Problem:
Let's consider that we have an unencrypted network connection (for example, ad-hoc Wi-Fi without any WPA, but not limited to wireless, of course). What is the simplest way to secure it (having GNU/Linux on both sides)?
Expecting the following properties:
- Not distro-specific (not ifup/ifdown, not integrating into any /etc/init.whatever)
- Preferably no config files (just commands in the console)
- Preferably relying on standard kernel modules present in most distributed kernels.
Performance is not critical.
Expecting something like:
ip link add encrypted_link0 type encrypted link=wlan0 psk=k48M1n3n6
ip link set encrypted_link0 up
ip addr add 192.168.44.2/30 dev encrypted_link0
ip route add default via 192.168.44.1 dev encrypted_link0
on one side and
ip link add encrypted_link0 type encrypted link=wlan0 psk=k48M1n3n6
ip link set encrypted_link0 up
ip addr add 192.168.44.1/30 dev encrypted_link0
echo 1 > /proc/sys/net/ipv4/conf/encrypted_link0/forwarding
on the other side.
Not thinking about any authentication servers, just using some good default algorithm like AES-256, and not thinking about configuring various swans or racoons.
Solution:
I created a special little program for this: https://github.com/vi/tap_mcrypt
iwconfig wlan0 mode Ad-Hoc
iwconfig wlan0 essid access_point_name
ip link set wlan0 up
# arguments: the interface to send over and the destination MAC address; key file and TAP device name come from the environment
MCRYPT_KEYFILE=/root/enc0_key DEV_NAME=enc0 tap_mcrypt wlan0 74:f0:6d:7b:8d:c3 &
sleep 0.5   # give tap_mcrypt a moment to create enc0
ip link set enc0 up
ip addr add 192.168.99.128/24 dev enc0
Not super-secure, but easy to set up and should work with various connections.
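As an added example, not part of the question or of the tap_mcrypt answer above: the requirements in the question (commands only, no daemons or config files, standard kernel modules, a shared key) are also met by manually keyed IPsec ESP in transport mode, driven entirely through iproute2's `ip xfrm`. The kernel's xfrm/ESP/AES-GCM code does the crypto, so nothing runs in user space after setup and no extra network device is created; the two hosts keep their wlan0 addresses and every packet between them is wrapped in ESP. The addresses 192.168.44.1/2, the SPIs 0x1001/0x1002 and the key file path /root/esp_keys are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the question or the tap_mcrypt answer: encrypt the
# traffic between two hosts on an otherwise open link with manually keyed
# IPsec ESP (transport mode). Only iproute2's `ip xfrm` and the in-kernel
# xfrm/ESP/AES-GCM code are used: no daemons, no config files, no new device.
# Addresses, SPIs and the key file path are assumptions chosen for the demo;
# override them from the environment.
set -u

LOCAL_IP=${LOCAL_IP:-192.168.44.1}
PEER_IP=${PEER_IP:-192.168.44.2}
SPI_OUT=${SPI_OUT:-0x1001}      # SPI of the SA we encrypt with
SPI_IN=${SPI_IN:-0x1002}        # SPI of the SA the peer encrypts with
KEYFILE=${KEYFILE:-/root/esp_keys}

# rfc4106(gcm(aes)) wants the AES key followed by a 4-byte salt:
# 32 + 4 = 36 bytes for AES-256-GCM, i.e. 72 hex digits.
gen_key() {
    head -c 36 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Refuse anything that is not exactly 36 bytes of hex, so a truncated or
# mangled key fails here instead of as a cryptic EINVAL from the kernel.
check_key() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 72 ]
}

# Print the four `ip xfrm` commands for one side of the link.
# args: local peer spi_out spi_in key_out key_in
# The peer runs the mirror image: addresses, SPIs and keys swapped.
# Separate keys per direction and replay-window 32 (the default is 0,
# which disables anti-replay) are deliberate.
xfrm_cmds() {
    l=$1 p=$2 so=$3 si=$4 ko=$5 ki=$6
    if ! check_key "$ko" || ! check_key "$ki"; then
        echo "xfrm_cmds: key must be 72 hex digits" >&2
        return 1
    fi
    cat <<EOF
ip xfrm state add src $l dst $p proto esp spi $so reqid 1 mode transport aead 'rfc4106(gcm(aes))' 0x$ko 128 replay-window 32
ip xfrm state add src $p dst $l proto esp spi $si reqid 1 mode transport aead 'rfc4106(gcm(aes))' 0x$ki 128 replay-window 32
ip xfrm policy add src $l dst $p dir out tmpl src $l dst $p proto esp reqid 1 mode transport
ip xfrm policy add src $p dst $l dir in tmpl src $p dst $l proto esp reqid 1 mode transport
EOF
}

# Fresh keys for both directions. $KEYFILE is ours, $KEYFILE.peer is the
# same pair with IN/OUT swapped; carry it to the other host out of band
# (USB stick, scp over a link you already trust), then delete it here.
keygen() {
    ko=$(gen_key) ki=$(gen_key)
    umask 077
    printf 'KEY_OUT=%s\nKEY_IN=%s\n' "$ko" "$ki" > "$KEYFILE"
    printf 'KEY_OUT=%s\nKEY_IN=%s\n' "$ki" "$ko" > "$KEYFILE.peer"
}

load_keys() {
    . "$KEYFILE"
}

case "${1:-}" in
    keygen) keygen ;;
    show)   load_keys; xfrm_cmds "$LOCAL_IP" "$PEER_IP" "$SPI_OUT" "$SPI_IN" "$KEY_OUT" "$KEY_IN" ;;
    apply)  load_keys; xfrm_cmds "$LOCAL_IP" "$PEER_IP" "$SPI_OUT" "$SPI_IN" "$KEY_OUT" "$KEY_IN" | sh -e ;;
    flush)  ip xfrm state flush; ip xfrm policy flush ;;
    '')     ;;   # sourced for its functions: define them and do nothing
    *)      echo "usage: $0 keygen|show|apply|flush" >&2 ;;
esac
```

Run `sh esp_link.sh keygen` on one host, move the generated `.peer` file to the other host as its key file, then `apply` on both (as root; `show` prints the commands without running them, and `LOCAL_IP`/`PEER_IP` are swapped on the second host). `ip xfrm state` should then list two SAs on each side, and `tcpdump -ni wlan0` should show only ESP between the two addresses. Two caveats a practitioner should keep in mind. First, with manual keying the ESP sequence counter, which AES-GCM uses to build its nonce, starts again from 1 every time the state is added, so re-applying an old key file after a reboot reuses nonces under the same key; run `keygen` again for every new session and never reuse a key file. Second, the policies only cover traffic between the two addresses; anything else still leaves wlan0 in the clear, and the IP headers of the protected packets (addresses, sizes) remain visible in transport mode. If you want the link to fail closed, add a lower-priority catch-all `dir out` policy with `action block` beneath the ESP policy.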