OpenVPN On-Demand connection implementation

Source: Internet
Author: User

God created man in his own image; man builds computers to his own liking, and gave them a heartbeat too. The operating system uses that heartbeat, the periodic clock interrupt (the tick), to advance time and drive scheduling. Later, Linux implemented NOHZ: when there is nothing to do, the tick is no longer fired and the CPU simply halts; when there is work, some other interrupt wakes the machine and the heartbeat resumes. This tickless mechanism saves resources, because the machine is no longer woken up for nothing.

An IPsec VPN is fully on-demand. In tunnel mode, when a packet arrives and matches an encryption policy, what happens next depends on whether the encrypted tunnel already exists: if it does not, IKE negotiation is triggered to build it; if it does, the packet is sent straight through the tunnel. Of course, IPsec can also use a heartbeat (dead peer detection)...

A persistent VPN connection kept alive by heartbeats has several problems. First, if a heartbeat is not received, the tunnel is forcibly torn down, and that teardown is audited as an exceptional event: the connection was supposed to be persistent, so a disconnect looks like a fault even when nothing was actually wrong. Second, where bandwidth is a scarce resource, heartbeat packets are a real cost; for a 3G user with no actual data to send, every heartbeat packet is pure waste.

Why does a VPN need to stay connected at all? Isn't connecting when you need it just as easy? Is a permanently up tunnel there only to make the VPN look like infrastructure? That may be true for site-to-site topologies, but for end users a persistent connection means pressure, because end users pay for the heartbeat packets. OpenVPN is a very flexible VPN. Its flexibility and strength lie in how you combine it with the outside world, not in OpenVPN itself. That is the thing to remember.

OpenVPN can be made on-demand as well: when there is no data the tunnel is down; when data appears the tunnel is brought up; when there has been no data for a while the tunnel is torn down again. Of these, only the last step, "tear down when there is no data for a period of time", is a function of OpenVPN itself (the --inactive option); the other steps need outside help. So the first thing to work out is how to bring the connection up on demand.

Use iptables to identify the traffic that must be encrypted through OpenVPN. Once identified, that traffic has to be held back until the tunnel is up, and only then released. Held where? In a queue, naturally. If the tunnel takes a long time to come up, the queue will inevitably fill, and dropping newly arriving packets is the last resort. With that general direction settled, the next step is the concrete mechanism, and on Linux almost nothing has to be written from scratch: the QUEUE target of iptables does exactly this. It hands each packet to a queue, a user-space process reads the queued packets into user space, and then... (Note that the QUEUE target and its ip_queue/libipq interface were removed in Linux 3.5; on current kernels the same job is done by the NFQUEUE target with libnetfilter_queue.)

Then the process can inject the packet straight back into the kernel, or first bring up the OpenVPN tunnel and inject the packet only once the tunnel exists. Once the tunnel is up, the routing entries should be added as well, so that later packets no longer need to be queued to user space. How can that be done? Fortunately, netfilter has the xtables-addons extensions, which enlarge what iptables can do. What we need is the condition match: with it, several iptables rules can be combined into fairly complex control logic, for example the following rule:

iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -m condition --condition vpn -j QUEUE

It means that packets destined for 192.168.1.1 are queued only while the condition variable vpn has the value 1 (with xtables-addons the variable is exposed as /proc/net/nf_condition/vpn and is set or cleared by writing 1 or 0 to that file); otherwise the rule does not match, the packet proceeds to the next rule and is not queued. Note that PREROUTING only sees packets arriving on an interface; for traffic generated by the machine itself the same rule belongs in the OUTPUT chain. With that, the preparations are basically complete, and what remains is how to string them together into a solution. To illustrate the problem quickly, I will stop using OpenVPN as the example and describe an equivalent problem instead:

A host route to 192.168.1.1 is created only when a packet for 192.168.1.1 arrives, and is deleted after five seconds without traffic to 192.168.1.1.

That suffices to illustrate the problem, and it is simple enough. Even so, I'll stay lazy and not implement it completely. First add the iptables rule listed above, then create the user-space process. The code is as follows:

#include <linux/netfilter.h>
#include <libipq.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>

#define BUFSIZE 2048

/* Toggled by SIGUSR1, which the start_vpn script sends once the tunnel is up. */
static volatile sig_atomic_t condition = 0;

void condition_handler(int num)
{
    (void)num;
    if (condition == 1) {
        condition = 0;
    } else {
        condition = 1;
    }
}

int main(void)
{
    int status;
    unsigned char buf[BUFSIZE];
    struct ipq_handle *h;
    sigset_t block, old;

    signal(SIGUSR1, condition_handler);
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);

    h = ipq_create_handle(0, PF_INET);
    if (h == NULL) {
        ipq_perror("ipq_create_handle");
        return 1;
    }
    status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
    if (status < 0) {
        ipq_perror("ipq_set_mode");
        ipq_destroy_handle(h);
        return 1;
    }

    do {
        status = ipq_read(h, buf, BUFSIZE, 0);
        if (status < 0) {
            ipq_perror("ipq_read");
            break;
        }
        switch (ipq_message_type(buf)) {
        case IPQM_PACKET: {
            ipq_packet_msg_t *m = ipq_get_packet(buf);
            /* A packet was read: run the script that brings the VPN up. It is
               expected to add the route, clear the condition variable so that
               later packets are no longer queued, and send this process SIGUSR1. */
            system("/home/zhaoya/start_vpn param1 param2 paramX");
            /* Wait for SIGUSR1. The signal is blocked between testing `condition`
               and sleeping, so a signal arriving in that gap cannot be lost. */
            sigprocmask(SIG_BLOCK, &block, &old);
            while (!condition) {
                sigsuspend(&old);
            }
            sigprocmask(SIG_SETMASK, &old, NULL);
            /* Tunnel is up: re-inject the packet unchanged. The payload is not
               modified, so no data and a length of 0 are passed back. */
            status = ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
            if (status < 0) {
                ipq_perror("ipq_set_verdict");
            }
            break;
        }
        default:
            break;
        }
    } while (1);
    ipq_destroy_handle(h);
    return 0;
}
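The program above only covers the first half of the equivalent problem (bring the route up when the first packet arrives); the teardown after five seconds of silence, the order in which the condition variable and the route are changed, and what happens to held packets when the tunnel fails to come up are the parts it leaves out. The following added example, which is not code from the article, models the whole controller as a small state machine: it ties together the condition-match rule, the QUEUE verdicts and the --inactive style teardown discussed earlier. Side effects are issued as shell command strings through run_cmd(); with dry_run set they are only recorded, so the logic runs without root or a tunnel. The script names (start_vpn.sh, stop_vpn.sh), the tun0 device, the command strings and the use of 192.168.1.1 as the protected host are assumptions for illustration; in a real deployment od_packet() would be called from the ipq_read() loop, od_tunnel_up() from the SIGUSR1 handler's wake-up, and od_tick() from a periodic timer.

```c
/* Added example, not the article's code. Commands go through run_cmd() and are
 * only recorded when dry_run is set. Script names, tun0 and the command strings
 * are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOG 16
#define CMD_LEN 96
typedef enum { TUN_DOWN, TUN_STARTING, TUN_UP } tun_state_t;

typedef struct {
    tun_state_t state;
    long last_traffic;   /* last time a packet used or waited for the tunnel */
    int idle_timeout;    /* seconds of silence before teardown, like --inactive */
    int queue_on;        /* mirrors /proc/net/nf_condition/vpn: 1 = rule queues */
    int held;            /* packets held in the QUEUE while the tunnel comes up */
    int dry_run, nlog;
    char log[MAX_LOG][CMD_LEN];
} ondemand_t;

static void run_cmd(ondemand_t *od, const char *cmd)
{
    if (!od->dry_run) {
        if (system(cmd) != 0) fprintf(stderr, "command failed: %s\n", cmd);
    } else if (od->nlog < MAX_LOG) {
        snprintf(od->log[od->nlog++], CMD_LEN, "%s", cmd);
    }
}

/* The xt_condition variable is flipped by writing 0 or 1 to its /proc file. */
static void set_queue_flag(ondemand_t *od, int on)
{
    od->queue_on = on;
    run_cmd(od, on ? "echo 1 > /proc/net/nf_condition/vpn"
                   : "echo 0 > /proc/net/nf_condition/vpn");
}

void od_init(ondemand_t *od, int idle_timeout, int dry_run)
{
    memset(od, 0, sizeof *od);
    od->idle_timeout = idle_timeout; od->dry_run = dry_run;
    set_queue_flag(od, 1); /* tunnel down: every matching packet must be queued */
}

/* A queued packet reached user space: 1 = re-inject now (NF_ACCEPT), 0 = hold. */
int od_packet(ondemand_t *od, long now)
{
    od->last_traffic = now;
    if (od->state == TUN_UP) return 1;
    if (od->state == TUN_DOWN) {
        od->state = TUN_STARTING;
        run_cmd(od, "sh /etc/openvpn/start_vpn.sh"); /* assumed script name */
    }
    od->held++;
    return 0;
}

/* Tunnel up (the article learns this from SIGUSR1 sent by start_vpn). Route
 * first, then stop queueing; returns how many held packets now get NF_ACCEPT. */
int od_tunnel_up(ondemand_t *od, long now)
{
    int released = od->held;
    od->state = TUN_UP; od->last_traffic = now; od->held = 0;
    run_cmd(od, "ip route add 192.168.1.1/32 dev tun0");
    set_queue_flag(od, 0);
    return released;
}

/* Tunnel failed: fail closed. Held packets get NF_DROP (NF_ACCEPT would route
 * them out unencrypted); queue_on stays 1, so the next packet retries. */
int od_tunnel_failed(ondemand_t *od)
{
    int dropped = od->held;
    od->held = 0; od->state = TUN_DOWN;
    return dropped;
}

/* Periodic tick. traffic is nonzero if the tunnel byte counter moved since the
 * last tick (OpenVPN --inactive tracks this itself; a route-only setup can read
 * the iptables rule counter). Tears down after idle_timeout silent seconds and
 * returns 1; queueing goes back on BEFORE the route goes, so no packet can find
 * neither tunnel nor queue and leave in the clear. */
int od_tick(ondemand_t *od, long now, int traffic)
{
    if (od->state != TUN_UP) return 0;
    if (traffic) od->last_traffic = now;
    if (now - od->last_traffic < od->idle_timeout) return 0;
    set_queue_flag(od, 1);
    run_cmd(od, "ip route del 192.168.1.1/32 dev tun0");
    run_cmd(od, "sh /etc/openvpn/stop_vpn.sh"); /* assumed script name */
    od->state = TUN_DOWN;
    return 1;
}

int main(void)
{
    ondemand_t od;
    od_init(&od, 5, 1);                   /* 5 s idle timeout, dry run */
    od_packet(&od, 0); od_packet(&od, 1); /* two packets held while starting */
    printf("released %d\n", od_tunnel_up(&od, 2));
    printf("tick 7: %d\n", od_tick(&od, 7, 1));   /* bytes moved: stays up */
    printf("tick 13: %d\n", od_tick(&od, 13, 0)); /* 6 s silent: torn down */
    return 0;
}
```

Two design points matter more than the bookkeeping. The condition variable is cleared only after the route exists and set again before the route is removed, because a packet that matches neither the queue rule nor a tunnel route is simply forwarded by the default route, unencrypted. And when start_vpn fails, the held packets are dropped rather than accepted for the same reason; the page's program, which accepts whatever it holds once SIGUSR1 arrives, relies on the script never signalling success on failure.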
