
I've been asked to implement VPN capabilities in an existing software project on an embedded system, in order to make the device available via network to an external server while avoiding trouble with firewalls (no need for encryption, just to make it accessible).

Unfortunately, the embedded system is based on a Cortex-M4 MCU, therefore Linux, which would allow for VPN nearly out of the box, is not an option. All I've got is an RTOS and a working LwIP stack.

I've used VPNs in the past. However, my network knowledge is rather limited concerning implementing VPNs, so I'm rather stumped. As I think, I'd use the current LwIP instance for building up the tunnel connection, and the application would use a second instance for the actual network communication, while the network interface of the second instance is a virtual one (like a tap device on Linux), encapsulating its low-level data and transceiving it via the tunnel connection of the first LwIP instance.

Maybe this way I'd be able to create a custom solution for the problem, but the solution should conform to any standards (as the server will be any kind of sophisticated system).

So I wonder if anyone has been confronted with a task like this, and would appreciate any hint what to do, at least a direction where to look at. Thanks in advance!

  • Just to warn you, this will likely be downvoted / flagged as off-topic because "Can you recommend an X for Y" questions usually are. – Brian McFarland Aug 26 '15 at 14:09
  • That said, decide what VPN strategy you're required to use. E.g. IPSEC, TLS/SSL, SSH. I know there are SSL and SSH implementations for tiny processors, not sure about IPSec. And evaluate how much RAM/ROM you have available for this capability because crypto and IP are both fairly resource intensive when you're talking M4. Then there's the whole matter of whether or not LwIP even supports running multiple instances (it might rely on a lot of globals?) so it may take extensive modification there. – Brian McFarland Aug 26 '15 at 14:18
  • Hi Brian, thanks for your answer; but in my understanding, IPSec, TLS/SSL/SSH are security layers for encrypted communication. What I need is a communication tunnel, without any need for encryption. LwIP seems to support multiple network interfaces, so I think multiple instances shouldn't be an issue. – SirFrancisDrake Aug 27 '15 at 06:53
  • If lwip doesn't already support any type of tunnel, I would think IP in IP would be a good first approach. I would think that would take the least work to implement since the code is almost all already there in the IP stack. – pfa Aug 27 '15 at 11:03
  • Thank you, pfa! IP-in-IP is a helpful catchword. I found RFC 1853. That's the direction I've been looking for. – SirFrancisDrake Aug 27 '15 at 14:58
  • I missed the part about "no encryption needed", sorry. Crypto and VPN usually go hand-in-hand, but I guess I can see there being uses w/o it. I should also add that LwIP (at least 3-ish years ago, last time I used it) had a fairly active mailing list. You might have better luck asking on there than here. – Brian McFarland Aug 27 '15 at 22:51
  • @SirFrancisDrake So, have you found a solution to your problem? – morcillo Apr 26 '17 at 02:23
  • Hello morcillo, unfortunately not, as on our current platform we're already out of memory without a tunnelled communication. Maybe in a future product, we'll go for a small embedded Linux system. – SirFrancisDrake Apr 26 '17 at 07:14
  • You could look into [husarnet/husarnet](https://github.com/husarnet/husarnet) – silvergasp Feb 21 '22 at 01:39
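The IP-in-IP encapsulation that pfa suggests and RFC 1853 specifies, as an added example in C (not code from the question, from LwIP or from the RFC): it builds the outer IPv4 header (protocol 4, no options, DF copied from the inner header) around a complete inner packet and validates it again on the receiving side. Tunnel addresses, TTL and buffer sizes are the caller's; the packets used in the checks below are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IPPROTO_IPIP 4      /* RFC 1853 protocol number for IP-in-IP */
#define IPV4_HDR_LEN 20     /* outer header carries no options */

/* RFC 1071 one's-complement sum; over a header with its checksum filled in, a valid header yields 0. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Wrap a complete inner IPv4 packet in an outer header src -> dst (host-order addresses).
 * Returns the outer length, or 0 if the inner packet is unusable or out is too small. */
size_t ipip_encap(const uint8_t *inner, size_t inner_len, uint32_t src,
                  uint32_t dst, uint8_t ttl, uint8_t *out, size_t out_cap) {
    size_t total = IPV4_HDR_LEN + inner_len;
    if (inner_len < IPV4_HDR_LEN || (inner[0] >> 4) != 4 ||
        total > 0xffff || total > out_cap)
        return 0;
    memset(out, 0, IPV4_HDR_LEN);
    out[0] = 0x45;                               /* version 4, IHL 5 */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[6] = inner[6] & 0x40;                    /* DF copied from inner header */
    out[8] = ttl;
    out[9] = IPPROTO_IPIP;
    for (int i = 0; i < 4; i++) {                /* addresses in network byte order */
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint16_t csum = ipv4_checksum(out, IPV4_HDR_LEN);
    out[10] = (uint8_t)(csum >> 8); out[11] = (uint8_t)csum;
    memcpy(out + IPV4_HDR_LEN, inner, inner_len);
    return total;
}

/* Validate an outer packet and return the inner length, with *inner pointing into pkt.
 * Returns 0 for wrong version/IHL, wrong protocol, bad checksum or a length mismatch. */
size_t ipip_decap(const uint8_t *pkt, size_t pkt_len, const uint8_t **inner) {
    if (pkt_len < 2 * IPV4_HDR_LEN || pkt[0] != 0x45 || pkt[9] != IPPROTO_IPIP)
        return 0;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total != pkt_len || ipv4_checksum(pkt, IPV4_HDR_LEN) != 0) return 0;
    *inner = pkt + IPV4_HDR_LEN;
    return total - IPV4_HDR_LEN;
}
```

A real endpoint should additionally accept only outer source addresses it has configured as tunnel peers. Protocol 4 carries no transport ports, so NAT devices cannot map it, which bears on the firewall goal in the question.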
