Difference between revisions of "OpenVPN/VpnChains"

From Secure Computing Wiki
Latest revision as of 15:54, 19 November 2010


I decided to finally document what I call VPN Chains. This may not be very clear at first, but hopefully I come back and clean it up later.
You may not see a practical purpose to doing this, and if that is the case: don't do it =] This is just something I chose to play with some time ago, and revisited for the purpose of documenting it. I will not be documenting exactly HOW to set this up, but rather my findings while playing with this sort of setup. Almost everything you need for the HOW is in my writeup OpenVPN/Routing. The only other thing to know is that you must enable IP forwarding on CLIENT-A.
Here is the basic idea:
A VPN chain is a network of VPNs set up in such a way that I can connect to one node and have my traffic flow encrypted from machine to machine through a chain until it reaches my target.
In this example I will use a setup that looks like this:

(Image: Vpnchains.jpg, diagram of the chain)

I connect to SERVER-A, which has CLIENT-A connected to it. CLIENT-A has another OpenVPN client running that is connected to SERVER-B, which also has CLIENT-B connected to it.

Now if I ping CLIENT-B, the packet travels over each of the 3 machines before hitting CLIENT-B.

If I choose, I could run a SOCKS server on the VPN IP of any or all of those machines, and set my programs to tunnel over the VPN and exit from whichever computer I say (maybe later I'll make another writeup on the uses of running a SOCKS server inside a VPN).

Now I could choose to run a VPN server on CLIENT-B, listening only on 10.8.0.10 but using the subnet 10.8.2.x.
Now I connect my laptop to that new server, and my laptop has another IP, 10.8.2.6; CLIENT-B has another IP as well, 10.8.2.1.
In the VPN chain any machine can inspect traffic by sniffing its tun interface, so if one is compromised the traffic is also compromised. When I add this second VPN on top of the first, the whole chain becomes just another untrusted network, the way the internet is to the chain.
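As an added example (these are not the wiki author's configs), here are the routing-relevant fragments of the OpenVPN configs that produce the chain above and the second VPN nested on top of it. Assumed: OpenVPN 2.x in routed tun mode with the default net30 topology, the addresses from this write-up, one client-config-dir (ccd) file per client, and Linux on CLIENT-A; the ccd file names and the certificate/key directives (omitted) are my own choices.

```conf
# --- SERVER-A (10.8.1.1): ME and CLIENT-A connect here ---
proto udp
dev tun0
server 10.8.1.0 255.255.255.0
client-config-dir ccd
# kernel route: SERVER-B's subnet is reachable through the tun gateway
route 10.8.0.0 255.255.255.0
# ccd/client-a (assumed name): OpenVPN-internal route, so packets for
# 10.8.0.x are handed to CLIENT-A and replies with 10.8.0.x sources are
# accepted from it instead of being dropped as "bad source address"
#   iroute 10.8.0.0 255.255.255.0
# ccd/me (assumed name): only the laptop gets the route, CLIENT-A
# already reaches 10.8.0.x directly over its second tunnel
#   push "route 10.8.0.0 255.255.255.0"

# --- SERVER-B (10.8.0.1): CLIENT-A and CLIENT-B connect here ---
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.8.1.0 255.255.255.0
# ccd/client-a:
#   iroute 10.8.1.0 255.255.255.0
# ccd/client-b: CLIENT-B needs a way back to the laptop's subnet
#   push "route 10.8.1.0 255.255.255.0"

# --- CLIENT-A (10.8.1.6 and 10.8.0.6) ---
# Runs two ordinary client configs, one to each server. Packets arriving
# on one tun must leave through the other, which the kernel refuses until
# forwarding is enabled:
#   sysctl -w net.ipv4.ip_forward=1

# --- CLIENT-B (10.8.0.10): second server nested inside the chain ---
# Bind only to the chain-side address, so this server is reachable
# through the chain alone and is never exposed on a public interface.
local 10.8.0.10
port 1194
proto udp
dev tun1
server 10.8.2.0 255.255.255.0

# --- ME (10.8.1.10): client for the nested server, started after the
# connection to SERVER-A is up (10.8.0.10 is reached via that tunnel) ---
client
remote 10.8.0.10 1194
proto udp
dev tun1
# with net30 the first client is assigned 10.8.2.6 and CLIENT-B's
# tun end is 10.8.2.1, matching the addresses in the write-up
```

Anyone on SERVER-A, CLIENT-A or SERVER-B sniffing tun0 now sees only OpenVPN UDP datagrams between 10.8.1.10 and 10.8.0.10, not the plaintext inside tun1.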

When I set up the second VPN on top of the first, I expected to see a drop in throughput. I was very much surprised by my findings.

bash-3.2# iperf -c 10.8.2.1
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 2.21 MBytes 1.85 Mbits/sec
round-trip min/avg/max/stddev = 246.391/248.359/250.786/1.218 ms

bash-3.2# iperf -c 10.8.0.10
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.3 sec 1.63 MBytes 1.33 Mbits/sec
round-trip min/avg/max/stddev = 245.459/247.041/249.719/1.348 ms

While I get the same latency over each of the VPNs, the VPN ON TOP OF the chain gets better throughput.

I use UDP for my transport protocol.
In case anyone is curious, here are pings from my laptop without the VPN:
CLIENT-B: round-trip min/avg/max/stddev = 114.344/116.139/117.314/0.982 ms
SERVER-A: round-trip min/avg/max/stddev = 122.854/123.362/124.418/0.594 ms