A high-performance, secure caching infrastructure for APT packages in Debian-based environments
Developed as part of my thesis project at the University of Bologna (2023/2024), this system optimizes package management in corporate environments through intelligent caching and secure VPN connectivity.
- Overview
- Key Features
- Architecture
- Technologies
- Getting Started
- Configuration
- Results
- Contributing
- License
- Author
In modern corporate environments, managing software packages across multiple machines can be challenging. Repeatedly downloading the same packages from remote repositories leads to:
- Excessive bandwidth consumption
- Slow download speeds
- Increased operational costs
- Network congestion
This project addresses these challenges by implementing a centralized caching proxy that stores downloaded packages locally and serves them to multiple clients through a secure VPN tunnel.
- Smart Caching: First download caches the package; subsequent requests served instantly
- Bandwidth Optimization: Reduces redundant downloads by up to 80%
- Speed Improvement: Significantly faster package installation across the network
- WireGuard VPN: Modern, lightweight VPN with state-of-the-art cryptography
- Encrypted Communications: All traffic between clients and server is protected
- Network Isolation: Secure tunnel prevents unauthorized access
- Automated Deployment: Complete setup via Vagrant provisioning scripts
- Reproducible Environments: Consistent configuration across all instances
- Scalable Architecture: Easy to add new clients to the network
```
┌─────────────────────────────────────────────────────────┐
│                    Corporate Network                    │
│                                                         │
│   ┌──────────────┐            ┌──────────────┐          │
│   │   Client 1   │            │   Client 2   │          │
│   │   (Ubuntu)   │            │   (Ubuntu)   │          │
│   └──────┬───────┘            └──────┬───────┘          │
│          │                           │                  │
│          │       WireGuard VPN       │                  │
│          └─────────────┬─────────────┘                  │
│                        │                                │
│               ┌────────▼─────────┐                      │
│               │   Cache Server   │                      │
│               │  apt-cacher-ng   │                      │
│               │   + WireGuard    │                      │
│               └────────┬─────────┘                      │
│                        │                                │
└────────────────────────┼────────────────────────────────┘
                         │
                         ▼
            Internet / APT Repositories
```
| Component | Technology | Purpose |
|---|---|---|
| Virtualization | Vagrant + VirtualBox | Automated VM management |
| Cache Server | apt-cacher-ng | Package caching proxy |
| VPN | WireGuard | Secure client-server communication |
| OS | Ubuntu 18.04 (Bionic) | Base system for all machines |
- Vagrant - Infrastructure automation and VM management
- apt-cacher-ng - Specialized APT package caching proxy
- WireGuard - Fast, modern VPN implementation
- VirtualBox - Virtualization provider
Vagrant over Docker/Multipass:
- Complete OS-level isolation
- Better network control for VPN configuration
- Easier filesystem management for caching
- Reproducible environments with simple configuration
apt-cacher-ng over Squid/Approx:
- Optimized specifically for APT packages
- Native support for package signatures and dependencies
- Automatic cache management
- Simpler configuration for Debian-based systems
WireGuard over OpenVPN/IPsec:
- Superior performance (lower latency, faster speeds)
- Modern cryptography
- Minimal configuration complexity
- Smaller codebase = reduced attack surface
Ensure you have the following installed:
- Vagrant (2.0+)
- VirtualBox (6.0+)
- Unix-based host system (Linux/macOS)
1. Clone the repository

   ```bash
   git clone https://github.com/yourusername/linux-package-caching.git
   cd linux-package-caching
   ```

2. Configure the environment

   Edit the `Vagrantfile` if you need to customize:
   - Number of clients
   - Network configuration
   - Resource allocation (RAM, CPU)

3. Deploy the infrastructure

   ```bash
   vagrant up
   ```

   This command will:
   - Create and configure the cache server
   - Set up WireGuard VPN
   - Deploy client VMs
   - Run all provisioning scripts automatically

4. Verify the setup

   ```bash
   vagrant status
   ```

The server is automatically configured via setup_apt_cacher.sh:
- apt-cacher-ng: Listens on VPN interface (10.0.0.1:3142)
- WireGuard: Creates secure tunnel on UDP port 51820
- Firewall: Configured with iptables for proper routing
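
The cache is only isolated if port 3142 is bound to the tunnel address and nothing else. The following check is an added example, not part of the project's provisioning scripts; the function names and the sample `ss -ltn` output are constructed for illustration, and the address and port are the ones listed above.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): confirm the cache port is bound
# to the VPN address only, so it is reachable solely through the tunnel.

acng_listener_findings() {
  # stdin = output of `ss -ltn`; $1 = expected bind address; $2 = cache port.
  # Prints "EXPOSED <addr>" for any other listener on that port and
  # "MISSING <addr>" when the expected listener is absent.
  awk -v want="${1:-10.0.0.1}" -v port="${2:-3142}" '
    $1 == "LISTEN" {
      n = split($4, part, ":")
      if (part[n] != port) next
      addr = substr($4, 1, length($4) - length(part[n]) - 1)
      if (addr == want) found = 1; else print "EXPOSED", addr
    }
    END { if (!found) print "MISSING", want }'
}

# Constructed samples of `ss -ltn` output (not captured from a real host).
SS_VPN_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      250    10.0.0.1:3142      0.0.0.0:*'

SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      250    0.0.0.0:3142       0.0.0.0:*
LISTEN 0      250    [::]:3142          [::]:*'

check_listeners() {
  findings="$(printf '%s\n' "$1" | acng_listener_findings 10.0.0.1 3142)"
  if [ -n "$findings" ]; then
    echo "FAIL:"
    printf '  %s\n' $(printf '%s' "$findings" | tr ' ' '=')
    return 1
  fi
  echo "OK: port 3142 is bound to 10.0.0.1 only"
}

check_listeners "$SS_VPN_ONLY"
check_listeners "$SS_WILDCARD" || true
```

On the cache server itself, pipe live output into the function: `ss -ltn | acng_listener_findings 10.0.0.1 3142`.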
Clients are provisioned using setup_client.sh:

```
# APT proxy configuration is automatically set to:
Acquire::http::Proxy "http://10.0.0.1:3142";
```

To connect external Debian-based machines:

1. Copy the client setup script

   ```bash
   scp setup_client.sh user@external-machine:~/
   ```

2. Update the server endpoint in the script:

   ```bash
   SERVER_ENDPOINT="<server-ip>:51820"
   ```

3. Run the setup

   ```bash
   chmod +x setup_client.sh
   ./setup_client.sh
   ```

4. Add peer to server (`/etc/wireguard/wg0.conf`):

   ```
   [Peer]
   PublicKey = <client-public-key>
   AllowedIPs = 10.0.0.X/32
   ```

5. Restart WireGuard on server:

   ```bash
   sudo wg-quick down wg0
   sudo wg-quick up wg0
   ```

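
On the server, a peer's `AllowedIPs` is also the list of source addresses WireGuard accepts from that peer, so an entry wider than one `/32`, or a `/32` given to two peers, weakens the per-client isolation. The audit below is an added example, not part of the project's scripts; the function name, the `10.0.0.` prefix argument, the `/24` interface address and the placeholder keys in the sample config are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): audit [Peer] entries in a WireGuard
# server config. Each client should own exactly one /32 inside the VPN subnet.

audit_wg_peers() {
  # $1 = config path; $2 = VPN address prefix (assumed "10.0.0." from 10.0.0.X/32)
  awk -v prefix="${2:-10.0.0.}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*\[Peer\]/ { in_peer = 1; key = "(no-key)"; next }
    /^[ \t]*\[/       { in_peer = 0; next }
    in_peer && /^[ \t]*PublicKey[ \t]*=/ { sub(/^[^=]*=/, ""); key = trim($0); next }
    in_peer && /^[ \t]*AllowedIPs[ \t]*=/ {
      sub(/^[^=]*=/, "")
      n = split($0, ips, ",")
      for (i = 1; i <= n; i++) {
        ip = trim(ips[i])
        if (ip !~ "/32$" || index(ip, prefix) != 1) print "WIDE", key, ip
        else if (seen[ip]++)                        print "DUPLICATE", key, ip
      }
    }' "$1"
}

# Constructed sample config; keys are placeholders, not real key material.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = CLIENT1_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = CLIENT2_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.0/24

[Peer]
PublicKey = CLIENT3_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.2/32
EOF

audit_wg_peers "$SAMPLE_CONF"
```

Run it against `/etc/wireguard/wg0.conf` before restarting the interface; no output means every peer has a unique single-host address.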
The implementation demonstrated significant improvements:
- Bandwidth Reduction: ~80% decrease in external bandwidth usage
- Speed Improvement: 3-5x faster package installation for cached packages
- Network Efficiency: Reduced load on upstream repositories
- All client-server communications encrypted via WireGuard
- Zero-trust network architecture
- Protected against man-in-the-middle attacks
- Fully automated deployment and configuration
- Reproducible infrastructure as code
- Easy scalability for additional clients
1. SSH into a client

   ```bash
   vagrant ssh client-1
   ```

2. Update package lists

   ```bash
   sudo apt update
   ```

3. Install a package

   ```bash
   sudo apt install -y htop
   ```

4. Verify caching (install same package on client-2 - should be much faster)

   ```bash
   vagrant ssh client-2
   sudo apt install -y htop
   ```

Access the apt-cacher-ng web interface:
http://10.0.0.1:3142/acng-report.html
Contributions are welcome! Here's how you can help:
- Fork the repository
- Create a feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
- Support for additional Linux distributions (Fedora, CentOS)
- Docker-based implementation
- Monitoring and metrics dashboard
- Automated testing suite
- Cloud deployment guides (AWS, Azure, GCP)
This project is licensed under the MIT License - see the LICENSE file for details.
Samite Mounir
Bachelor's Thesis in Computer Science and Engineering
Alma Mater Studiorum - Università di Bologna
Academic Year 2023/2024
Advisor: Prof. Vittorio Ghini
Special thanks to:
- Prof. Vittorio Ghini for supervision and guidance
- The University of Bologna, School of Engineering
- The open-source community behind Vagrant, WireGuard, and apt-cacher-ng
- Official Thesis Publication
- apt-cacher-ng Documentation
- WireGuard Documentation
- Vagrant Documentation
If you find this project useful, please consider giving it a star!
Made with ❤️ for the DevOps and Linux