Implementing VPN in an embedded system using LwIP
I've been asked to implement VPN capabilities in an existing software project on an embedded system, in order to make the device available via network to an external server while avoiding trouble with firewalls (no need for encryption, just to make it accessible).

Unfortunately, the embedded system is based on a Cortex-M4 MCU, therefore Linux, which would allow for VPN nearly out of the box, is not an option. All I've got is an RTOS and a working LwIP stack.

I've used VPNs in the past. However, my network knowledge is rather limited concerning implementing VPNs, so I'm rather stumped. As I think, I'd use the current LwIP instance for building up the tunnel connection, and the application would use a second instance for the actual network communication, while the network interface of the second instance is a virtual one (like a tap device on linux), encapsulating its low level data and transceiving it via the tunnel connection of the first LwIP instance.

Maybe this way I'd be able to create a custom solution for the problem, but the solution should conform to any standards (as the server will be any kind of sophisticated system).

So I wonder if anyone has been confronted with a task like this, and would appreciate any hint what to do, at least a direction to look in. Thanks in advance!

Orbital answered 26/8, 2015 at 7:11

Comments (9):
Just to warn you, this will likely be downvoted / flagged as off-topic because "Can you recommend an X for Y" questions usually are. (Piddling)

That said, decide what VPN strategy you're required to use. E.g. IPSEC, TLS/SSL, SSH. I know there are SSL and SSH implementations for tiny processors, not sure about IPSec. And evaluate how much RAM/ROM you have available for this capability because crypto and IP are both fairly resource intensive when you're talking M4. Then there's the whole matter of whether or not LwIP even supports running multiple instances (it might rely on a lot of globals?) so it may take extensive modification there. (Piddling)

Hi Brian, thanks for your answer; but in my understanding, IPSec, TLS/SSL/SSH are security layers for encrypted communication. What I need is a communication tunnel, without any need for encryption. LwIP seems to support multiple network interfaces, so I think multiple instances shouldn't be an issue. (Orbital)

If lwip doesn't already support any type of tunnel, I would think IP in IP would be a good first approach. I would think that would take the least work to implement since the code is almost all already there in the IP stack. (Maxim)

Thank you, pfa! IP-in-IP is a helpful catchword. I found RFC 1853. That's the direction I've been looking for. (Orbital)

I missed the part about "no encryption needed", sorry. Crypto and VPN usually go hand-in-hand, but I guess I can see there being uses w/o it. I should also add that LwIP (at least 3-ish years ago, last time I used it) had a fairly active mailing list. You might have better luck asking on there than here. (Piddling)

@Orbital So, have you found a solution to your problem? (Worldweary)

Hello morcillo, unfortunately not, as on our current platform we're already out of memory without a tunnelled communication. Maybe in a future product, we'll go for a small embedded linux system. (Orbital)

You could look into husarnet/husarnet (Pipeline)
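The IP-in-IP framing (RFC 1853, later RFC 2003) that the comments point the asker at, worked through as an added example; this is not code from the question, from any of the commenters, or from lwIP. It builds the outer IPv4 header with protocol number 4 in front of an unmodified inner packet and then decapsulates it as the peer would, validating both headers and accepting only the configured tunnel endpoint. In the asker's two-stack design the virtual interface's output callback would hand its packets to `ipip_encap()` and the receiving side would pass the result of `ipip_decap()` into the inner stack's input path; the function names, the 192.168.1.20 / 203.0.113.1 tunnel addresses and the 8-byte UDP sample packet are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: IP-in-IP (RFC 1853 / RFC 2003) encapsulation in plain C,
   independent of lwIP. Field access goes through byte helpers so the code
   is endianness- and alignment-safe on a Cortex-M4 as well as on a PC. */

#define IPPROTO_IPIP 4      /* outer protocol number for IP-in-IP */
#define IPV4_HDR_LEN 20     /* header length without options */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* RFC 1071 one's-complement checksum. Computed with the checksum field zeroed
   it yields the value to store; computed over a valid header it yields 0. */
uint16_t ip_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += get16(data + i);
    if (len & 1) sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Prepend an outer IPv4 header (protocol 4) to an inner IPv4 packet.
   TOS and the DF bit are copied from the inner header as RFC 2003 allows.
   Returns the outer packet length, or 0 if the input is not acceptable. */
size_t ipip_encap(const uint8_t *inner, size_t inner_len, uint32_t outer_src,
                  uint32_t outer_dst, uint16_t id, uint8_t *out, size_t out_cap) {
    if (inner_len < IPV4_HDR_LEN || (inner[0] >> 4) != 4) return 0;
    if (inner_len + IPV4_HDR_LEN > out_cap || inner_len + IPV4_HDR_LEN > 0xffff) return 0;
    uint8_t *h = out;
    memset(h, 0, IPV4_HDR_LEN);
    h[0] = 0x45;                                    /* version 4, IHL 5 */
    h[1] = inner[1];                                /* TOS copied from inner */
    put16(h + 2, (uint16_t)(inner_len + IPV4_HDR_LEN));
    put16(h + 4, id);
    put16(h + 6, get16(inner + 6) & 0x4000);        /* copy DF, no fragment offset */
    h[8] = 64;                                      /* tunnel TTL */
    h[9] = IPPROTO_IPIP;
    put32(h + 12, outer_src);
    put32(h + 16, outer_dst);
    put16(h + 10, ip_checksum(h, IPV4_HDR_LEN));
    memcpy(out + IPV4_HDR_LEN, inner, inner_len);
    return inner_len + IPV4_HDR_LEN;
}

/* Strip the outer header after validating it. Only packets whose outer source
   is the configured peer are accepted; the inner header is sanity-checked too.
   Returns the inner packet length (and sets *inner_out), or 0 on rejection. */
size_t ipip_decap(const uint8_t *outer, size_t outer_len, uint32_t expected_peer,
                  const uint8_t **inner_out) {
    if (outer_len < IPV4_HDR_LEN || (outer[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(outer[0] & 0x0f) * 4;
    if (ihl < IPV4_HDR_LEN || ihl > outer_len) return 0;
    if (ip_checksum(outer, ihl) != 0) return 0;          /* corrupted outer header */
    size_t total = get16(outer + 2);
    if (total < ihl + IPV4_HDR_LEN || total > outer_len) return 0;
    if (outer[9] != IPPROTO_IPIP) return 0;              /* not a tunnel packet */
    if (get32(outer + 12) != expected_peer) return 0;    /* not from our tunnel peer */
    const uint8_t *inner = outer + ihl;
    if ((inner[0] >> 4) != 4) return 0;
    size_t inner_total = get16(inner + 2);
    if (inner_total < IPV4_HDR_LEN || inner_total > total - ihl) return 0;
    *inner_out = inner;
    return inner_total;
}

/* Constructed sample inner packet: 10.0.0.2 -> 10.0.0.1, UDP, 8 payload bytes. */
size_t build_sample_inner(uint8_t *buf, size_t cap) {
    const size_t len = IPV4_HDR_LEN + 8;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 0x45;
    put16(buf + 2, (uint16_t)len);
    put16(buf + 4, 1);
    put16(buf + 6, 0x4000);                         /* DF set */
    buf[8] = 64;
    buf[9] = 17;                                    /* UDP */
    put32(buf + 12, 0x0A000002);
    put32(buf + 16, 0x0A000001);
    put16(buf + 10, ip_checksum(buf, IPV4_HDR_LEN));
    for (int i = 0; i < 8; i++) buf[IPV4_HDR_LEN + i] = (uint8_t)(i + 1);
    return len;
}

/* Device 192.168.1.20 encapsulates towards server 203.0.113.1 (constructed
   addresses); the server decapsulates. Returns 1 if the inner packet survives. */
int ipip_roundtrip_ok(void) {
    uint8_t inner[64], outer[128];
    const uint8_t *recovered = NULL;
    size_t ilen = build_sample_inner(inner, sizeof inner);
    size_t olen = ipip_encap(inner, ilen, 0xC0A80114, 0xCB007101, 7, outer, sizeof outer);
    if (olen != ilen + IPV4_HDR_LEN || outer[9] != IPPROTO_IPIP) return 0;
    size_t rlen = ipip_decap(outer, olen, 0xC0A80114, &recovered);
    return rlen == ilen && memcmp(recovered, inner, ilen) == 0;
}

/* Returns 1 if a corrupted outer header and an unexpected peer are both rejected. */
int ipip_rejects_bad_outer(void) {
    uint8_t inner[64], outer[128];
    const uint8_t *p = NULL;
    size_t ilen = build_sample_inner(inner, sizeof inner);
    size_t olen = ipip_encap(inner, ilen, 0xC0A80114, 0xCB007101, 8, outer, sizeof outer);
    if (olen == 0) return 0;
    outer[9] = 17;                                  /* wrong protocol, checksum now stale */
    if (ipip_decap(outer, olen, 0xC0A80114, &p) != 0) return 0;
    outer[9] = IPPROTO_IPIP;                        /* restore, then try a wrong peer */
    if (ipip_decap(outer, olen, 0x0A0A0A0A, &p) != 0) return 0;
    return ipip_decap(outer, olen, 0xC0A80114, &p) == ilen;
}

int main(void) {
    printf("round trip: %s\n", ipip_roundtrip_ok() ? "ok" : "FAILED");
    printf("rejects bad outer: %s\n", ipip_rejects_bad_outer() ? "ok" : "FAILED");
    return 0;
}
```

Two things worth keeping in mind when mapping this onto the two-instance design: the tunnel carries 20 extra bytes per packet, so the virtual interface's MTU must be the real link's MTU minus 20 or the outer packets will need fragmentation; and IP protocol 4 has no port numbers, so it does not pass NAT and is commonly filtered, which is why practical deployments often choose a tunnel carried over UDP or TCP instead. Without encryption the decapsulation checks above (checksum, protocol, expected peer, inner header bounds) are the only filtering the receiving stack gets, so they belong in the input path rather than being left to the inner stack.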
