Difference between revisions of "OpenVPN/VpnChains"

From Secure Computing Wiki
Jump to: navigation, search
(added picture)
m
Line 34: Line 34:
 
While I get the same latency over each of the vpns, the vpn ON TOP OF the chain gets better throughput.
 
While I get the same latency over each of the vpns, the vpn ON TOP OF the chain gets better throughput.
  
 +
I use UDP for my transport protocol.
 
In case anyone is curious, here is pings from my laptop without VPN
 
In case anyone is curious, here is pings from my laptop without VPN
 
CLIENT-B:  round-trip min/avg/max/stddev = 122.854/123.362/124.418/0.594 ms
 
CLIENT-B:  round-trip min/avg/max/stddev = 122.854/123.362/124.418/0.594 ms
 
SERVER-A:  round-trip min/avg/max/stddev = 122.854/123.362/124.418/0.594 ms
 
SERVER-A:  round-trip min/avg/max/stddev = 122.854/123.362/124.418/0.594 ms

Revision as of 04:31, 26 January 2010

I decided to finally document what I call VPN Chains. This may not be very clear at first, but hopefully I come back and clean it up later.
You may not see a practical purpose to doing this, and if that is the case: dont do it =] This is just something I chose to play with some time ago, and revisited for the purpose of documenting it. I will not be documenting exactly HOW to set this up, but rather my findings while playing with this sort of setup. Almost everything you need for the HOW is in my writeup OpenVPN/Routing The only other thing to know is you must enable ip forwarding on CLIENT-A
Here is the basic idea:
a vpn chain is a network of VPNs setup in such a way that I can connect to one node, and have my traffic flow encrypted from machine to machine through a chain until my target.
In this example I will use a setup that looks like this:

Vpnchains.jpg

I connect to SERVER-A, which has CLIENT-A connected to it. CLIENT-A has another openvpn client running connected to SERVER-B, which also has CLIENT-B connected to it.

Now if I ping CLIENT-B, it travels over each of the 3 machines before hitting CLIENT-B.

If I choose I could run a socks server on any or all of those machines' vpn ip, and set my programs to tunnel over the vpn and exit whichever computer I say (maybe later I'll make another writeup on the uses of running a socks server inside a vpn).

Now I could choose to run a VPN server on CLIENT-B, listening only on 10.8.0.10, but using the subnet 10.8.2.x
Now I connect my laptop to that new server, and my laptop now has another ip 10.8.2.6, CLIENT-B has another ip as well 10.8.2.1
In the VPN chain any machine can inspect traffic by sniffing the tun interface, so if one is compromised the traffic is also compromised. When I add this second VPN on top of the first, the whole chain becomes another untrusted network, like the internet is to the chain.

When I setup the second VPN on top of the first, i expected to see a drop in throughput. I was very much surprised by my findings.

bash-3.2# iperf -c 10.8.2.1
[ ID] Interval Transfer Bandwidth [ 3] 0.0-10.0 sec 2.21 MBytes 1.85 Mbits/sec
round-trip min/avg/max/stddev = 246.391/248.359/250.786/1.218 ms

bash-3.2# iperf -c 10.8.0.10
[ ID] Interval Transfer Bandwidth [ 3] 0.0-10.3 sec 1.63 MBytes 1.33 Mbits/sec
round-trip min/avg/max/stddev = 245.459/247.041/249.719/1.348 ms

While I get the same latency over each of the vpns, the vpn ON TOP OF the chain gets better throughput.

I use UDP for my transport protocol. In case anyone is curious, here is pings from my laptop without VPN CLIENT-B: round-trip min/avg/max/stddev = 122.854/123.362/124.418/0.594 ms SERVER-A: round-trip min/avg/max/stddev = 122.854/123.362/124.418/0.594 ms