How to implement OpenVPN on Linux

Source: Internet
Author: User
Tags: ftp, protocol, port number, ssl, connection, firewall, linux

I. The working principle of OpenVPN

VPN technology establishes a private tunnel across a public network by means of key exchange, encapsulation, authentication and encryption, which guarantees the integrity, confidentiality and validity of the data transmitted. OpenVPN is an open-source project that has emerged in recent years and implements an SSL VPN solution.

A traditional SSL VPN works by port proxying: according to the type of application protocol (HTTP, Telnet and so on), the proxy server sets up a port proxy for each application, the client establishes an SSL secure connection to the proxy server, and all data exchanged between the client and the application server is forwarded through the proxy server. This approach is cumbersome to implement and narrow in scope: it applies only to application systems that communicate over a fixed TCP port, and each proxied port has to be configured separately; for every protocol that uses dynamic ports, such as FTP, the proxy must be extended to parse that application protocol; network protocols other than TCP cannot be proxied at all; and the firewall in front of the proxy server has to be adjusted whenever the proxy port configuration changes.

OpenVPN implements the SSL VPN function in an entirely new way, overcoming some of the defects of the traditional SSL VPN and broadening the range of applications, and it needs only a single TCP or UDP port to be opened on the firewall.

1. Virtual network card

From Linux 2.4 onward, the operating system supports a device called TUN. The TUN driver consists of two parts: a character device driver and a network card (NIC) driver. The NIC driver takes the packet (as an SKB structure) received from the TCP/IP protocol stack and places it on the TUN device's read queue; the user process obtains the complete IP packet by calling read() on the character device, whose read function takes the SKB off the device's read queue and passes its data to user space. The character driver's write function gives the user an interface for writing user-space data into the kernel: write() copies the user data into kernel space and injects it into the TCP/IP protocol stack. The device can therefore be read and written as a character device while also acting as the system's virtual network card, with the same properties as a physical NIC: an IP address and routes can be configured on it. This virtual NIC is the key to how OpenVPN implements its SSL VPN function.

2. Address pool and routing

An OpenVPN server usually needs a virtual IP address pool and a static virtual IP address for its own use (the static address and the address pool must lie in the same subnet); it then dynamically assigns an unused address from the pool to each client that successfully establishes an SSL connection. In this way, the clients and the OpenVPN server, which are connected over the physical network, form a star-shaped LAN on the virtual network, with the OpenVPN server acting as the gateway for every client on that virtual network. The OpenVPN server also manages routing for the clients' virtual NICs. When a client accesses any application server behind the OpenVPN server, the packets are routed to the virtual NIC; the OpenVPN program intercepts the IP packets on the virtual NIC, encapsulates them with the SSL protocol, and then sends them out through the physical NIC. The OpenVPN server and clients thus build a virtual local area network on top of the virtual NICs, and this network is transparent to users of the system.

3. Establishing a secure client-server connection

The OpenVPN server and client support two kinds of connection, TCP and UDP; the client and server agree in advance on the transport (TCP or UDP) and the port number to use, and the connection is established on that basis. The connection process includes the SSL handshake and the exchange of management information for the virtual network: OpenVPN sends the network segment, address and routes on the virtual network to the client. After the connection succeeds, the client and server have an SSL secure connection between them; data entering the virtual NIC on either side is given SSL processing and then sent out through the physical NIC over the TCP or UDP connection.
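The following server and client configurations are an added example, not part of the article and not taken from the OpenVPN project; they show how the address pool, static server address and pushed routes of section 2 and the pre-agreed transport and port of section 3 are expressed in practice. The hostname vpn.example.com, the subnets 10.8.0.0/24 (virtual network) and 192.168.10.0/24 (backend LAN), the certificate file names and the unprivileged user and group are assumptions to adapt to your deployment.

```conf
# ---- server.conf (assumed values) ----
# The only port that has to be opened on the firewall (UDP/1194 here).
port 1194
proto udp
# TUN device: raw IP packets, no Ethernet framing.
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Extra HMAC on the control channel; the second argument is the key direction.
tls-auth ta.key 0
topology subnet
# Virtual network: the server takes the static address 10.8.0.1, and
# 10.8.0.2 to 10.8.0.254 form the pool handed to clients (same subnet).
server 10.8.0.0 255.255.255.0
# Remember which pool address each client received across restarts.
ifconfig-pool-persist ipp.txt
# Route to the backend LAN, pushed to every client over the control channel.
push "route 192.168.10.0 255.255.255.0"
# Per-client overrides, e.g. a fixed virtual address in ccd/<client CN>:
#   ifconfig-push 10.8.0.50 255.255.255.0
client-config-dir ccd
keepalive 10 120
cipher AES-256-GCM
auth SHA256
# Drop privileges after the TUN device and sockets are set up (assumed user/group).
user nobody
group nogroup
persist-key
persist-tun
verb 3

# ---- client.ovpn (assumed values) ----
client
dev tun
# Transport and port must match what the server was configured with.
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
# Refuse to connect to a peer whose certificate is not a server certificate.
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
```

After the handshake the server assigns the client an address from the pool and pushes the `route` line, which is the "network segment, address and routes" management information described above; on the client, the pushed route is installed pointing at the tun interface, so traffic for 192.168.10.0/24 is routed into the virtual NIC and picked up by the OpenVPN process.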

4. The packet processing flow

4.1 Sending data flow

Outgoing data from the application layer enters the kernel's TCP/IP layer through the system call interface for processing; TCP/IP routes it to the virtual NIC, whose driver's send handler hard_start_xmit() adds the packet to the SKB list and completes the copy of the packet from kernel space to user space. OpenVPN calls the virtual NIC's character-device handler tun_read() to read the packet from the device, encapsulates the packet with the SSL protocol, and sends it out through the socket system call.

4.2 Receiving data flow

The physical NIC receives the packet and passes it up through the kernel TCP/IP stack to OpenVPN, which receives it via link_socket_read() and unpacks it with the SSL protocol. OpenVPN then calls the virtual NIC's character-device handler tun_write() to write the processed packet to the virtual NIC's character device; the device driver copies the data from user space to kernel space, places it on the SKB list, and calls the NIC receive routine netif_rx(), so the packet enters the system TCP/IP protocol stack again and is delivered up to the application.
