tinc: the difficulties of a peer-to-peer VPN on the hostile Internet

Video in TIB AV-Portal.

License: CC Attribution 2.0 Belgium. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
Rather than configuring tunnels, a tinc VPN is more or less specified by its endpoints. The tinc daemons will automatically set up tunnels in order to create a full mesh network. The problem in today's Internet is that many users are trapped behind NAT, and ISPs are known to drop ICMP packets, IP fragments, and/or UDP packets, making reliable connections between peers difficult. Another problem is how to manage authentication and authorization in a fully decentralized, but user-friendly way. In this talk I will look at solutions already implemented in tinc and other VPN software, and I look at future work to solve the remaining problems. tinc is a Virtual Private Network (VPN) daemon that automatically tries to create a full mesh network between peers. It can route IPv4 and IPv6 packets, or switch any type of Ethernet packet to create a virtual LAN. It can tunnel over IPv4 and IPv6, and runs on Linux, *BSD, Solaris, MacOS/X and Windows.

Yes, welcome. I will be talking about the problems that the software tinc, which makes a VPN, encounters when trying to send your packets over the Internet, and the problems I encountered are not only applicable to tinc but also to other VPN software or peer-to-peer applications.

So, about tinc: it started in September 1997, when there was a new kernel and it came with a new device, the ethertap device (you now know it as the TUN/TAP device, maybe). I thought, oh, that's nice, what can I do with it? I wrote a little program that captured the packets from the virtual network interface the ethertap device created, and you could send this via netcat or SSH to another computer and there you could do the reverse. So it started as a simple VPN, but it grew and grew, and currently it's a mature daemon that has a number of features. For example, it connects multiple sites together, not just two endpoints but any number. It routes packets, or it can switch them so it can work like an Ethernet device. It fully supports IPv6, both on the VPN but also when tunneling packets over the Internet. It has no central server; it does not make a distinction between clients and servers. The idea is that you configure some endpoints in the VPN and then tinc will fill in the rest and will create a full mesh network; I will explain that later. Behind the scenes it works this way, very simply put: the daemons connect via TCP and they exchange data with the kernel.

Then there were other projects which started at the same time as tinc, but these projects are, to my knowledge, dead now. But you all know IPsec and OpenVPN, I think. A lesser-known one is Hamachi; it's closed source and commercial, it's kind of a Skype for VPN, which is peer-to-peer and shares many of the features of tinc, but that's closed. All the other projects here are open-source projects: GNU Virtual Private Ethernet, which was started as a tinc clone, CloudVPN, SocialVPN and n2n, and last year there was a presentation here about Virtual Distributed Ethernet, which deals with connecting virtual machines together, but actually it shares most of the features of a VPN.

So what do you want to do with tinc? Now we have the Internet here, it's the blue cloud, and we have some nodes, these are the black circles. A node can be a single laptop, for example in a hotel or in an airport, or it can be a complete network from your company, and we all want to connect these nodes together into a single VPN. Now what you have to do: each node has to supply some configuration to tinc so that each node can make a connection to another node, so that they are all part of this big VPN. It doesn't matter in which way you connect nodes; the topology is up to you. But then tinc exchanges information between nodes about where everybody is, and tinc will create direct connections from each node to every other node, and it uses connectionless UDP for this. This is efficient and scales well even if you have 100 or more nodes.

But the reality on the Internet is not so nice. I've drawn a few red lines here. These red arcs here, for example, are network address translators, which are very common these days, and the problem with those is you can make outgoing connections, but incoming connections fail. Another problem is that some ISPs tend to block certain kinds of traffic; for example, they can block UDP or only allow port 80 communications, and that's the red line here. Now you see that most of the solid lines from the previous slide have disappeared, and some nodes, for example behind NAT devices, cannot connect directly with each other anymore. You can still go via another path, but more problematic is that if a node connects to another node behind a NAT, and that's the initial connection it makes, then it does not receive information about where the rest is, so it is completely disconnected from the VPN.

Now I will describe most of these problems in some more detail. The problem of NAT is that the source address and port change, and incoming connections are blocked even if you make an outgoing connection to the other side, because they don't know what the new port is. There are a few solutions. You can route via a third node, but that's inefficient of course. You can do port forwarding, but the user has to set it up on the NAT device and it's manual work, and maybe your NAT device doesn't support it, or you cannot because you're not the administrator of it. There is a protocol called UPnP which allows you to discover NAT devices on your network; you can find out which ports they map your connections to and even open up connections. And there are these protocols called Session Traversal Utilities for NAT and Interactive Connectivity Establishment, which are IETF protocols which allow you to puncture holes through a NAT, and in some cases they can allow you to establish direct connections, but this is a complex protocol and it's also not always possible; some NAT devices just do not allow any form of direct communication. To put it in pictures: we have two nodes behind NAT devices and they want to make a direct connection. The outgoing connection works, but here it ends up being blocked by the NAT. The other one tries to connect back and it also fails. But they can exchange information via a third node. Now the idea is that the third node knows, because it can see the port and address that the NAT device maps the internal connections to, which port and address the other node should use to connect to the first node. So if both nodes know this information, they can adjust their connection to use the right port to go through the NATs.

Another problem that we encountered is that packets are fragmented on VPNs, because if your VPN packet is already the maximum size that your network allows, then when you encapsulate it in a new packet, this will be larger than your original packet and it will be fragmented by your operating system. Now this is a bit bad for performance, but more importantly, some ISPs or firewalls block fragments, and so this wouldn't work for most of your VPN traffic. A solution that we implemented is to determine the path maximum transfer unit between nodes, and then when one node wants to send a packet to another node and it has to fragment it, instead the tinc daemon will generate an ICMP fragmentation needed packet which tells the original sender, hey, your packet is too large, you have to make it smaller. This is a standard mechanism, so this should in principle work for all IPv4 and IPv6 traffic, and for other kinds of traffic which tinc can also support it will fall back to TCP encapsulation. But the problem is that there are also some firewalls and ISPs that block ICMP packets, because ten years ago you could still crash computers by sending large ping packets, so they decided, oh, block all ICMP. But yeah, the problem is then that when tinc generates ICMP packets and they somehow leave the VPN, they go to the Internet. This can happen if you have your default gateway on the VPN and have road warriors connect to that VPN. Then hosts on the Internet send packets to the VPN, but these packets are too large to be transferred via the VPN to the nodes, and then tinc generates ICMP packets back, but if some host on the Internet does not see these ICMP packets, it will never adjust the packets that are too large. Now there's another solution, and this is to clamp the MSS field in TCP packets, which is another mechanism which does not use ICMP packets but just the TCP packets themselves, and that will also instruct the other side to reduce the size of the packet. But a limitation here is that it's only working for TCP.

Now, a few other things we encountered: hosts with frequently changing IP addresses, if you have a cheap ISP for example. Then you can use dynamic DNS services, for example, or you could have other nodes on the VPN remember and forward known addresses of all the nodes, and that's already implemented in tinc for some years. There are ISPs that only allow certain types of traffic; for example, they only allow web traffic, so you have to encapsulate everything into HTTP or HTTPS, and in some cases you can use ICMP if it's not blocked, or DNS. tinc does not implement that, but there are some third-party solutions to allow it, and there are also lots of utilities around which can encapsulate any TCP stream using ICMP or DNS. And then there's a more difficult problem: ISPs that are dropping or delaying small UDP packets. This is a commercial motivation, because voice over IP also looks like small UDP packets, and if they offer telephony services for which you have to pay much more than for your Internet connection, then they want to disallow voice over IP or make it difficult. The problem is, if you drop packets, then the TCP streams inside those tunnels think it's because of congestion and they will reduce their bandwidth. For this it's a really hard problem; I don't know.

OK, the Internet is hostile, but that's probably the reason that you want to set up a VPN in the first place. But how do you trust your nodes? In general, authorization versus authentication: authentication is proving who you are, and you can do that by using a passport, for example, in real life. It's a document that shows you: I am Guus Sliepen. And nodes on your VPN also should do that; you don't want to allow any node. But proving who you are is not the same as saying, okay, you are allowed to use this range of IP addresses on my VPN, or you are allowed to use this much bandwidth on my VPN. And the problem is that these days a lot of authorization is actually authentication; for example, you are allowed to access a web server if your client certificate, which is just a way to authenticate you, is in a list. But this is not a method of doing proper cryptographic authorization. The two well-known, and mostly authentication, methods are: X.509 certificates, that's what you know from HTTPS connections; it's a centralized approach, so there's VeriSign at the top and some other companies, and CAs, a few middlemen, which all want to extort money from you. You can get certificates but it focuses on identities and websites, because it's made for that, so you can only put some information like an LDAP identity (like my organization is called this and I'm from this country) into a certificate, and maybe limit it to a certain URL. OpenPGP: there are key signing parties here for it. In OpenPGP you have a decentralized approach, but it also has this limitation: it was meant for email, so it is limited to email addresses.

So we want something different. We want something that has some OpenPGP features, like decentralized working, a web of trust that you can build up, but we want more: we want to authorize anything, not just email addresses; you want to add and remove authorizations very quickly; we do not want to go through revocation methods; we want to forbid things as well; you want to make group decisions so that every node on the VPN has the same way of allowing or disallowing other nodes. So I created a library for this. It's a lightweight framework to do authorization. You can create many small certificates that say, somebody says, for example at a certain time, that another node is allowed to access the VPN, and newer certificates just override older ones, so you don't have revocation certificates; you have simply updated authorizations. And the library makes it very easy to query these stored authorizations, and we do not want to just have a list of certificates; we just want to know, is this person allowed to go on the VPN, and the library answers that. Okay, anyway, you can find more about it on the website, and there's a birds-of-a-feather session at five o'clock.
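The MSS clamping the talk mentions, as an added example that is not part of the talk or of tinc's own code: a Python function that parses a constructed IPv4/TCP SYN and lowers its MSS option so that segments fit the MTU available inside the tunnel (assumed to be the discovered path MTU minus the encapsulation overhead; checksums are left zero and not recomputed).

```python
import struct
from typing import Optional, Tuple

IPV4_HDR = 20   # minimal IPv4 header length
TCP_HDR = 20    # minimal TCP header length
OPT_MSS = 2     # TCP option kind: Maximum Segment Size

def build_syn(mss: int) -> bytes:
    """Constructed IPv4+TCP SYN carrying one MSS option (checksums left zero)."""
    tcp_len = TCP_HDR + 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + tcp_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset 6 words (24 bytes), flags = SYN only
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, (6 << 12) | 0x02, 65535, 0, 0)
    return ip + tcp + bytes([OPT_MSS, 4]) + struct.pack("!H", mss)

def clamp_mss(packet: bytes, inner_mtu: int) -> Tuple[bytes, Optional[int]]:
    """Lower the MSS option of a TCP SYN so no segment exceeds inner_mtu.
    inner_mtu is the MTU available to packets inside the tunnel (assumed to be
    the discovered path MTU minus the tunnel overhead). Returns the (possibly
    rewritten) packet and the MSS now in it, or None if the packet is not a
    SYN carrying an MSS option, in which case it is returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                      # IP protocol 6 = TCP
        return packet, None
    data_offset = (packet[ihl + 12] >> 4) * 4
    if not packet[ihl + 13] & 0x02:         # MSS is only negotiated on SYN
        return packet, None
    limit = inner_mtu - IPV4_HDR - TCP_HDR  # largest payload that still fits
    buf = bytearray(packet)
    i, end, new_mss = ihl + TCP_HDR, ihl + data_offset, None
    while i < end:                          # walk the TCP option list
        kind = buf[i]
        if kind == 0:                       # end of options
            break
        if kind == 1:                       # NOP padding, one byte
            i += 1
            continue
        length = buf[i + 1]
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack_from("!H", buf, i + 2)[0]
            new_mss = min(mss, limit)       # never raise the peer's MSS
            struct.pack_into("!H", buf, i + 2, new_mss)
        i += length
    return bytes(buf), new_mss
```

With a 1400-byte inner MTU a SYN advertising 1460 is rewritten to 1360, while a SYN already advertising 1200 is left alone.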