FreePN is a set of open source (see FLOSS definition) privacy tools for an improved online user experience (and yes, there's even an ISO standard for that). The current prototype implementation is mainly this repository.
Yes, it's "free" (as in FLOSS) and it's sort of like a VPN. FreePN is
essentially an anonymizing p2p internet proxy using a "virtual private
cloud" of peers, and the fpnd
tools are the automation layer on top
of the ZeroTier network virtualization engine that makes it happen.
Freepn is not a full VPN solution (eg, openvpn or vpnc) and does not require setup of any pre-shared keys or certs. Traffic over Freepn network links is always encrypted, however, since each network link is independent, the traffic must be decrypted as it passes through each peer host. When running in "peer" mode, each peer is assumed to be an untrusted host; when running in "adhoc" mode, the hosts can be assumed to be trusted hosts (as they belong to the user).
The Alpha release target is "peer mode", which puts the above cloud of peers between you and the internet. Each peer link provides an isolated, private, and encrypted path to the internet, with a new/random peer for each session.
The pre-Alpha release target (starting with 0.7.2.p6) is "adhoc mode", which addresses a more specific use case for routing (your own) remote traffic through (your own) trusted internet connection. In (older) jargon this may have been called a kluge or involve some ad-hockery (or could even be a Rube-Goldberg Device) but in today's "agile" world this is called a feature!
Note
Adhoc mode requires a one-time manual setup of your devices and a ZeroTier network; be sure and stay tuned for the (fully automated) Alpha release!
Currently all web and non-encrypted dns traffic (ie, ports 80, 443, 53) is routed over fpn virtual network links to an "exit" peer (although other ports may be added/dropped in future releases). In adhoc mode, the default network rules allow all traffic, however, only the ports above are automatically routed over FPN network links. In peer mode no other TCP/UDP traffic is allowed between peers except the routed ports above (some IGMP traffic is also allowed to check peer connectivity, ie, you are allowed to ping your gateway, but the gateway may or may not allow the replies).
The general advice is: do use https
for everything (especially anything
sensitive/private) and don't use http
for anything. At all. Period. Note
that today this also applies to DNS traffic, ie, if you want to increase your overall
level of online privacy, then you should 1) use only "trusted" non-logging DNS providers,
and 2) consider setting up a local DNS stub resolver that uses DNS over TLS and your chosen
DNS servers. See our DNS privacy readme doc for more info and pointers.
- adhoc mode - you own the network link and the peers
- peer mode - you only control your own host (peers are random, networks are auto-assigned and configured)
- current "adhoc mode" release is
0.7.3
- any updates to adhoc mode will stay in the
0.7.x
series - peer mode development continues using
0.8.x
for pre-release - current Alpha release target for peer mode is
0.9.0
Adhoc mode is now enabled in the current release; at this point we only target Linux with at least Python 3.5. Packages are available for Ubuntu and Gentoo using the live ebuild in our python overlay and a PPA on Launchpad. The PPA sources can also be used to build Debian packages, however, we don't (yet) support any "official" Debian releases.
Note
This stack depends on both Python and nanomsg and the Ubuntu releases are just enough out of sync with Debian, so the PPA binaries are not usable directly on any specific Debian version (so must be rebuilt from source).
A supported linux distribution, mainly something that uses .ebuilds (eg, Gentoo or funtoo) or a supported Ubuntu series, currently bionic 18.0.4 LTS, and focal 20.0.4 LTS (see the above PPA on Launchpad). Note you can also use the focal PPA series on the latest kali linux.
For all ubuntu series, make sure you have the gpg
and add-apt-repository
commands installed and then add the PPA:
$ sudo apt-get install -y software-properties-common $ sudo add-apt-repository -y -s ppa:nerdboy/embedded
If the second command above does not run apt-get update
automatically,
then you'll need to run it manually:
$ sudo apt-get update
If you get a key error you will also need to manually import the PPA signing key like so:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <PPA_KEY>
where <PPA_KEY> is the key shown in the launchpad PPA page under "Adding
this PPA to your system", eg, 41113ed57774ed19
for Embedded device ppa.
On kali you will need to edit the file created under /etc/apt/sources.list.d
for the PPA and change the series name to focal
.
Finally, install fpnd:
$ sudo apt-get install python3-fpnd
Since the main user daemon fpnd.py
needs to manipulate networks and
routes, it currently must run under either systemd or openrc as a daemon service,
which means you will need root (or sudo) priveleges to start and stop the init
script or service files. That said, we DO NOT recommend enabling the service
to run on boot (so it does not need to be enabled this way). We DO
recommend using start|stop as needed so it only runs when you want it to.
The fpnd tools require access to the following privileged interfaces on each peer host:
- zerotier API via access token (requires tun/tap on Linux)
- sysctl, kernel routing, and iptables/netfilter interfaces
When running under systemd we can take advantage of some of the isolation
features and allow the daemon to run as a non-priveleged user (fpnd
)
using linux capabilities to gain the required priveleges. The alternative
option of running under openrc requires running with full root priveleges.
Please choose one of the following user config options for starting and
stopping the fpnd
Systemd service:
- use
sudo systemctl start|stop fpnd
with your current setup - install the fpnd.sudoers file to allow
sudo
with no password prompt for only the abovefpnd
service commands - install the polkit rule file
org.freedesktop.systemd1.pkla
for polkit versions 0.105 or lower - install the polkit rule file
55-fpnd-systemd.rules
for newer polkit versions
The available options depend on whether you use systemd, openrc, or something else:
- Using systemd: sudo or polkit rules
- Using openrc: sudo or polkit/pkexec
- Anything else: sudo
Use one of the following:
- to use your current
sudo
config as-is, do nothing - to use the sudoers file, rename it just
fpnd
and drop it in the/etc/sudoers.d/
directory (perms must be 0440 root:root) - to use the older polkit rule, drop the file in the directory
/etc/polkit-1/localauthority/50-local.d/
- to use the newer polkit rule, drop the file in the directory
/etc/polkit-1/rules.d/
Note to use any other method besides "do nothing" you must first add your
user to the fpnd
group for the required priveleges, eg:
usermod -aG fpnd <user>
If you are running Openrc as your init system, we have the following config options for running the Openrc init script:
- use the usual
sudo
prefix and run the init script - install the fpnd.sudoers file to allow
sudo
with no password prompt for only the openrcfpnd
service commands - use a polkit rule to allow the
/sbin/openrc
command without a password usingpkexec
The last option above is somewhat klunky but is more restrictive than using
the sudoers
file with NOPASSWD
. If you want to use this rule, then
drop the rules file 55-fpnd-openrc.rules
into /etc/polkit-1/rules.d/
and use the following command / args as your normal user:
$ pkexec /sbin/openrc -s fpnd start|stop
Using the sudo rules instead of pkexec
:
$ sudo openrc -s fpnd start
As long as you have git and at least Python 3.5, then the "easy" dev install is to clone this repository and install tox (optional) and the nanomsg and datrie libraries (required).
Install the overlay and do the usual install dance; add FEATURES=test
if you want the pytest deps:
# FEATURES=test emerge net-misc/fpnd
or on Ubuntu:
$ sudo apt-get build-dep python3-fpnd $ sudo apt-get install tox
After cloning the repository, you can run the current tests with the
tox
command. It will build a virtual python environment for each
installed version of python with all the python dependencies and run
the tests (including style checkers and test coverage).
$ git clone https://github.com/freepn/fpnd $ cd fpnd $ tox
If you're on Ubuntu and you want to experiment with the current state of fpnd, then just install the package after doing the above:
$ sudo apt-get install python3-fpnd
Both pep8 and flake8 are part of the above test suite. There are also some CI code analysis checks for complexity and security issues (we try to keep the "cognitive complexity" low when possible).
Use the latest package for your Linux distro and hardware architecture; all arch-specific packages should support at least the following:
- armhf/arm
- aarch64/arm64
- x86_64/amd64
- i686/x86
See the Prerequisites above.
- python - at least version 3.5
- appdirs - standardized app directories
- datrie - python interface to libdatrie
- schedule - python scheduling engine
- python-diskcache - various cache types
- python-daemon - python daemon class
- nanoservice - python micro-messaging services
- nanomsg-python - python interface to nanomsg
- nanomsg - library for messaging protocols
- ztcli-async - python async client for zerotier API
- ZeroTier - network virtualization engine
- tox and pytest- needed for local testing
Currently we also require a recent Linux kernel with iptables
and
iproute2
installed (host requirements will be updated as we add
new platform support).
For the required kernel support, your kernel module listing should include something like this:
$ sudo lsmod iptable_filter 16384 1 iptable_nat 16384 1 xt_nat 16384 10 nf_nat 36864 2 xt_nat,iptable_nat nf_conntrack 102400 2 xt_nat,nf_nat nf_defrag_ipv6 20480 1 nf_conntrack nf_defrag_ipv4 16384 1 nf_conntrack libcrc32c 16384 2 nf_conntrack,nf_nat iptable_mangle 16384 1 xt_mark 16384 6 xt_tcpudp 16384 34 bpfilter 24576 0 ip_tables 24576 3 iptable_mangle,iptable_filter,iptable_nat x_tables 24576 6 xt_nat,iptable_mangle,ip_tables,iptable_filter,xt_mark,xt_tcpudp tun 45056 0
We use SemVer for versioning. For the versions available, see the releases on this repository.
Please read CONTRIBUTING.rst for details on our code of conduct, and the process for submitting pull requests to us.
- Stephen Arnold - Design, implementation, tests, and packaging - FreePN
- This project is licensed under the AGPL-3.0 License - see the
- LICENSE file for details.
- Thanks to the ZeroTier devs for providing the network virtualization engine
- Thanks to all the upstream Python and other project authors so we don't have to re-invent fire...