An anonymous, encrypted Point-to-Point (Layer 3) tunnel between two peers.

NKN-Link

Preface

NKN-Link does not aim to replace well-tested and already established VPN solutions like OpenVPN or WireGuard.

However, NKN-Link comes with a neat feature that many VPN solutions do not provide: anonymity.

In a traditional VPN setup (VPN from home PC to VPS in datacenter), the outbound traffic of the home network can be hidden from the ISP, but the ISP still knows that there is a connection from the home network to the VPS. Any traffic after that is masqueraded by using the public IP of the VPS. This means that, as tech-savvy people already know, a VPN does not provide anonymity, only privacy. There is a big difference between the two. Enter NKN.

NKN (New Kind of Network) is an infrastructure for a decentralized Internet.

NKN is a new kind of peer to peer network connectivity protocol and ecosystem powered by a novel public blockchain. It uses economic incentives to motivate Internet users to share network connections and utilize unused bandwidth. NKN works without the direct use of an IP address. Data is only in the local device, and always guarantees best protection of privacy and security.

In other words, NKN uses a public DHT overlay on top of internet nodes. Nodes communicate with each other by making use of their public keys.

NKN-Link adds an IP layer on top of two NKN peers.

Description

NKN-Link provides an anonymous and encrypted layer 3, point-to-point tunnel between two peers on the NKN network.

This enables both peers to talk over IP over NKN.

NKN-Link can be seen as a simple alternative to OpenVPN or WireGuard. The code is very simple and began as a fun pet project. I use NKN-Link as my VPN solution at home and for my laptop, by using a VPS as my remote NKN peer.

The code makes use of the NKN MultiClient, but without sessions (no transmission and congestion control).

That means that this tunnel is similar to a UDP connection.

A TUN device is created and each peer can talk via IP packets over the internet on an encrypted communication channel provided by the NKN network. nkn-link does not come with its own encryption logic; the encryption is handled entirely by NKN itself.

The code was written in one go and comes in a single file. It uses no OOP-style logic and only works on Linux.

This tool requires root privileges (sudo) to be able to create the TUN device.

Tested only on GNU/Linux. More builds and tests will follow.

Use Cases

  • Connect a VPS to the home network
  • Securely route all traffic from home over a VPS in a datacenter
  • Quickly spin up a tunnel to reach another peer over SSH
  • Connect with a friend over NKN to exchange files
  • Upload files to a remote storage
  • Make a friend in an oppressed country reach the web by providing an "exit node"
  • Connect multiple NKN peers together to form a private network
  • Do whatever one can do with IP connectivity

Install

go install github.com/omani/nkn-link@latest

Build from source

go get github.com/omani/nkn-link
make build

Setup

This example will:

  • use 2 NKN peers (A and B) on the internet
  • show how to create an IP link between both
  • show how to enable IP forwarding on peer A
  • show how to use peer A as a default route for peer B to route all of its traffic

Initialize configuration

If nkn-link cannot find a config.yaml file it will start in interactive mode to initialize one:

peerA $ sudo $GOPATH/bin/nkn-link
 _ _  _ __ _ _       _    _       _   
| \ || / /| \ | ___ | |  <_>._ _ | |__
|   ||  \ |   ||___|| |_ | || ' || / /
|_\_||_\_\|_\_|     |___||_||_|_||_\_\


Welcome to NKN-Link. A Point-to-Point (Layer 3) tunnel between NKN Peers.

NKN peer address: nkn-link.ab8d73d580e5fcdfaad25ca442dd33066a22b9a7d28809acc5fb3f6ff39666d0

NKN address of remote peer: 

peerB $ sudo $GOPATH/bin/nkn-link
 _ _  _ __ _ _       _    _       _   
| \ || / /| \ | ___ | |  <_>._ _ | |__
|   ||  \ |   ||___|| |_ | || ' || / /
|_\_||_\_\|_\_|     |___||_||_|_||_\_\


Welcome to NKN-Link. A Point-to-Point (Layer 3) tunnel between NKN Peers.

NKN peer address: nkn-link.24cb341473d3c1753611beda13625e2fbfec247141e916753b6e75ed204c42e3

NKN address of remote peer: 

Copy each peer's address into the other peer's "NKN address of remote peer:" prompt, then choose an IP address for your peer.

Peer A:

Welcome to NKN-Link. A Point-to-Point (Layer 3) tunnel between NKN Peers.

NKN peer address: nkn-link.ab8d73d580e5fcdfaad25ca442dd33066a22b9a7d28809acc5fb3f6ff39666d0

NKN address of remote peer: nkn-link.24cb341473d3c1753611beda13625e2fbfec247141e916753b6e75ed204c42e3
IP address for TUN device in CIDR format (eg. 10.0.0.1/24): 10.0.0.1/24
To enable IP forwarding on this peer, set `enable_ip_forwarding` to `true`.
Successfully written to config.yaml.
All set. Run `sudo ./nkn-link` to start.

Peer B:

Welcome to NKN-Link. A Point-to-Point (Layer 3) tunnel between NKN Peers.

NKN peer address: nkn-link.24cb341473d3c1753611beda13625e2fbfec247141e916753b6e75ed204c42e3

NKN address of remote peer: nkn-link.ab8d73d580e5fcdfaad25ca442dd33066a22b9a7d28809acc5fb3f6ff39666d0
IP address for TUN device in CIDR format (eg. 10.0.0.1/24): 10.0.0.2/24
To enable IP forwarding on this peer, set `enable_ip_forwarding` to `true`.
Successfully written to config.yaml.
All set. Run `sudo ./nkn-link` to start.

Both peers have been initialized with a config file named config.yaml in the current directory.

Example config.yaml of peer A:

default_route_enable: false
default_route_gateway_address: ""
enable_ip_forwarding: false
nkn_account_seed: bec785fbd97f5a1287f59ce21ab10d485b3f76802f126d0e2aea82fc5f0e4170
nkn_remote_peer: nkn-link.24cb341473d3c1753611beda13625e2fbfec247141e916753b6e75ed204c42e3
nkn_seedrpcserver_address: http://178.128.136.86:30003
tun_device_ip_address: 10.0.0.1/24
tun_device_name: nkn-link

Note: If a custom nkn_seedrpcserver_address is desired, give it as an IP address rather than a DNS name.
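A sanity check for the config.yaml keys shown above, including the default-route keys described under "Enable default route", as an added example that is not part of nkn-link. The Lint function, the sample peer B config and its placeholder seed are constructed here, and requiring the gateway to be another address inside the TUN subnet is an assumption drawn from the two-peer setup on this page.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

var hex64 = regexp.MustCompile(`^[0-9a-f]{64}$`)

// Constructed config for peer B; the seed is a placeholder, never a real one.
const peerBConfig = `default_route_enable: true
default_route_gateway_address: 10.0.0.1
nkn_account_seed: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
nkn_remote_peer: nkn-link.ab8d73d580e5fcdfaad25ca442dd33066a22b9a7d28809acc5fb3f6ff39666d0
nkn_seedrpcserver_address: http://178.128.136.86:30003
tun_device_ip_address: 10.0.0.2/24`

// Lint reads flat "key: value" lines and returns one finding per failed check.
func Lint(cfg string) (findings []string) {
	kv := map[string]string{}
	for _, line := range strings.Split(cfg, "\n") {
		k, v, _ := strings.Cut(line, ":")
		kv[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	peer := kv["nkn_remote_peer"] // "<identifier>.<public key>"; check the key part
	if !hex64.MatchString(kv["nkn_account_seed"]) || !hex64.MatchString(peer[strings.LastIndex(peer, ".")+1:]) {
		findings = append(findings, "seed or remote peer key is not 64 hex characters")
	}
	if u, err := url.Parse(kv["nkn_seedrpcserver_address"]); err != nil || net.ParseIP(u.Hostname()) == nil {
		findings = append(findings, "nkn_seedrpcserver_address host is not an IP address")
	}
	tun, err := netip.ParsePrefix(kv["tun_device_ip_address"])
	if err != nil {
		findings = append(findings, "tun_device_ip_address is not in CIDR format")
	}
	gw, gwErr := netip.ParseAddr(kv["default_route_gateway_address"])
	if kv["default_route_enable"] == "true" && (gwErr != nil || !tun.Contains(gw) || gw == tun.Addr()) {
		findings = append(findings, "gateway is not another address inside the TUN subnet")
	}
	return findings
}

func main() {
	fmt.Println(Lint(peerBConfig))
}
```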

Run

Start nkn-link with sudo:

sudo $GOPATH/bin/nkn-link

Peer A and Peer B should be able to ping each other now:

peerA $: ping -c3 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=345 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=346 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=359 ms

--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 344.750/350.031/358.898/6.307 ms

Note: Traffic is encrypted by default in NKN. The round-trip time can vary depending on the actual route it takes within NKN.

Enable IP Forwarding

To enable IP forwarding on a peer, set enable_ip_forwarding to true in its config.yaml.

Enable default route

Given that peer A has IP Forwarding enabled, peer B can now route all its traffic through peer A.

Set default gateway in config.yaml to IP address of peer A:

default_route_gateway_address: 10.0.0.1

Enable default route in config.yaml:

default_route_enable: true

Start nkn-link:

sudo $GOPATH/bin/nkn-link

Note: Setting default_route_enable to true will alter the route table of the peer. The default route will be kept, but its metric will be increased. The active connection to the NKN seed node and any incoming RPC node update will be added to the old default route so that connectivity is ensured. After that, default_route_gateway_address will be set as the new gateway for the default route. The new route will have a lower metric, so that traffic will flow over it.

Example of route table of peer B after enabling default_route_enable:

peerB $ ip r
default via 10.0.0.1 dev nkn-link
default via 192.168.1.1 dev ens3 metric 100 
10.0.0.0/24 dev nkn-link proto kernel scope link src 10.0.0.2 

The previous default route with gateway 192.168.1.1 has its metric increased to 100. A new default route has been added with gateway default_route_gateway_address over the newly created TUN device nkn-link.

A simple curl ifconfig.me on peer B will now output the public IP address of the remote peer A.
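The lookup behind the route table above, as an added example (not nkn-link code): Egress is a hypothetical helper that applies longest-prefix, then lowest-metric selection to `ip r` text. The host route for the seed node 178.128.136.86 is constructed to match the note on default_route_enable, and the down argument models the routes of a removed device being gone.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Peer B's table from the page, plus one constructed host route for the seed node.
const peerB = `default via 10.0.0.1 dev nkn-link
default via 192.168.1.1 dev ens3 metric 100
10.0.0.0/24 dev nkn-link proto kernel scope link src 10.0.0.2
178.128.136.86 via 192.168.1.1 dev ens3`

// Egress: longest prefix, then lowest metric; routes on device down are ignored.
func Egress(table, dst, down string) string {
	ip, _ := netip.ParseAddr(dst) // an invalid dst matches no prefix
	bestDev, bestBits, bestMetric := "", -1, 0
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if f[0] == "default" {
			f[0] = "0.0.0.0/0"
		} else if !strings.Contains(f[0], "/") {
			f[0] += "/32" // a bare address is a host route
		}
		p, _ := netip.ParsePrefix(f[0]) // an unparsable line matches nothing
		dev, metric := "", 0
		for i := 1; i+1 < len(f); i++ {
			if f[i] == "dev" {
				dev = f[i+1]
			} else if f[i] == "metric" {
				metric, _ = strconv.Atoi(f[i+1])
			}
		}
		better := p.Bits() > bestBits || (p.Bits() == bestBits && metric < bestMetric)
		if dev != down && p.Contains(ip) && better {
			bestDev, bestBits, bestMetric = dev, p.Bits(), metric
		}
	}
	return bestDev
}

func main() {
	fmt.Println(Egress(peerB, "1.1.1.1", ""), Egress(peerB, "1.1.1.1", "nkn-link"))
}
```

In this model traffic to 1.1.1.1 leaves via nkn-link while the tunnel routes exist and via ens3 once they are gone, because the old default route is kept. A firewall rule on ens3 is needed if that fallback is not wanted.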

Performance

Speed comparison

Scenario: 2 peers with a 100Mbps uplink, each. One uses the other's link as a hop. Download a 100MB file.

curl with regular uplink (internet connection):

$ curl -o bigfile https://speed.hetzner.de/100MB.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  100M  100  100M    0     0  9.3M      0  0:00:08  0:00:08 --:--:-- 9.3M

Average download speed: 9.3MB/s. 8 seconds.

curl with routing traffic over remote peer using nkn-link:

$ curl --interface nkn-link -o bigfile https://speed.hetzner.de/100MB.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  100M  100  100M    0     0   615k      0  0:02:46  0:02:46 --:--:-- 1292k

Average download speed: 615kB/s. 2:46 minutes.

Result

The connection speed when using the tunnel drops by around 15x (equal to a 6Mbps connection).

Due to the nature of NKN and how it works, the connection speed will vary.


Contribution

  • You can fork this, extend it and contribute back.
  • You can contribute with pull requests.

Donations

You can make me happy by donating BTC, XMR or NKN.

BTC:

bc1qpg5ld425yusw4kk0erumcemf0taa0shulec9au

XMR:

85udxYhuEmz3WtdGGLe3Xe3VeMs8hPBfcQnjwUfiGFy7UFX8bP78ii52DzoSptz1S6KkfDEbQLBtydpAtqr1Qt1zG1R7zPJ

NKN:

NKNVmZQZcDrgdMJKdgRfz2gn5ZdTAyro5uHm

Author

HAH! Sun (omani)

LICENSE

MIT License
