goSecure is an easy-to-use, portable Virtual Private Network (VPN) built with Linux and a Raspberry Pi 3.

The system consists of a single server and one or many clients. strongSwan is used to establish a Suite B IPsec tunnel with pre-shared keys between the server and client(s).

Server and Client

The server component is a multi-homed [laptop/server/cloud instance/Raspberry Pi] that runs strongSwan using the NSA Commercial Solutions for Classified (CSfC) guidelines for protecting classified data. It is built upon a minimal and hardened Linux instance per DISA Security Technical Implementation Guides (STIGs).

The client component is a Raspberry Pi that runs strongSwan using the NSA CSfC guidelines for protecting classified data and uses the Pi's hardware Random Number Generator (RNG). It is built upon a minimal and hardened Linux instance per DISA STIGs.

The client currently supports 3 modes of operation:

  1. Ethernet (eth0) LAN – Wi-Fi (wlan0) WAN
  2. Ethernet (eth1) LAN – Ethernet (eth0) WAN
  3. Wi-Fi (wlan0) LAN – Ethernet (eth0) WAN

About strongSwan

strongSwan is an open-source IPsec-based VPN solution that runs on Linux 2.6, 3.x and 4.x kernels, Android, FreeBSD, OS X, iOS and Windows.

Features:

  • Implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
  • Fully tested support of IPv6 IPsec tunnel and transport connections
  • Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
  • Automatic insertion and deletion of IPsec-policy-based firewall rules
  • NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
  • Support of IKEv2 message fragmentation (RFC 7383) to avoid issues with IP fragmentation
  • Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
  • Static virtual IPs and IKEv1 ModeConfig pull and push modes
  • XAUTH server and client functionality on top of IKEv1 Main Mode authentication
  • and much more…

Author

Editorial Team