Create three VMs with the following config:
- OS: Ubuntu 20.04
- CPU: 6
- RAM: 16 GB
- Disk: 40GB
You can downgrade this later on. This is only to enable oqs in your ubuntu environment. Run all the commands below for all the vms.
sudo apt-get install python3 python3-pip build-essential checkinstall zlib1g-dev cmake gcc libtool libssl-dev make ninja-build git astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind wireshark net-tools traceroute systemd systemd-sysv dbus dbus-user-session -ysudo pip3 install python-pytungit clone https://github.com/adwise-fiu/5G-PQ-TLS-Tunnel/- Unzip Open5GS for the client and server vm
cd 5G-PQ-TLS-Tunnel
unzip open5gs.zip- Import the public key used by the package management system.
sudo apt update
sudo apt install gnupg curl -ycurl -fsSL https://pgp.mongodb.com/server-6.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-6.0.gpg --dearmor- Create the list file /etc/apt/sources.list.d/mongodb-org-6.0.list for your version of Ubuntu.
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list- Install the MongoDB packages.
sudo apt updatesudo apt install -y mongodb-orgsudo systemctl start mongodsudo systemctl enable mongod- Create the TUN device with the interface name ogstun.
sudo ip tuntap add name ogstun mode tunsudo ip addr add 10.45.0.1/16 dev ogstunsudo ip link set ogstun up- Install the dependencies for building the source code.
sudo apt install python3-pip python3-setuptools python3-wheel ninja-build build-essential flex bison git cmake libsctp-dev libgnutls28-dev libgcrypt-dev libssl-dev libidn11-dev libmongoc-dev libbson-dev libyaml-dev libnghttp2-dev libmicrohttpd-dev libcurl4-gnutls-dev libnghttp2-dev libtins-dev libtalloc-dev meson -y - To compile with meson:
cd open5gs/open5gsmeson build --prefix=`pwd`/installninja -C build- You need to perform the installation process.
cd build
ninja install
cd ../-
Node.js is required to build WebUI of Open5GS
-
Download and import the Nodesource GPG key
sudo apt updatesudo apt install -y ca-certificates curl gnupgsudo mkdir -p /etc/apt/keyringscurl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg- Create deb repository
NODE_MAJOR=20echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.listsudo apt updatesudo apt install nodejs -y- Install the dependencies to run WebUI
cd webui
npm cisudo apt update && sudo apt upgrade -y - Unzip UERANSIM
cd ~/5G-PQ-TLS-Tunnel
unzip UERANSIM
cd UERANSIM- Install the required dependencies
sudo apt remove cmake -y
sudo apt install make gcc g++ libsctp-dev lksctp-tools iproute2 build-essential -y
sudo snap install cmake --classicmake- Install OQS in the system
cd ..
sudo chmod +x oqs.sh
./oqs.shIn this case the nrf will have the tls server
- Unzip vpn_over_tls-master
unzip vpn_over_tls-master.zip
cd vpn_over_tls-master/vpn_over_tls-master/src- Modify the server config
nano server/config.pyYou can modify the TUN_ADDRESS if you want and certificates.
config = {
- "TUN_ADDRESS": "192.168.122.1",
+ "TUN_ADDRESS": "10.0.0.1",
"TUN_NETMASK": "255.255.255.0",
- "LISTEN_ADDRESS": "0.0.0.0",
+ "LISTEN_ADDRESS": "192.168.122.117",
"LISTEN_PORT": 443,
"TUN_NAME": "tun0",
"TUN_MTU": 1500,
"BUFFER_SIZE": 1500,
"CERTIFICATE_CHAIN": "./certificates/certchain.pem",
"PRIVATE_KEY": "./certificates/private.pem",
"SALT": "WH!{*ewP]x}0RHoP9k|nu_L(R9jm*/:i"
}- Start the TLS tunnel server
sudo python3 server/server.pyThis will create an interface in your machine called tun0 which Ip address is 10.0.0.1.
- Modify the config file using a new terminal
cd ~/5G-PQ-TLS-Tunnel/open5gs/open5gs/
nano install/etc/open5gs/nrf.yaml- Replace the ip for the tunnel IP. In this case each IP represents what we have below:
NRF TLS Tunnel IP: 10.0.0.1 SCP TLS Tunnel IP: 10.0.0.2 (In the CP VM)
nrf:
sbi:
- addr:
- - 127.0.0.10
+ - 10.0.0.1
- - ::1
+ #- ::1
port: 7777
#.......
scp:
sbi:
- - 127.0.1.10
+ - 10.0.0.2
port: 7777
- Start NRF
./install/bin/open5gs-nrfdExpected output
nrf@nrf:~/5G-PQ-TLS-Tunnel/open5gs/open5gs$ ./install/bin/open5gs-nrfd
Open5GS daemon v2.4.9-268-g739cb59+
04/29 16:52:16.303: [app] INFO: Configuration: '/home/nrf/5G-PQ-TLS-Tunnel/open5gs/open5gs/install/etc/open5gs/nrf.yaml' (../lib/app/ogs-init.c:126)
04/29 16:52:16.303: [app] INFO: File Logging: '/home/nrf/5G-PQ-TLS-Tunnel/open5gs/open5gs/install/var/log/open5gs/nrf.log' (../lib/app/ogs-init.c:129)
04/29 16:52:16.311: [sbi] INFO: nghttp2_server() [http://10.0.0.1]:7777 (../lib/sbi/nghttp2-server.c:238)
04/29 16:52:16.312: [app] INFO: NRF initialize...done (../src/nrf/app.c:31)
In this case the CP VM will have a TLS client and a TLS server. The client will communicate with the NRF while the server will be designated for the UERANSIM gNB.
- Unzip vpn_over_tls-master
unzip vpn_over_tls-master.zip
cd vpn_over_tls-master/vpn_over_tls-master/src- Modify the server config. In this case the Tunel Address has to be different. For this case, it will be 10.0.1.1
nano server/config.pyYou can modify the TUN_ADDRESS if you want and certificates.
config = {
- "TUN_ADDRESS": "10.0.0.1",
+ "TUN_ADDRESS": "10.0.1.1",
"TUN_NETMASK": "255.255.255.0",
- "LISTEN_ADDRESS": "0.0.0.0",
+ "LISTEN_ADDRESS": "192.168.122.105",
"LISTEN_PORT": 443,
"TUN_NAME": "tun0",
"TUN_MTU": 1500,
"BUFFER_SIZE": 1500,
"CERTIFICATE_CHAIN": "./certificates/certchain.pem",
"PRIVATE_KEY": "./certificates/private.pem",
"SALT": "WH!{*ewP]x}0RHoP9k|nu_L(R9jm*/:i"
}- Start the TLS tunnel server
sudo python3 server/server.pyThis will create an interface in your machine called tun0 which Ip address is 10.0.1.1
Expected output
cp@cp:~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src$ sudo python3 server/server.py
[sudo] password for cp:
net.ipv4.ip_forward = 1
- Open a New terminal
cd ~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src
- Modify the client config. Match the Ip addresses based on your case.
nano client/config.pyIn this case: 192.168.64.9 is the NRF IP address 192.168.64.8 is the CP Ip address Modify accordingly
config = {
- "SERVER_IP": "192.168.64.9",
+ "SERVER_IP": "192.168.122.205",
"SERVER_PORT": 443,
"USERNAME": "dmitriy",
"PASSWORD": "test",
"TUN_NAME": "tun1",
"SERVER_HOSTNAME": "strangebit.com",
"CA_CERTIFICATE": "./certificates/certchain.pem",
"BUFFER_SIZE": 1500,
- "DEFAULT_GW": "192.168.64.9",
- "DNS_SERVER": "192.168.64.8"
+ "DEFAULT_GW": "192.168.122.205",
+ "DNS_SERVER": "192.168.122.124"
}- Start the TLS tunnel client
sudo python3 client/client.pyExpected output
Sending authentication data...
Authentication succeeded...
Got configuration packet...
Starting to read from TLS socket...
Starting to read from tun device....
- Modify the config file using a new terminal
cd ~/5G-PQ-TLS-Tunnel/open5gs/open5gs/
nano install/etc/open5gs/scp.yamlscp:
sbi:
- - addr: 127.0.1.10
+ - addr: 10.0.0.2
port: 7777
#...........
nrf:
sbi:
- addr:
- - 127.0.0.10
- - ::1
+ - 10.0.0.1
+ #- ::1
port: 7777
- Run SCP
./install/bin/open5gs-scpdnano install/etc/open5gs/amf.yamlREPLACE 127.0.0.5 WITHT YOUR MACHINE IP ADDRESS
amf:
sbi:
- addr: 127.0.0.5
port: 7777
ngap:
- - addr: 127.0.0.5
+ - addr: 10.0.1.1
metrics:
- addr: 127.0.0.5
port: 9090
guami:
- plmn_id:
- mcc: 999
- mnc: 70
+ mcc: 001
+ mnc: 01
amf_id:
region: 2
set: 1
tai:
- plmn_id:
- mcc: 999
- mnc: 70
+ mcc: 001
+ mnc: 01
+ tac: 1
plmn_support:
- plmn_id:
- mcc: 999
- mnc: 70
+ mcc: 001
+ mnc: 01
s_nssai:
- sst: 1
security:
integrity_order : [ NIA2, NIA1, NIA0 ]
ciphering_order : [ NEA0, NEA1, NEA2 ]
network_name:
full: Open5GS
amf_name: open5gs-amf0
#.................
scp:
sbi:
- - addr: 127.0.1.10
+ - addr: 10.0.0.2
port: 7777
- Start AMF
./install/bin/open5gs-amfdnano install/etc/open5gs/smf.yamlREPLACE 127.0.0.4 WITHT YOUR MACHINE IP ADDRESS
smf:
sbi:
- addr: 127.0.0.4
port: 7777
pfcp:
- - addr: 127.0.0.4
- - addr: ::1
+ - addr: 192.168.122.190
+ #- addr: ::1
gtpc:
- addr: 127.0.0.4
- - addr: ::1
+ #- addr: ::1
gtpu:
- addr: 127.0.0.4
- - addr: ::1
+ #- addr: ::1
metrics:
- addr: 127.0.0.4
port: 9090
subnet:
- addr: 10.45.0.1/16
- addr: 2001:db8:cafe::1/48
dns:
- 8.8.8.8
- 8.8.4.4
- 2001:4860:4860::8888
- 2001:4860:4860::8844
mtu: 1400
ctf:
enabled: auto
freeDiameter: /home/cp/open5gs/install/etc/freeDiameter/smf.conf
upf:
pfcp:
- - addr: 127.0.0.7
+ - addr: 192.168.122.167
#.................
scp:
sbi:
- - addr: 127.0.1.10
+ - addr: 10.0.0.2
port: 7777
- Start SMF
./install/bin/open5gs-smfdnano install/etc/open5gs/upf.yamlREPLACE 127.0.0.7 WITHT YOUR MACHINE IP ADDRESS
upf:
pfcp:
- - addr: 127.0.0.7
+ - addr: 192.168.122.167
gtpu:
- - addr: 127.0.0.7
+ - addr: 192.168.122.167
subnet:
- addr: 10.45.0.1/16
- addr: 2001:db8:cafe::1/48
metrics:
- addr: 127.0.0.7
port: 9090- Start NF
cd ~/5G-PQ-TLS-Tunnel/open5gs
./install/bin/open5gs-upfd- Modify all the configs using the command below
cd ~/5G-PQ-TLS-Tunnel/open5gs/open5gs
find install/etc/open5gs -type f -exec sed -i 's/127\.0\.1\.10/10\.0\.0\.2/g' {} +
find install/etc/open5gs -type f -exec sed -i 's/127\.0\.0\.10/10\.0\.0\.1/g' {} +
find . -type f -exec sed -i 's/- ::1/#- ::1/g' {} +
- Start all the other network functions
./install/bin/open5gs-ausfd &
./install/bin/open5gs-udmd &
./install/bin/open5gs-pcfd
./install/bin/open5gs-nssfd
./install/bin/open5gs-bsfd
./install/bin/open5gs-udrd - Access the database
mongosh mongodb://192.168.120.2:27017- Change database
use open5gs - Insert subscriber. Make sure that matches the UE config
db.subscribers.insertOne({
imsi: '001010000000001',
msisdn: [],
imeisv: '4301816125816151',
mme_host: [],
mme_realm: [],
purge_flag: [],
security: {
k: '465B5CE8 B199B49F AA5F0A2E E238A6BC',
op: null,
opc: 'E8ED289D EBA952E4 283B54E8 8E6183CA',
amf: '8000',
sqn: NumberLong("513")
},
ambr: { downlink: { value: 1, unit: 3 }, uplink: { value: 1, unit: 3 } },
slice: [
{
sst: 1,
default_indicator: true,
session: [
{
name: 'internet',
type: 3,
qos: { index: 9, arp: { priority_level: 8, pre_emption_capability: 1, pre_emption_vulnerability: 1 } },
ambr: { downlink: { value: 1, unit: 3 }, uplink: { value: 1, unit: 3 } },
ue: { addr: '10.45.0.3' },
_id: ObjectId("6473fd45a07e473e0b5334ce"),
pcc_rule: []
}
],
_id: ObjectId("6473fd45a07e473e0b5334cd")
}
],
access_restriction_data: 32,
subscriber_status: 0,
network_access_mode: 0,
subscribed_rau_tau_timer: 12,
__v: 0
})OUTPUT
{
acknowledged: true,
insertedId: ObjectId('663b9854fdf51515222202d8')
}
In this case the gNB VM will have a TLS client and a TLS server. The client will communicate with the AMF while the server will be designated for the UERANSIM UE.
- Change directory to vpn_over_tls-master
cd ~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src/- Modify the server config. In this case the Tunel Address has to be different. For this case, it will be 10.0.2.1
nano server/config.pyYou can modify the TUN_ADDRESS if you want and certificates.
config = {
- "TUN_ADDRESS": "192.168.120.177",
+ "TUN_ADDRESS": "10.0.2.1",
"TUN_NETMASK": "255.255.255.0",
- "LISTEN_ADDRESS": "0.0.0.0",
+ "LISTEN_ADDRESS": "192.168.122.10",
"LISTEN_PORT": 443,
"TUN_NAME": "tun0",
"TUN_MTU": 1500,
"BUFFER_SIZE": 1500,
"CERTIFICATE_CHAIN": "./certificates/certchain.pem",
"PRIVATE_KEY": "./certificates/private.pem",
"SALT": "WH!{*ewP]x}0RHoP9k|nu_L(R9jm*/:i"
}- Start the TLS tunnel server
python3 server/server.py &This will create an interface in your machine called tun0 which Ip address is 10.0.2.1
Expected output
root@e3eaeed2d469:~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src# python3 server/server.py &
[1] 34
root@e3eaeed2d469:~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src# net.ipv4.ip_forward = 1
- Modify the client config. Match the Ip addresses based on your case.
nano client/config.pyIn this case: 192.168.64.9 is the AMF IP address 192.168.64.8 is the gNB Ip address Modify accordingly
config = {
- "SERVER_IP": "192.168.64.9",
+ "SERVER_IP": "192.168.122.8",
"SERVER_PORT": 443,
"USERNAME": "dmitriy",
"PASSWORD": "test",
"TUN_NAME": "tun1",
"SERVER_HOSTNAME": "strangebit.com",
"CA_CERTIFICATE": "./certificates/certchain.pem",
"BUFFER_SIZE": 1500,
- "DEFAULT_GW": "192.168.64.9",
- "DNS_SERVER": "192.168.64.8"
+ "DEFAULT_GW": "192.168.122.8",
+ "DNS_SERVER": "192.168.122.9"
}- Start the TLS tunnel client
python3 client/client.py &Expected output
root@e3eaeed2d469:~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src# python3 client/client.py &
[2] 40
root@e3eaeed2d469:~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src# Sending authentication data...
Authentication succeeded...
Got configuration packet...
Starting to read from TLS socket...
Starting to read from tun device....
- Modify the config file
- Unzip UERANSIM
cd ~/5G-PQ-TLS-Tunnel
unzip UERANSIM.zip
cd UERANSIMcd ~/5G-PQ-TLS-Tunnel/UERANSIM/config
cp open5gs-gnb.yaml open5gs-gnb1.yaml
nano open5gs-gnb1.yaml-mcc: '999' # Mobile Country Code value
+mcc: '001' # Mobile Country Code value
-mnc: '70' # Mobile Network Code value (2 or 3 digits)
+mnc: '01' # Mobile Network Code value (2 or 3 digits)
nci: '0x000000010' # NR Cell Identity (36-bit)
idLength: 32 # NR gNB ID length in bits [22...32]
tac: 1 # Tracking Area Code
-linkIp: 127.0.0.1 # gNB's local IP address for Radio Link Simulation (Usually same with local IP)
-ngapIp: 127.0.0.1 # gNB's local IP address for N2 Interface (Usually same with local IP)
-gtpIp: 127.0.0.1 # gNB's local IP address for N3 Interface (Usually same with local IP)
+linkIp: 10.0.2.1 # gNB's local IP address for Radio Link Simulation (Usually same with local IP)
+ngapIp: 10.0.1.2 # gNB's local IP address for N2 Interface (Usually same with local IP)
+gtpIp: 192.168.122.9 # gNB's local IP address for N3 Interface (Usually same with local IP)
# List of AMF address information
amfConfigs:
- - address: 127.0.0.5
+ - address: 10.0.1.1
port: 38412
# List of supported S-NSSAIs by this gNB
slices:
- sst: 1
# Indicates whether or not SCTP stream number errors should be ignored.
ignoreStreamIds: true```
## Start using the gNB - UERANSIM
After completing configurations and setups, now you can start using UERANSIM.Run the following command to start the gNB:
cd ..
./build/nr-gnb -c config/open5gs-gnb1.yaml &In this case the UE VM will have a TLS client only. The client will communicate with the UERANSIM gNB.
- Change directory to vpn_over_tls-master
cd ~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src/- Modify the client config. Match the Ip addresses based on your case.
nano client/config.pyIn this case: 192.168.64.9 is the gNB IP address 192.168.64.8 is the UE Ip address Modify accordingly
config = {
- "SERVER_IP": "192.168.64.9",
+ "SERVER_IP": "192.168.120.8",
"SERVER_PORT": 443,
"USERNAME": "dmitriy",
"PASSWORD": "test",
"TUN_NAME": "tun1",
"SERVER_HOSTNAME": "strangebit.com",
"CA_CERTIFICATE": "./certificates/certchain.pem",
"BUFFER_SIZE": 1500,
- "DEFAULT_GW": "192.168.64.9",
- "DNS_SERVER": "192.168.64.8"
+ "DEFAULT_GW": "192.168.120.8",
+ "DNS_SERVER": "192.168.120.9"
}- Start the TLS tunnel client
python3 client/client.py &Expected output
root@e3eaeed2d469:~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src# python3 client/client.py &
[2] 40
root@e3eaeed2d469:~/5G-PQ-TLS-Tunnel/vpn_over_tls-master/vpn_over_tls-master/src# Sending authentication data...
Authentication succeeded...
Got configuration packet...
Starting to read from TLS socket...
Starting to read from tun device....
- Unzip UERANSIM
cd ~/5G-PQ-TLS-Tunnel
unzip UERANSIM.zip
cd UERANSIM- Modify the config file
cd ~/5G-PQ-TLS-Tunnel/UERANSIM/config
cp open5gs-ue.yaml open5gs-ue1.yaml
nano open5gs-ue1.yaml# IMSI number of the UE. IMSI = [MCC|MNC|MSISDN] (In total 15 digits)
-supi: 'imsi-999700000000001'
+supi: 'imsi-001010000000001'
# Mobile Country Code value of HPLMN
-mcc: '999'
+mcc: '001'
# Mobile Network Code value of HPLMN (2 or 3 digits)
-mnc: '70'
+mnc: '01'
# Permanent subscription key
key: '465B5CE8B199B49FAA5F0A2EE238A6BC'
# Operator code (OP or OPC) of the UE
op: 'E8ED289DEBA952E4283B54E88E6183CA'
# This value specifies the OP type and it can be either 'OP' or 'OPC'
opType: 'OPC'
# Authentication Management Field (AMF) value
amf: '8000'
# IMEI number of the device. It is used if no SUPI is provided
imei: '356938035643803'
# IMEISV number of the device. It is used if no SUPI and IMEI is provided
imeiSv: '4370816125816151'
# List of gNB IP addresses for Radio Link Simulation
gnbSearchList:
- - 127.0.0.1
+ - 10.0.2.1
# UAC Access Identities Configuration
uacAic:
mps: false
mcs: false
# UAC Access Control Class
uacAcc:
normalClass: 0
class11: false
class12: false
class13: false
class14: false
class15: false
# Initial PDU sessions to be established
sessions:
- type: 'IPv4'
apn: 'internet'
slice:
sst: 1
# Configured NSSAI for this UE by HPLMN
configured-nssai:
- sst: 1
# Default Configured NSSAI for this UE
default-nssai:
- sst: 1
sd: 1
# Supported integrity algorithms by this UE
integrity:
IA1: true
IA2: true
IA3: true
# Supported encryption algorithms by this UE
ciphering:
EA1: true
EA2: true
EA3: true
# Integrity protection maximum data rate for user plane
integrityMaxRate:
uplink: 'full'
downlink: 'full'
After completing configurations and setups, now you can start using UERANSIM.
Run the following command to start the UE:
cd ..
./build/nr-ue -c config/open5gs-ue1.yaml