
Simple SSL VPN setup, simulation and packet capture (SEC-335)

Network Diagram

The TUN0 interfaces on the VPN client and the VPN server have been configured with the IP addresses 192.168.53.99 and 192.168.53.2 respectively.

Assuming host A’s VPN client has been mutually authenticated with the VPN server over TLS:

  • A VPN-bound packet (one destined for the private network) first goes to the TUN0 interface and is then sent out through the eth0 interface. An SSL tunnel exists between host A’s eth0 interface and the VPN server’s ens33 interface, so all data passed through it is encrypted: the IP packet shown in Table 1 is encrypted and then encapsulated in a packet carrying eth0’s IP address, as shown in Table 2.

At the TUN0 interface of Host A (VPN client)

| Source IP | Destination IP | Payload |
| --- | --- | --- |
| 192.168.53.99 (Host A, TUN0) | 192.168.1.120 (Host B, eth0) | Data |

Table 1: IP packet at the TUN0 interface

At the eth0 interface of Host A

| Outer source IP | Outer destination IP | Inner source IP | Inner destination IP | Payload |
| --- | --- | --- | --- | --- |
| 172.16.186.134 (Host A, eth0) | 172.16.186.132 (VPN server, ens33) | 192.168.53.99 (Host A, TUN0) | 192.168.1.120 (Host B, eth0) | Data |

Table 2: IP packet at the eth0 interface
  • Because the SSL tunnel is established between the VPN client and the server, the packet is routed to the ens33 interface of the VPN server.
  • At the VPN server, the packet is recognised as VPN-bound and handed to the server’s TUN0 interface for decapsulation and decryption.
  • Once TUN0 has decapsulated and decrypted it, the inner packet is forwarded to the ens37 interface (the private network).
  • Finally, it is routed to its destination using the destination IP address in the inner packet.
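The encapsulation walk-through above, as an added example that is not part of this repository: it builds the inner IPv4/ICMP packet of Table 1 as TUN0 would see it, wraps it in the outer IPv4 header of Table 2, and decapsulates it on the server side. The TCP and TLS layers that sit between the outer header and the inner packet in the real tunnel are omitted (so the payload is shown in the clear); the addresses come from the tables, and the checksum and header handling is real.

```python
import socket, struct

INNER_SRC, INNER_DST = "192.168.53.99", "192.168.1.120"    # Table 1: Host A TUN0 -> Host B eth0
OUTER_SRC, OUTER_DST = "172.16.186.134", "172.16.186.132"  # Table 2: Host A eth0 -> VPN server ens33
ICMP, TCP = 1, 6

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; yields 0 when run over a block whose checksum field is already filled in."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16: total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Addressing fields and payload of an IPv4 packet; rejects a corrupted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if ones_complement_sum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}

def icmp_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP type 8 / code 0 with a valid checksum, as ping on host A would emit (constructed sample)."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", ones_complement_sum(body)) + body[4:]

def encapsulate(inner: bytes) -> bytes:
    """Client side (Table 2): outer IP header to the VPN server; the TCP/TLS layers in between are omitted."""
    return build_ipv4(OUTER_SRC, OUTER_DST, TCP, inner)

def decapsulate(outer: bytes) -> bytes:
    """Server side: accept only the authenticated tunnel peer's traffic, then hand the inner packet to TUN0."""
    o = parse_ipv4(outer)
    if (o["src"], o["dst"]) != (OUTER_SRC, OUTER_DST):
        raise ValueError("outer packet is not from the VPN peer")
    return o["payload"]

def simulate_ping() -> dict:
    """One echo request from host A's TUN0, across eth0/ens33, to the server's TUN0 (then routed via ens37)."""
    inner = build_ipv4(INNER_SRC, INNER_DST, ICMP, icmp_echo_request(0x1234, 1, b"sec335"))
    outer = encapsulate(inner)  # what Wireshark shows on eth0 of host A and ens33 of the server
    return {"tun0": parse_ipv4(inner), "eth0": parse_ipv4(outer), "server_tun0": parse_ipv4(decapsulate(outer))}
```

Comparing `r["tun0"]` with `r["eth0"]` from `simulate_ping()` reproduces the two address pairs of Tables 1 and 2, and `r["server_tun0"]` equals `r["tun0"]`, which is the decapsulation step the server performs before forwarding on ens37.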

In the normal scenario, i.e. without the VPN tunnel, a host outside the LAN cannot connect to hosts inside the private network (LAN). If the host runs a VPN client that the VPN server has authorized and authenticated (by password), however, it can connect to hosts inside the LAN.

Connection to the private network without using a VPN client

Figure: ICMP packets from host A to host B (unsuccessful)

Since a virtual machine is used for this lab, packet filtering takes place on the host in the private network (think of it as a host-based firewall). The firewall rules are:

Figure: Firewall rules on the host in the private network

Connection to the private network using a VPN client

  1. The VPN client and VPN server are mutually authenticated using a shared password.

Figure: Authentication password for VPN client

Figure: Authentication password for VPN server

By entering the correct shared password, the VPN client and server authenticate each other and create an SSL/TLS socket to encrypt their communication.

Figure: TLS handshake

  2. Connection to the private network after authentication

Figure: ICMP packets from host A to host B (successful)

Let’s capture the ICMP packet with Wireshark at each interface before it reaches its destination.

At the TUN0 interface of host A

Figure: Wireshark packet capture at TUN0 interface of host A

At the ens33 interface of host A

Figure: Wireshark packet capture at ens33 interface of host A

At the ens33 interface of the VPN server

Figure: Wireshark packet capture at ens33 interface of the VPN server

At the ens37 interface of the VPN server (gateway for the LAN)

Figure: Wireshark packet capture at ens37 interface of the VPN server
