source: etherws/trunk/README.rst @ 162

Revision 162, 4.4 KB checked in by atzm, 12 years ago (diff)
  • improve performance
  • Property svn:keywords set to Id
RevLine 
[141]1Introduction
2============
3etherws is an implementation of Ethernet over WebSocket tunnel
4based on Linux Universal TUN/TAP device driver.
5
[152]6How to Use
7==========
8For example, if you want to make virtual ethernet link for *VM1* and *VM2*
9whose hypervisor's broadcast domains were split by router *R*::
[141]10
11  +------------------+            +------------------+
12  | Hypervisor1      |            |      Hypervisor2 |
13  |  +-----+         |            |         +-----+  |
14  |  | VM1 |         |            |         | VM2 |  |
15  |  +--+--+         |            |         +--+--+  |
16  |     | (vnet0)    |            |    (vnet0) |     |
17  |  +--+--+         |            |         +--+--+  |
18  |  | br0 |         |            |         | br0 |  |
19  |  +--+--+         |            |         +--+--+  |
20  |     |            |            |            |     |
21  | (ethws0)  (eth0) |            | (eth0)  (ethws0) |
22  +----||--------+---+            +----+-------||----+
23       ||        |        +---+        |       ||
24       ||   -----+--------| R |--------+-----  ||
25       ||                 +---+                ||
26       ||                                      ||
27       ``======================================''
28            (Ethernet over WebSocket tunnel)
29
[152]30then you can use following commands.
[141]31
[152]32on *Hypervisor1*::
[141]33
34  # etherws server
35  # brctl addbr br0
36  # brctl addif br0 vnet0
37  # brctl addif br0 ethws0
38  # ifconfig br0 up
39
[152]40on *Hypervisor2*::
[141]41
42  # etherws client --uri ws://<Hypervisor1's IP address>/
43  # brctl addbr br0
44  # brctl addif br0 vnet0
45  # brctl addif br0 ethws0
46  # ifconfig br0 up
47
[162]48Additionally, you may improve performance by increasing MTU.
49For example,
[146]50
[162]51on each hypervisor::
[144]52
[162]53 # ifconfig vnet0 mtu 16436
54 # ifconfig ethws0 mtu 16436
55
56on each VM::
57
58 # ifconfig eth0 mtu 16436
59
[156]60Using SSL/TLS
61=============
62etherws supports SSL/TLS connection.
[152]63If you want to encrypt the tunnel, then you can use following options.
[144]64
[156]65on *Hypervisor1*::
[152]66
[144]67  # etherws server --keyfile ssl.key --certfile ssl.crt
68
[156]69*ssl.key* is a server private key, and *ssl.crt* is a server certificate.
[144]70
[156]71Now you also can test SSL/TLS connection by following command::
[144]72
[152]73  # openssl s_client -connect <Hypervisor1's IP address>:443
74
[156]75on *Hypervisor2*::
76
77  # etherws client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt
78
79Here, URI scheme was just changed to *wss*, and CA certificate to verify
80server certificate was specified.
81
82By the way, client verifies server certificate by default.
83So, for example, client will die with error messages if your server uses
84self-signed certificate and client uses another CA certificate.
85
86If you want to just encrypt the tunnel and do not need to verify
87certificate, then you can use following option::
88
89  # etherws client --uri wss://<Hypervisor1's IP address>/ --insecure
90
[158]91Note: see `<http://docs.python.org/library/ssl.html>`_
[156]92for more information about certificates.
93
[152]94Client Authentication
95=====================
96etherws supports HTTP Basic Authentication.
97It means you can use etherws as simple L2-VPN server/client.
98
99On server side, etherws requires user information in Apache htpasswd
100format (and currently supports SHA-1 digest only). To create this file::
101
102  # htpasswd -s -c filename username
103
104If you do not have htpasswd command, then you can use python one-liner::
105
106  # python -c 'import hashlib; print("username:{SHA}" + hashlib.sha1("password").digest().encode("base64"))'
107
108To run server with this::
109
110  # etherws server --htpasswd filename
111
112You also can test by following command::
113
114  # telnet <address> 80
115  GET / HTTP/1.1
116
117It will return *401 Authorization Required*.
118
[160]119On client side, etherws requires username from option, and password from
120option or stdin::
[152]121
[160]122  # etherws client --uri ws://<address>/ --user username --passwd password
[152]123  # etherws client --uri ws://<address>/ --user username
124  Password:
125
126If authentication did not succeed, then it will die with some error messages.
127
128Note that you should not use HTTP Basic Authentication without SSL/TLS
129support, because it is insecure in itself.
130
[141]131History
132=======
[162]1330.6 (2012-06-16 JST)
134  - improve performance
135
[160]1360.5 (2012-05-20 JST)
137  - added passwd option to client mode
138  - fixed bug: basic authentication password cannot contain colon
139  - fixed bug: client loops meaninglessly even if server stops
140
[158]1410.4 (2012-05-19 JST)
142  - server certificate verification support
143
[152]1440.3 (2012-05-17 JST)
145  - client authentication support
146
[144]1470.2 (2012-05-16 JST)
148  - SSL/TLS connection support
149
1500.1 (2012-05-15 JST)
[141]151  - First release
Note: See TracBrowser for help on using the repository browser.