06_vpn

A Virtual Private Network (VPN) allows users to create a secure network over a public network, protecting internal resources through authentication and IP tunneling. Two types of IP tunneling are discussed: IPSec and TLS/SSL, with a focus on the latter for creating secure connections. The document also covers the setup of a VPN, including configuration of TUN/TAP interfaces and methods for bypassing firewalls using VPN technology.

Uploaded by kimthachbtm

Virtual Private Network

Introduction
• Networks primarily intended for internal use are called private networks.
• If we grant access from outside to the private network, the attack surface broadens significantly.
• If the internal resources still use IP addresses as the basis for authorization, it is not difficult for attackers to access the protected resources, since source IP addresses can be spoofed.
Virtual Private Network
VPN allows users to create a secure, private network over a
public network such as the Internet. This is achieved by:
• Having a designated host (the VPN server) on the network.
• Requiring outside computers to authenticate to the VPN server and go through it to reach the hosts inside the private network.
• Exposing only the VPN server to the outside; the internal computers remain protected by firewalls or by using reserved (private) IP addresses.
A Typical Setup
This is a typical VPN setup where the “Client” machine wants to
connect to machine “V” on a private network. “Client” authenticates to the
“VPN Server”, which gives it access to the private network.

IP Tunneling
Figure: an IP tunnel between Tunnel End A and Tunnel End B. The tunnel goes
through a public network, such as the Internet, and the traffic inside the
tunnel is protected. The actual packet that travels between the two ends of the
tunnel carries another IP packet as its payload: the packet that needs to be
protected, such as a packet to/from the private network.
Two Types of IP Tunneling
• IPSec Tunneling:
– Uses the IPsec protocol suite, implemented inside the kernel
– IPsec has a mode called tunnel mode, where the original IP packet is
encapsulated and placed into a new IP packet
• TLS/SSL Tunneling:
– Tunneling done outside the kernel, at the application level
– Idea is to put each VPN-bound IP packet inside a TCP or UDP packet
– The other end of the tunnel will extract the IP packet from the TCP/UDP
payload
– To secure the packets, both ends run TLS/SSL on top of the TCP connection
(or its datagram variant, DTLS, on top of UDP)
Two Types of IP Tunneling
Figure: IPSec tunneling (done in the kernel) versus TLS/SSL tunneling (done by
an application). The rest of these slides focus on TLS/SSL tunneling.
An Overview of How TLS/SSL VPN Works
Figure: the tunnel between the VPN client and the VPN server is just a normal
TCP- or UDP-based SSL connection. Question: how can the tunnel application get
an IP packet?
TUN/TAP Interface
• Question: how can the tunnel application get an IP packet?
– Typically, applications interact with the kernel using the socket interface
– Through a socket, the kernel only gives the data part of a packet to
applications; the IP and transport headers are stripped
– Applications therefore need a different way to interact with the kernel
TUN/TAP Interface
• Most operating systems have two types of network
interfaces:
– Physical: Corresponds to the physical Network Interface Card (NIC)
– Virtual: A virtualized representation of a network interface that may or
may not correspond directly to a NIC. Example: the loopback device
• TUN Virtual Interface
– Works at OSI layer 3, the IP level
– Any packet routed to a TUN interface is delivered to the user-space program
that opened it; packets the program writes to the interface are treated by
the kernel as packets received on that interface
• TAP Virtual Interface
– Works at OSI layer 2, the Ethernet level (the program sees whole Ethernet frames)
– Used for providing virtual network adapters for multiple guest machines
connecting to a physical device of the host machine
Creating a TUN Interface
The program opens /dev/net/tun and issues the TUNSETIFF ioctl on it; the flag
IFF_TUN specifies that we are creating a TUN interface (IFF_TAP would create a
TAP interface instead).
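The creation step in working form, as an added example written for this page (it is not the slides' own program). It assumes Linux, a readable /dev/net/tun and CAP_NET_ADMIN (root); the constants come from <linux/if_tun.h>, and the interface name "tun0" is an assumption. IFF_NO_PI matters in practice: without it every read() is prefixed by a 4-byte packet-information header, and the hexdump would not start at the IP header.

```python
"""Create a TUN interface from user space (added example, not the slides' code).

Assumes Linux, /dev/net/tun and CAP_NET_ADMIN (run as root). The constants are
from <linux/if_tun.h>; the interface name "tun0" is an assumption.
"""
import fcntl
import os
import struct

TUNSETIFF = 0x400454CA   # _IOW('T', 202, int), from <linux/if_tun.h>
IFF_TUN = 0x0001         # layer-3 (IP) interface, as opposed to IFF_TAP (layer 2)
IFF_NO_PI = 0x1000       # do not prepend the 4-byte "packet information" header
IFNAMSIZ = 16
IFREQ_SIZE = 40          # sizeof(struct ifreq) on Linux


def tun_ifreq(name: str, flags: int = IFF_TUN | IFF_NO_PI) -> bytes:
    """Pack the struct ifreq that TUNSETIFF expects: ifr_name (16 bytes)
    followed by ifr_flags (a short), padded to sizeof(struct ifreq)."""
    raw = name.encode()
    if len(raw) >= IFNAMSIZ:
        raise ValueError("interface name too long")
    return struct.pack("16sH22x", raw, flags)


def ifreq_name(ifr: bytes) -> str:
    """Interface name stored in an ifreq (the kernel fills it in for "tun%d")."""
    return ifr[:IFNAMSIZ].split(b"\0", 1)[0].decode()


def ifreq_flags(ifr: bytes) -> int:
    """Flags field of an ifreq, in host byte order as the kernel reads it."""
    return struct.unpack_from("H", ifr, IFNAMSIZ)[0]


def create_tun(name: str = "tun0", flags: int = IFF_TUN | IFF_NO_PI):
    """Open the clone device and attach a TUN interface to the descriptor.
    Returns (fd, actual_name). Needs root or CAP_NET_ADMIN."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        ifr = fcntl.ioctl(fd, TUNSETIFF, tun_ifreq(name, flags))
    except OSError:
        os.close(fd)
        raise
    return fd, ifreq_name(ifr)


def read_packet(fd: int, mtu: int = 1500) -> bytes:
    """Each read() on a TUN descriptor returns exactly one IP packet. With
    IFF_NO_PI the buffer starts at the IP header; without it the first four
    bytes are the packet-information header and must be stripped first."""
    return os.read(fd, mtu)


if __name__ == "__main__":
    tun_fd, ifname = create_tun("tun%d")   # kernel picks the first free name
    print("created", ifname, "- now: ip addr add <addr>/24 dev", ifname, "&& ip link set", ifname, "up")
    while True:                            # nothing arrives until the interface has an address and a route
        pkt = read_packet(tun_fd)
        print(len(pkt), "bytes, IP header starts:", pkt[:20].hex(" ", 2))
```

The descriptor stays attached to the interface only while it is open; when the program exits the kernel removes the interface unless it was made persistent with TUNSETPERSIST.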
Configure the TUN Interface
• Find the TUN interface

• Assign an IP address to the TUN interface and bring it up


Set Up the Routing
Figure: routing packets to the tunnel. Packets to the private network's
destination prefix are routed to the tun0 interface, i.e., they go through the
tunnel. All other traffic is routed to the physical interface, i.e., it does not
go through the tunnel.
Experiment: Reading From the TUN Interface
We did an experiment by sending a ping packet to 10.0.8.32. The
packet was sent to the TUN interface and then to our program.
We use “xxd” to read from the interface and convert the bytes into a
hexdump. The dump starts with the IP header; bytes 12-15 and 16-19 of it
are the addresses:
0a00 0863: Source IP (10.0.8.99)
0a00 0820: Destination IP (10.0.8.32)

Experiment: Writing To TUN Interface
• We can write data to TUN interfaces.
• We can create a valid packet using the same “xxd” command.
• Copy-paste the xxd output from the previous slide into a
file called “hexfile” and run “xxd -r hexfile > packetfile”.
• Now we write the packetfile to the interface:
• We should be able to observe the packet using Wireshark.


Establish a Transport-Layer Tunnel
• A tunnel is just a TLS/SSL connection.
• Two applications (the VPN client and server applications)
simply establish a TLS/SSL connection between themselves.
• Traffic inside is protected by TLS/SSL.
• What makes this TLS/SSL connection a tunnel?
– The payloads inside are IP packets
– That is why it is called an IP tunnel
How to Send/Receive Packets via Tunnel
Sending a packet via the tunnel
• Get an IP packet from the TUN
interface
• Encrypt it (also add MAC)
• Send it as a payload to the other end
of the tunnel

Receiving a packet from the tunnel


• Get a payload from the tunnel
• Decrypt it and verify its integrity
• We get the actual packet
• Write the packet to the TUN interface
Monitoring Both Interfaces
• Each tunnel application has two interfaces: the socket and the TUN
file descriptor
• It needs to monitor both
• It forwards packets between these two interfaces
Implementation (TUN -> Socket)
Note: the encryption step is omitted from the code (for the sake of simplicity)
Implementation (Socket -> TUN)
Note: the decryption step is omitted from the code (for the sake of simplicity)
Implementation (Monitoring the Two Interfaces)
select() blocks until one of the interfaces has data.
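The forwarding loop in working form, as an added example for this page (not the slides' own program). It fills in the detail the slides skip: a TLS connection over TCP is a byte stream, so the sender prefixes each IP packet with its length and the receiver reassembles packets regardless of how recv() splits them. Encryption and integrity are left to TLS rather than done by hand. `tun_fd` is assumed to be a descriptor already attached to a TUN interface (via the TUNSETIFF ioctl); the certificate file names and the server name are assumptions.

```python
"""Forward packets between a TUN descriptor and a TLS connection (added example,
not the slides' code). The length-prefix framing is needed because TCP/TLS is a
stream; the file names passed to the TLS helpers are assumptions."""
import os
import select
import ssl
import struct

LENGTH = struct.Struct("!H")   # 2-byte big-endian packet length, max 65535


def frame(packet: bytes) -> bytes:
    """Prefix one IP packet with its length so the receiver can find its boundary."""
    if not 1 <= len(packet) <= 0xFFFF:
        raise ValueError("packet size out of range")
    return LENGTH.pack(len(packet)) + packet


class Deframer:
    """Accumulates stream bytes and yields complete packets, however the
    bytes were split across recv() calls."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data: bytes) -> list:
        self.buf += data
        packets = []
        while len(self.buf) >= LENGTH.size:
            n = LENGTH.unpack_from(self.buf)[0]
            if n == 0:
                raise ValueError("zero-length frame from peer")
            if len(self.buf) < LENGTH.size + n:
                break                                 # wait for the rest of this packet
            packets.append(bytes(self.buf[LENGTH.size:LENGTH.size + n]))
            del self.buf[:LENGTH.size + n]
        return packets


def recv_all_available(conn) -> bytes:
    """Read what select() reported plus whatever TLS has already decrypted and
    buffered: an SSLSocket with pending() bytes will not wake select() again."""
    data = conn.recv(65536)
    while data and getattr(conn, "pending", lambda: 0)():
        data += conn.recv(65536)
    return data


def forward_loop(tun_fd: int, conn, mtu: int = 1500) -> None:
    """Block in select() on both ends and copy packets across: TUN -> tunnel
    (frame and send) and tunnel -> TUN (deframe and write). Returns when the
    peer closes, which is what "breaking the tunnel" looks like to this code."""
    deframer = Deframer()
    while True:
        readable, _, _ = select.select([tun_fd, conn], [], [])
        if tun_fd in readable:
            packet = os.read(tun_fd, mtu)          # one whole IP packet per read()
            conn.sendall(frame(packet))            # TLS encrypts and authenticates it
        if conn in readable:
            data = recv_all_available(conn)
            if not data:                            # EOF: tunnel is broken
                return
            for packet in deframer.feed(data):
                os.write(tun_fd, packet)           # kernel treats it as received on tun0


def server_tls(sock, certfile: str = "server.crt", keyfile: str = "server.key"):
    """Wrap an accepted TCP socket on the VPN server side."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx.wrap_socket(sock, server_side=True)


def client_tls(sock, server_name: str, cafile: str = "ca.crt"):
    """Wrap a connected TCP socket on the VPN client side; the default context
    verifies the server certificate against cafile and checks the hostname, so
    a client cannot be lured to an impostor VPN server."""
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=server_name)
```

Running the loop over a TLS socket means TCP delivers the inner packets reliably and in order, which is why an inner TCP session (the telnet test later in these slides) survives a tunnel outage: the inner packets are retransmitted by the inner TCP, not lost. A UDP carrier (DTLS) avoids this double-TCP behaviour but needs its own per-datagram framing.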
Case Study: Configuring a VPN
Configure VPN Server
• On VPN Server, we first run the server program.
• Configure the tun0 interface.
– We use 10.4.2.0/24 as IP prefix for the TUN interface (for
both VPN Client and VPN Server)
• The following two commands assign the IP address to
the tun0, bring it up and then add a corresponding
route to routing table.
Configure VPN Client

• On VPN Client, we first run the client program.


• Add route for the 10.4.2.0/24 network.
• Add a route, so that all the packets for 192.168.60.0/24
are routed to the tun0 interface.
Configure Host V

• The reply packets should go back via the same VPN tunnel,
so that they are protected.
• To ensure that, route all packets for the 10.4.2.0/24
network toward the tunnel.
• For Host V, we route such packets to VPN Server.
• Add the following routing entry to Host V:
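The configuration steps above (assign an address to tun0, bring it up, set up the routes) and the three-machine case study, as one added script written for this page rather than the slides' commands, which are not reproduced here. It prints the `ip` commands for the chosen machine and applies them only when run as root with `--apply`. The prefixes 10.4.2.0/24 and 192.168.60.0/24 are the slides'; the concrete addresses 10.4.2.5 (server tun0), 10.4.2.99 (client tun0) and 192.168.60.1 (the server's LAN address that Host V routes through) are assumptions. One step the slides take for granted is made explicit: the VPN server must have IP forwarding enabled, or packets arriving on tun0 for Host V are dropped.

```python
"""Routing configuration for the VPN case study (added example, not the slides'
commands). Addresses 10.4.2.5, 10.4.2.99 and 192.168.60.1 are assumptions."""
import ipaddress
import subprocess
import sys

TUN = "tun0"
TUN_NET = ipaddress.ip_network("10.4.2.0/24")          # prefix shared by both tunnel ends
PRIVATE_NET = ipaddress.ip_network("192.168.60.0/24")  # network behind the VPN server
SERVER_TUN_IP = "10.4.2.5"      # assumption
CLIENT_TUN_IP = "10.4.2.99"     # assumption
SERVER_LAN_IP = "192.168.60.1"  # assumption: VPN server's address on the private LAN


def _check_plan() -> None:
    """The routes below only match if the addresses agree with the prefixes."""
    for ip in (SERVER_TUN_IP, CLIENT_TUN_IP):
        if ipaddress.ip_address(ip) not in TUN_NET:
            raise ValueError(f"{ip} is not inside {TUN_NET}")
    if ipaddress.ip_address(SERVER_LAN_IP) not in PRIVATE_NET:
        raise ValueError(f"{SERVER_LAN_IP} is not inside {PRIVATE_NET}")


def tun_up(addr: str) -> list:
    """Assign the address and bring tun0 up. `ip addr add a.b.c.d/24` also
    installs the connected route for 10.4.2.0/24, so no extra route is needed."""
    return [["ip", "addr", "add", f"{addr}/{TUN_NET.prefixlen}", "dev", TUN],
            ["ip", "link", "set", TUN, "up"]]


def vpn_server_cmds() -> list:
    # The server forwards between tun0 and its LAN interface, which needs ip_forward.
    return tun_up(SERVER_TUN_IP) + [["sysctl", "-w", "net.ipv4.ip_forward=1"]]


def vpn_client_cmds() -> list:
    # Everything for the private network is routed into the tunnel.
    return tun_up(CLIENT_TUN_IP) + [["ip", "route", "add", str(PRIVATE_NET), "dev", TUN]]


def host_v_cmds() -> list:
    # Replies to 10.4.2.x must re-enter the tunnel: hand them to the VPN server's
    # LAN address, whose routing table sends 10.4.2.0/24 out of tun0.
    return [["ip", "route", "add", str(TUN_NET), "via", SERVER_LAN_IP]]


ROLES = {"server": vpn_server_cmds, "client": vpn_client_cmds, "host-v": host_v_cmds}


def plan(role: str) -> list:
    """Command list for one machine, after sanity-checking the address plan."""
    _check_plan()
    return ROLES[role]()


def apply(cmds: list, dry_run: bool = True) -> list:
    """Render the commands as shell lines; execute them unless dry_run."""
    rendered = [" ".join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return rendered


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "client"
    for line in apply(plan(role), dry_run="--apply" not in sys.argv):
        print(line)
```

Without the Host V route, Host V answers the client's 10.4.2.99 via its default gateway, the reply never enters the tunnel, and ping appears to fail even though the request arrived; checking `ip route get 10.4.2.99` on Host V is the quickest way to confirm the route is in place.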
Testing VPN: ping Testing
• Ping Host V from Host U and we see the following result:
• The following figure shows the packets generated when we
ping Host V (192.168.0.6).
Testing VPN: telnet Testing
• The following result shows that we can successfully
connect to the telnet server on Host V inside the private
network
Testing VPN: telnet Testing
• Let us break the tunnel and see what happens

Observation: the telnet connection is not broken. TCP will keep resending packets, but
they cannot be delivered because the tunnel is broken. Whatever we type in telnet will
be buffered by TCP, not lost, but we can’t see anything. As soon as we reconnect the
tunnel, everything that we have typed will show up.
Bypassing Firewalls using VPN
Bypassing Firewall using VPN: the Main Idea

• Send our Facebook-bound packets to the TUN interface towards VPN server
• VPN server will release our Facebook-bound packets to the Internet
• Facebook’s reply packets will be routed to the VPN server (question: why)
• VPN server sends the reply packets back to us via the tunnel
Experiment: Network Setup
Setting Up the Firewall
• Set up a firewall to block User from accessing Facebook
• We run the following command to get the list of IP prefixes
owned by Facebook:
• We can also get the IP addresses returned by Facebook’s DNS
server by running the following command (these IP addresses
can change): dig www.facebook.com
Blocking Facebook
Figure: one of the IP prefixes belonging to Facebook is blocked by the firewall,
and Facebook becomes unreachable.
Bypassing the Firewall
• We add a routing entry to the user machine, changing the
route for all Facebook traffic. Instead of going out through eth6,
it goes through the TUN interface:
• The Facebook-bound packets now go through our tunnel.
• Each Facebook-bound packet is hidden inside a packet addressed
to the VPN server, so the firewall, which only sees the outer packet,
does not block it.
• The VPN server will release the inner packet to the Internet.
• Replies from Facebook will come back to the VPN server, which
will forward them back to us via the tunnel.
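The bypass as an added, runnable configuration script for this page (not the slides' commands): the firewall rule on the user machine, the route that diverts the blocked prefix into tun0, and the VPN server side that forwards and masquerades the inner packets. The documentation prefix 203.0.113.0/24 stands in for the Facebook prefix the slides obtain from whois/dig, eth6 and tun0 follow the slides, and the server's outward interface eth0 is an assumption. The masquerade rule also answers the slide's "question: why": the Internet sees the VPN server's public address as the source, so replies return to the server, whose NAT table maps them back to 10.4.2.99 and whose routing table sends that prefix into tun0.

```python
"""Firewall-bypass configuration (added example, not the slides' commands).
203.0.113.0/24 stands in for a prefix from whois/dig; eth0 is an assumption.
Run `python3 bypass.py <firewall|user|server> --apply` as root to execute."""
import subprocess
import sys

BLOCKED_PREFIX = "203.0.113.0/24"   # assumption: replace with a prefix from whois/dig
FIREWALL_IF = "eth6"               # the user's physical interface (as in the slides)
TUN = "tun0"
SERVER_WAN_IF = "eth0"             # assumption: VPN server's Internet-facing interface


def firewall_cmds(prefix: str = BLOCKED_PREFIX, iface: str = FIREWALL_IF) -> list:
    """The filter the user machine starts with. It is bound to the physical
    interface on purpose: the OUTPUT chain sees every locally generated packet,
    so a rule without `-o eth6` would also drop the inner packet on its way to
    tun0 and the bypass could never work."""
    return [["iptables", "-A", "OUTPUT", "-o", iface, "-d", prefix, "-j", "DROP"]]


def user_bypass_cmds(prefix: str = BLOCKED_PREFIX) -> list:
    """Send the blocked destination into the tunnel instead of out of eth6.
    The outer packets are addressed to the VPN server, which the rule ignores."""
    return [["ip", "route", "add", prefix, "dev", TUN]]


def server_release_cmds(wan_if: str = SERVER_WAN_IF) -> list:
    """Forward the inner packets and masquerade their private source address
    (10.4.2.x) behind the server's public address; this is what makes the
    replies come back to the VPN server rather than vanish."""
    return [["sysctl", "-w", "net.ipv4.ip_forward=1"],
            ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", wan_if, "-j", "MASQUERADE"]]


ROLES = {"firewall": firewall_cmds, "user": user_bypass_cmds, "server": server_release_cmds}


def run(cmds: list, dry_run: bool = True) -> list:
    """Render the commands as shell lines; execute them unless dry_run."""
    rendered = [" ".join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return rendered


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "user"
    for line in run(ROLES[role](), dry_run="--apply" not in sys.argv):
        print(line)
```

Two things still leak around this setup: name resolution for www.facebook.com happens over the user's normal path unless DNS is also routed through the tunnel, and any address outside the diverted prefix (the `dig` answer can change) goes out through eth6 and is blocked or, worse, observed.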
Summary
• What is VPN?
• IP tunneling
• IP tunneling using TLS/SSL
– TUN/TAP interface
• Building a VPN using TUN/TAP interface
• Using VPN to bypass firewalls
