source: etherws/trunk/README.rst @ 152

Revision 152, 3.4 KB checked in by atzm, 12 years ago (diff)
  • modify document
  • Property svn:keywords set to Id

Introduction

etherws is an implementation of Ethernet over WebSocket tunnel based on Linux Universal TUN/TAP device driver.

How to Use

For example, if you want to make virtual ethernet link for VM1 and VM2 whose hypervisor's broadcast domains were split by router R:

+------------------+            +------------------+
| Hypervisor1      |            |      Hypervisor2 |
|  +-----+         |            |         +-----+  |
|  | VM1 |         |            |         | VM2 |  |
|  +--+--+         |            |         +--+--+  |
|     | (vnet0)    |            |    (vnet0) |     |
|  +--+--+         |            |         +--+--+  |
|  | br0 |         |            |         | br0 |  |
|  +--+--+         |            |         +--+--+  |
|     |            |            |            |     |
| (ethws0)  (eth0) |            | (eth0)  (ethws0) |
+----||--------+---+            +----+-------||----+
     ||        |        +---+        |       ||
     ||   -----+--------| R |--------+-----  ||
     ||                 +---+                ||
     ||                                      ||
     ``======================================''
          (Ethernet over WebSocket tunnel)

then you can use following commands.

on Hypervisor1:

# etherws server
# brctl addbr br0
# brctl addif br0 vnet0
# brctl addif br0 ethws0
# ifconfig br0 up

on Hypervisor2:

# etherws client --uri ws://<Hypervisor1's IP address>/
# brctl addbr br0
# brctl addif br0 vnet0
# brctl addif br0 ethws0
# ifconfig br0 up

If connection through the tunnel is unstable, then you may fix it by changing VM's MTU to under 1500, e.g.:

# ifconfig eth0 mtu 1400

Tunnel Encryption

etherws supports SSL/TLS connection (but client does not verify server certificates). If you want to encrypt the tunnel, then you can use following options.

on Hypervisor1 (options keyfile and certfile were specified):

# etherws server --keyfile ssl.key --certfile ssl.crt

on Hypervisor2 (option uri's scheme was changed to wss):

# etherws client --uri wss://<Hypervisor1's IP address>/

You also can test by following command:

# openssl s_client -connect <Hypervisor1's IP address>:443

Client Authentication

etherws supports HTTP Basic Authentication. It means you can use etherws as simple L2-VPN server/client.

On server side, etherws requires user information in Apache htpasswd format (and currently supports SHA-1 digest only). To create this file:

# htpasswd -s -c filename username

If you do not have htpasswd command, then you can use python one-liner:

# python -c 'import hashlib; print("username:{SHA}" + hashlib.sha1("password").digest().encode("base64"))'

To run server with this:

# etherws server --htpasswd filename

You also can test by following command:

# telnet <address> 80
GET / HTTP/1.1

It will return 401 Authorization Required.

On client side, etherws requires username as option, and password from stdin:

# etherws client --uri ws://<address>/ --user username
Password:

If authentication did not succeed, then it will die with some error messages.

Note that you should not use HTTP Basic Authentication without SSL/TLS support, because it is insecure in itself.

History

0.3 (2012-05-17 JST)
  • client authentication support
0.2 (2012-05-16 JST)
  • SSL/TLS connection support
0.1 (2012-05-15 JST)
  • First release
Note: See TracBrowser for help on using the repository browser.