
Encryption.

Open · iambenmitchell opened this issue 5 years ago • 1 comment

Hi, this is by far my favourite protocol. I am currently using Shadowsocks in my app OneProxy, which I have on the App Store; however, before that I was using this protocol.

However, it has no encryption, thus I resorted to Shadowsocks.

I am wondering if you could make an update to this project and server and add encryption.

I see in the files that you have actually mentioned encryption and that you didn't have the time to do it.

If you still don't have the time maybe you could point me in the correct direction.

iambenmitchell avatar May 30 '19 21:05 iambenmitchell

Hi Ben

Sorry for this delayed reply, and thank you for your interest in this project.

I left the encrypt/decrypt unimplemented because encryption alone can be quite a deep topic, and I am no info security expert; in this case it also involves performance (it needs to be fast and save iPhone battery life), and it is rather independent (say, if you already have a good encrypt/decrypt solution, you can plug it into this demo project easily, I hope :)).

And the entry points to plug encrypt/decrypt in are here:

  • Encrypt: https://github.com/lxdcn/NEPacketTunnelVPNDemo/blob/master/NEPacketTunnelVPNDemoTunnel/PacketTunnelProvider.swift#L21
    • This is the callback where we read packages from the device, right before we write them to tun (L24)
  • Decrypt: https://github.com/lxdcn/NEPacketTunnelVPNDemo/blob/master/NEPacketTunnelVPNDemoTunnel/PacketTunnelProvider.swift#L41
    • Conversely, this is the callback where we read from tun and write back to the device

Of course on the server we have to do the same thing, so in a nutshell:

NE extension gathers data packs --> NE extension encrypts --> send to server via tun --> server decrypts --> server redirects traffic via iptables (as far as I remember) --> server receives response data --> server encrypts --> server sends to iOS --> NE extension reads data packs --> NE extension decrypts --> NE extension forwards to iOS (other apps)

Generally the encryption process takes a chunk of binary data and converts it into another chunk of binary data (usually byte arrays in most programming languages); the input data may also need to be padded to meet length requirements, and the output data length may be different. So in this case we may need to consider data boundaries (use a separator to separate encrypt/decrypt data units).

And another key point is the key: usually symmetric encryption requires both the encrypting part and the decrypting part to share the same key (in our case the iOS end and the server end). This should happen during connection setup, based on existing authentication, making them somehow share the same piece of string. But if you just create a private app for your own usage, you can hard-code the key, I suppose :)

And if what you are creating is not for your own usage, which means you might have multiple clients (iOS) connecting to the server simultaneously: as some people have already complained in GitHub issues, the server doesn't support multiple connections. This is due to the simplicity of the server code and my laziness (no excuse, sorry). And if your app blossoms and you have tens of thousands of clients connecting to it, then handling them securely and efficiently is another deep topic, beyond the several lines of C my server demo shows.

The amount of work involved to implement the whole suite above is enormous, but like I said, the encrypt/decrypt part can be isolated; if you can find a good existing solution, that should be better.

Cheers


davlxd avatar Jun 04 '19 00:06 davlxd
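A worked sketch of the two plug-in points and the data-boundary issue discussed in the reply above. This is an added example, not code from NEPacketTunnelVPNDemo or its server; it assumes AES-256-GCM with a 32-byte key that both ends already share, and is written in Go (rather than the Swift extension or the C server) so it runs stand-alone. Each packet becomes a length-prefixed frame carrying its own nonce and tag, and the receiver hands back any frame that has not fully arrived instead of decrypting a partial one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// newAEAD turns the 32-byte key both ends share into AES-256-GCM (assumed cipher choice).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPacket encrypts one IP packet into a self-delimiting frame: 2-byte big-endian body length | nonce | ciphertext+tag.
func sealPacket(aead cipher.AEAD, packet []byte) []byte {
	nonce := make([]byte, aead.NonceSize()) // fresh per packet; rotate the key long before 2^32 packets
	rand.Read(nonce)                         // crypto/rand.Read never returns an error (Go 1.24+ contract)
	ct := aead.Seal(nil, nonce, packet, nil)
	frame := make([]byte, 2+len(nonce)+len(ct))
	binary.BigEndian.PutUint16(frame, uint16(len(nonce)+len(ct))) // IP packets fit in 16 bits (MTU ~1500)
	copy(frame[2:], nonce)
	copy(frame[2+len(nonce):], ct)
	return frame
}

// openFrames decrypts every complete frame in buf and returns the packets plus the unconsumed tail
// (a frame whose bytes have not all arrived yet; the caller keeps it and retries when more data comes).
func openFrames(aead cipher.AEAD, buf []byte) ([][]byte, []byte, error) {
	ns := aead.NonceSize()
	var packets [][]byte
	for len(buf) >= 2 && len(buf) >= 2+int(binary.BigEndian.Uint16(buf)) {
		n := int(binary.BigEndian.Uint16(buf))
		if n < ns+aead.Overhead() {
			return nil, nil, errors.New("frame shorter than nonce+tag")
		}
		body := buf[2 : 2+n]
		pt, err := aead.Open(nil, body[:ns], body[ns:], nil)
		if err != nil {
			return nil, nil, err // wrong key or tampered bytes: drop, never forward to the device
		}
		packets = append(packets, pt)
		buf = buf[2+n:]
	}
	return packets, buf, nil
}
```

The same two functions run unchanged on the server side, which is what lets the encrypt/decrypt part stay isolated from the rest of the tunnel.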