Introduction
============
etherws is an implementation of an Ethernet over WebSocket tunnel
based on the Linux Universal TUN/TAP device driver.

How to Use
==========
For example, if you want to make a virtual Ethernet link between *VM1* and *VM2*,
whose hypervisors' broadcast domains are separated by router *R*::

    +------------------+                 +------------------+
    |   Hypervisor1    |                 |   Hypervisor2    |
    |     +-----+      |                 |      +-----+     |
    |     | VM1 |      |                 |      | VM2 |     |
    |     +--+--+      |                 |      +--+--+     |
    |        | (vnet0) |                 | (vnet0) |        |
    |     +--+--+      |                 |      +--+--+     |
    |     | br0 |      |                 |      | br0 |     |
    |     +--+--+      |                 |      +--+--+     |
    |        |         |                 |         |        |
    | (ethws0)  (eth0) |                 | (eth0)  (ethws0) |
    +----||--------+---+                 +----+-------||----+
         ||        |          +---+           |       ||
         ||   -----+----------| R |-----------+-----  ||
         ||                   +---+                   ||
         ||                                           ||
         ``===========================================''
                    (Ethernet over WebSocket tunnel)

then you can use the following commands.

on *Hypervisor1*::

    # etherws --device ethws0 server
    # brctl addbr br0
    # brctl addif br0 vnet0
    # brctl addif br0 ethws0
    # ifconfig br0 up

on *Hypervisor2*::

    # etherws --device ethws0 client --uri ws://<Hypervisor1's IP address>/
    # brctl addbr br0
    # brctl addif br0 vnet0
    # brctl addif br0 ethws0
    # ifconfig br0 up

Note that in this basic setup the tunnel runs over plain *ws* with no client
authentication, so any host that can reach Hypervisor1's WebSocket port can
attach itself to the bridged segment; see the SSL/TLS and Client
Authentication sections below before exposing the server beyond a trusted
network.

Additionally, you may improve performance by increasing the MTU. Because the
tunnel carries the frames inside a TCP (WebSocket) stream, the inner MTU is not
bound by the MTU of the physical path between the hypervisors; it only has to
be consistent on every interface of the bridged segment (vnet0, ethws0 and the
VM's eth0). For example,

on each hypervisor::

    # ifconfig vnet0 mtu 16436
    # ifconfig ethws0 mtu 16436

on each VM::

    # ifconfig eth0 mtu 16436

Using SSL/TLS
=============
etherws supports SSL/TLS connections. Without them, the tunneled Ethernet
frames (and any Basic Authentication credentials) cross the network in the clear.
If you want to encrypt tunnels, you can use the following options.

on *Hypervisor1*::

    # etherws --device ethws0 server --keyfile ssl.key --certfile ssl.crt

*ssl.key* is the server private key, and *ssl.crt* is the server certificate.

Now you can also test the SSL/TLS connection with the following command::

    # openssl s_client -connect <Hypervisor1's IP address>:443

If *ssl.crt* is self-signed, pass it as the trust anchor with
``-CAfile ssl.crt`` and check that the output ends with
``Verify return code: 0 (ok)``; that is the same trust decision the client
below makes with ``--cacerts``.

on *Hypervisor2*::

    # etherws --device ethws0 client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt

Here, the URI scheme was changed to *wss*, and the CA certificate used to
verify the server certificate was specified.

Note that the client verifies the server certificate by default.
So, for example, the client will die with error messages if your server uses a
self-signed certificate and the client is given a different CA certificate.

If you only want to encrypt tunnels and do not need to verify the
certificate, you can use the following option::

    # etherws --device ethws0 client --uri wss://<Hypervisor1's IP address>/ --insecure

With ``--insecure`` the traffic is still encrypted, but the client cannot tell
the real server from an attacker on the path who presents a certificate of his
own, so it protects only against passive eavesdropping. Prefer ``--cacerts``
wherever you can distribute the server certificate to the clients.

Note: see `<http://docs.python.org/library/ssl.html>`_
for more information about certificates.

Client Authentication
=====================
etherws supports HTTP Basic Authentication.
It means you can use etherws as a simple L2-VPN server/client. Keep in mind
that an authenticated client becomes a port on the same Ethernet segment as
the VMs, so these credentials gate everything reachable at layer 2 on it.

On the server side, etherws requires user information in Apache htpasswd
format (and currently supports the SHA-1 digest only). To create this file::

    # htpasswd -s -c filename username

If you do not have the htpasswd command, you can use a Python one-liner
(this form runs on both Python 2 and 3; a ``{SHA}`` entry is the base64 of
the raw, unsalted SHA-1 digest of the password)::

    # python -c 'import base64, hashlib; print("username:{SHA}" + base64.b64encode(hashlib.sha1(b"password").digest()).decode())'

Note that ``-c`` overwrites an existing file, and that because the ``{SHA}``
scheme is unsalted, equal passwords yield equal entries; keep the file
readable by the etherws server only.

To run the server with this::

    # etherws --device ethws0 server --htpasswd filename

You can also test with the following command (end the request with an
empty line)::

    # telnet <address> 80
    GET / HTTP/1.1

It will return *401 Authorization Required*.

On the client side, etherws requires the username from an option, and the
password from an option or from stdin::

    # etherws --device ethws0 client --uri ws://<address>/ --user username --passwd password
    # etherws --device ethws0 client --uri ws://<address>/ --user username
    Password:

If authentication does not succeed, the client will die with error messages.

Note that you should not use HTTP Basic Authentication without SSL/TLS,
because Basic Authentication only base64-encodes the credentials: anyone who
can observe the connection can recover them. Use a *wss* URI together with
``--cacerts``. Prefer entering the password on stdin as well, since a
``--passwd`` argument is visible to every local user in the process list.

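The following is an added example, not etherws' own code (the function names and the sample htpasswd contents are the author's), showing what a server that accepts ``--htpasswd`` has to do with ``{SHA}`` entries: build them the way ``htpasswd -s`` does, parse the file, and check an ``Authorization: Basic`` header with a constant-time comparison, splitting the decoded token at the first colon only so that passwords containing colons work (the bug the 0.5 release notes mention). It uses only the Python standard library and runs offline:

```python
"""Verify HTTP Basic credentials against an Apache htpasswd file with {SHA}
entries, the format etherws' --htpasswd option reads.  Added example; not
etherws' own code.  Function names are the author's, not etherws APIs."""
import base64
import hashlib
import hmac


def sha_entry(username, password):
    """One htpasswd line in {SHA} form: base64 of the raw, unsalted SHA-1
    digest of the password (what ``htpasswd -s`` produces)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (username, base64.b64encode(digest).decode("ascii"))


def load_htpasswd(text):
    """Parse htpasswd text into {username: "{SHA}..."}.  The first colon
    separates the fields; the encoded hash itself never contains one."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        users[name] = stored
    return users


def check_password(users, username, password):
    """True iff username exists and its {SHA} entry matches password.
    Unknown users and unsupported schemes fail; comparison is constant-time."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = sha_entry(username, password).partition(":")[2]
    return hmac.compare_digest(stored.encode("ascii"), expected.encode("ascii"))


def check_authorization_header(users, header_value):
    """Validate the value of an ``Authorization: Basic <b64>`` header.
    The decoded token is split at the FIRST colon only, so the password part
    may itself contain colons."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return False
    username, sep, password = decoded.partition(":")
    if not sep:
        return False
    return check_password(users, username, password)


def basic_header(username, password):
    """The header value a client sends for these credentials (constructed)."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample htpasswd contents; not from any real deployment.
SAMPLE_HTPASSWD = "\n".join([
    sha_entry("alice", "correct horse"),
    sha_entry("bob", "pa:ss:word"),        # password containing colons
    "carol:$apr1$notsupported",            # non-{SHA} entry: must be rejected
])


if __name__ == "__main__":
    users = load_htpasswd(SAMPLE_HTPASSWD)
    print(sha_entry("username", "password"))
    for name, pw in [("alice", "correct horse"), ("bob", "pa:ss:word"),
                     ("bob", "pa"), ("carol", "anything")]:
        print(name, check_authorization_header(users, basic_header(name, pw)))
```

Because the digest is unsalted, anyone who reads the file can test candidate passwords against every entry at once; the file's permissions, and TLS on the wire, are what protect these credentials.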

Complex Examples
================
etherws has a simple virtual Ethernet switch in itself, and it can handle multiple
TAP interfaces or WebSocket connections as virtual switch ports::

    (A)# etherws --device ethws0 --device ethws1 --device ethws2 server
    (B)# etherws --device ethws0 server
    (C)# etherws --device ethws0 --device ethws1 client --uri ws://x.x.x.x/
    (D)# etherws --device ethws0 client --uri ws://x.x.x.x/ --uri ws://y.y.y.y/

This will create the following network::

      (ethws0) (ethws1)  (ethws2)                (ethws0)
          |        |         |                       |
    +-----+--------+---------+-----+        +--------+--------+
    |          server (A)          |        |   server (B)    |
    |       (ws://x.x.x.x/)        |        | (ws://y.y.y.y/) |
    +-----+------------------+-----+        +-----+-----------+
          |                  |                    |
          |   (WebSocket)    |    +---------------+
          |                  |    |
    +-----+--------+  +-------+----+--+
    | client (C)  |  |  client (D)   |
    +--+--------+--+  +-------+-------+
       |        |            |
    (ethws0) (ethws1)     (ethws0)

You can also put 802.1Q VLAN interfaces on top of a TAP interface created by
etherws, using the vconfig command and so on; the tags travel through the
tunnel as part of the Ethernet frame.

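To make the switching semantics concrete, here is an added example of a learning switch in Python. It is not etherws' code; the port names, MAC addresses and frames are constructed for the demonstration. It learns source MACs per port, floods broadcast, multicast and unknown destinations to every other port, forwards known unicast to a single port, and goes a little beyond the text in two ways a practitioner cares about: it caps the table so a peer cannot exhaust memory with random source addresses, and it shows that a peer on any port can hijack another host's MAC by spoofing it, which is why the TLS and client-authentication options above matter for every port of such a switch:

```python
"""Minimal learning Ethernet switch (added example, not etherws' own code).
Ports are just names, e.g. TAP devices or WebSocket peers."""
import struct

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType


def mac(s):
    """'02:00:00:00:00:01' -> 6 raw bytes (helper for constructed frames)."""
    return bytes.fromhex(s.replace(":", ""))


def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame with a minimal payload."""
    return ETH_HDR.pack(mac(dst), mac(src), ethertype) + payload


def parse_frame(data):
    """Return (dst, src, ethertype) of an Ethernet II frame; reject runts."""
    if len(data) < ETH_HDR.size:
        raise ValueError("runt frame: %d bytes" % len(data))
    return ETH_HDR.unpack_from(data)


def is_multicast(addr):
    """Group bit of the first octet; broadcast and multicast are flooded."""
    return bool(addr[0] & 0x01)


class LearningSwitch:
    def __init__(self, ports, max_entries=1024):
        self.ports = list(ports)
        self.max_entries = max_entries
        self.table = {}                  # src MAC -> port it was last seen on

    def handle(self, in_port, data):
        """Learn the source address, then return the list of output ports."""
        dst, src, _ = parse_frame(data)
        if in_port not in self.ports:
            raise KeyError("unknown port %r" % in_port)
        # Learning.  A peer that sends with another host's source MAC simply
        # moves the entry, so every port is exposed to every other port.  The
        # cap keeps one peer from exhausting the table with random sources
        # (MAC flooding); a real switch would also age entries out.
        if not is_multicast(src) and (src in self.table
                                      or len(self.table) < self.max_entries):
            self.table[src] = in_port
        if is_multicast(dst) or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood, never back
        out = self.table[dst]
        return [] if out == in_port else [out]               # same-port filter


def demo():
    """Three-port switch walked through learn / flood / forward / spoof."""
    sw = LearningSwitch(["ethws0", "ethws1", "ws://x.x.x.x/"])
    vm1, vm2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    steps = []
    # 1. VM1 broadcasts (ARP request): flooded to both other ports, VM1 learned.
    steps.append(sw.handle("ethws0", frame("ff:ff:ff:ff:ff:ff", vm1, 0x0806)))
    # 2. VM2 answers from the WebSocket port: VM1 is known, so one output port.
    steps.append(sw.handle("ws://x.x.x.x/", frame(vm1, vm2, 0x0806)))
    # 3. VM1 -> VM2 now goes to exactly the WebSocket port.
    steps.append(sw.handle("ethws0", frame(vm2, vm1)))
    # 4. A host on ethws1 spoofs VM2's source MAC; the table follows it, so
    #    VM1's next frame for VM2 is delivered to ethws1 instead.
    steps.append(sw.handle("ethws1", frame(vm1, vm2)))
    steps.append(sw.handle("ethws0", frame(vm2, vm1)))
    return steps


if __name__ == "__main__":
    for i, out in enumerate(demo(), 1):
        print("step %d -> %s" % (i, out))
```

Step 4 is the point to remember when etherws is used as an L2-VPN: there is no port security in a plain learning switch, so whoever holds a valid client credential (or can connect at all, if none is required) can redirect traffic for any MAC on the segment.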

History
=======
0.7 (2012-06-29 JST)
- switching support
- multiple ports support

0.6 (2012-06-16 JST)
- improve performance

0.5 (2012-05-20 JST)
- added passwd option to client mode
- fixed bug: basic authentication password cannot contain colon
- fixed bug: client loops meaninglessly even if server stops

0.4 (2012-05-19 JST)
- server certificate verification support

0.3 (2012-05-17 JST)
- client authentication support

0.2 (2012-05-16 JST)
- SSL/TLS connection support

0.1 (2012-05-15 JST)
- First release