automatic local network encryption

README.md

vula: automatic local network encryption

With zero configuration, vula automatically encrypts IP communication between hosts on a local area network in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping.

With manual key verification and/or automatic key pinning, plus manual resolution of IP or hostname conflicts, vula additionally protects against interception by active adversaries.

When the local gateway to the internet is also a vula peer, internet-destined traffic is also encrypted on the LAN.

How does it work?

Automatically.

Vula combines WireGuard for forward-secret point-to-point tunnels with mDNS and DNS-SD for local service announcements, and enhances the confidentiality of WireGuard tunnels by using CSIDH, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration.
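The following sketch illustrates the shape of that design: a WireGuard peer stanza whose PresharedKey is derived from a non-interactive key exchange secret, with AllowedIPs set to the peer's existing LAN addresses (the "uses existing IP addresses" point above). It is an added example, not vula's own code. CSIDH is not implemented here; the NIKE shared secret is a constructed 32-byte constant, the HKDF label and the key-binding salt are this example's assumptions, and the hostnames, keys and addresses are made up.

```python
"""Added example: derive a peer-wise WireGuard PresharedKey from a NIKE shared
secret and emit a wg-quick style [Peer] stanza.  Not vula's code; CSIDH is
stood in for by a constructed constant."""
import base64
import hashlib
import hmac
import ipaddress
from typing import List, Optional

WG_KEY_LEN = 32

# Constructed inputs (assumptions, not real keys or a real CSIDH result).
SHARED_SECRET = hashlib.sha256(b"constructed NIKE shared secret").digest()
PK_ALICE = bytes(range(0, 32))    # hypothetical WireGuard public key of alice
PK_BOB = bytes(range(32, 64))     # hypothetical WireGuard public key of bob


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_psk(nike_shared_secret: bytes, wg_pubkey_a: bytes, wg_pubkey_b: bytes) -> bytes:
    """Derive the PresharedKey for the tunnel between two peers.

    A NIKE shared secret is symmetric, so both sides can compute it without
    talking to each other; sorting the two WireGuard public keys into the salt
    makes the derivation order-independent as well.  The label and binding are
    this example's choice, not vula's actual KDF.
    """
    if len(nike_shared_secret) != WG_KEY_LEN:
        raise ValueError("shared secret must be 32 bytes")
    salt = b"".join(sorted((wg_pubkey_a, wg_pubkey_b)))
    return hkdf_sha256(nike_shared_secret, salt, b"example-vula-psk", WG_KEY_LEN)


def wg_b64(key: bytes) -> str:
    """WireGuard config files carry 32-byte keys as standard base64."""
    if len(key) != WG_KEY_LEN:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(key).decode("ascii")


def wg_peer_stanza(hostname: str, peer_pubkey: bytes, psk: bytes,
                   peer_ips: List[str], endpoint: Optional[str] = None) -> str:
    """Build a [Peer] section.  AllowedIPs are host routes (/32 or /128) for the
    peer's existing LAN addresses, so the tunnel reuses the addresses the LAN
    already assigned (via DHCP or by hand) instead of a separate overlay range."""
    allowed = []
    for ip in peer_ips:
        addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
        allowed.append(f"{addr}/{addr.max_prefixlen}")
    lines = [
        "[Peer]",
        f"# {hostname}",
        f"PublicKey = {wg_b64(peer_pubkey)}",
        f"PresharedKey = {wg_b64(psk)}",
        f"AllowedIPs = {', '.join(allowed)}",
    ]
    if endpoint:
        lines.append(f"Endpoint = {endpoint}")
    return "\n".join(lines) + "\n"


def example_stanza_for_bob() -> str:
    """Alice's view of bob: the stanza alice would add to her WireGuard interface."""
    psk = derive_psk(SHARED_SECRET, PK_ALICE, PK_BOB)
    return wg_peer_stanza("bob.local", PK_BOB, psk, ["10.0.0.5", "fe80::1"], "10.0.0.5:5354")


if __name__ == "__main__":
    print(example_stanza_for_bob())
```

Because WireGuard mixes the PresharedKey into its handshake alongside the X25519 exchange, an adversary who records traffic today and later breaks X25519 still cannot recover session keys without the CSIDH-derived PSK; that layering is what "transitionally post-quantum" refers to above.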

Vula's advantages over some other solutions include:

  • design is absent of single points of failure (SPOFs)
  • uses existing IP addresses inside and outside of the tunnels, allowing seamless integration into existing LAN environments using DHCP and/or manual addressing
  • avoids needing to attempt handshakes with non-participating hosts
  • does not require any configuration to disrupt passive surveillance adversaries
  • simple verification with QR codes to disrupt active surveillance adversaries

See NOTES.md for some discussion of the threat model and other technical details, and COMPARISON.md for a comparison of Vula to some related projects.

Current status

Vula is functional today, although it has some known issues documented in STATUS.md. It is ready for daily use by people who are proficient with Linux networking and the command line, but we do not yet recommend it for people who are not.

See INSTALL.md for installation and usage instructions.

See HACKING.md for some tips on opening the hood.

Security contact

We consider this project to currently be alpha pre-release, experimental, research quality code. It is not yet suitable for widespread deployment. It has not yet been audited by an independent third party and it should be treated with caution.

If you or someone you know finds a security issue, please open an issue or send an email to security at vula dot link.

Our current bug bounty for security issues is humble. We will treat qualifying reporters to a beverage after the COVID-19 crisis has ended; ojalá. Locations limited to qualifying CCC events such as the yearly Congress.

Authors

The authors of vula are anonymous for now, while our paper is undergoing peer review.

Acknowledgements

OPERATION_VULA.md has some history about the name Vula.

Vula is not associated with or endorsed by the WireGuard project. WireGuard is a registered trademark of Jason A. Donenfeld.