OpenVPN-ng, an application-layer tunnel for Mobile Life
VPN makes people think that it is always a good thing, a way to escape from supervision. In fact, VPN has become little more than a synonym for escaping supervision. Yet no matter which technology is used, IPSec, a web proxy, or anything else, as long as it encrypts the original information it can be called a VPN, so there are so-called layer-2 VPN technologies, layer-3 VPN technologies, and even layer-7 VPN technologies. VPN is a tool for grassroots users and for closed organizations. From private companies to multinationals, none of them want their company information to be seen by others, so various VPN technologies are used to provide remote access for staff on business trips or for branches in different regions. However, such access does require supervision, because these VPN users are not using it of their own accord; they are required to use it.
1. How about OpenVPN?
This is the first choice for grassroots DIY. However, it is not suitable for large enterprises with high traffic volumes.
1.1. OpenVPN performance problems
1.2. OpenVPN deployment problems
2. Full star topology advantages
It is like a company's internal LAN, where everyone is connected to a switch with enough ports. This is a BMA (broadcast multi-access) network: if you want to reach someone, simply ARP for them.
3. Available Implementation Details of OpenVPN
What can be reused are the TLS and Reliable layers, which OpenVPN implements over memory BIOs.
4. Implement OpenVPN-ng
The new VPN is called OpenVPN-ng. It consists of two modules: a Switch module and a processing module. The processing module is responsible for encrypting and decrypting VPN data and for authentication and key negotiation (TLS) between VPN nodes, while the Switch is responsible only for routing and forwarding VPN traffic; it does no encryption, decryption, or authentication.
All VPN nodes communicate only with the Switch, over UDP. There are two types of traffic: the TLS traffic between nodes, which is encapsulated in control packets, and the VPN data traffic between nodes, which is encapsulated in data packets. The two types are distinguished only by the packet header. The figure below shows the packet header and the communication model:
As the figure shows, VPN processing nodes are identified by node IDs instead of conventional IP addresses and port numbers. In this way a network is formed that is stacked on top of IP addresses and ports but is independent of them.
4.1. Stack Network
The power of this stacked network is that it has nothing to do with IP addresses, protocols, or port numbers: VPN nodes are addressed entirely by VPN node ID. This task is carried out by the VPN Switch module, which keeps a {node ID, IP/port} mapping table. The result is that as long as connectivity between each VPN processing node and the VPN Switch is maintained, interconnection between the nodes is guaranteed.
4.2. Data structure of the VPN processing node
Because a VPN node communicates with more than one other VPN node, each VPN node clearly stores a linked list in which each list node holds one session. The security parameters include:
4.3. VPN Switch Data Structure
On the VPN Switch, only the forwarding mapping table needs to be stored. When a packet arrives from a node, the Switch only needs to extract the destination node ID, look it up in the {node ID, IP/port} mapping table, and send the data to the VPN processing node found there.
5. Use BIO instead of the network to implement TLS between nodes
It should be clear that the SSL handshake has nothing to do with network elements. As OpenVPN already demonstrates, TLS negotiation can be carried out between two memory buffers through the BIO/Reliable layer. In this way a tunnel can be established between the VPN processing nodes, while all outer IP packets are sent uniformly to the VPN Switch node; the Switch then performs a route lookup based on the internal destination address indicated in the VPN packet header and forwards the packet to the correct VPN processing node.
6. Is it just stacking point-to-point mode OpenVPN?
No! This is not a simple superposition of multiple P2P OpenVPN instances. Note that in OpenVPN-ng I explicitly separated Switch forwarding from processing (OpenVPN itself already separated the TLS channel from the network)! The Switch therefore does not care about the specific contents of a packet. It is just a simple forwarding proxy: every incoming packet carries its own destination, and the Switch only needs to forward the buffer to the corresponding destination VPN node.
7. Trust Problems
Does the VPN processing node trust the VPN Switch?
8. Managed key on the VPN Switch
See the previous section.
9. Share the key to the Cluster
This is another extension. The negotiated symmetric key is shared only between two nodes, or between two clusters. If it is shared between two clusters, the question becomes how the key is shared within a cluster. There are many solutions to this problem: digital envelopes? A TLS channel...
10. Fixed Point: the ultimate meaning
This is a fixed point in the ultimate sense. It solves the problem of the IP address changing when a mobile terminal moves. Previously, I used a custom Session Layer to remove the restriction imposed by IP address changes. Now look at my current OpenVPN-ng implementation. There is no direct network connection between VPN nodes, which means that as long as a VPN node stays connected to the VPN Switch, communication between VPN nodes can continue. The constant point is the VPN Switch! Of course, I need to design a state machine that actively reports a message to the VPN Switch when a VPN node changes its IP address, so that the VPN Switch can update its {node ID, IP/port} mapping table. Previously, I used the SID instead of IP address/port as the lookup key of the multi_instance linked list, which only solved the problem of the client's IP address changing. But now, in OpenVPN-ng, there is no difference between server and client. Only VPN processing nodes are left, and they only maintain connectivity with the fixed point, the VPN Switch. In this way, the VPN processing nodes can move at will!
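The Switch behaviour described in sections 4.3 and 10, as an added simulation that is not the author's OpenVPN-ng code: it assumes a constructed 9-byte header (type, source node ID, destination node ID), refreshes the {node ID, IP/port} mapping table from the outer source address of every datagram, and treats a packet addressed to node ID 0 as the "I moved" report to the Switch; the node IDs and addresses are constructed sample values.

```python
import struct

# Constructed header layout (assumed for this example, not OpenVPN-ng's wire format):
#   type (1 byte): 0 = control (TLS traffic), 1 = data (tunnel payload)
#   src node ID (4 bytes), dst node ID (4 bytes), then the opaque payload
HDR = struct.Struct("!BII")
CONTROL, DATA = 0, 1
SWITCH_ID = 0  # destination ID meaning "addressed to the Switch itself" (assumed)

def build_packet(ptype, src_id, dst_id, payload=b""):
    return HDR.pack(ptype, src_id, dst_id) + payload

class VPNSwitch:
    """Forwarding-only node: keeps {node ID: (ip, port)} and never looks at payloads."""

    def __init__(self):
        self.table = {}   # node ID -> outer (ip, port) the node was last seen from
        self.dropped = 0

    def handle(self, datagram, src_addr):
        """Process one received UDP datagram; return the (dst_addr, datagram) pairs to send."""
        if len(datagram) < HDR.size:
            self.dropped += 1
            return []
        ptype, src_id, dst_id = HDR.unpack_from(datagram)
        if ptype not in (CONTROL, DATA):
            self.dropped += 1
            return []
        # Refresh the mapping from the outer source address on every packet, so a node
        # that moved to a new IP/port becomes reachable again as soon as it sends anything.
        self.table[src_id] = src_addr
        if dst_id == SWITCH_ID:
            return []            # explicit "I am here" report: consumed, nothing forwarded
        dst = self.table.get(dst_id)
        if dst is None:
            self.dropped += 1    # peer has never reported in, so there is nowhere to forward
            return []
        return [(dst, datagram)]  # buffer relayed unchanged; TLS stays between the two nodes

def demo():
    """Two nodes meet through the Switch, then node 1 roams to a new outer address."""
    sw, n1, n2 = VPNSwitch(), 1, 2
    a1, a2, a1_new = ("10.0.0.1", 1194), ("192.0.2.7", 5000), ("198.51.100.9", 40000)
    sw.handle(build_packet(CONTROL, n2, SWITCH_ID), a2)             # node 2 reports in
    lost = sw.handle(build_packet(DATA, n2, n1), a2)                # node 1 unknown yet: dropped
    first = sw.handle(build_packet(CONTROL, n1, n2, b"hello"), a1)  # TLS control relayed to node 2
    sw.handle(build_packet(CONTROL, n1, SWITCH_ID), a1_new)         # node 1 moved and reports in
    reply = sw.handle(build_packet(DATA, n2, n1, b"payload"), a2)   # delivered to the new address
    return lost, first, reply, sw.dropped
```

Note that the Switch learns the new address only after the moved node sends something, which is exactly why the state machine in section 10 must report actively rather than wait for traffic.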
11. Mobile Life
I have been writing this article for several weeks. The past month was too busy. First, I was on a business trip in the first half of the year. But that was good, because I learned a lot in just a few days. The middle and lower half of the year were sad: the repetitive technical support made me feel like dropping my iPhone 5 several times. I have been thinking about how to make the mobile terminal support a fully smooth transition, but only thinking about it, because I know that OpenVPN-ng will not be adopted... Later, as I had to prepare for kindergarten, there was a parent-teacher meeting, a home visit, ... In a short time I learned a lot about the world. After a few nights, I implemented OpenVPN-ng.