDP port. Useful for keeping the same external socket across restarts of edge.

       -u <uid>
              causes the edge process to drop to the given user ID when privileges are no longer required.

       -g <gid>
              causes the edge process to drop to the given group ID when privileges are no longer required.

       -f     causes the edge process to fork and run as a daemon, closing stdin, stdout, stderr and becoming a process group leader.

       -m <MAC>
              start  the  TAP  interface  with  the given MAC address. This is highly recommended as it means the same address will be used if edge
              stops and restarts. If this is not done, the ARP caches of all peers will be wrong and packets will not flow to this edge  until  the
              next ARP refresh.

       -M <MTU>
              set the MTU of the edge interface in bytes. MTU is the largest packet fragment size allowed to be moved through the interface. The
              default is 1400.

       -s <netmask>
              set the netmask of edge interface in IPv4 dotted decimal notation. The default is 255.255.255.0 (ie. /24).

       -t     use HTTP tunneling instead of the normal UDP mechanism (experimental).

       -r     enable packet forwarding/routing through the n2n virtual LAN. Without this option, packets arriving over n2n which are not for the -a
              <addr> IP address are dropped.

       -v     use verbose logging.

ENVIRONMENT
       N2N_KEY
              set the encryption key so it is not visible on the command line
EXAMPLES
       edge -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m DE:AD:BE:EF:01:23 -a 192.168.254.7 -p 50001 -l 123.121.120.119:7654

              Start edge with TAP device n2n0 on community "mynetwork" with community supernode at 123.121.120.119 UDP port 7654 and bind the
              locally used UDP port to 50001. Use "encryptme" as the shared encryption key. Assign MAC address DE:AD:BE:EF:01:23 to the n2n
              interface and drop to user=99 and group=99 after the TAP device is successfully configured.

       Add the -f option to make edge run as a daemon.

       Somewhere else setup another edge with similar parameters, eg.

       edge -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m DE:AD:BE:EF:01:21 -a 192.168.254.5 -p 50001 -l 123.121.120.119:7654

       Now you can ping from 192.168.254.5 to 192.168.254.7.

       The MAC address (-m <MAC>) and virtual IP address (-a <addr>) must be different on all edges in the same community.
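As an added example (not code from the original post or from n2n itself), the following POSIX shell script assembles the two edge command lines for the home/office pair from the Usage section above while applying what this man page recommends: the shared key is passed through N2N_KEY so it is not visible on the command line, each edge gets a fixed -m MAC address, and the pair is checked for distinct -a/-m values within one /24. It assumes edge honours N2N_KEY as documented; the supernode address is the public one named in the post, and the MAC addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of n2n itself.
# Builds the edge invocations for the "home / office" pair from the Usage
# section, following the edge man page: the shared key goes in N2N_KEY
# instead of -k (so it does not show up in `ps` output), each edge has a
# fixed -m MAC address, and the pair is checked against the man page's
# constraints (distinct -a and -m, all addresses in one /24).
# 88.86.108.50:82 is the public supernode named in the post; the locally
# administered MAC addresses (02:...) are constructed for this example.

SUPERNODE="88.86.108.50:82"
COMMUNITY="linuxabc"

# same_subnet24 IP1 IP2: succeed when both addresses share the first three octets
same_subnet24() {
    [ "$(printf '%s' "$1" | cut -d. -f1-3)" = "$(printf '%s' "$2" | cut -d. -f1-3)" ]
}

# check_pair IP1 MAC1 IP2 MAC2: succeed when the two edges may join one community
check_pair() {
    [ "$1" != "$3" ] || { echo "virtual IPs (-a) must differ" >&2; return 1; }
    [ "$2" != "$4" ] || { echo "MAC addresses (-m) must differ" >&2; return 1; }
    same_subnet24 "$1" "$3" || { echo "edges must share one /24" >&2; return 1; }
}

# edge_cmd DEV IP MAC: print one edge invocation. No -k: edge reads N2N_KEY.
edge_cmd() {
    printf 'edge -d %s -c %s -a %s -m %s -l %s -u 99 -g 99 -f\n' \
        "$1" "$COMMUNITY" "$2" "$3" "$SUPERNODE"
}

main() {
    HOME_IP=10.1.2.1;   HOME_MAC=02:00:00:00:00:01
    OFFICE_IP=10.1.2.2; OFFICE_MAC=02:00:00:00:00:02
    check_pair "$HOME_IP" "$HOME_MAC" "$OFFICE_IP" "$OFFICE_MAC" || return 1
    # export the key once; both edge command lines below stay free of it
    N2N_KEY="linuxabc"; export N2N_KEY
    echo "home:   $(edge_cmd n2n0 "$HOME_IP" "$HOME_MAC")"
    echo "office: $(edge_cmd n2n0 "$OFFICE_IP" "$OFFICE_MAC")"
}

main "$@"
```

Run it on each machine and execute the printed line for that machine in the same shell session, so the exported N2N_KEY is inherited by edge.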


CONFIGURATION
       All  configuration  for edge is from the command line and environment variables. If you wish to reconfigure edge you should kill the process
       and restart with the desired options.

EXIT STATUS
       edge is a daemon and any exit is an error.