Theoretically, a reasonable IP over SSL protocol requires some additional technical support before it can be used. You must try to unseal an IP datagram so that it is reencapsulated by SSL, this action cannot be performed in the original standard protocol stack. The standard protocol stack does not support two-way data flow. One solution is to modify the protocol stack, A lightweight SSL protocol layer is implemented under the IP layer, but it returns to the old IPSec path. Therefore, this method is not desirable. The correct method is not to modify the protocol stack, let everything stay where it should be, so SSL must be implemented at the application layer or the presentation layer. The question now is how to re-introduce the underlying IP datagram to the application layer, in addition, the standard protocol stack cannot be modified, so it is necessary to let the IP datagram continue, and then eventually flow out of a nic, so the protocol stack is available, and then you can play it freely, the reason for the data to flow out of the NIC is that the protocol stack cannot be modified, but it cannot really let it flow out of the machine. If it goes away, it cannot be expected to encapsulate it with SSL. Where can it flow? The loopback device is a good choice. The data flowing from the loopback device actually flows into the loopback device. In user space, you only need to open the loopback device and then read it, note that the data cannot be read through general sockets. After all, the data is not sent to us. We need to use a packet capture method like this, and use the firewall to prevent the captured data from being forwarded, this is actually a clever way to intercept, get captured data, and then send it to a real IP address after the SSL encapsulation. What we need to configure is to send all the VPN data to the loopback device, in fact, it is to add a route. The virtual network has been established, and this seems to end.
However, this is a slow issue. In the future, all VPN data will flow into the loopback through the standard protocol stack, and then enter the application layer as raw data, then, the original VPN data is encapsulated together with its original IP header as application data, which is encapsulated by the SSL protocol. Then, the data is sent to the other end of the VPN and enters from the real nic at the other end, then, because this is the end of the tunnel, the data goes directly to the application layer. At the application layer, the VPN Server waits there to get the raw VPN bare data and its IP header at the sending end, what is the purpose of the server to get this thing? What should it do next? It is just the end of the tunnel, and it is not the machine that really wants to receive data, therefore, it must re-send the data to the machine that actually needs it. Obviously, it must exist as an application-layer proxy and strip the original IP address header to obtain the original data, the data is then sent to a real destination, not to mention whether this method is possible. There are two unreasonable points that are enough to deny it. Because the VPN Server implements proxy, the data must be concentrated and removed from the IP address header, in addition, if you want to perform the same processing in the opposite direction, you must remember all IP addresses. Otherwise, data will be lost, Is the load on the VPN Server tolerable? What about performance? Second, the proxy method eliminates the transparency of the tunnel, and the destination will not know where the data comes from after receiving the data. It is regarded as sent by the VPN Server, in this way, strategic services cannot be implemented based on data source points. To sum up, the loopback device is available but not feasible, because it is closed on the local machine. That is to say, only the data that loopback goes out can enter the loopback, and it has only two exits, one read and one write are all at the application layer. You cannot write data as the stream of the physical layer to loopback. Instead, you can only use the data of the application layer to package it to loopback step by step through the protocol stack, and then unseal it back step by step, the VPN sending end faces the same problem, because only the route points the data egress to the loopback. If you do not need to capture packets (pcap), the data will not be available, and this method has a great impact on performance, in addition, complicated firewall rules should be configured to prohibit data from being forwarded into loopback, and the performance will be affected. Due to full-duplex communication between the two ends of the tunnel, as a result, one end faces the same problem on the peer end when the data is reversed. Aside from this, loopback cannot configure the IP address freely, and it cannot be selected to implement the tunnel, the VPN network needs to be managed, and sometimes the management itself is very complicated. The virtual network is not just one, but we need to prepare a subnet for each virtual network, that is, each Different virtual networks must have different IP addresses, so flexible IP configurations are required. Therefore, loopback cannot implement an elegant and transparent tunnel. In this case, we can return to the origin to achieve two things: first, data must be encapsulated and encapsulated step by step according to the protocol stack standards, and the protocol stack cannot be modified. Second, data cannot be removed when it reaches the bottom physical layer, but is returned to the user space, as a result, the virtual network card has become a good choice.