In-depth introduction to VPN technology in Fedora

Source: Internet
Author: User
Tags: vpls
With the development of network communication technology and the emergence of new network applications, more and more user data and enterprise information is transmitted over the Internet. As a result, more and more attackers and cyber threats are emerging: they steal, tamper with, and destroy confidential and sensitive data for their own ends. The security of communication data therefore faces unprecedented challenges, and VPN technology was created to secure data in transit.

I. VPN technical principles

A virtual private network helps remote users, company branches, business partners, and suppliers establish trusted, secure connections to the company's intranet and ensures that data is transmitted securely. By moving data flows onto a low-cost public network, an enterprise VPN solution greatly reduces what users spend on WAN and remote network connections. At the same time, it simplifies network design and management and speeds up the connection of new users and sites. A VPN also protects the existing network investment. As users' business services keep growing, an enterprise VPN solution lets users focus on their own business rather than on the network. A VPN can give the growing number of mobile users secure connections over the global Internet, can provide virtual private lines for secure communication between enterprise sites, and can connect business partners and customers economically and effectively through a secure extranet VPN.

A VPN should provide at least the following functions:

Data encryption, so that information transmitted over the Internet cannot be read by anyone who intercepts it.

Message authentication and identity authentication, to ensure the integrity and legitimacy of information and to identify the user.

Access control, so that different users have different access permissions.

VPN has the following advantages:

(1) Cost reduction: enterprises do not need to lease long-distance leased lines to build private networks, and do not need to invest in large numbers of network maintenance staff and equipment. Building an intranet on the existing public network is much cheaper than renting or laying a leased line, and the longer the distance, the greater the saving. For example, an enterprise's Beijing branch and New York branch are unlikely to be connected by a self-built leased line. When a remote user in New York dials in to the Beijing intranet directly, the cost is an international long-distance call; with VPN technology, each side connects to its local Internet access point in New York and Beijing respectively, and both parties pay only for local calls.

(2) Easy expansion: the configuration of network routing devices is simple and few devices need to be added, saving time and money. For fast-growing enterprises VPN is even more important. If an enterprise runs its own private network, adding a branch means setting up a new link and adding or upgrading devices according to network capacity. With a VPN it is much more convenient: you only need to connect the new site to the public network and configure the new network endpoint logically, without worrying about public network capacity or equipment.

(3) Full control: the facilities and services on the VPN are entirely under the enterprise's control. For example, an enterprise can hand dial-up access over to a network service provider (NSP) while keeping charge of important work such as user verification, access control, network addressing, security, and network change management.

II. VPN classification

VPN classification is inconsistent. Different manufacturers use different classification methods when selling their VPN products, mainly from a product perspective. Different ISPs also adopt different classifications when launching VPN services, mainly from the perspective of business development. Users often have their own divisions, based mainly on their own needs. The following describes VPN classification from these different angles.

1. Division by access method

This is the most important VPN division for users and carriers. A user may be connected through a leased line or through dial-up Internet access, depending on what is available. Correspondingly, a VPN built on an IP network has two access methods: leased-line access and dial-up access.

(1) Leased-line VPN: a VPN solution for users who reach the ISP edge router over a leased line. This is an "always-on" VPN, which saves the cost of a traditional long-distance leased line.

(2) Dial-up VPN (VPDN): a VPN service for users who access the ISP over dial-up PSTN or ISDN. This is an "on-demand" VPN, which saves users' long-distance phone charges. Because the user is usually roaming and connects on demand, a VPDN normally requires identity authentication (for example, CHAP with a RADIUS server).

2. Division by tunneling protocol

This is the most important division for VPN vendors and ISPs. In terms of the layered model, a VPN can be built at layer 2 or at layer 3 (some even count higher-layer security protocols as VPN protocols).

(1) Layer 2 tunneling protocols: the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), the Layer 2 Tunneling Protocol (L2TP), and Multiprotocol Label Switching (MPLS).

(2) Layer 3 tunneling protocols: Generic Routing Encapsulation (GRE) and IP Security (IPsec), currently the two most widely used layer 3 protocols.

The difference between layer 2 and layer 3 tunneling protocols lies in the layer of the protocol stack at which user data is encapsulated: layer 2 tunnels carry link-layer frames (such as PPP), layer 3 tunnels carry IP packets. GRE, IPsec, and MPLS are mainly used to implement leased-line VPN services, while L2TP is mainly used for dial-up VPN services (although it can also implement leased-line VPN). These protocols do not conflict and can be used in combination. Note that GRE and L2TP only encapsulate and provide no confidentiality by themselves, which is why L2TP is normally run over IPsec, and that PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken.

3. Division by VPN initiation

This is the VPN category that customers and ISPs care most about. A VPN service can be implemented independently by the customer or provided by the ISP.

(1) Customer initiation (also known as customer-based): the start and end points of the VPN service face the customer, and the internal technical structure, implementation, and management of the VPN service are visible to the VPN customer. Both the customer and the tunnel server (or gateway) must install tunneling software. The customer's software initiates the tunnel, which terminates at the company's tunnel server; the ISP does not need to do anything to support its establishment. After the user ID and password are verified, the customer and the tunnel server establish the tunnel and can communicate in encrypted mode. Once the tunnel is established, the ISP is not perceptibly involved in the communication.

(2) Server initiation (also known as customer-transparent or network-based): the VPN software is installed at the company's central site or at the ISP's point of presence (POP); the customer does not need to install any special software. This is mainly how an ISP provides a fully managed VPN service. The start and end points of the service are the ISP POPs, and its internal structure, implementation, and management are completely transparent to the VPN customer.

Of the tunneling protocols described above, MPLS can only be used for server-initiated VPNs.

4. Division by VPN service type

By service type, VPN offerings are roughly divided into three kinds: Access VPN, Intranet VPN, and Extranet VPN. In general, an intranet VPN is a leased-line VPN.

(1) Access VPN: a VPN through which enterprise employees or small branches remotely access the internal network of the enterprise over the public network. A remote user is generally a single computer rather than a network, so an access VPN is a host-to-network topology. Note that an access VPN is not the same as the dial-up VPN described earlier, which is easy to confuse, because remote access can take place over a leased line as well as over dial-up.

(2) Intranet VPN: a virtual network built between the company's headquarters and its branches over the public network. This is a network-to-network VPN formed between peers.

(3) Extranet VPN: a virtual network built over the public network between different enterprises, typically after an acquisition, a merger, or the establishment of a strategic alliance. This is a network-to-network VPN between unequal parties (mainly in that they have different security policies).

5. Division by who operates the VPN

An enterprise that needs VPN services can build its own VPN or outsource it to a VPN provider. This is the most important question for customers and ISPs.

(1) Self-built VPN: this is a customer-initiated VPN. The enterprise installs the VPN client software at its sites and the VPN gateway software at the edge of the enterprise network, and builds its own VPN completely independently of the carrier; the carrier does not need to provide any VPN support. The advantage of a self-built VPN is direct control over the VPN network, independence from the carrier, and independence in the choice of VPN access devices. The disadvantage is that VPN technology is complex, so the cost of building one is high and QoS is hard to guarantee.

(2) Outsourced VPN: the enterprise outsources the VPN service to a carrier, which plans, designs, implements, and maintains the customer's VPN service according to the enterprise's requirements. The enterprise thus reduces the cost of building and maintaining the VPN, and the carrier opens up a new market for value-added IP services, earning more and increasing customer retention and loyalty. Current outsourced VPNs can be divided into two types: network-based VPN and CE-based managed VPN. In a network-based VPN, carrier-grade VPN switching equipment is usually installed at the POP of the carrier's network. In a CE-based managed VPN service, a trusted third party designs the required VPN solution and manages it on behalf of the enterprise using security gateways (firewalls, routers, and so on) on the customer's premises.

6. Division by VPN service layer

This is based on the layer at which the VPN service provided by the ISP operates (not the layer at which the tunneling protocol operates).

(1) Dial-up VPN service (VPDN): this is the VPDN from the first classification (it is really a division by access method, because it is hard to say which layer a VPDN belongs to).

(2) Virtual leased line (VLL): an emulation of the traditional leased-line service, using an IP network to emulate the leased line. From the point of view of the users at either end, such a virtual leased line is equivalent to the earlier leased line.

(3) Virtual private routed network (VPRN): an emulation of a layer 3 IP routed network. VPRN can be understood as layer 3 VPN technology.

(4) Virtual private LAN segment (VPLS): a technology for emulating a LAN over an IP wide area network. VPLS can be understood as layer 2 VPN technology.

III. Using OpenVPN

OpenVPN is a powerful, highly configurable, SSL/TLS-based open source VPN (Virtual Private Network) package. It supports several authentication methods and has many features. OpenVPN operates at layer 2 or layer 3 of the OSI model and uses SSL/TLS for the control channel, from which the data channel keys are derived. It supports various client authentication methods, such as certificates, smart cards, and username/password. It also has ACL functionality that restricts which clients may exchange traffic.

OpenVPN runs on a variety of operating systems, including Linux, Windows 2000/XP and later, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. With OpenVPN you can:

Establish a VPN connection between two hosts over a specific UDP or TCP port.

Implement a client/server structure in which multiple clients connect through one server.

Use TLS/SSL encryption to secure data in transit.

Compress data to improve transmission speed. Note that compressing data before encrypting it lets an attacker who controls part of the plaintext learn the rest from ciphertext sizes (the VORACLE attack demonstrated this against OpenVPN compression in 2018), so current OpenVPN releases deprecate compression and it should be left off.

The OpenVPN package is included on mainstream Linux installation media, and you can choose to install it during system installation. If it was not installed, you can install it from the installation media at any time. To check whether the package has been installed, run the package query command shown in figure 1, which shows that the system already has it installed.
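The package check that the paragraph above leaves to a figure, together with the TLS, certificate, and compression settings described in the OpenVPN overview, as an added example that is not code from the original article or from the OpenVPN project: a POSIX shell script that queries the RPM database for the openvpn package and then lints an OpenVPN configuration for the handful of directives that decide whether the tunnel actually protects traffic. It assumes a Fedora host with rpm/dnf and OpenVPN 2.5 or later (for the data-ciphers directive); the two configuration files it writes are constructed for the demonstration, and the file names in them (ca.crt, ta.key and so on) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article or from OpenVPN itself.
# Assumes a Fedora host with rpm/dnf and OpenVPN 2.5 or later (data-ciphers).
# The configs written by write_sample_configs are constructed for the demo;
# file names such as ca.crt and ta.key are placeholders.

# Returns 0 if RPM package $1 is installed, 1 if not, 2 if rpm is unavailable.
check_pkg_installed() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q "$1" >/dev/null 2>&1
}

# Helpers for audit_openvpn_conf: $body is the config with comments and blank
# lines stripped; has_directive matches a directive name at line start.
has_directive() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1"'([[:space:]]|$)'; }
matches()       { printf '%s\n' "$body" | grep -Eq "$1"; }

# Prints one line per weak or missing transport-security setting in the
# OpenVPN config file $1. Exit status is the number of findings (0 = clean).
audit_openvpn_conf() {
    body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")
    findings=0
    flag() { echo "$1"; findings=$((findings + 1)); }
    # No HMAC key on the control channel: anyone can talk to the TLS handshake.
    has_directive tls-crypt || has_directive tls-crypt-v2 || has_directive tls-auth || \
        flag "no tls-crypt/tls-auth: control channel is not HMAC-protected"
    # No peer role check: any CA-signed certificate can impersonate the other side.
    has_directive remote-cert-tls || \
        flag "no remote-cert-tls: peer role not checked"
    # Data channel explicitly unprotected, or 64-bit block cipher (SWEET32).
    matches '^[[:space:]]*(cipher|auth)[[:space:]]+none([[:space:]]|$)' && \
        flag "cipher/auth none: data channel unencrypted or unauthenticated"
    matches '^[[:space:]]*cipher[[:space:]]+(BF|DES|DES-EDE3|RC2|CAST5)-' && \
        flag "64-bit block cipher (SWEET32): use AES-256-GCM or AES-128-GCM"
    # Compress-then-encrypt leaks plaintext (VORACLE). 'comp-lzo no' and a bare
    # 'compress' only enable framing, so they are not flagged.
    matches '^[[:space:]]*(comp-lzo([[:space:]]+(yes|adaptive))?|compress[[:space:]]+(lzo|lz4|lz4-v2))[[:space:]]*$' && \
        flag "compression enabled: compress-then-encrypt exposes plaintext (VORACLE)"
    # Pin the TLS floor; older releases default to allowing TLS 1.0.
    matches '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]([[:space:]]|$)' || \
        flag "tls-version-min not set to 1.2 or higher"
    # Server side: password-only clients make a leaked password sufficient.
    matches '^[[:space:]]*(client-cert-not-required|verify-client-cert[[:space:]]+(none|optional))([[:space:]]|$)' && \
        flag "client certificates not required: password-only authentication"
    return $findings
}

# Writes two constructed configs into directory $1: weak.conf with settings
# inherited from old tutorials, and server.conf, the hardened equivalent.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
comp-lzo
client-cert-not-required
EOF
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
server 10.8.0.0 255.255.255.0
tls-version-min 1.2
remote-cert-tls client
verify-client-cert require
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
user nobody
group nobody
EOF
}

# Stand-alone run: report the package state, then audit both sample configs.
rc=0; check_pkg_installed openvpn || rc=$?
case $rc in
    0) echo "openvpn package: installed" ;;
    1) echo "openvpn package: missing (sudo dnf install openvpn)" ;;
    *) echo "rpm not available here, skipping package check" ;;
esac
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in weak.conf server.conf; do
    echo "== $f"
    audit_openvpn_conf "$tmp/$f" && echo "-> clean" || echo "-> $? finding(s)"
done
rm -rf "$tmp"
```

Run as `sh openvpn-check.sh`: weak.conf produces six findings (no control-channel HMAC, no peer role check, BF-CBC, comp-lzo, no TLS floor, and client-cert-not-required, which is the deprecated spelling of `verify-client-cert none`), server.conf none. The audit is a short allow-list of directives, not a substitute for reading the OpenVPN manual for your release; `tls-crypt` rather than `tls-auth` is chosen because it also encrypts the control channel, and `remote-cert-tls client` on the server (and `remote-cert-tls server` on clients) is what stops one client's certificate from being used to stand up a rogue server.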
