Comments (5)

RalfJung commented on July 3, 2024

Tunneldigger is using l2tp for the "data plane", but implementing its own control logic. It uses a custom protocol to negotiate an l2tp connection, but once that is set up, the kernel is doing the rest and tunneldigger is no longer involved.

l2tp/Tunneldigger provide no encryption or authentication. You could try using IPsec for this. But at that point it might be easier to just use Wireguard instead of l2tp/Tunneldigger.

from tunneldigger.

CodingSpiderFox commented on July 3, 2024

OK, I thought L2TP would encrypt by default? Why would anyone not want to encrypt tunnels?

RalfJung commented on July 3, 2024

L2TP does not support encryption; you need to either use it over an encrypted link or put an encrypted link into it.

Our use case for Tunneldigger is the Freifunk community-run open Wifi network. The Wifi network itself is unencrypted, and the network is open so anyone can join and start doing MITM on the user traffic. Thus the additional security obtained by encrypting the l2tp link is tiny -- it does not help against any reasonable attacker model I can imagine. If the attacker is inside your layer 2 network, encrypting the transport does nothing for you -- you as the user need to use encrypted links such as https anyway.

mitar commented on July 3, 2024

> you as the user need to use encrypted links such as https anyway.

Yes, in general you should not be trusting your network provider, open or closed one, and should do end-to-end encryption yourself.

There is another more practical reason for not using encryption by default: it consumes a lot of CPU and some off-the-shelf routing equipment we run things on would choke doing encryption at speeds their links might be. So, given that there is little benefit of encrypting links and that encryption should be done end-to-end anyway, this is not done.

But if you want, you can use IPsec on top of these links. Tunneldigger supports hooks so that you can run a script to configure that inside the tunnel.

RalfJung commented on July 3, 2024

This is not an actionable issue or something wrong with the software, so I am going to close it.
