Introduction
============
etherws is an implementation of an Ethernet over WebSocket tunnel
based on the Linux Universal TUN/TAP device driver.

How to Use
==========
For example, if you want to create a virtual Ethernet link between *VM1* and
*VM2*, whose hypervisors' broadcast domains are split by router *R*::

  +------------------+            +------------------+
  |   Hypervisor1    |            |   Hypervisor2    |
  |  +-----+         |            |         +-----+  |
  |  | VM1 |         |            |         | VM2 |  |
  |  +--+--+         |            |         +--+--+  |
  |     | (vnet0)    |            |    (vnet0) |     |
  |  +--+--+         |            |         +--+--+  |
  |  | br0 |         |            |         | br0 |  |
  |  +--+--+         |            |         +--+--+  |
  |     |            |            |            |     |
  | (ethws0)  (eth0) |            | (eth0)  (ethws0) |
  +----||--------+---+            +----+-------||----+
       ||        |        +---+        |       ||
       ||   -----+--------| R |--------+-----  ||
       ||                 +---+                ||
       ||                                      ||
       ``======================================''
            (Ethernet over WebSocket tunnel)

then you can use the following commands.

On *Hypervisor1*::

  # etherws server
  # brctl addbr br0
  # brctl addif br0 vnet0
  # brctl addif br0 ethws0
  # ifconfig br0 up

On *Hypervisor2*::

  # etherws client --uri ws://<Hypervisor1's IP address>/
  # brctl addbr br0
  # brctl addif br0 vnet0
  # brctl addif br0 ethws0
  # ifconfig br0 up

If the connection through the tunnel is unstable, you may be able to fix it
by lowering the VM's MTU below 1500, e.g.::

  # ifconfig eth0 mtu 1400

Tunnel Encryption
=================
etherws supports SSL/TLS connections (but the client does not verify server
certificates, so the tunnel is encrypted while the server's identity is not
authenticated).
If you want to encrypt the tunnel, you can use the following options.

On *Hypervisor1* (options *keyfile* and *certfile* are specified)::

  # etherws server --keyfile ssl.key --certfile ssl.crt

On *Hypervisor2* (the scheme of option *uri* is changed to *wss*)::

  # etherws client --uri wss://<Hypervisor1's IP address>/

You can also test with the following command::

  # openssl s_client -connect <Hypervisor1's IP address>:443

Client Authentication
=====================
etherws supports HTTP Basic Authentication.
This means you can use etherws as a simple L2-VPN server/client.

On the server side, etherws requires user information in Apache htpasswd
format (and currently supports SHA-1 digest only). To create this file::

  # htpasswd -s -c filename username

If you do not have the htpasswd command, you can use a Python one-liner::

  # python -c 'import base64, hashlib; print("username:{SHA}" + base64.b64encode(hashlib.sha1(b"password").digest()).decode())'

To run the server with this file::

  # etherws server --htpasswd filename

You can also test with the following command::

  # telnet <address> 80
  GET / HTTP/1.1

It will return *401 Authorization Required*.

On the client side, etherws requires the username as an option and reads the
password from stdin::

  # etherws client --uri ws://<address>/ --user username
  Password:

If authentication does not succeed, the client will die with some error messages.

Note that you should not use HTTP Basic Authentication without SSL/TLS
support, because it is insecure in itself: the credentials are only
base64-encoded, not encrypted.

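The following is an added example, not etherws's own code: one way a server
could check an ``Authorization: Basic`` header against ``{SHA}`` htpasswd
entries like those created above. The function names and the sample
credentials are assumptions made up for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Added illustration, not etherws code; all names here are hypothetical.
# Constructed sample file: "alice" has a {SHA} entry, "bob" an unsupported scheme.
SAMPLE_HTPASSWD = (
    "alice:{SHA}" + base64.b64encode(hashlib.sha1(b"s3cret").digest()).decode() + "\n"
    "bob:$apr1$constructed$unsupported\n"
)


def load_htpasswd(text):
    """Return {username: raw SHA-1 digest} for the {SHA} entries in text."""
    users = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if not sep or not value.startswith("{SHA}"):
            continue  # blank line, comment, or unsupported hash scheme
        try:
            digest = base64.b64decode(value[5:], validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed base64 after the {SHA} prefix
        if len(digest) == hashlib.sha1().digest_size:
            users[name] = digest
    return users


def check_basic_auth(header, users):
    """Return the authenticated username, or None (caller answers 401)."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
        name, sep, password = decoded.partition(b":")
        name = name.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # Hash and compare even for unknown users, in constant time.
    expected = users.get(name, b"\x00" * 20)
    matches = hmac.compare_digest(hashlib.sha1(password).digest(), expected)
    return name if sep and matches and name in users else None


def basic_header(user, password):
    """Build the header a client sends; it is base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The last function shows why the note above matters: anyone who can read the
request can reverse the header with a single base64 decode.
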
History
=======
0.3 (2012-05-17 JST)
  - client authentication support

0.2 (2012-05-16 JST)
  - SSL/TLS connection support

0.1 (2012-05-15 JST)
  - First release