Spiped And Synergy

I am a big fan of the triple monitor setup. You can have your editor, a full screen browser and a bunch of terminal sessions all open at the same time. No time spent moving windows around. But at work we only have shitty corporate desktops which can't take a full size video card, so I have to use two systems and Synergy to do three screens. This generally works pretty okay:

monitors

See? Rad.

Except When It Breaks

Today I updated my systems to Ubuntu 14.04 and somehow this broke Synergy's built in encryption. Since plain text Synergy is not an option in a large network, I needed a way to secure the transport to fix my setup. Stunnel and SSH were obvious options, but I was bored and I figured this was as good an opportunity as any to finally try out spiped. For science.

WTF Is Spiped

Spiped (pronounced "ess-pipe-dee") is a utility for creating symmetrically encrypted and authenticated pipes between socket addresses...

http://www.tarsnap.com/spiped.html

Spiped is a utility for creating encrypted tunnels between different hosts, similar to ssh -L. It uses a pre shared key so it's really easy to deploy. And it's written by Colin Percival, founder of Tarsnap and creator of scrypt. Which means that it has, at least in my estimation, crypto cred.

The simplicity of using a shared keyfile makes spiped super useful for jobs where you just want something to be encrypted over the network and don't need the hassle of PKI. It's quick to deploy, easy to configure, and provides a very high level of encryption and authentication (AES-256 and HMAC-SHA256, respectively).

It's worth it to reiterate that point: spiped makes it hard to fuck things up. It does one thing, really well, and that's it. This is something that cannot be said for many other daemons out there.

Spiped is also handy for tunneling other stuff as a means of protecting services from zero days. For example, if you were tunnelling SSH and some really bad vulnerability was discovered, you'd still be okay. Layered security! It's good.

Building It

There is actually an spiped package in Trusty, but it's pretty easy to build if you want to do it from source for security reasons. On Ubuntu, you need to have libssl-dev installed (and make, obviously). Unpack the tarball and then:

# If MAN1DIR is not present, create the directory first
~$ sudo make BINDIR=/usr/local/sbin MAN1DIR=/usr/local/share/man/man1 install
~$ sudo mandb

This will build spipe and spiped, install them, and put the man pages in the right place. mandb updates the man page database.

Doin' Stuff

First you need to generate a keyfile:

~$ dd if=/dev/urandom bs=32 count=1 of=keyfile
~$ chmod 0600 keyfile

To create a tunnel, this keyfile must be present on both the client and the server.
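
An added example (not from the original post): the keyfile step above, wrapped so the file is created private from the start instead of being tightened after the fact, plus a check worth running on both hosts before starting spiped. The function names and the 32-byte length check are assumptions taken from the dd invocation above.

```shell
#!/bin/sh
# Added example: create and audit an spiped keyfile (function names are hypothetical).

KEY_BYTES=32   # matches the dd invocation above (bs=32 count=1)

# Create a new keyfile that is never readable by group/other, even briefly.
make_spiped_key() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi
    (
        umask 077    # file is created 0600; subshell keeps the umask change local
        dd if=/dev/urandom bs="$KEY_BYTES" count=1 of="$keyfile" 2>/dev/null
    ) || return 1
    check_spiped_key "$keyfile"
}

# Return 0 only if the keyfile is a regular file, full length, and private.
check_spiped_key() {
    keyfile=$1
    if [ ! -f "$keyfile" ] || [ -L "$keyfile" ]; then
        echo "$keyfile: not a regular file" >&2
        return 1
    fi
    size=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$size" -lt "$KEY_BYTES" ]; then
        echo "$keyfile: only $size bytes (short read?)" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "$keyfile: group/other access set ($go_bits), run chmod 0600" >&2
        return 1
    fi
    return 0
}
```

Run check_spiped_key again after copying the keyfile to the second machine, since copy tools do not always preserve the mode.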

The server invocation looks like this:

~$ spiped -d -s '[0.0.0.0]:25800' -t '[127.0.0.1]:24800' -k keyfile

In this instance we are accepting encrypted traffic on 0.0.0.0:25800, -decrypting it and sending it to Synergy which is listening on localhost:24800.

The client invocation is similar:

~$ spiped -e -s '[127.0.0.1]:24800' -t '[my-server-ip]:25800' -k keyfile

Here it's reversed. We are accepting unencrypted traffic from Synergy client on localhost:24800, -encrypting it and sending it to the Synergy server on serverip:25800. You can use DNS names too but if DNS doesn't resolve (for example at system startup) it won't work.

Upstart

You can use Upstart to automatically start the tunnel and keep it running. For example, here's the script I'm using for my main workstation which is the Synergy server. I'm just running it as myself, cause I'm lazy like that.

# /etc/init/synergy-tunnel.conf
# spiped tunnel for synergy

description "Spiped tunnel for Synergy"

start on (local-filesystems and net-device-up IFACE!=lo)
stop on runlevel [!12345]

respawn  
respawn limit 10 5  
console log

setuid pliu  
setgid pliu

exec spiped -F -d -s '[0.0.0.0]:25800' -t '[127.0.0.1]:24800' -k /home/pliu/.synergy/keyfile

Why don't you just use SSH you dumb

Technically speaking, spiped is not really a great fit for Synergy because it pads packets to 1024 bytes and Synergy packets are probably a lot smaller, but I haven't really noticed even if it is inefficient. Spiped is more fun than SSH anyway.