diff --git a/libs/nacl/Makefile b/libs/nacl/Makefile
new file mode 100644
index 000000000..bdc6fd36c
--- /dev/null
+++ b/libs/nacl/Makefile
@@ -0,0 +1,40 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nacl
+PKG_VERSION:=20100830
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://hyperelliptic.org/nacl
+PKG_MD5SUM:=3f3cfd76d223068856fd987e3e6732a5
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/nacl
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=NaCl Networking and Cryptography library
+ URL:=http://nacl.cace-project.eu/
+endef
+
+define Build/Compile
+ cp do-openwrt $(PKG_BUILD_DIR)
+ ( \
+ cd $(PKG_BUILD_DIR); \
+ chmod +x do-openwrt; \
+ CC="$(TARGET_CC)" \
+ CFLAGS="$(TARGET_CFLAGS) $(TARGET_CPPFLAGS)" \
+ AR="$(TARGET_CROSS)ar" \
+ RANLIB="$(TARGET_CROSS)ranlib" \
+ ./do-openwrt \
+ )
+endef
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include/nacl
+ $(CP) $(PKG_BUILD_DIR)/build/include/*.h $(1)/usr/include/nacl/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_BUILD_DIR)/build/lib/libnacl.a $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,nacl))
diff --git a/libs/nacl/do-openwrt b/libs/nacl/do-openwrt
new file mode 100755
index 000000000..65d93760c
--- /dev/null
+++ b/libs/nacl/do-openwrt
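Review bot: The source tarball for a cryptography library is fetched over plain `http://` and checked only against `PKG_MD5SUM`, so the MD5 value is the sole integrity control on the download, and MD5 is not collision-resistant. If the build system in this tree accepts a stronger digest (later OpenWrt trees have `PKG_HASH` for a SHA-256 value), record that instead, and point `PKG_SOURCE_URL` at an `https://` location if upstream offers one. The same applies to `PKG_SOURCE_URL` and `PKG_MD5SUM` in net/quicktun/Makefile.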
@@ -0,0 +1,206 @@ +#!/bin/sh +set -e + +# nacl/do +# D. J. Bernstein +# Public domain. + +version=`cat version` +project=nacl + +top="`pwd`/build" +bin="$top/bin" +lib="$top/lib" +include="$top/include" +work="$top/work" + + +# and work around bug in GNU sort +LANG=C +export LANG + +rm -rf "$top" +mkdir -p "$top" +mkdir -p "$bin" +mkdir -p "$lib" +mkdir -p "$include" + +exec >"$top/log" +exec 2>&1 +exec 5>"$top/data" +exec " + echo "" + echo "typedef ${target}_t crypto_${target};" + echo "" + echo "#endif" + ) > "$include/crypto_$target.h" +done + +echo "=== `date` === building randombytes" +rm -rf "$work" +mkdir -p "$work" +cp -pr randombytes/* "$work" +( + cd "$work" + + cp devurandom.c randombytes-impl.c + cp devurandom.h randombytes-impl.h + $CC $CFLAGS -c randombytes-impl.c + mkdir -p lib + mv randombytes-impl.o lib/randombytes.o + mkdir -p include + mv randombytes-impl.h include/randombytes.h +) +cp -pr "$work"/lib/* "$lib" +cp -pr "$work"/include/* "$include" + +rm -rf "$work" +mkdir -p "$work" +echo 'void crypto_'"$project"'_base(void) { ; }' > "$work/${project}_base.c" +( cd "$work" && $CC $CFLAGS -c ${project}_base.c ) +$AR cr "$lib/lib${project}.a" "$work/${project}_base.o" +( $RANLIB "$lib/lib${project}.a" || exit 0 ) + +# loop over operations +cat OPERATIONS \ +| while read o +do + [ -d "$o" ] || continue + + # for each operation, loop over primitives + ls "$o" \ + | sort \ + | while read p + do + [ -d "$o/$p" ] || continue + op="${o}_${p}" + + startdate=`date +%Y%m%d` + + echo "=== `date` === $o/$p" + + rm -rf "$work" + mkdir -p "$work" + + if [ -d "$o/$p/ref" ]; then + implementationdir="$o/$p/ref" + else + implementationdir="$o/$p/portable" + fi + + opi=`echo "$implementationdir" | tr ./- ___` + + echo "=== `date` === $implementationdir" + + cfiles=`ls "$implementationdir" | grep '\.c$' || :` + sfiles=`ls "$implementationdir" | grep '\.[sS]$' || :` + + cp -p "$o"/*.c "$work" + + cp -pr "$implementationdir"/* "$work" + + cp -p MACROS "$work/MACROS" + 
cp -p PROTOTYPES.c "$work/PROTOTYPES.c" + + ( + cd "$work" + ( + echo "#ifndef ${o}_H" + echo "#define ${o}_H" + echo "" + echo "#include \"${op}.h\"" + echo "" + egrep "${o}"'$|'"${o}"'\(|'"${o}"'_' < MACROS \ + | sed "s/$o/$op/" | while read mop + do + echo "#define ${mop} ${mop}" | sed "s/$op/$o/" + done + echo "#define ${o}_PRIMITIVE \"${p}\"" + echo "#define ${o}_IMPLEMENTATION ${op}_IMPLEMENTATION" + echo "#define ${o}_VERSION ${op}_VERSION" + echo "" + echo "#endif" + ) > "$o.h" + ( + echo "#ifndef ${op}_H" + echo "#define ${op}_H" + echo "" + sed 's/[ ]CRYPTO_/ '"${opi}"'_/g' < api.h + echo '#ifdef __cplusplus' + #echo '#include ' + #egrep "${o}"'$|'"${o}"'\(|'"${o}"'_' < PROTOTYPES.cpp \ + # | sed "s/$o/$opi/" + echo 'extern "C" {' + echo '#endif' + egrep "${o}"'$|'"${o}"'\(|'"${o}"'_' < PROTOTYPES.c \ + | sed "s/$o/$opi/" + echo '#ifdef __cplusplus' + echo '}' + echo '#endif' + echo "" + egrep "${o}"'$|'"${o}"'\(|'"${o}"'_' < MACROS \ + | sed "s/$o/$opi/" | while read mopi + do + echo "#define ${mopi} ${mopi}" | sed "s/$opi/$op/" + done + echo "#define ${op}_IMPLEMENTATION \"${implementationdir}\"" + echo "#ifndef ${opi}_VERSION" + echo "#define ${opi}_VERSION \"-\"" + echo "#endif" + echo "#define ${op}_VERSION ${opi}_VERSION" + echo "" + echo "#endif" + ) > "$op.h" + + echo "=== `date` === $implementationdir $CC $CFLAGS" + for f in $cfiles $sfiles + do + ok=1 + $CC $CFLAGS \ + -I. -I"$include" \ + -c "$f" >errors 2>&1 || ok=0 + ( if [ `wc -l < errors` -lt 25 ] + then + cat errors + else + head errors + echo ... 
+ tail errors + fi + ) \ + | while read err + do + echo "$version $startdate $o $p fromcompiler $implementationdir $f $err" >&5 + done + + [ "$ok" = 1 ] + done + + for f in *.o + do + mv "$f" "${opi}-$f" + done + ) + + echo "=== `date` === $implementationdir $CC $CFLAGS finishing" + + $AR cr "$lib/lib${project}.a" "$work"/*.o \ + && ( $RANLIB "$lib/lib${project}.a" || exit 0 ) \ + && cp -p "$work/$op.h" "$include/$op.h" \ + && [ -f "$o/$p/selected" ] \ + && cp -p "$work/$o.h" "$include/$o.h" \ + || : + done +done + +echo "=== `date` === finishing" diff --git a/net/quicktun/Makefile b/net/quicktun/Makefile new file mode 100644 index 000000000..9fb877455 --- /dev/null +++ b/net/quicktun/Makefile 
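Review bot: The closing `$AR cr … && … || :` chain at the end of the inner loop discards every failure, not only the expected "no `selected` file" case, so a failed `ar` or header copy leaves `libnacl.a` or `$include` incomplete while the script still exits 0 despite `set -e`. Run the archive and header copy as plain statements and keep only the `selected` test conditional. Part of this hunk (between `exec 5>"$top/data"` and the `crypto_$target.h` generator) is missing from the page, so this covers only the visible tail.

```shell
    echo "=== `date` === $implementationdir $CC $CFLAGS finishing"

    # plain statements: set -e now stops the build when the archive or a copy fails
    $AR cr "$lib/lib${project}.a" "$work"/*.o
    ( $RANLIB "$lib/lib${project}.a" || exit 0 )
    cp -p "$work/$op.h" "$include/$op.h"
    if [ -f "$o/$p/selected" ]; then
      cp -p "$work/$o.h" "$include/$o.h"
    fi
```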
@@ -0,0 +1,62 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=quicktun
+PKG_VERSION:=2.1.3
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz
+PKG_SOURCE_URL:=http://oss.ucis.nl/quicktun/src
+PKG_MD5SUM:=f8449162c08954e1bbb2f3353ce43a5a
+
+PKG_BUILD_DEPENDS:=nacl
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/quicktun
+ SECTION:=net
+ CATEGORY:=Network
+ TITLE:=QuickTun is a simple and secure VPN software
+ URL:=http://wiki.ucis.nl/QuickTun
+ SUBMENU:=VPN
+endef
+
+define Package/quicktun/description
+ QuickTun is a simple and secure VPN software
+endef
+
+define Package/quicktun/conffiles
+/etc/config/quicktun
+endef
+
+define Build/Compile
+ ( \
+ cd $(PKG_BUILD_DIR); \
+ mkdir -p obj out; \
+ \
+ export CPATH=$(STAGING_DIR)/usr/include/nacl; \
+ \
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) -c -DCOMBINED_BINARY src/proto.raw.c -o obj/proto.raw.o; \
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) -c -DCOMBINED_BINARY src/crypto_scalarmult_curve25519.c -o obj/crypto_scalarmult_curve25519.o; \
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) -c -DCOMBINED_BINARY src/proto.nacl0.c -o obj/proto.nacl0.o; \
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) -c -DCOMBINED_BINARY src/proto.nacltai.c -o obj/proto.nacltai.o; \
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) -c -DCOMBINED_BINARY src/run.combined.c -o obj/run.combined.o; \
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) -c src/common.c -o obj/common.o; \
+ $(TARGET_CC) $(TARGET_LDFLAGS) -o out/quicktun.combined obj/common.o obj/run.combined.o obj/proto.raw.o obj/proto.nacl0.o obj/proto.nacltai.o \
+ obj/crypto_scalarmult_curve25519.o -lnacl; \
+ \
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS) -o out/quicktun.keypair src/keypair.c -lnacl \
+ )
+endef
+
+define Package/quicktun/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/out/quicktun.{combined,keypair} $(1)/usr/sbin/
+ $(LN) quicktun.combined $(1)/usr/sbin/quicktun
+
+ $(INSTALL_DIR) $(1)/etc/init.d/
+ $(INSTALL_BIN) files/$(PKG_NAME).init $(1)/etc/init.d/$(PKG_NAME)
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_CONF) files/$(PKG_NAME).config $(1)/etc/config/$(PKG_NAME)
+endef
+
+$(eval $(call BuildPackage,quicktun))
diff --git a/net/quicktun/files/quicktun.config b/net/quicktun/files/quicktun.config
new file mode 100644
index 000000000..33923207d
--- /dev/null
+++ b/net/quicktun/files/quicktun.config
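Review bot: `Package/quicktun` declares no `DEPENDS`, although the shipped config and init script expect a tun/tap interface to appear. If the TUN driver is a separate package in this tree (OpenWrt packages it as `kmod-tun`), add `DEPENDS:=+kmod-tun` to the package definition. Because nacl appears only in `PKG_BUILD_DEPENDS` and is linked statically through `-lnacl`, a fix in nacl reaches devices only after quicktun is rebuilt; a comment next to `PKG_BUILD_DEPENDS:=nacl` should say so.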
@@ -0,0 +1,55 @@
+package quicktun
+
+config quicktun sample_config
+
+ # Set to 1 to enable this instance:
+ option enable 0
+
+ # IP address or hostname of the local end, optional
+# option local_address 0.0.0.0
+
+ # Local UDP port
+ option local_port 2998
+
+ # IP address or hostname of the remote end
+ # Use 0.0.0.0 for a floating/dynamic endpoint
+ option remote_address 0.0.0.0
+
+ # Remote UDP port
+ option remote_port 2998
+
+ # Allows the remote address and port to change when properly
+ # encrypted packets are received even when a remote address
+ # is set
+ option remote_float 0
+
+ # "proto raw" uses no encryption
+ # "proto nacl0" uses NaCl encryption without nonce
+ # "proto nacltai" uses NaCl encryption with nonce
+ option protocol raw
+
+ # "tun_mode 0" will create an ethernet tunnel (tap device),
+ # "tun_mode 1" will create an IP tunnel (tun device).
+ option tun_mode 0
+
+ # Set the name of the tunnel interface to use
+ option interface "tap0"
+# option interface "tun0"
+# option interface "qt0"
+
+ # The local private key and the remote public key
+ # A keypair can be generated with quicktun.keygen
+ # (nacl0 and nacltai protocols only)
+ #option private_key 0000000000000000000000000000000000000000000000000000000000000000
+ #option public_key 0000000000000000000000000000000000000000000000000000000000000000
+
+ # allowed time window for first received packet in seconds,
+ # positive number allows packets from history
+ # (nacltai protocol only)
+ #option time_window 0
+
+ # command to configure IP addresses etc. after the tunnel is up; $1 will be the interface name (optional)
+# option up ""
+
+ # command to execute before the tunnel is set down; $1 will be the interface name (optional)
+# option down ""
diff --git a/net/quicktun/files/quicktun.init b/net/quicktun/files/quicktun.init
new file mode 100644
index 000000000..ae7bdd662
--- /dev/null
+++ b/net/quicktun/files/quicktun.init
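Review bot: The sample instance ships `option protocol raw` together with `option remote_address 0.0.0.0`, so an operator who only flips `enable` to 1 gets a tunnel with no encryption and a floating peer. Default the sample to `option protocol nacltai`, so that keys have to be supplied deliberately, and mark `raw` in its comment as test-only. The key comment also names `quicktun.keygen`, while net/quicktun/Makefile installs the tool as `quicktun.keypair`; it should read `# A keypair can be generated with quicktun.keypair`.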
@@ -0,0 +1,138 @@
+#!/bin/sh /etc/rc.common
+# Quicktun init script
+# Partly taken the the OpenVPN init script (Copyright (C) 2008 Jo-Philipp Wich)
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+START=95
+BIN=/usr/sbin/quicktun
+SSD=start-stop-daemon
+EXTRA_COMMANDS="up down"
+
+LIST_SEP="
+"
+
+append_opt() {
+ local p="$1"; local v="$2"; local p_uc
+
+ p_uc=$(echo "$p" | tr '[a-z]' '[A-Z]')
+ OPTS="$OPTS \"$p_uc=$v\""
+}
+
+append_opts() {
+ local p; local v; local s="$1"; shift
+ for p in $*; do
+ config_get v "$s" "$p"
+ [ -n "$v" ] && append_opt "$p" "$v"
+ done
+}
+
+start_service() {
+ local s="$1"
+ local enable=0
+
+ # disabled?
+ config_get_bool enable "$s" enable 0
+ [ "$enable" == 0 ] && return 0
+
+ PID="/var/run/quicktun-$s.pid"
+ OPTS=""
+
+ config_get interface "$s" interface
+ if [ -z "$interface" ]; then
+ echo "$s: interface not set"
+ return 1
+ fi
+
+ if ifconfig "$interface" >/dev/null 2>&1; then
+ echo "$s: interface $interface is already in use"
+ return 1
+ fi
+
+ append_opts "$s" interface local_address local_port remote_address remote_port \
+ protocol private_key public_key time_window
+
+ config_get_bool tun_mode "$s" tun_mode 0
+ [ "$tun_mode" == 1 ] && append_opt tun_mode 1
+
+ config_get_bool remote_float "$s" remote_float 0
+ [ "$remote_float" == 1 ] && append_opt remote_float 1
+
+ eval env $OPTS "$SSD" -q -b -p "$PID" -m -x "$BIN" -S
+
+ sleep 1
+
+ if ! ifconfig "$interface" >/dev/null 2>&1; then
+ echo "$s: daemon startup failed"
+ return 1
+ fi
+
+ config_get up "$s" up
+ [ -n "$up" ] && sh -c "$up" - "$interface"
+}
+
+stop_service() {
+ local s="$1"
+ local enable=0
+
+ # disabled?
+ config_get_bool enable "$s" enable 0
+ [ "$enable" == 0 ] && return 0
+
+ config_get interface "$s" interface
+ if [ -z "$interface" ]; then
+ echo "$s: interface not set"
+ return 1
+ fi
+
+ if ! ifconfig "$interface" >/dev/null 2>&1; then
+ echo "$s: interface $interface does not exist"
+ return 1
+ fi
+
+ config_get down "$s" down
+ [ -n "$down" ] && sh -c "$down" - "$interface"
+
+ PID="/var/run/quicktun-$s.pid"
+
+ $SSD -q -p $PID -x $BIN -K
+ rm -f "$PID"
+}
+
+start() {
+ config_load quicktun
+ config_foreach start_service quicktun
+}
+
+stop() {
+ config_load quicktun
+ config_foreach stop_service quicktun
+}
+
+restart() {
+ stop; start
+}
+
+up() {
+ local exists
+ local INSTANCE
+ config_load quicktun
+ for INSTANCE in "$@"; do
+ config_get exists "$INSTANCE" TYPE
+ if [ "$exists" == "quicktun" ]; then
+ start_service "$INSTANCE"
+ fi
+ done
+}
+
+down() {
+ local exists
+ local INSTANCE
+ config_load quicktun
+ for INSTANCE in "$@"; do
+ config_get exists "$INSTANCE" TYPE
+ if [ "$exists" == "quicktun" ]; then
+ stop_service "$INSTANCE"
+ fi
+ done
+}
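Review bot: `append_opt` pastes each UCI value between escaped double quotes into `OPTS`, and `start_service` then runs `eval env $OPTS …`, so a value containing a double quote, a backtick or `$(` is re-parsed as shell syntax by an init script that runs as root. Config values may originate from a web UI or a provisioning system, so they should never reach `eval`. Export each setting directly and start the daemon from a subshell, which also keeps one instance's `PRIVATE_KEY` out of the next instance's environment. In `stop_service`, the unquoted variables should be quoted as well: `"$SSD" -q -p "$PID" -x "$BIN" -K`.

```shell
append_opt() {
	local p="$1"; local v="$2"; local p_uc

	p_uc=$(echo "$p" | tr '[a-z]' '[A-Z]')
	# export directly: the value is passed as data and never re-parsed by the shell
	export "$p_uc=$v"
}

# … unchanged: append_opts, start_service up to the interface checks …

	# subshell: exported settings of one instance do not leak into the next
	(
		append_opts "$s" interface local_address local_port remote_address remote_port \
			protocol private_key public_key time_window
		# … unchanged: tun_mode / remote_float handling …
		exec "$SSD" -q -b -p "$PID" -m -x "$BIN" -S
	)
```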