VPN Principle and Implementation-General Theory

Source: Internet
Author: User

OpenVPN builds its security on OpenSSL, but it is not an SSL VPN in the traditional sense; it is an ordinary VPN that works at the IP layer rather than the transport layer. VPN has two meanings: V for virtual and P for private. "Virtual" means no physical cabling is required; the network exists only logically. That a virtual network can be built at all is a consequence of the layered model, which divides the network into seven layers (or five in TCP/IP) by logical function. Each layer only carries data and is indifferent to its format and content, so in principle data of any layer can be carried by any other layer, or by its own layer. This is why so many "XX over YY" network models exist, such as PPP over Ethernet. Over models can be divided into three types by the layers involved. The first type is the upper layer carried by the lower layer; this is simply the ordinary TCP/IP model we use every day. The second type is the same layer carrying the same layer, for example PPPoE. This construction is mainly used to add non-transmission logic, or to implement a tunnel, at a layer dominated by transmission. In PPPoE, Ethernet is mainly used for LAN transmission: its price/performance ratio is reasonable, but it lacks an authentication mechanism. PPP is good at authentication but lacks multipoint communication and addressing capabilities, so it is of little significance as a transmission protocol. Hence Ethernet is used for transmission and PPP for authentication.

Another same-layer example is IPsec tunnel mode, which encapsulates an IP datagram inside another IP datagram. This actually implements a "virtual local area network" (note: not a VLAN). Until the datagram reaches its final destination, the only IP header that participates in routing is the outer one; the inner IP header and the real data are just payload to the outer header and play no part in routing. So for the routers between the tunnel entry and the tunnel exit, whatever LANs or WANs lie in between, nothing else is visible, and the inner datagram always "believes" it is still on the LAN of the entry router. A virtual network is realized, and so is the V in VPN. What about P? IPsec combines V and P: security is added in the course of implementing IP over IP, through the well-known AH and ESP protocols. Only once security is in place is exclusivity guaranteed; otherwise anyone could join your virtual network. As far as VPN is concerned, that is all IPsec does, but IPsec is not used only this way. Its main purpose is to secure IP datagrams (the IP layer itself provides no security; IPv6 differs in that IPsec is part of its base specification), and VPN is merely one application of its tunnel mode. Besides tunnel mode, IPsec also has transport mode, which establishes no tunnel: the authentication or encryption function is applied directly inside the IP datagram, with no IP over IP at all.
As everyone knows, a VPN implemented with IPsec tunnel mode has a defect: it is hard to traverse NAT. NAT has to modify the IP header, and AH authenticates exactly that header, so once the header is rewritten the integrity check at the receiver fails; ESP does not cover the outer header, but a plain NAT still has no ports to translate on protocol 50, and in transport mode the inner transport checksum no longer matches the rewritten addresses. So you cannot freely use an IPsec VPN in a NAT environment, though the IPsec protocol that does not authenticate the IP header (ESP) can still be used. Is VPN a lifeline for IPsec? Authentication and encryption logic is complex and varied, and it does not belong at the IP layer; it is enough for the IP layer to route quickly and connect different subnets. If we view each layer of the layered model as a means of transport, the problem becomes easy, because means of transport can carry each other: a big truck can carry small trucks, it can be taken apart and carried by small trucks, and a big truck can carry other big trucks; all of them can be put into containers and carried by ship. That is the layered model. We can therefore let the application layer, the presentation layer or the transport layer carry IP datagrams. This is the third type of over model: the upper layer carrying the lower layer. In many cases the logic of the upper layer is more complex and its implementation more flexible, so if you need highly complex logic at a low layer, try this model. In this sense a VPN implemented with IPsec is definitely not as good as IP over SSL, because IPsec is hard to extend; its position in the protocol stack is not suited to significant changes. SSL, by contrast, is very extensible: it sits at the top of the stack, so even a change that affects the application layer is manageable, for example forcing HTTP to become HTTPS.
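The two claims above, that transit routers see only the outer header and that NAT breaks AH while leaving the ESP integrity check intact, as an added Python illustration (this is not code from the original article). It models IP-in-IP encapsulation with minimal 20-byte IPv4 headers, uses HMAC-SHA256 as a stand-in for the AH/ESP integrity check value, and omits the real AH/ESP headers, SPI and sequence numbers; the addresses, key and payload are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

PROTO_TCP, PROTO_IPIP, PROTO_ESP, PROTO_AH = 6, 4, 50, 51
KEY = b"constructed-demo-key"   # constructed for this example, not a real SA key


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; header checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len,   # version/IHL, DSCP/ECN, total length
                       0, 0,                        # identification, flags/fragment offset
                       ttl, proto, 0,               # TTL, protocol, header checksum
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"ttl": pkt[8], "proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "payload": pkt[ihl:]}


def encapsulate(outer_src, outer_dst, inner_pkt):
    """IP over IP: the complete inner datagram becomes the payload of an outer one."""
    return ipv4_header(outer_src, outer_dst, PROTO_IPIP, len(inner_pkt)) + inner_pkt


def next_hop(pkt, routes):
    """A transit router forwards on the outer destination only; the inner header is opaque payload."""
    dst = ipaddress.IPv4Address(parse_ipv4(pkt)["dst"])
    # longest-prefix match over (prefix, interface) pairs
    for prefix, hop in sorted(routes, key=lambda r: -ipaddress.ip_network(r[0]).prefixlen):
        if dst in ipaddress.ip_network(prefix):
            return hop
    return None


def ah_covered_bytes(pkt):
    """AH authenticates the IP header itself, with its mutable fields zeroed, plus everything after it."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                  # DSCP/ECN
    hdr[6:8] = b"\x00\x00"      # flags + fragment offset
    hdr[8] = 0                  # TTL
    hdr[10:12] = b"\x00\x00"    # header checksum
    return bytes(hdr) + pkt[20:]


def ah_icv(pkt, key=KEY):
    return hmac.new(key, ah_covered_bytes(pkt), hashlib.sha256).digest()


def esp_icv(pkt, key=KEY):
    """ESP's ICV covers the ESP payload (here: the encapsulated datagram), never the outer IP header."""
    return hmac.new(key, pkt[20:], hashlib.sha256).digest()


def verify(icv_func, pkt, icv, key=KEY):
    return hmac.compare_digest(icv_func(pkt, key), icv)


def nat_rewrite_src(pkt, new_src):
    """What a source NAT does on the way out: rewrite the outer source address."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def decrement_ttl(pkt):
    """What every transit router does; a change AH deliberately does not cover."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]


def demo():
    # Constructed addresses: a host on LAN 10.0.1.0/24 talks to 10.0.2.9 behind the far gateway.
    inner = ipv4_header("10.0.1.5", "10.0.2.9", PROTO_TCP, 8) + b"payload!"
    pkt = encapsulate("192.168.1.10", "203.0.113.7", inner)      # gateway-to-gateway outer header
    routes = [("0.0.0.0/0", "wan0"), ("10.0.0.0/8", "lan0")]
    ah, esp = ah_icv(pkt), esp_icv(pkt)
    natted = nat_rewrite_src(pkt, "198.51.100.1")                # a NAT between the two gateways
    return {
        "transit_hop": next_hop(pkt, routes),                    # outer dst decides: wan0
        "inner_would_route_to": next_hop(inner, routes),         # the router never looks here
        "inner_src_unchanged": parse_ipv4(parse_ipv4(natted)["payload"])["src"],
        "ah_ok_before_nat": verify(ah_icv, pkt, ah),
        "ah_ok_after_ttl_decrement": verify(ah_icv, decrement_ttl(pkt), ah),
        "ah_ok_after_nat": verify(ah_icv, natted, ah),
        "esp_ok_after_nat": verify(esp_icv, natted, esp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results say less than they seem to: ESP's ICV survives the rewritten outer header, but a plain NAT still cannot map protocol 50 flows, and in transport mode the inner TCP/UDP checksum no longer matches the rewritten addresses. That is why ESP behind NAT is in practice carried in UDP (NAT-T, RFC 3948), itself an instance of the "lower layer carried by a higher layer" model described above.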
If the design principle that lower layers should not carry complex, diverse and changeable logic is correct, then IPsec should never have appeared. The same applies to IPv6: apart from expanding the address space, its new features only add to the burden on the IP layer. One could call the complex design of IPv6 a trick by commercial companies to push their own interfaces or devices, but that would not be accurate either; leave it to history to judge.
A VPN does not have to use a tunnel. As long as the networks can reach each other and that reachability is exclusive, it is theoretically a VPN. The tunnel approach is simply more representative, and its various implementations are richer and fancier.
