[141] | 1 | Introduction |
---|
| 2 | ============ |
---|
| 3 | etherws is an implementation of Ethernet over WebSocket tunnel |
---|
| 4 | based on Linux Universal TUN/TAP device driver. |
---|
| 5 | |
---|
[152] | 6 | How to Use |
---|
| 7 | ========== |
---|
| 8 | For example, if you want to make virtual ethernet link for *VM1* and *VM2* |
---|
| 9 | whose hypervisor's broadcast domains were split by router *R*:: |
---|
[141] | 10 | |
---|
| 11 | +------------------+ +------------------+ |
---|
| 12 | | Hypervisor1 | | Hypervisor2 | |
---|
| 13 | | +-----+ | | +-----+ | |
---|
| 14 | | | VM1 | | | | VM2 | | |
---|
| 15 | | +--+--+ | | +--+--+ | |
---|
| 16 | | | (vnet0) | | (vnet0) | | |
---|
| 17 | | +--+--+ | | +--+--+ | |
---|
| 18 | | | br0 | | | | br0 | | |
---|
| 19 | | +--+--+ | | +--+--+ | |
---|
| 20 | | | | | | | |
---|
| 21 | | (ethws0) (eth0) | | (eth0) (ethws0) | |
---|
| 22 | +----||--------+---+ +----+-------||----+ |
---|
| 23 | || | +---+ | || |
---|
| 24 | || -----+--------| R |--------+----- || |
---|
| 25 | || +---+ || |
---|
| 26 | || || |
---|
| 27 | ``======================================'' |
---|
| 28 | (Ethernet over WebSocket tunnel) |
---|
| 29 | |
---|
[152] | 30 | then you can use following commands. |
---|
[141] | 31 | |
---|
[152] | 32 | on *Hypervisor1*:: |
---|
[141] | 33 | |
---|
| 34 | # etherws server |
---|
| 35 | # brctl addbr br0 |
---|
| 36 | # brctl addif br0 vnet0 |
---|
| 37 | # brctl addif br0 ethws0 |
---|
| 38 | # ifconfig br0 up |
---|
| 39 | |
---|
[152] | 40 | on *Hypervisor2*:: |
---|
[141] | 41 | |
---|
| 42 | # etherws client --uri ws://<Hypervisor1's IP address>/ |
---|
| 43 | # brctl addbr br0 |
---|
| 44 | # brctl addif br0 vnet0 |
---|
| 45 | # brctl addif br0 ethws0 |
---|
| 46 | # ifconfig br0 up |
---|
| 47 | |
---|
[152] | 48 | If connection through the tunnel is unstable, then you may fix it |
---|
| 49 | by changing VM's MTU to under 1500, e.g.:: |
---|
[146] | 50 | |
---|
[152] | 51 | # ifconfig eth0 mtu 1400 |
---|
[144] | 52 | |
---|
[156] | 53 | Using SSL/TLS |
---|
| 54 | ============= |
---|
| 55 | etherws supports SSL/TLS connection. |
---|
[152] | 56 | If you want to encrypt the tunnel, then you can use following options. |
---|
[144] | 57 | |
---|
[156] | 58 | on *Hypervisor1*:: |
---|
[152] | 59 | |
---|
[144] | 60 | # etherws server --keyfile ssl.key --certfile ssl.crt |
---|
| 61 | |
---|
[156] | 62 | *ssl.key* is a server private key, and *ssl.crt* is a server certificate. |
---|
[144] | 63 | |
---|
[156] | 64 | Now you also can test SSL/TLS connection by following command:: |
---|
[144] | 65 | |
---|
[152] | 66 | # openssl s_client -connect <Hypervisor1's IP address>:443 |
---|
| 67 | |
---|
[156] | 68 | on *Hypervisor2*:: |
---|
| 69 | |
---|
| 70 | # etherws client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt |
---|
| 71 | |
---|
| 72 | Here, URI scheme was just changed to *wss*, and CA certificate to verify |
---|
| 73 | server certificate was specified. |
---|
| 74 | |
---|
| 75 | By the way, client verifies server certificate by default. |
---|
| 76 | So, for example, client will die with error messages if your server uses |
---|
| 77 | self-signed certificate and client uses another CA certificate. |
---|
| 78 | |
---|
| 79 | If you want to just encrypt the tunnel and do not need to verify |
---|
| 80 | certificate, then you can use following option:: |
---|
| 81 | |
---|
| 82 | # etherws client --uri wss://<Hypervisor1's IP address>/ --insecure |
---|
| 83 | |
---|
| 84 | Note: see `<http://docs.python.org/library/ssl.html#certificates>`_ |
---|
| 85 | for more information about certificates. |
---|
| 86 | |
---|
[152] | 87 | Client Authentication |
---|
| 88 | ===================== |
---|
| 89 | etherws supports HTTP Basic Authentication. |
---|
| 90 | It means you can use etherws as simple L2-VPN server/client. |
---|
| 91 | |
---|
| 92 | On server side, etherws requires user information in Apache htpasswd |
---|
| 93 | format (and currently supports SHA-1 digest only). To create this file:: |
---|
| 94 | |
---|
| 95 | # htpasswd -s -c filename username |
---|
| 96 | |
---|
| 97 | If you do not have htpasswd command, then you can use python one-liner:: |
---|
| 98 | |
---|
| 99 | # python -c 'import hashlib; print("username:{SHA}" + hashlib.sha1("password").digest().encode("base64"))' |
---|
| 100 | |
---|
| 101 | To run server with this:: |
---|
| 102 | |
---|
| 103 | # etherws server --htpasswd filename |
---|
| 104 | |
---|
| 105 | You also can test by following command:: |
---|
| 106 | |
---|
| 107 | # telnet <address> 80 |
---|
| 108 | GET / HTTP/1.1 |
---|
| 109 | |
---|
| 110 | It will return *401 Authorization Required*. |
---|
| 111 | |
---|
| 112 | On client side, etherws requires username as option, and password from |
---|
| 113 | stdin:: |
---|
| 114 | |
---|
| 115 | # etherws client --uri ws://<address>/ --user username |
---|
| 116 | Password: |
---|
| 117 | |
---|
| 118 | If authentication did not succeed, then it will die with some error messages. |
---|
| 119 | |
---|
| 120 | Note that you should not use HTTP Basic Authentication without SSL/TLS |
---|
| 121 | support, because it is insecure in itself. |
---|
| 122 | |
---|
[141] | 123 | History |
---|
| 124 | ======= |
---|
[152] | 125 | 0.3 (2012-05-17 JST) |
---|
| 126 | - client authentication support |
---|
| 127 | |
---|
[144] | 128 | 0.2 (2012-05-16 JST) |
---|
| 129 | - SSL/TLS connection support |
---|
| 130 | |
---|
| 131 | 0.1 (2012-05-15 JST) |
---|
[141] | 132 | - First release |
---|