OpenVPN Advanced Routing Technology

Source: Internet
Author: User

The difference between an OpenVPN internal route and a system route is this: the system route strictly follows the longest-prefix-match principle, and once a route is found the packet is sent out through the corresponding NIC. The routes inside OpenVPN also ultimately decide whether a packet is forwarded and where it goes, but both of these decisions are made very differently: OpenVPN distributes packets according to its own internal route table, which has nothing to do with the system route table. Where can it forward a packet? In fact there are only two places, chosen by the result of the internal route lookup. If the destination address does not belong to another OpenVPN client or to a network behind another client, the packet is written to the virtual NIC and the system route table takes over from there. If the destination address does belong to another OpenVPN client or to the network behind it, and client-to-client (C2C) is enabled, the packet is forwarded directly to that client's OpenVPN socket; before forwarding, it is re-encapsulated in the OpenVPN protocol using the security parameters of that socket instance. Doesn't C2C look a lot like the ip_forward kernel parameter in Linux?

Note: in the previous paragraphs I have deliberately said "destination address" rather than "destination IP address". This is because OpenVPN's internal routing is not only IP routing: in tap mode its internal route is actually a link-layer route. In that case the OpenVPN server is not a router but a switch, specifically a switch that can "dynamically learn MAC addresses". So in tap mode, OpenVPN's internal routing is really the link-layer routing of a switch, and its route table is essentially the MAC address table of a switch.

The internal routing of OpenVPN has the following responsibilities:

1. decide whether to forward an incoming payload packet after the OpenVPN encapsulation has been stripped off, i.e. whether the sender of the payload packet is within the policy range (the assigned address or iroute networks) that OpenVPN has recorded for that client;

2. handle communication between different OpenVPN clients, and between hosts in the CIDR blocks attached to different clients; that is, route packets between these hosts. Note that "route" here does not mean an IP route in the protocol stack, but a route inside OpenVPN.
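To make the two responsibilities concrete, here is an added simulation of the tun-mode internal routing decision (example code written for this page, not OpenVPN's own; the client names, addresses and iroute networks are constructed): a packet is accepted only if its source lies in the sending client's policy range, and it goes to a peer's socket only when the destination belongs to another client and client-to-client is enabled; otherwise it is handed to the tun device for the system route table.

```python
import ipaddress

# Constructed tun-mode topology: each client's assigned VPN address plus the
# networks it announces via iroute (its "policy range").
CLIENTS = {
    "alice": {"addr": "10.8.0.2", "iroutes": ["192.168.10.0/24"]},
    "bob":   {"addr": "10.8.0.3", "iroutes": []},
}

def build_internal_table(clients):
    """Internal route table as (network, owning client) pairs: one entry for
    each assigned address and one for each iroute."""
    table = []
    for name, c in clients.items():
        table.append((ipaddress.ip_network(c["addr"] + "/32"), name))
        for net in c["iroutes"]:
            table.append((ipaddress.ip_network(net), name))
    # Longest prefix first, so an iroute /24 cannot shadow a /32 client address.
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table

def lookup(table, ip):
    """Return the client that owns ip, or None if no internal route matches."""
    ip = ipaddress.ip_address(ip)
    for net, owner in table:
        if ip in net:
            return owner
    return None

def route_packet(table, from_client, src, dst, client_to_client):
    """Decide the fate of a decapsulated packet received from from_client.
    Returns ("drop", reason), ("tun", None) or ("peer", client_name)."""
    # Responsibility 1: the source must be inside the sender's policy range,
    # which stops a client from injecting packets with a spoofed source.
    if lookup(table, src) != from_client:
        return ("drop", "source not in sender's policy range")
    owner = lookup(table, dst)
    # Responsibility 2: deliver client-to-client only when C2C is enabled;
    # otherwise write to tun and let the system route table decide.
    if owner is not None and owner != from_client and client_to_client:
        return ("peer", owner)
    return ("tun", None)
```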

Through internal routing, OpenVPN can be extended into a huge network that crosses insecure network areas such as interconnected wide area networks or metropolitan area networks, and it is this extended network that truly becomes virtual and dedicated. This is where OpenVPN provides its most powerful network topology support. The other advantages of OpenVPN, such as its combination with SSL and PKI and its integration with the host's network protocol stack through a virtual NIC, were covered in the previous article and are nothing new, so this series of articles focuses on OpenVPN's powerful routing functions. Once you fully understand them, reading the source code and making your own modifications is no longer difficult.

So what kind of network does OpenVPN extend? That depends on whether you use tap mode or tun mode:

In tap mode, the VPN nodes (multiple clients and one server) form an Ethernet, and the VPN server is equivalent to an Ethernet switch. Because Ethernet is the encapsulation below the IP protocol stack, all VPN nodes in tap mode, together with the nodes bridged to them, form one large Ethernet rather than an IP network, and OpenVPN's internal routing acts on MAC addresses. For any source IP address, OpenVPN's internal routing is a straight pass-through; only after the packet is written into the virtual NIC does the system route decide. Therefore, in tap mode, if you need IP connectivity between the networks behind each VPN node, you must either NAT those networks to the VPN node itself or bridge them into the tap network; either way the configuration is complex and hard to maintain. See:

In tun mode, the VPN nodes (multiple clients and one server) and the other networks (configured through iroute) form an IP network, and the VPN server is equivalent to an IP router. All VPN nodes and the nodes behind them are directed by iroute internal routes together with system routes to form one large IP network. In this mode internal routing and system routing work together, and OpenVPN's event mechanism combines the two seamlessly. See:
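Because tun mode depends on the internal route (iroute) and the system route working together, a common misconfiguration is an iroute in a client's ccd file without the matching kernel "route" on the server, so replies written to tun never find their way back to OpenVPN. The following added check (example code written for this page, not part of OpenVPN; the server.conf and ccd contents are constructed) parses both and reports such gaps, and also reports whether client-to-client is enabled.

```python
import ipaddress

# Constructed server.conf and client-config-dir (ccd) contents.
SERVER_CONF = """
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.10.0 255.255.255.0   # kernel route for alice's iroute
client-to-client
"""
CCD = {
    "alice": "iroute 192.168.10.0 255.255.255.0\n",
    "bob":   "iroute 192.168.20.0 255.255.255.0\n",  # no matching 'route'
}

def directives(text):
    """Yield (keyword, args) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def to_network(args):
    """Convert 'network netmask' (netmask optional) to an ip_network."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)

def check_iroutes(server_conf, ccd):
    """Return a list of findings: iroutes without a covering kernel route,
    plus a note if client-to-client is off (inter-client traffic then
    goes via tun and the kernel instead of directly between sockets)."""
    kernel_routes = [to_network(a) for k, a in directives(server_conf) if k == "route"]
    c2c = any(k == "client-to-client" for k, _ in directives(server_conf))
    findings = []
    for client, text in ccd.items():
        for k, a in directives(text):
            if k != "iroute":
                continue
            net = to_network(a)
            if not any(net.subnet_of(r) for r in kernel_routes):
                findings.append(f"{client}: iroute {net} has no matching 'route' in server.conf")
    if not c2c:
        findings.append("client-to-client disabled: inter-client traffic goes via tun and the kernel")
    return findings
```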

In fact, OpenVPN combines well-defined interfaces with existing, proven frameworks: the SSL protocol and PKI, the virtual NIC and the host protocol stack, and internal routing together with the event mechanism and the system IP routing. OpenVPN not only implements a complete mechanism of its own, it also integrates with these external frameworks and gives users flexible configuration. That is why OpenVPN is great.

Blog: http://blog.csdn.net/dog250/article/details/6979231
