VPN Principle and Implementation: TCP or UDP

The key idea here is IP over SSL, and OpenVPN is its natural result, so I will not say much about it. OpenVPN and OpenSSL are not at the same level, although both are open source. The OpenVPN configuration is very complex, mostly in order to build a more sensible tunnel. A VPN implemented with IPsec does not distinguish between client and server: establishing the SA relies entirely on a Diffie-Hellman exchange to negotiate the symmetric encryption key and algorithm. OpenVPN, being built on OpenSSL, does distinguish the two, because the security of OpenVPN comes from SSL, and SSL distinguishes between client and server.

Enough has already been said about the virtual network card, so now let's look at some details of the tunnel. OpenVPN can establish either a TCP tunnel or a UDP tunnel. As the names suggest, the TCP tunnel encapsulates the VPN data stream in TCP and the UDP tunnel encapsulates it in UDP. Even with UDP encapsulation you do not need to worry about data arriving out of order in OpenVPN, because SSL runs over the UDP, and SSL (strictly speaking TLS rather than SSL) does not tolerate out-of-order data. The reason is that SSL data is not stream-based but record-based: the receiver must read a whole record at a time, so SSL buffers both the data it receives and the data it sends. If raw UDP were used underneath, packets could be lost or reordered, the records read would be wrong, and decryption would fail, especially in CBC mode (in SSL 3.0 and TLS 1.0 the CBC IV of each record is the last ciphertext block of the previous one, so a missing or swapped record corrupts the next). SSL therefore needs a reliable, ordered transport; when UDP is the transport, reliability and ordering have to be provided by a layer between SSL and UDP. In OpenVPN that is the job of the reliability layer under the TLS control channel; the data channel carries its own packet IDs for replay protection and does not need in-order delivery.

So how do you choose between the TCP tunnel and the UDP tunnel? Let's look at the combinations. Taking the carried protocol into account, there are four kinds of tunnel: TCP in TCP, UDP in TCP, TCP in UDP, and UDP in UDP. The first and the last have the biggest problems.
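The reliability layer that has to sit between a record-based protocol and UDP, as an added example written for this article (it is not OpenVPN's reliability layer or OpenSSL code): sequence numbers, a reorder buffer, cumulative ACKs and timer-driven retransmission. The channel, the record contents and the loss pattern are constructed; the point is that the record layer on the receiving side only ever sees records in the order they were sent, which is what TLS needs.

```python
"""A reliability layer between a record-based protocol and UDP.

Added example for this article, not OpenVPN's own code: it shows the job that
must be done between TLS records and an unreliable datagram transport, using a
constructed channel that drops and reorders datagrams deterministically.
"""


class Sender:
    """Numbers every record, keeps a copy until it is ACKed, retransmits on timeout."""

    def __init__(self, timeout=3):
        self.timeout = timeout
        self.next_seq = 0
        self.unacked = {}        # seq -> (record, time of last transmission)
        self.sent_count = 0      # datagrams handed to the channel, retransmissions included

    def send(self, record, now, channel):
        seq = self.next_seq
        self.next_seq += 1
        self.unacked[seq] = (record, now)
        channel.put(seq, record, now)
        self.sent_count += 1

    def on_ack(self, cum_ack):
        # Cumulative ACK: every sequence number below cum_ack was delivered in order.
        for seq in [s for s in self.unacked if s < cum_ack]:
            del self.unacked[seq]

    def tick(self, now, channel):
        # Anything outstanding for at least `timeout` is sent again.
        for seq, (record, sent_at) in sorted(self.unacked.items()):
            if now - sent_at >= self.timeout:
                self.unacked[seq] = (record, now)
                channel.put(seq, record, now)
                self.sent_count += 1


class Receiver:
    """Reorder buffer: hands records to the record layer strictly in sequence."""

    def __init__(self):
        self.expected = 0
        self.buffer = {}         # out-of-order records waiting for the gap to fill
        self.delivered = []      # what the record layer (e.g. TLS) actually gets
        self.arrival_order = []  # raw order seen on the wire, for illustration

    def on_datagram(self, seq, record):
        self.arrival_order.append(seq)
        if seq >= self.expected:                 # seq < expected is a duplicate
            self.buffer[seq] = record
        while self.expected in self.buffer:
            self.delivered.append(self.buffer.pop(self.expected))
            self.expected += 1
        return self.expected                     # value to send back as cumulative ACK


class LossyChannel:
    """Constructed UDP stand-in: drops the transmission attempts listed in
    `drop_attempts` and delays those in `slow_attempts` long enough to be overtaken."""

    def __init__(self, drop_attempts=(), slow_attempts=(), delay=1, slow_delay=3):
        self.drop, self.slow = set(drop_attempts), set(slow_attempts)
        self.delay, self.slow_delay = delay, slow_delay
        self.attempt = 0
        self.in_flight = []      # (arrival time, attempt, seq, record)

    def put(self, seq, record, now):
        attempt, self.attempt = self.attempt, self.attempt + 1
        if attempt in self.drop:
            return
        wait = self.slow_delay if attempt in self.slow else self.delay
        self.in_flight.append((now + wait, attempt, seq, record))

    def arrivals(self, now):
        due = sorted(p for p in self.in_flight if p[0] <= now)
        self.in_flight = [p for p in self.in_flight if p[0] > now]
        return [(seq, record) for _, _, seq, record in due]


def run_simulation(records, drop_attempts=(), slow_attempts=(), ticks=20):
    """Send one record per tick over the lossy channel; ACKs are assumed lossless."""
    sender, receiver = Sender(timeout=3), Receiver()
    channel = LossyChannel(drop_attempts, slow_attempts)
    for now in range(ticks):
        if now < len(records):
            sender.send(records[now], now, channel)
        for seq, record in channel.arrivals(now):
            sender.on_ack(receiver.on_datagram(seq, record))
        sender.tick(now, channel)
    return receiver.delivered, sender.sent_count, receiver.arrival_order


if __name__ == "__main__":
    recs = ["record0", "record1", "record2", "record3", "record4"]   # constructed input
    delivered, sent, order = run_simulation(recs, drop_attempts={1}, slow_attempts={2})
    print("wire order:", order)            # [0, 3, 2, 4, 1]
    print("record layer saw:", delivered)  # original order, nothing missing
    print("datagrams sent:", sent)         # 5 records + 1 retransmission = 6
```

In the run above the second datagram is lost and the third is delayed, so the wire delivers sequence numbers 0, 3, 2, 4, 1; the reorder buffer holds 2, 3 and 4 until the retransmitted 1 arrives and then releases them all in order, which is exactly the guarantee a CBC-chained record layer depends on.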
First, because TCP is connection-oriented, if a packet is lost the data will be retransmitted, either by the tunnel or by the real sender, and the copies retransmitted by the two are really the same data serving one purpose. The VPN router only provides an encapsulation service and should not have to be responsible for packet loss; that responsibility belongs to the real sender and receiver. But TCP semantics cannot express such a complex division of labour: each layer can only retransmit its own segments. So once packet loss occurs in the network, a large number of retransmissions follows immediately. UDP in UDP has the opposite problem: UDP tolerates packet loss and never recovers a lost packet, and a UDP tunnel aggravates this. If the network without a tunnel loses x packets on average, with a tunnel it may lose n * x packets, and none of those n * x packets come back. That leaves UDP in TCP and TCP in UDP. Strictly, one would have to take the inner protocol into account, but the inner protocol is chosen by the user; we, as the tunnel layer, have to pick one protocol to build the tunnel rather than force users onto a particular protocol. So is TCP better or UDP? It seems to be a matter of trade-offs, and personally I think UDP is better. If the user uses TCP, it handles retransmission and reordering by itself and the VPN does not need to; if the user uses UDP, he does not care about packet loss or ordering, and the VPN does not need TCP to guarantee them either. Guaranteeing them would cancel out the very reason the user chose UDP. With a TCP tunnel, a user running TCP causes a retransmission storm, and a user running UDP sees timeliness drop significantly.
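A small discrete-time model of the first combination, added here as an illustration and not taken from any real TCP implementation: an inner connection and a tunnel that each resend whatever is not acknowledged within their own timer, over a constructed lossy path. The RTO values, the one-way delay and the loss pattern are assumptions of the example. With them, every lost datagram costs two extra transmissions through a TCP tunnel (the tunnel resends it, then the inner TCP resends it again because its own ACK has not come back yet) against one through a UDP tunnel.

```python
"""Stacked retransmission: TCP in TCP versus TCP in UDP.

Added example for this article, not a real TCP implementation.  Both layers
are reduced to what matters here: a timer that resends anything not ACKed
within its RTO.  Timer values, delays and the loss pattern are assumed.
"""


class ReliableLayer:
    """Timer-driven retransmission with a fixed RTO, the part of TCP that matters here."""

    def __init__(self, rto):
        self.rto = rto
        self.next_seq = 0
        self.unacked = {}            # seq -> (payload, time of last transmission)

    def send(self, payload, now):
        seq = self.next_seq
        self.next_seq += 1
        self.unacked[seq] = (payload, now)
        return seq

    def acked(self, seq):
        self.unacked.pop(seq, None)  # a late duplicate ACK is harmless

    def expired(self, now):
        """Return (seq, payload) for everything that timed out, resetting its timer."""
        out = []
        for seq, (payload, sent_at) in sorted(self.unacked.items()):
            if now - sent_at >= self.rto:
                self.unacked[seq] = (payload, now)
                out.append((seq, payload))
        return out


class Wire:
    """Constructed lossy path: drops the transmission attempts listed in `drops`."""

    def __init__(self, drops, delay=1):
        self.drops, self.delay = set(drops), delay
        self.attempts = 0            # every datagram that hits the wire, repeats included
        self.in_flight = []          # (arrival time, attempt, datagram)

    def send(self, datagram, now):
        attempt, self.attempts = self.attempts, self.attempts + 1
        if attempt not in self.drops:
            self.in_flight.append((now + self.delay, attempt, datagram))

    def arrivals(self, now):
        due = sorted(p for p in self.in_flight if p[0] <= now)
        self.in_flight = [p for p in self.in_flight if p[0] > now]
        return [d for _, _, d in due]


def simulate(outer_is_tcp, segments, drops, inner_rto=4, outer_rto=3, ticks=40):
    """Send one inner TCP segment per tick through the tunnel; return
    (datagrams that hit the wire, inner segment numbers delivered)."""
    inner = ReliableLayer(inner_rto)                             # the user's TCP connection
    outer = ReliableLayer(outer_rto) if outer_is_tcp else None   # TCP tunnel, or None for UDP
    wire = Wire(drops)
    acks = []                                                    # (arrival time, layer, seq) heading back
    delivered = set()

    def tunnel_send(inner_seq, payload, now):
        outer_seq = outer.send((inner_seq, payload), now) if outer else None
        wire.send((outer_seq, inner_seq, payload), now)

    for now in range(ticks):
        # 1. ACKs reaching the sending side clear the matching layer's copy.
        for _, layer, seq in [a for a in acks if a[0] <= now]:
            (outer if layer == "outer" else inner).acked(seq)
        acks = [a for a in acks if a[0] > now]
        # 2. Datagrams reaching the receiving side: each layer ACKs what it got.
        for outer_seq, inner_seq, payload in wire.arrivals(now):
            if outer_seq is not None:
                acks.append((now + 1, "outer", outer_seq))
            delivered.add(inner_seq)                             # duplicates are simply discarded
            acks.append((now + 1, "inner", inner_seq))
        # 3. Inner TCP sends the next new segment, then resends what timed out.
        if now < len(segments):
            tunnel_send(inner.send(segments[now], now), segments[now], now)
        for seq, payload in inner.expired(now):
            tunnel_send(seq, payload, now)                       # the tunnel sees it as new data
        # 4. A TCP tunnel also resends its own timed-out datagrams.
        if outer:
            for outer_seq, (inner_seq, payload) in outer.expired(now):
                wire.send((outer_seq, inner_seq, payload), now)
    return wire.attempts, sorted(delivered)


if __name__ == "__main__":
    segs = ["s0", "s1", "s2", "s3"]                              # constructed traffic
    print("TCP in TCP:", simulate(True, segs, drops={0, 2}))     # (8, [0, 1, 2, 3])
    print("TCP in UDP:", simulate(False, segs, drops={0, 2}))    # (6, [0, 1, 2, 3])
```

Both tunnels deliver all four segments; the difference is the cost. Two losses become four extra datagrams through the TCP tunnel and two through the UDP tunnel, and in the TCP-in-TCP case the inner retransmission is pure waste, because the tunnel had already repaired the loss by the time the inner timer fired. A larger inner RTO would hide the duplicate in this toy, but real TCP timers converge on the measured round-trip time on both layers, so they fire close together.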
However, using UDP brings a problem of its own: if one end of the VPN goes away, whether it shut down normally or crashed, the other end is not notified, because UDP has no connection state. Liveness between the two parties must therefore be established with a heartbeat. In OpenVPN this is configured with --ping (send a heartbeat if nothing has been sent for n seconds) and --ping-restart (restart the connection if nothing has been received for n seconds); the --keepalive helper sets both at once. If the heartbeat interval is too short, detection becomes more sensitive, but the heartbeats turn into a storm, and shorter is not automatically better: when the endpoints are physically far apart, network congestion may be mistaken for a disconnection, resulting in a misjudgment. This is another thing worth balancing.
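A helper, written for this article and not part of OpenVPN, that works out the ping and ping-restart values a server config puts into effect on both sides and flags the two failure modes above (a heartbeat storm, and a congested long path misjudged as a disconnect). It relies on the documented expansion of --keepalive n m, which on a server becomes ping n and ping-restart 2*m locally and pushes ping n and ping-restart m to clients; the sample configs and the lint thresholds are constructed for the example and are not OpenVPN defaults.

```python
"""Effective OpenVPN heartbeat settings and a sanity check on them.

Added example for this article, not part of OpenVPN.  It understands only
ping, ping-restart, keepalive and the corresponding push lines of a server
config; the sample configs are constructed and the lint thresholds are this
example's own choice, not OpenVPN defaults.
"""


def effective_heartbeat(server_config):
    """Return the ping / ping-restart seconds in force on the server and on a
    client that receives its pushed options.

    keepalive n m is a helper that expands, on a server, to ping n and
    ping-restart 2*m locally and pushes ping n / ping-restart m to clients, so
    the client notices a dead peer before the server drops it.  Directives are
    applied in file order and a later one overrides an earlier one (assumption
    of this example).
    """
    server = {"ping": None, "ping-restart": None}
    client = {"ping": None, "ping-restart": None}
    for raw in server_config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] == "keepalive":
            n, m = int(parts[1]), int(parts[2])
            server.update({"ping": n, "ping-restart": 2 * m})
            client.update({"ping": n, "ping-restart": m})
        elif parts[0] in ("ping", "ping-restart"):
            server[parts[0]] = int(parts[1])
        elif parts[0] == "push":
            pushed = " ".join(parts[1:]).strip('"').split()
            if pushed and pushed[0] in ("ping", "ping-restart"):
                client[pushed[0]] = int(pushed[1])
    return {"server": server, "client": client}


def lint_heartbeat(values, min_ping=5, min_missed=3):
    """Flag settings that cause a heartbeat storm, a misjudged disconnect, or no
    disconnect detection at all.  Thresholds are illustrative, not OpenVPN's."""
    warnings = []
    for role in ("server", "client"):
        ping, restart = values[role]["ping"], values[role]["ping-restart"]
        if ping is None or restart is None:
            warnings.append(f"{role}: no heartbeat configured; a dead peer is never noticed over UDP")
            continue
        if ping < min_ping:
            warnings.append(f"{role}: ping {ping}s is very short; with many clients this is a heartbeat storm")
        if restart < min_missed * ping:
            warnings.append(f"{role}: ping-restart {restart}s tolerates fewer than {min_missed} missed pings; "
                            "congestion on a long path will look like a disconnect")
    s, c = values["server"]["ping-restart"], values["client"]["ping-restart"]
    if s is not None and c is not None and s <= c:
        warnings.append("server ping-restart should exceed the client's so the client restarts first")
    return warnings


SANE_CONFIG = """\
# constructed server.conf fragment
proto udp
keepalive 10 60
"""

AGGRESSIVE_CONFIG = """\
# constructed: heartbeat every second, give up after two seconds
proto udp
keepalive 1 2
"""

INVERTED_CONFIG = """\
# constructed: explicit directives, server gives up before the client does
proto udp
ping 10
ping-restart 30
push "ping 10"
push "ping-restart 60"
"""

if __name__ == "__main__":
    for name, cfg in [("sane", SANE_CONFIG), ("aggressive", AGGRESSIVE_CONFIG), ("inverted", INVERTED_CONFIG)]:
        values = effective_heartbeat(cfg)
        print(name, values, lint_heartbeat(values) or "ok")
```

The sane fragment yields ping 10 / ping-restart 120 on the server and ping 10 / ping-restart 60 pushed to the client, so six heartbeats can go missing before anyone restarts and the client always reacts first. The aggressive fragment restarts the client after two missed one-second pings, which is exactly the long-distance misjudgment described above, and the inverted fragment makes the server drop a client that still believes the tunnel is up.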