This is a VPN device design project that uses the SigmaVPN application as the base VPN solution. SigmaVPN is modified to build a VPN device that uses cryptographic hardware acceleration to execute the expensive cryptographic operations in a short time and so maximize the communication bandwidth. In addition, the device works with two Ethernet ports: one is the public port and the other is the private port.
A Virtual Private Network (VPN) encrypts and decrypts the private traffic it tunnels over a public network. Maximizing the available bandwidth is an important requirement for network applications, but the cryptographic operations add significant computational load to VPN applications, limiting the network throughput. This work presents a coprocessor designed to offer hardware acceleration for these encryption and decryption operations. The open-source SigmaVPN application is used as the base solution, and a coprocessor is designed for the parts of the Networking and Cryptography library (NaCl) that underlie the cryptographic operations of SigmaVPN. The hardware-software codesign of this work is implemented on a Xilinx Zynq-7000 SoC. It shows a 93% reduction in the execution time of encrypting a 1024-byte frame, which improves the TCP and UDP communication bandwidths by factors of 4.36 and 5.36 respectively for 1024-byte frames compared to a pure software solution.
This work is completed as a Master Thesis project in KU Leuven - ESAT / COSIC.
The device is implemented on a Zynq SoC, which consists of a Processing System (PS) and Programmable Logic (PL). The PS is the dual-core ARM Cortex-A9 processor on which Linux and SigmaVPN run; the PL is the FPGA fabric on which the hardware acceleration for the cryptographic operations is implemented.
The device is configured to operate with two ports, named the public and private ports. The private port listens to every packet arriving at the device, i.e. all TCP, UDP, DHCP, ARP, ... frames. All unicast or broadcast frames received on the private port are encrypted and transmitted to the peer device over the public port. The private port is implemented by a new network interface module that reads Ethernet frames promiscuously using the libpcap packet-capture library.
In this scheme, all frames arriving at the private sides of the two VPN devices are forwarded to each other, so the PCs or subnetworks connected to the private sides of the VPN pair communicate with each other as if they were physically connected, while the packets travelling between the two private sides are transferred over the Internet under encryption.
The hardware acceleration is provided for NaCl's CryptoBox (crypto_box), which underlies the cryptographic operations of SigmaVPN. A new module added to SigmaVPN makes it use the NaCl CryptoBox coprocessor implemented in the PL through the provided device driver.
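The following is an added example, not code from the page, from SigmaVPN or from NaCl. It shows the unit of work the coprocessor accelerates for each frame captured on the private port: the crypto_box encrypt-then-MAC framing (tag || ciphertext, as crypto_box_easy lays it out), with the tag verified in constant time before any plaintext is produced. Poly1305 is implemented as NaCl defines it. Two pieces are assumptions of the example: the XSalsa20 keystream is replaced by a SHAKE256(key || nonce) keystream so the file runs with the standard library only (the output is therefore not interoperable with NaCl and the stand-in is not a vetted cipher), and the public-side datagram layout nonce || tag || ciphertext is a choice of this example, since the page does not give SigmaVPN's exact wire format. The 32-byte shared key stands for the result of the X25519 key agreement (crypto_box_beforenm), which is not reproduced.

```python
"""Added example: crypto_box-style framing of one captured Ethernet frame.

Poly1305 follows NaCl/RFC 7539. The XSalsa20 keystream is replaced by
SHAKE256(key || nonce) purely to stay in the standard library; this is NOT
interoperable with NaCl and not a vetted cipher. The datagram layout
nonce || tag || ciphertext is an assumption of this example.
"""
import hashlib
import hmac
import os

NONCE_BYTES = 24  # crypto_box_NONCEBYTES
KEY_BYTES = 32    # crypto_box_BEFORENMBYTES: shared key after key agreement
TAG_BYTES = 16    # crypto_box_MACBYTES: Poly1305 authenticator

P1305 = (1 << 130) - 5
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305(onetime_key: bytes, msg: bytes) -> bytes:
    """One-time authenticator over msg (NaCl crypto_onetimeauth)."""
    r = int.from_bytes(onetime_key[:16], "little") & CLAMP
    s = int.from_bytes(onetime_key[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # each block is a little-endian number with a single 1 bit appended
        n = int.from_bytes(block, "little") + (1 << (8 * len(block)))
        acc = ((acc + n) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for XSalsa20(key, nonce): deterministic, stdlib-only, not NaCl."""
    return hashlib.shake_256(key + nonce).digest(length)


def box_easy(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Seal: returns tag || ciphertext, the crypto_box_easy output layout."""
    ks = keystream(key, nonce, 32 + len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks[32:]))
    # first 32 keystream bytes are the one-time Poly1305 key; MAC covers ciphertext
    tag = poly1305(ks[:32], ciphertext)
    return tag + ciphertext


def box_open_easy(key: bytes, nonce: bytes, boxed: bytes):
    """Open: verify the tag in constant time BEFORE touching the ciphertext.
    Returns the plaintext, or None if the box is forged, damaged or truncated."""
    if len(boxed) < TAG_BYTES:
        return None
    tag, ciphertext = boxed[:TAG_BYTES], boxed[TAG_BYTES:]
    ks = keystream(key, nonce, 32 + len(ciphertext))
    if not hmac.compare_digest(tag, poly1305(ks[:32], ciphertext)):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, ks[32:]))


def tunnel_encapsulate(key: bytes, frame: bytes, nonce=None) -> bytes:
    """Build one public-side datagram for a frame captured on the private port.
    Layout nonce || tag || ciphertext is assumed, not SigmaVPN's documented format."""
    if nonce is None:
        nonce = os.urandom(NONCE_BYTES)  # a nonce must never repeat under one key
    return nonce + box_easy(key, nonce, frame)


def tunnel_decapsulate(key: bytes, datagram: bytes):
    """Recover the Ethernet frame to inject on the private port, or None."""
    if len(datagram) < NONCE_BYTES + TAG_BYTES:
        return None
    return box_open_easy(key, datagram[:NONCE_BYTES], datagram[NONCE_BYTES:])


def build_test_frame() -> bytes:
    """Constructed 1024-byte broadcast Ethernet frame (the benchmark size on the page)."""
    dst = b"\xff" * 6                    # broadcast destination
    src = bytes.fromhex("020000000001")  # locally administered source MAC
    ethertype = b"\x08\x00"              # IPv4
    payload = (bytes(range(256)) * 4)[:1024 - 14]
    return dst + src + ethertype + payload


if __name__ == "__main__":
    key = os.urandom(KEY_BYTES)
    frame = build_test_frame()
    datagram = tunnel_encapsulate(key, frame)
    assert tunnel_decapsulate(key, datagram) == frame
    # flip one ciphertext bit: rejected at the tag check, no plaintext released
    damaged = bytearray(datagram)
    damaged[-1] ^= 1
    assert tunnel_decapsulate(key, bytes(damaged)) is None
    print(f"{len(frame)}-byte frame -> {len(datagram)}-byte datagram "
          f"({NONCE_BYTES} nonce + {TAG_BYTES} tag + {len(frame)} ciphertext)")
```

Two practical points follow from the layout. Every private-side frame grows by the nonce and tag (40 bytes under this layout) before the UDP/IP headers of the public side are added, so a full-size 1500-byte frame captured on the private port does not fit a 1500-byte MTU on the public port without fragmentation; the page's benchmarks use 1024-byte frames. And because the authenticator is verified first, a corrupted or forged datagram costs the receiver one Poly1305 pass but never a decryption, which is the ordering a coprocessor driver must preserve as well.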
The implementation is split into two sub-repositories.
The NaCl Hardware subrepository consists of the NaCl coprocessor IP cores for Xilinx, a base system design to use them on the Zynq-7010 of the ZYBO board, a Linux driver to reach the NaCl coprocessor from a user-space application, and a test application that uses the NaCl coprocessor for encryption and decryption operations.
The SigmaVPN subrepository holds a fork of the original SigmaVPN code. In this fork, SigmaVPN is changed first to give it two-port operation and second to make it use the coprocessor. Each feature is provided by a new SigmaVPN module: one implements communication over a physical port instead of a virtual network interface, the other uses the designed cryptographic coprocessor.
Running SigmaVPN requires the libsodium and libpcap libraries: the former provides NaCl, the latter the two-port operation.
The readme file in that directory describes how to cross-compile these libraries and SigmaVPN for the ZYBO board.
To use the design on a ZYBO board, first prepare the BootFiles as described in the NaCl Hardware subrepository. Follow the instructions there up to step 9, then continue with the steps listed below. (Instead of preparing the BootFiles yourself, you may use the ones provided and jump directly to step 11.)
Step 9: Cross-compile SigmaVPN.
Step 10: Copy the output files to the MicroSD card.
Step 11: Boot the ZYBO board from the SD card.
Step 12: Install SigmaVPN on it.
Step 13: Initialize the SigmaVPN application.
Sample initialization scripts (installing and running SigmaVPN) together with configuration files are provided in the BootFiles directory. For example, initialize one node with the demo1 configuration (as shown below) and the other node with the demo2 configuration:
cd mnt/sigmavpn
./demo1.sh