Holynet VPN is a high-performance VPN protocol built with Rust, designed for fast and secure connections over UDP.
- UDP-based for low-latency and high-throughput communication;
- Can be used as a library for integrating VPN functionality into custom applications or services;
- Two cipher suites on top of the Noise IKpsk2 handshake: clients choose AES-256-GCM or ChaCha20-Poly1305 to suit the device (for example, ChaCha20-Poly1305 on mobile devices);
- Cross-platform support for Linux and macOS (Windows planned);
- Optimized for performance with minimal impact on speed and overhead.
> **Warning**
> Not ready for prod
```text
Holynet VPN command-line interface.

Usage: holynet [OPTIONS] <COMMAND>

Commands:
  connect  Connect to a VPN server
  server   Server management
  help     Print this message or the help of the given subcommand(s)

Options:
  -d, --debug    Enable debug logging
  -h, --help     Print help
  -V, --version  Print version
```
The responder is initialized with a pre-shared long-term static key, which is assumed to be pre-authenticated out of band by the initiator.
```mermaid
sequenceDiagram
    participant Client
    participant Server
    Server->>Client: S (Trusted setup)
    Note over Server,Client: ...
    Client->>+Server: Handshake Initial (alg, e, es, s, ss)
    Server-->>-Client: Handshake Complete (e, ee, se, psk)
    Note over Server,Client: Handshake completed! <br/>Packets can be transmitted
    Client->>Server: Encrypted Packet
    Client->>Server: Encrypted Packet
    Server->>Client: Encrypted Packet
```
Message A
Message A, sent by the initiator, benefits from receiver authentication but
is vulnerable to Key Compromise Impersonation. If the responder's long-term
private key has been compromised, this authentication can be forged. However,
if the initiator carries out a separate session with a separate, compromised
responder, this other session can be used to forge the authentication of this
message with this session's responder. Message contents benefit from message
secrecy and some forward secrecy: the compromise of the responder's long-term
private keys, even at a later date, will lead to message contents being decrypted
by the attacker.
Message B
Message B, sent by the responder, benefits from sender and receiver authentication
and is resistant to Key Compromise Impersonation. Assuming the corresponding private
keys are secure, this authentication cannot be forged. Message contents benefit from
message secrecy and weak forward secrecy under an active attacker: if the responder's
long-term static keys were previously compromised, the later compromise of the
initiator's long-term static keys can lead to message contents being decrypted
by an active attacker, should that attacker also have forged the initiator's
ephemeral key during the session.
Message C
Message C, sent by the initiator, benefits from sender and receiver authentication and
is resistant to Key Compromise Impersonation. Assuming the corresponding private keys
are secure, this authentication cannot be forged. Message contents benefit from message
secrecy and strong forward secrecy: if the ephemeral private keys are secure and the
responder is not being actively impersonated by an active attacker, message contents
cannot be decrypted.
Message D
Message D, sent by the responder, benefits from sender and receiver authentication and
is resistant to Key Compromise Impersonation. Assuming the corresponding private keys
are secure, this authentication cannot be forged. Message contents benefit from message
secrecy and strong forward secrecy: if the ephemeral private keys are secure and the
initiator is not being actively impersonated by an active attacker, message contents
cannot be decrypted.
Noise IKpsk2
```mermaid
sequenceDiagram
    participant Client
    participant Server
    Client->>+Server: Handshake(Initial)
    Server-->>-Client: Handshake(Response)
```
```text
0      8         24      32                                     800 bit
┌──────┬─────────┬───────┬──────────────────────────────────────┐
│ TYPE │   LEN   │  ALG  │            NOISE METADATA            │
│ 0x00 │    N    │       │             (ENCRYPTED)              │
│(8bit)│ (16bit) │ (8bit)│              (768 bit)               │
└──────┴─────────┴───────┴──────────────────────────────────────┘
```
ALG values:
- 0x01: AES-256-GCM (Noise_IKpsk2_25519_AESGCM_BLAKE2s)
- 0x02: ChaCha20-Poly1305 (Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s)
```text
0      8         24                                            N bit
┌──────┬─────────┬──────────────────────────────────────────────┐
│ TYPE │   LEN   │      HANDSHAKE PAYLOAD + NOISE METADATA      │
│ 0x01 │    N    │                 (ENCRYPTED)                  │
│(8bit)│ (16bit) │                  (N-24bit)                   │
└──────┴─────────┴──────────────────────────────────────────────┘

              0      8       40
              ┌──────┬───────┬───────────────────────────────┐
              │ TYPE │       │                               │
COMPLETE      │ 0x00 │  SID  │            IP ADDR            │
              │(8bit)│(32bit)│                               │
              └──────┴───────┴───────────────────────────────┘

              40     48                 176
              ┌──────┬───────────────────┐
              │ TYPE │                   │
              │ 0x01 │       IPv6        │
              │(8bit)│     (128bit)      │
              └──────┴───────────────────┘

              40     48         80
              ┌──────┬───────────┐
              │ TYPE │           │
              │ 0x00 │   IPv4    │
              │(8bit)│  (32bit)  │
              └──────┴───────────┘

              0      8
              ┌──────┬───────────────────────────────────────┐
              │ TYPE │                                       │
DISCONNECT    │ 0x01 │                REASON                 │
              │(8bit)│                                       │
              └──────┴───────────────────────────────────────┘

                      8      16      80
                      ┌──────┬───────┬────────────────────────┐
                      │ TYPE │  LEN  │          TEXT          │
Unexpected            │ 0x02 │   X   │         UTF-8          │
                      │(8bit)│(64bit)│       (X-80bit)        │
                      └──────┴───────┴────────────────────────┘

                      8      16      48
                      ┌──────┬───────┐
                      │ TYPE │       │
MaxConnectedDevices   │ 0x00 │ COUNT │
                      │(8bit)│(32bit)│
                      └──────┴───────┘

                      8      16
                      ┌──────┐
                      │ TYPE │
ServerOverloaded      │ 0x01 │
                      │(8bit)│
                      └──────┘
```
```mermaid
sequenceDiagram
    participant Client
    participant Server
    Client->>Server: Packet(IP Packet)
    Client->>Server: Packet(IP Packet)
    Server->>Client: Packet(IP Packet)
    loop Every N sec
        Client->>Server: KeepAlive(timestamp)
        Client-->Server: KeepAlive(timestamp)
    end
```
```text
0      8       40                  104    120                                N bit
┌──────┬───────┬────────────────────┬───────┬──────────────────────────────────┐
│ TYPE │  SID  │       NONCE        │  LEN  │  DATA PAYLOAD + NOISE METADATA   │
│ 0x02 │       │                    │   N   │           (ENCRYPTED)            │
│(8bit)│(32bit)│      (64bit)       │(16bit)│            (N-120bit)            │
└──────┴───────┴────────────────────┴───────┴──────────────────────────────────┘

              0        8       24
              ┌────────┬───────┬───────────────┐
              │  TYPE  │  LEN  │      IP       │
IP PACKET     │  0x00  │   X   │    PACKET     │
              │ (8bit) │(16bit)│   (X-24bit)   │
              └────────┴───────┴───────────────┘

              0        8                      136
              ┌────────┬──────────────────────┐
              │  TYPE  │   CLIENT TIMESTAMP   │
KEEPALIVE     │  0x01  │        micros        │
              │ (8bit) │       (128bit)       │
              └────────┴──────────────────────┘
```
NONCE is a monotonically increasing counter controlled by the sender and is used as the AEAD nonce (Noise StatelessTransportState). The receiver checks it against a 2048-bit sliding anti-replay window before decrypting.
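As an added example (not Holynet's own code), the following Rust splits the TYPE 0x02 client-to-server frame header described above into SID, NONCE and payload, then runs the 2048-bit sliding anti-replay check a receiver applies to NONCE before it decrypts. It assumes big-endian fields, that LEN is the whole frame length in bits as the layout draws it, and that nonces count up from 1; the page states none of these.

```rust
// Added example, not Holynet's own code: parse the client -> server transport frame
// header (TYPE 0x02) and run the 2048-bit sliding anti-replay check on NONCE before
// decryption. Assumed (not stated on the page): big-endian fields, LEN = total frame
// length in bits, nonces count up from 1.
use std::convert::TryInto;
const WINDOW_BITS: u64 = 2048;

/// Split a TYPE 0x02 frame into (SID, NONCE, encrypted payload); None if malformed.
pub fn parse_client_frame(buf: &[u8]) -> Option<(u32, u64, &[u8])> {
    if buf.len() < 15 || buf[0] != 0x02 { return None; }      // header is 120 bits
    let sid = u32::from_be_bytes(buf[1..5].try_into().ok()?);
    let nonce = u64::from_be_bytes(buf[5..13].try_into().ok()?);
    let len_bits = u16::from_be_bytes([buf[13], buf[14]]) as usize;
    // LEN covers the whole frame, so the payload is LEN - 120 bits = buf.len() - 15 bytes.
    if len_bits % 8 != 0 || len_bits / 8 != buf.len() { return None; }
    Some((sid, nonce, &buf[15..]))
}

/// Sliding window: one bit per nonce in [highest - 2047, highest].
pub struct ReplayWindow { highest: u64, bits: [u64; 32] }

impl ReplayWindow {
    pub fn new() -> Self { Self { highest: 0, bits: [0; 32] } }

    /// True (and marks the nonce seen) if fresh; false for a replay or for a
    /// nonce that has fallen behind the window. Called before the AEAD decrypt.
    pub fn check_and_update(&mut self, nonce: u64) -> bool {
        if nonce == 0 { return false; }                   // 0 = "nothing accepted yet"
        if nonce > self.highest {
            if nonce - self.highest >= WINDOW_BITS {
                self.bits = [0; 32];                      // jumped past the whole window
            } else {
                // slots between old and new highest are reused: clear stale bits
                for n in self.highest + 1..nonce { self.set(n, false); }
            }
            self.highest = nonce;
        } else if self.highest - nonce >= WINDOW_BITS || self.test(nonce) {
            return false;                                 // too old, or already seen
        }
        self.set(nonce, true);
        true
    }
    fn slot(n: u64) -> (usize, u64) { (((n % WINDOW_BITS) / 64) as usize, n % 64) }
    fn test(&self, n: u64) -> bool { let (w, b) = Self::slot(n); ((self.bits[w] >> b) & 1) == 1 }
    fn set(&mut self, n: u64, on: bool) {
        let (w, b) = Self::slot(n);
        if on { self.bits[w] |= 1u64 << b } else { self.bits[w] &= !(1u64 << b) }
    }
}
```

A nonce older than the window is rejected even if never seen, which is the price of bounded state; a sender that reorders by more than 2048 packets would need a larger window.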
```text
0      8                     72     88                                        N bit
┌──────┬─────────────────────┬───────┬──────────────────────────────────────────┐
│ TYPE │        NONCE        │  LEN  │      DATA PAYLOAD + NOISE METADATA       │
│ 0x03 │                     │   N   │               (ENCRYPTED)                │
│(8bit)│       (64bit)       │(16bit)│                (N-88bit)                 │
└──────┴─────────────────────┴───────┴──────────────────────────────────────────┘

              0        8       24
              ┌────────┬───────┬───────────────────────┐
              │  TYPE  │  LEN  │          IP           │
PACKET        │  0x00  │   X   │        PACKET         │
              │ (8bit) │(16bit)│       (X-24bit)       │
              └────────┴───────┴───────────────────────┘

              0        8                          136
              ┌────────┬──────────────────────────┐
              │  TYPE  │     CLIENT TIMESTAMP     │
KEEPALIVE     │  0x01  │          micros          │
              │ (8bit) │         (128bit)         │
              └────────┴──────────────────────────┘

              0        8        16
              ┌────────┬────────┐
              │  TYPE  │  CODE  │
DISCONNECT    │  0x02  │        │
              │ (8bit) │ (8bit) │
              └────────┴────────┘
```
Licensed under the Apache License 2.0
Copyright © 2024 Nikita Boyarshinov (JKearnsl)
Attribution Requirements:
All distributions must retain:
- Original copyright notices
- License text
- NOTICE file contents