OpenVPN-ng: The application-layer tunnel for mobile life

Source: Internet
Author: User
Tags: ssl connection

The word VPN makes people think of something that is always a good thing, a way to slip past supervision; in fact VPN has practically become a synonym for evading oversight. Yet whatever the underlying technology, IPSec or a web proxy, anything that carries the original traffic inside an encrypted channel can be called a VPN, which is why people speak of layer-2 VPNs, layer-3 VPNs and even layer-7 VPNs. VPN is also a tool for grassroots users and for closed organizations: from small private companies to multinationals, nobody wants internal information seen by outsiders, so they deploy all kinds of VPN technology to give travelling staff and branch offices remote access. Supervision of that access is necessary, however, because these users do not choose the VPN themselves; they are required to use it.
SoftEther was once suspended from distribution at the request of Japan's IPA (the Information-technology Promotion Agency), and the reason is something we cannot discuss here. In this article I look at VPN technology from the perspective of both the user who is subject to supervision and the regulator who does the supervising, and at the end I give a design. I may well be a rebel.
1. What about OpenVPN? It is the first choice for grassroots DIY, but it does not suit large enterprises with high traffic volumes.
1.1. The OpenVPN performance question
1.2. The OpenVPN deployment question
2. The advantage of a full star topology is that it behaves like a company's internal LAN: everyone is plugged into one switch with enough ports. This is a BMA (broadcast multi-access) network; to reach anyone on it, you simply ARP for them.
3. The reusable implementation detail of OpenVPN is its TLS layer driven through OpenSSL memory BIOs, together with its own Reliable layer, which gives the control channel in-order, retransmitted delivery over UDP.
4. OpenVPN-ng: the new VPN design is called OpenVPN-ng. It consists of two modules, a Switch module and a processing module. The processing module handles encryption and decryption of VPN data and the authentication and key negotiation (TLS) between VPN nodes; the Switch only routes and forwards VPN traffic and plays no part in encryption, decryption or authentication.

All VPN nodes talk only to the Switch, over UDP. There are two kinds of traffic: the TLS handshake traffic between nodes, carried in control packets, and the VPN data traffic between nodes, carried in data packets. The two kinds differ only in the packet header. The packet header and the communication model were shown in a figure in the original post, which is not reproduced here.

As you can see, VPN processing nodes are identified by node IDs rather than by the usual IP address and port. This forms an overlay network that is stacked on top of IP/port but independent of any particular IP address or port number.
4.1. The power of the overlay network is precisely that it has nothing to do with IP addresses, transport protocols or port numbers: VPN nodes are addressed purely by node ID. This work is done by the VPN Switch module, which holds a {node ID, IP/port} mapping table. The effect is that as long as each VPN processing node keeps its connectivity to the VPN Switch, connectivity between any two nodes is guaranteed.
4.2. The data structure of the VPN processing node. Because one VPN node talks to more than one peer, each node clearly keeps a linked list in which every list node stores one session. Its security parameters include:
Peer node ID: the ID of the peer VPN node with which a secure connection has been established;
Encryption algorithm: a symmetric cipher such as 3DES, AES or RC4;
Key length: the length of the encryption key;
Digest algorithm: MD5, SHA-1 and so on;
Hash length: the length of the digest output;
Master key: the material from which the working keys are derived;
Pre-master key: the material from which the master key is derived;
IV length: ...
This is much like an IPSec SA: if you know SAs, you know how to use this structure. The peer node ID selects the list node, and the security parameters stored there are used to talk to that peer.
4.3. The data structure of the VPN Switch. The Switch only has to keep the forwarding mapping table. When a packet arrives from a node, the Switch extracts the destination node ID, looks it up in the {node ID, IP/port} table, and that tells it which VPN processing node the data must be sent to.
5. Using BIOs instead of the network to run TLS between nodes. You have to understand that the SSL handshake has nothing to do with network elements: exactly as OpenVPN does, you can run the TLS negotiation between two memory buffers with memory BIOs plus the Reliable layer. In this way a tunnel is established between two VPN processing nodes, yet all the outer IP packets are sent uniformly to the VPN Switch, which routes on the destination node ID in the OpenVPN-ng header and forwards the packet to the correct processing node.
6. Is this just stacking point-to-point OpenVPN instances? No! It is not a simple superposition of several P2P OpenVPNs. Note that in OpenVPN-ng I explicitly separated Switch forwarding from processing (OpenVPN itself had already decoupled the TLS channel from the network). The Switch therefore does not care about a packet's contents; it is just a simple forwarding proxy. Every incoming packet carries its destination in the header, and the Switch only has to forward the buffer to the corresponding destination node.
The tunnel is built between the VPN processing nodes, but it is neither an IP tunnel nor a layer-4 tunnel; it is an application-layer tunnel, a pure buffer tunnel. A buffer arrives at the VPN Switch and is read out of the socket buffer. It is an encrypted IP datagram or Ethernet frame with the OpenVPN-ng header prepended; after routing on the header, the buffer is written into a socket towards the target VPN processing node.
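Sections 5 and 6 make two claims: TLS does not care what carries its bytes, and the Switch can relay opaque buffers by node ID without ever decrypting them. The Go program below is an added example written for this edition (not the article's code, not OpenVPN's) that demonstrates both. A `net.Conn` backed by nothing but channels of buffers (`bufConn`, the role OpenVPN gives to memory BIOs) carries a real `crypto/tls` handshake and one data record between node 1 and node 2, while a relay goroutine standing in for the Switch forwards each frame by destination node ID and records whether the plaintext ever passed through it. The node IDs, the self-signed certificate for `node-2`, the message and all names are constructed for the demo. OpenVPN's Reliable layer is not reproduced because Go channels already deliver in order without loss; over real UDP it would sit between `bufConn` and the socket.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

type frame struct { // what the Switch sees: an opaque buffer plus source and destination node IDs
	src, dst uint32
	data     []byte
}

// bufConn plays the memory-BIO role: TLS writes bytes into it and reads bytes out of it, and no
// IP address or port is involved. Each Write becomes one frame addressed to the peer's node ID.
// Close, deadlines and addresses fall through to the embedded nil net.Conn: never called here.
type bufConn struct {
	net.Conn
	id, peer uint32
	out      chan<- frame // towards the Switch
	in       <-chan frame // from the Switch
	pending  []byte       // unread tail of the last frame
}

func (c *bufConn) Write(p []byte) (int, error) {
	c.out <- frame{src: c.id, dst: c.peer, data: append([]byte(nil), p...)}
	return len(p), nil
}

func (c *bufConn) Read(p []byte) (int, error) {
	if len(c.pending) == 0 {
		c.pending = (<-c.in).data // block until the Switch delivers the next frame
	}
	n := copy(p, c.pending)
	c.pending = c.pending[n:]
	return n, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned makes a throwaway ECDSA certificate for the node called name (demo only).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// tunnelDemo runs a real TLS handshake between node 1 and node 2 while the Switch relays frames
// by destination node ID only. It returns what node 2 received and whether the plaintext ever
// appeared in a frame crossing the Switch.
func tunnelDemo(secret string) (received string, leaked bool) {
	cert, pool := selfSigned("node-2")
	uplink := make(chan frame, 64)
	ports := map[uint32]chan frame{1: make(chan frame, 64), 2: make(chan frame, 64)}
	var saw atomic.Bool
	go func() { // the Switch: look up the destination ID, forward the opaque buffer. No crypto.
		for f := range uplink {
			if bytes.Contains(f.data, []byte(secret)) {
				saw.Store(true)
			}
			ports[f.dst] <- f // only nodes 1 and 2 exist in this demo
		}
	}()
	node1 := tls.Client(&bufConn{id: 1, peer: 2, out: uplink, in: ports[1]}, &tls.Config{RootCAs: pool, ServerName: "node-2"})
	node2 := tls.Server(&bufConn{id: 2, peer: 1, out: uplink, in: ports[2]}, &tls.Config{Certificates: []tls.Certificate{cert}})
	got := make(chan string, 1)
	go func() { // node 2: the first Read performs the handshake implicitly
		buf := make([]byte, 256)
		n := must(node2.Read(buf))
		got <- string(buf[:n])
	}()
	must(node1.Write([]byte(secret))) // node 1 handshakes (verifying node 2's certificate) and sends
	received = <-got                  // node 2 has it, so every frame on the way has passed the Switch
	return received, saw.Load()
}

func main() {
	r, leaked := tunnelDemo("10.8.0.5 -> 10.8.0.9: ping")
	println("node 2 received:", r, "| switch saw plaintext:", leaked)
}
```

Node 1 verifies node 2's certificate against a root pool and a server name, exactly as it would over a socket; nothing in `crypto/tls` notices that the bytes travelled as node-ID-addressed frames through a relay. The relay, for its part, sees only ciphertext, which is the property the article relies on when it says the Switch "does not focus on the specific content of the packet".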
7. The trust problem: does a VPN processing node trust the VPN Switch?
Can a VPN processing node hand all of its keys over to the VPN Switch?
If so, the processing node first establishes an SSL connection with the Switch (to support mobility this SSL again runs over memory BIOs on top of the Reliable layer), then sends the symmetric key it negotiated with each peer node to the Switch inside a digital envelope. The Switch thereby builds an n * n table holding the symmetric key of every pair of processing nodes.
What can the VPN Switch do now? It can decrypt every data packet, process it and re-encrypt it, which makes security auditing and protocol conversion possible. But this is a matter of trust: whether a third party should be trusted, and whether it is authoritative, is a big question.
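What handing the keys to the Switch buys, and what it costs, is easiest to see in code. The Go program below is an added example for this edition, not the article's design or any OpenVPN code: a node wraps the pair key it negotiated in an RSA-OAEP envelope for the Switch (`SealForSwitch`); the Switch unwraps it and keeps it in its pair table (`Escrow`); and, on request, the Switch decrypts a data packet, hands the plaintext to an inspection or protocol-conversion hook, and re-encrypts the result under the same key (`Audit`). RSA-OAEP for the envelope, AES-256-GCM for data packets, the fixed 32-byte key and the names are all assumptions of the example; the article only says "digital envelope".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EscrowSwitch is the section-7 Switch the nodes chose to trust: it keeps one data cipher per node pair.
type EscrowSwitch struct {
	priv *rsa.PrivateKey
	keys map[[2]uint32]cipher.AEAD
}

func NewEscrowSwitch() (*EscrowSwitch, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &EscrowSwitch{priv: priv, keys: map[[2]uint32]cipher.AEAD{}}, nil
}

// newAEAD turns a 32-byte pair key into the data-packet cipher assumed here, AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForSwitch is the node side of the "digital envelope": RSA-OAEP to the Switch's public key.
func SealForSwitch(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// Escrow is the Switch side: open the envelope and remember the pair's cipher (both directions).
func (s *EscrowSwitch) Escrow(a, b uint32, envelope []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, envelope, nil)
	if err != nil {
		return err
	}
	g, err := newAEAD(key)
	if err != nil {
		return err
	}
	s.keys[[2]uint32{a, b}], s.keys[[2]uint32{b, a}] = g, g
	return nil
}

// Seal is what a node does to an outgoing data packet: fresh random nonce, then nonce||ciphertext.
func Seal(g cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the receiving side; GCM rejects anything the key does not authenticate.
func Open(g cipher.AEAD, packet []byte) ([]byte, error) {
	if len(packet) < g.NonceSize() {
		return nil, fmt.Errorf("packet too short")
	}
	return g.Open(nil, packet[:g.NonceSize()], packet[g.NonceSize():], nil)
}

// Audit is what the Switch can do once it holds the key: decrypt a packet from a to b, run an inspection
// or protocol-conversion hook, and re-encrypt. Node b cannot tell the result from node a's own packet.
func (s *EscrowSwitch) Audit(a, b uint32, packet []byte, inspect func([]byte) ([]byte, error)) ([]byte, error) {
	g, ok := s.keys[[2]uint32{a, b}]
	if !ok {
		return nil, fmt.Errorf("no escrowed key for %d->%d: the Switch can only forward blindly", a, b)
	}
	plain, err := Open(g, packet)
	if err != nil {
		return nil, err
	}
	out, err := inspect(plain)
	if err != nil {
		return nil, err
	}
	return Seal(g, out)
}

func main() {
	sw, _ := NewEscrowSwitch()
	k := []byte("32-byte key negotiated by nodes!") // stands in for the key nodes 1 and 2 negotiated over TLS
	g, _ := newAEAD(k)
	env, _ := SealForSwitch(&sw.priv.PublicKey, k)
	fmt.Println("escrow:", sw.Escrow(1, 2, env))
	pkt, _ := Seal(g, []byte("GET /secret HTTP/1.0"))
	out, err := sw.Audit(1, 2, pkt, func(p []byte) ([]byte, error) { fmt.Printf("Switch sees %q\n", p); return p, nil })
	plain, _ := Open(g, out)
	fmt.Printf("node 2 receives %q, audit err: %v\n", plain, err)
}
```

Before `Escrow`, `Audit` fails and the Switch can do nothing but forward the buffer, which is the section-4 Switch. After it, the Switch can read every packet between the pair and can rewrite one and re-authenticate it so that node 2 accepts it as node 1's. That is what "security auditing and protocol conversion" means in practice, and also why the question of whether the third party deserves that trust is the real one.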
8. For how a key is handed over to the VPN Switch, see the previous section.
9. Sharing keys with a cluster is another extension. The negotiated symmetric key is shared either between two nodes or between two clusters; in the cluster case the question becomes how the key is distributed within the cluster. There are many solutions: digital envelopes? A TLS channel...
10. The fixed point. The ultimate goal is a fixed point in the strict sense: something that solves the problem of a mobile terminal's IP address changing as it moves. Earlier I used a custom session layer to lift the restriction imposed by IP address changes. Now look at the current OpenVPN-ng implementation: there is no direct network connection between VPN nodes, so as long as a node stays connected to the VPN Switch, communication between nodes carries on. The fixed point is the VPN Switch! Of course, I need to design a state machine so that a node whose IP address has changed actively reports to the Switch, and the Switch updates its {node ID, IP/port} mapping table. Earlier I used the SID instead of IP address/port as the lookup key of the multi_instance linked list, which only solved IP address changes on the client side. In OpenVPN-ng there is no longer any difference between server and client; only VPN processing nodes are left, and they only have to maintain connectivity to the fixed-point VPN Switch. In this way the processing nodes can move at will!
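The node-ID addressing of section 4.1, the Switch table of section 4.3 and the rebind on IP change described here fit in a few dozen lines. The Go code below is an added example written for this edition, not the author's OpenVPN-ng implementation; the 9-byte header layout (the article shows the header only as a figure), the names `Header`, `Switch` and `Route`, and the simplification that any packet from a node refreshes its table entry (standing in for the author's explicit state machine) are assumptions of the example, and the addresses are constructed test data.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Assumed header layout (the article shows the header only as a figure, so this is a guess):
//   byte 0      packet type: 0 = control (TLS bytes), 1 = data (encrypted IP datagram or frame)
//   bytes 1..4  source node ID, big-endian
//   bytes 5..8  destination node ID, big-endian
// The payload follows and is opaque to the Switch.
const (
	PktControl byte = 0
	PktData    byte = 1
	hdrLen          = 9
)

type Header struct {
	Type     byte
	Src, Dst uint32
}

func Encode(h Header, payload []byte) []byte {
	pkt := make([]byte, hdrLen+len(payload))
	pkt[0] = h.Type
	binary.BigEndian.PutUint32(pkt[1:5], h.Src)
	binary.BigEndian.PutUint32(pkt[5:9], h.Dst)
	copy(pkt[hdrLen:], payload)
	return pkt
}

func Decode(pkt []byte) (Header, []byte, error) {
	if len(pkt) < hdrLen {
		return Header{}, nil, errors.New("short packet")
	}
	if pkt[0] != PktControl && pkt[0] != PktData {
		return Header{}, nil, fmt.Errorf("unknown packet type %d", pkt[0])
	}
	h := Header{Type: pkt[0], Src: binary.BigEndian.Uint32(pkt[1:5]), Dst: binary.BigEndian.Uint32(pkt[5:9])}
	return h, pkt[hdrLen:], nil
}

// Switch holds nothing but the {node ID -> IP/port} table; it never looks at payloads.
type Switch struct {
	table map[uint32]*net.UDPAddr
}

func NewSwitch() *Switch { return &Switch{table: make(map[uint32]*net.UDPAddr)} }

// Route is the forwarding decision of section 4.3 and the mobility update of section 10 in
// one step. The outer UDP source address refreshes the sender's table entry, so a node that
// has moved is reachable again as soon as it sends anything (its next packet is the "I moved"
// report of the author's state machine). Then the destination ID is looked up; the whole
// buffer, header included, is what gets forwarded.
// CAVEAT: this trusts the outer UDP source address. Anyone who can spoof a node ID would
// redirect that node's traffic to themselves, so a real implementation must authenticate a
// rebind (for example inside a TLS session between node and Switch) before updating the table.
func (s *Switch) Route(from *net.UDPAddr, pkt []byte) (*net.UDPAddr, error) {
	h, _, err := Decode(pkt)
	if err != nil {
		return nil, err
	}
	s.table[h.Src] = from
	to, ok := s.table[h.Dst]
	if !ok {
		return nil, fmt.Errorf("node %d unknown, dropping", h.Dst)
	}
	return to, nil
}

func main() {
	sw := NewSwitch()
	hq := &net.UDPAddr{IP: net.ParseIP("203.0.113.10"), Port: 1194}  // node 1, a fixed office
	home := &net.UDPAddr{IP: net.ParseIP("198.51.100.7"), Port: 40000} // node 2, a phone at home
	cafe := &net.UDPAddr{IP: net.ParseIP("192.0.2.99"), Port: 51000}   // the same phone after moving
	for _, step := range []struct {
		from *net.UDPAddr
		pkt  []byte
	}{
		{hq, Encode(Header{PktControl, 1, 2}, []byte("client hello"))}, // node 2 unknown yet: dropped
		{home, Encode(Header{PktControl, 2, 1}, []byte("hello too"))},  // node 2 learned
		{hq, Encode(Header{PktData, 1, 2}, []byte{0xaa})},              // forwarded to home
		{cafe, Encode(Header{PktData, 2, 1}, []byte{0xbb})},            // node 2 moved: entry refreshed
		{hq, Encode(Header{PktData, 1, 2}, []byte{0xcc})},              // now forwarded to cafe
	} {
		to, err := sw.Route(step.from, step.pkt)
		fmt.Printf("from %-20v -> %v %v\n", step.from, to, err)
	}
}
```

The table is the whole of the Switch's state, which is why the article can call it the fixed point: the two nodes never learn each other's addresses, so a move is a single table update. The caveat in the code is the part the article leaves open. Learning the mapping from whatever UDP source claims a node ID is exactly how a pure forwarder would do it, and exactly what an attacker on the path would exploit; the rebind report needs to be authenticated before it is trusted.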
Now consider the case where every node in the network is a mobile terminal, such as a mobile phone.
Then we look for another fixed point: the virtual IP address. The address of the virtual network card stays unchanged. Although the mobile terminal's real IP address keeps changing, the virtual NIC's address does not, because the connectivity between the VPN node and the VPN Switch is maintained; so a TCP connection established between the virtual NIC addresses stays up and is not interrupted by changes to the terminals' IP addresses. Is this a bit like the idea of LISP (not the Lisp language, but the Locator/ID Separation Protocol)?
11. I have been writing this article about mobile endurance for several weeks now. The past month was very busy. First I was on a business trip for the first ten days, which was actually good, because I learned a lot in just a few days; then the middle and the latter part of the month were sad. The repetitive technical support made me feel several times like throwing my iPhone 5 away. I kept thinking about how to make a mobile terminal support a fully smooth transition, but only thinking, because I knew OpenVPN-ng would not be adopted... Later, as I had to prepare for my child's kindergarten, there was a parent-teacher meeting, a home visit, ... in a short time I learned a lot about the world. After a few nights, I implemented OpenVPN-ng.
OpenVPN not only encrypts data; it also has its own protocol. It is an application-layer protocol that encapsulates an IP datagram or Ethernet frame, and that is what makes an application-layer tunnel possible. It uses the virtual network card to route packets up into the application layer, where IP packets or Ethernet frames can be encapsulated. If all communication is centred on the virtual NIC's IP address, moving is no longer a problem. However, a Switch has to serve as the fixed point; it is like an aircraft carrier, but one that provides mobility endurance! This centralized mobility strategy is very simple, at least I think so, and it is very suitable for a single mobile environment.
