From Secure Computing Wiki
Revision as of 02:42, 26 January 2010 by Krzee (rough draft of a writeup on vpn chains)


I decided to finally document what I call VPN chains. This may not be very clear at first, but hopefully I will come back and clean it up later.
You may not see a practical purpose to doing this, and if that is the case: don't do it =] This is just something I chose to play with some time ago, and revisited for the purpose of documenting it. I will not be documenting exactly HOW to set this up, but rather my findings while playing with this sort of setup. For the HOW, see my writeup OpenVPN/Routing.
Here is the basic idea:
A VPN chain is a network of VPNs set up in such a way that I can connect to one node and have my traffic flow encrypted from machine to machine through the chain until it reaches my target.
In this example I will use the following computers:
ME (my laptop)
SERVER-A (the OpenVPN server ME connects to)
CLIENT-A (a client of SERVER-A; it also runs a second OpenVPN client connected to SERVER-B)
SERVER-B (the OpenVPN server CLIENT-A connects to)
CLIENT-B (a client of SERVER-B; the target)
I connect to SERVER-A, which has CLIENT-A connected to it. CLIENT-A has another OpenVPN client running, connected to SERVER-B, which also has CLIENT-B connected to it.

Now if I ping CLIENT-B, the packet travels over each of the 3 intermediate machines (SERVER-A, CLIENT-A and SERVER-B) before hitting CLIENT-B.

If I choose, I could run a SOCKS server bound to the VPN IP of any or all of those machines, and point my programs at it so their traffic is tunnelled over the VPN and exits from whichever computer I say (maybe later I'll make another writeup on the uses of running a SOCKS server inside a VPN).

Now I could choose to run a VPN server on CLIENT-B, listening only on, but using the subnet 10.8.2.x
Now I connect my laptop to that new server; my laptop gets another IP, and CLIENT-B gets another IP as well.
In the VPN chain every hop is a separate OpenVPN instance, so each machine along the path holds the traffic in plaintext and can inspect it simply by sniffing its tun interface; if any one hop is compromised, everything crossing it is compromised too. When I add this second VPN on top of the first, ME and CLIENT-B share a key that none of the intermediate hops has, so the whole chain becomes just another untrusted network to that inner tunnel, the same way the internet is to the chain. Only the endpoints of the inner tunnel (here ME and CLIENT-B) still see the plaintext.
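To make that trust boundary concrete, here is a toy model added to this page; it is not OpenVPN code and not from the original writeup. It assumes the five hosts named above with one independent key per VPN link, and it stands in for OpenVPN's data-channel cipher with an HMAC-SHA256 keystream plus tag, chosen only so the script runs with the Python standard library (the packet payload is a constructed sample). It shows that every intermediate hop can read and alter chain traffic, while a tunnel nested between ME and CLIENT-B hides the payload from those hops and makes tampering detectable at CLIENT-B.

```python
import hashlib
import hmac
import os

# Hosts in the order the page describes (assumed names, one VPN link between
# each adjacent pair).
CHAIN = ["ME", "SERVER-A", "CLIENT-A", "SERVER-B", "CLIENT-B"]


def new_key() -> bytes:
    return os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Toy stand-in for the VPN
    data-channel cipher; for demonstration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: wrong key or tampered packet")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def link_keys(chain):
    """One independent key per VPN link, known only to its two endpoints
    (each link is its own OpenVPN instance with its own key material)."""
    return {(a, b): new_key() for a, b in zip(chain, chain[1:])}


def send_over_chain(chain, keys, payload, tamper=None):
    """Forward payload hop by hop. Returns the bytes the last host receives and
    what each intermediate host sees on its own tun interface. `tamper` is an
    optional (host, function) pair: that host rewrites the packet in transit."""
    seen = {}
    packet = payload
    for a, b in zip(chain, chain[1:]):
        wire = seal(keys[(a, b)], packet)   # encrypted only on the link a -> b
        packet = open_(keys[(a, b)], wire)  # b decrypts; its tun carries plaintext
        if b == chain[-1]:
            break
        seen[b] = packet                    # intermediate hop can read it ...
        if tamper and tamper[0] == b:
            packet = tamper[1](packet)      # ... and rewrite it undetected
    return packet, seen


def send_nested(chain, keys, e2e_key, payload, tamper=None):
    """Same chain, but ME and CLIENT-B first wrap the payload in their own
    tunnel (the second VPN on CLIENT-B). Hops see only inner ciphertext, and
    any rewrite by a hop fails the inner tag check at CLIENT-B."""
    inner = seal(e2e_key, payload)
    delivered, seen = send_over_chain(chain, keys, inner, tamper)
    return open_(e2e_key, delivered), seen


if __name__ == "__main__":
    keys = link_keys(CHAIN)
    e2e = new_key()
    msg = b"ICMP echo request ME -> CLIENT-B"   # constructed sample payload
    _, seen = send_over_chain(CHAIN, keys, msg)
    for host, data in seen.items():
        print(f"chain only:   {host} tun sees {data!r}")
    _, seen = send_nested(CHAIN, keys, e2e, msg)
    for host, data in seen.items():
        print(f"nested tunnel: {host} tun sees {data.hex()[:32]}... (inner ciphertext)")
```

The per-link keys model why the chain alone gives no protection against its own hops, and the `tamper` hook shows the part sniffing does not make obvious: an intermediate can change packets as well as read them, and only the nested tunnel's tag, checked at CLIENT-B, catches it.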

When I set up the second VPN on top of the first, I expected to see a drop in throughput. I was very much surprised by my findings.

bash-3.2# iperf -c
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  2.21 MBytes  1.85 Mbits/sec
round-trip min/avg/max/stddev = 246.391/248.359/250.786/1.218 ms

bash-3.2# iperf -c
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.3 sec  1.63 MBytes  1.33 Mbits/sec
round-trip min/avg/max/stddev = 245.459/247.041/249.719/1.348 ms

While I get the same latency over each of the VPNs, the VPN ON TOP OF the chain gets better throughput.