User:Milunj

Embedded VPN
EmbeddedVPN is a free and open source software application that implements virtual private network (VPN) solutions for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It offers three encryption modes, None (no encryption), Blowfish and AES, and is capable of traversing network address translators (NATs) and firewalls. It was designed for embedded devices with limited memory and MIPS resources that run with or without an OS. The Windows implementation uses many open source files from sourceforge.net under GPL licenses, while the embedded VPN clients do not contain a single line of GPL-licensed code. It was designed and written by Milun Jovanovic.

Introduction
The Windows package consists of one binary for both client and server connections, with mandatory server and client configuration files. The VPN clients on embedded devices can run on any real-time OS; they require only a simple socket API with a driver for the Ethernet chip on the target OS. The full description of the application can be found on EmbeddedVPN.

Authentication
EmbeddedVPN authentication is based on a modified GSM authentication model. It uses two challenge strings sent by the server in combination with the standardized MD5 digest algorithm and the AES/Blowfish encryption algorithms.

Every time a client wants to authenticate itself to the VPN server, the server sends two random strings which never repeat. The first challenge string, RAND1, is used together with the VPN client's hidden password as input to the MD5 digest algorithm; the output is the Signature Response. The second challenge string, RAND2, is used with the hidden password to generate the Encryption Key. The Signature Response is then encrypted with the Encryption Key and sent to the server for authentication. The encryption algorithm can be Blowfish or AES. GSM authentication uses two algorithms (A3 and A8) with one challenge string, while EmbeddedVPN uses one MD5 digest with AES/Blowfish and two challenge strings.

The majority of embedded TCP/IP stacks support the freely available MD5 digest algorithm (IETF RFC 1321). It is also used in 95% of GPRS/CDMA networks in the world for peer authentication (CHAP MD5). Because of this prevalence it is used as part of peer authentication in the EmbeddedVPN solution. The strength of EmbeddedVPN authentication is based on the cumulative complexity of the MD5 and Blowfish/AES algorithms.
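The two-challenge exchange described above, modelled as an added example in Go (not EmbeddedVPN's own code, which targets embedded C). The page does not fix the exact derivations, so SRES = MD5(RAND1 || password) and the AES-128 key = MD5(RAND2 || password) are assumptions of this example; AES is chosen over Blowfish only because Go's standard library provides it.

```go
package main

import (
	"crypto/aes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
)

// Challenge carries the two fresh random strings the server sends per login.
type Challenge struct{ Rand1, Rand2 []byte }

// newChallenge draws RAND1 and RAND2 from the OS CSPRNG on the server side.
func newChallenge() (Challenge, error) {
	c := Challenge{Rand1: make([]byte, 16), Rand2: make([]byte, 16)}
	if _, err := rand.Read(c.Rand1); err != nil {
		return Challenge{}, err
	}
	_, err := rand.Read(c.Rand2)
	return c, err
}

// mixMD5 returns MD5(challenge || password). MD5 is what the page specifies;
// the concatenation order is an assumption of this example.
func mixMD5(challenge, password []byte) []byte {
	sum := md5.Sum(append(append([]byte{}, challenge...), password...))
	return sum[:]
}

// clientRespond is the client side: SRES = mixMD5(RAND1, password) is
// encrypted as one AES-128 block under the key mixMD5(RAND2, password).
func clientRespond(c Challenge, password []byte) ([]byte, error) {
	block, err := aes.NewCipher(mixMD5(c.Rand2, password))
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, mixMD5(c.Rand1, password))
	return out, nil
}

// serverVerify recomputes the expected ciphertext from the password it holds
// for this client and compares it in constant time.
func serverVerify(c Challenge, response, password []byte) bool {
	expected, err := clientRespond(c, password)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}
```

Because both challenges change on every login, a response captured from one session is rejected when replayed against the next one.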

Encryption
The EmbeddedVPN server allows simultaneous VPN sessions with clients using, in parallel, non-encrypted tunnels, Blowfish tunnels with key length 32, Blowfish tunnels with key length 64 and AES tunnels. Every VPN client requests its encryption type during the authentication process according to the availability of encryption algorithms on the embedded client side. EmbeddedVPN is a client-oriented VPN. In non-encrypted mode the size of the VPN client is only 16 kB.

Networking
EmbeddedVPN can run over UDP or TCP, multiplexing all created tunnels on a single TCP/UDP port. It works well through NAT and out through firewalls. EmbeddedVPN can use two different data link layer interface types for networking: Ethernet and TUN.

EmbeddedVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced "business grade" service tier.

The VPN clients always receive the same virtual IP address regardless of their physical IP address.

Security
EmbeddedVPN encrypts data at the TCP/UDP layer of the OSI model and uses an encrypted Ethernet CRC32 checksum to check the integrity of received data. It runs in userspace without any modification of the IP header. Besides the encrypted CRC32 checksum, EmbeddedVPN adds extra bytes carrying the sequence number of the current packet, with the aim of dropping duplicated packets.

Implementation
The EmbeddedVPN client has so far been ported to pSOS, VxWorks, TI BIOS ... The Windows source code (GPL contaminated) is not portable, and a new client must be developed for any other OS. It takes about one engineering day to have runnable client code on an embedded device.