VPN Principle and Implementation: Building a VPN with a Virtual NIC

A virtual NIC implements its "physical layer" as a character device, so that the application layer and the physical layer meet at that device: reading the character device returns the byte stream the virtual NIC sends down to its physical layer, and writing to the character device hands the virtual NIC a byte stream that it receives as if it had arrived from the wire. Below the virtual NIC there is no cable and no radio, only the character device. Every byte read from it is therefore a physical-layer byte stream, which makes it easy to use for tunnelling. The VPN program reads the character device, obtains the raw encapsulated packets, wraps them in SSL/TLS and sends them to the VPN peer. This is the same idea as the earlier loopback attempt: configure a route so that the traffic to be tunnelled exits through the virtual NIC, and the virtual NIC's character device delivers it to the VPN process in user space.

With a virtual NIC the tunnel can be implemented as simply as described above. What additional work is needed? Because the physical layer of the virtual NIC can be read and written freely through the character device, one machine is effectively virtualised into two: the VPN process can be imagined as running on a second machine that is connected to the real machine by a NIC, and that NIC is the virtual NIC. The problem thus becomes communication between two machines, which is easy to handle with routing. There is essentially no additional work, and we avoid packet capture, proxies and other mechanisms that cost performance and are hard to extend. A virtual-NIC tunnel is very flexible: install the virtual NIC driver, then configure the routes.
Everything is done with the familiar route command; the direction of the data flow is shown in the figure. In fact the IP network is itself a virtual network: any network that is not directly connected by a wire is a virtual network. Is the IP network not built on top of a variety of LANs, WANs and telecom networks, that is, a virtual network on top of physical networks such as television networks? From a layered perspective even the PSTN can be regarded as a virtual network. A VPN is a virtual network of more special significance, and it can be implemented in many ways. IP over SSL neither touches the protocol stack nor adds a new protocol; it uses the flexibility of SSL/TLS to encapsulate IP packets more securely. SSL/TLS is much more flexible than IPsec, and because it sits at the application layer it is more configurable: it not only provides the Diffie-Hellman key exchange that IPsec also has, but also draws on many outstanding features of PKI. Open-source software never passes up anything outstanding, and OpenVPN is built on exactly these ideas. In fact OpenVPN itself has very little new to do; it is an integration. Reading its code shows that it configures the virtual NIC, configures routes, reads and writes the character device, and uses the OpenSSL library for the SSL/TLS encapsulation. Almost all of these pieces already existed, yet OpenVPN's integration of them has become stable and efficient VPN software.
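The mechanism described in the two paragraphs above (read raw IP packets from the virtual NIC's character device, wrap them in TLS, write the peer's packets back) as an added example; this is not OpenVPN's code and OpenVPN's own wire format differs. It assumes Linux with the `tun` module, root or CAP_NET_ADMIN to create the interface, the interface name `tun0`, a peer that speaks the same toy framing, and CA/cert/key file paths passed on the command line. The TUNSETIFF and IFF_* constants are the real values from `<linux/if_tun.h>`. One point the prose glosses over is that TLS delivers a byte stream while the character device delivers whole packets, so the example prefixes every packet with a 2-byte length and reassembles on the receiving side:

```python
"""Minimal IP-over-TLS tunnel skeleton on a Linux TUN device (added example)."""
import fcntl
import os
import select
import socket
import ssl
import struct
import sys

# From <linux/if_tun.h>: TUNSETIFF = _IOW('T', 202, int).
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001     # layer-3 device: reads/writes are raw IP packets
IFF_NO_PI = 0x1000   # no 4-byte packet-info header in front of each packet


def open_tun(name="tun0"):
    """Open /dev/net/tun and attach it to interface `name`; returns the fd.
    Requires root/CAP_NET_ADMIN (assumption: the tun module is loaded)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH22x", name.encode(), IFF_TUN | IFF_NO_PI)  # struct ifreq, 40 bytes
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def parse_ipv4(packet):
    """Decode the fixed IPv4 header of a packet read from the TUN device."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    return {
        "ihl": ihl,
        "total_len": total_len,
        "proto": packet[9],
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
    }


def frame(packet):
    """TLS is a byte stream, so prefix each IP packet with a 2-byte big-endian length."""
    if len(packet) > 0xFFFF:
        raise ValueError("packet too large for 16-bit length prefix")
    return struct.pack("!H", len(packet)) + packet


def unframe(buf):
    """Extract every complete length-prefixed packet from `buf` (a bytearray);
    an incomplete trailing frame is left in place for the next read."""
    packets = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break
        packets.append(bytes(buf[2:2 + n]))
        del buf[:2 + n]
    return packets


def tls_connect(host, port, cafile, certfile, keyfile):
    """Mutually authenticated TLS client connection to the VPN peer."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)   # our own certificate, so the peer can verify us
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)


def run_tunnel(tun_fd, tls):
    """Copy packets between the TUN device and the TLS connection until the peer closes."""
    inbound = bytearray()
    while True:
        readable, _, _ = select.select([tun_fd, tls], [], [])
        if tun_fd in readable:
            pkt = os.read(tun_fd, 65535)        # one whole IP packet per read
            tls.sendall(frame(pkt))
        if tls in readable:
            while True:                          # drain, since TLS may buffer a decrypted record
                data = tls.recv(65535)
                if not data:
                    return
                inbound += data
                for pkt in unframe(inbound):
                    os.write(tun_fd, pkt)        # hand the peer's packet to the local IP stack
                if not tls.pending():
                    break


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: tun_tls_client.py HOST PORT ca.pem cert.pem key.pem")
    host, port, cafile, certfile, keyfile = sys.argv[1:]
    run_tunnel(open_tun("tun0"), tls_connect(host, int(port), cafile, certfile, keyfile))
```

After the process has created `tun0`, the rest is the routing the text describes, for instance (hypothetical addresses) `ip addr add 10.8.0.2/24 dev tun0`, `ip link set tun0 up` and `ip route add 192.168.50.0/24 via 10.8.0.1 dev tun0`; any packet the kernel routes to `tun0` then appears in `os.read(tun_fd, ...)`. The server side is symmetric, except that it calls `wrap_socket(..., server_side=True)` and sets `verify_mode = ssl.CERT_REQUIRED` so that only clients with a certificate issued by the VPN CA can join. The `tls.pending()` loop matters: `select` watches the TCP socket, so a decrypted TLS record still sitting in the SSL buffer would otherwise wait for the next wire read.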