A week ago, functional beta testing of the IPSec VPN-on-Demand service was launched on the
ruvpn.net website. I will describe the results at the end of the article; first, some information about the project as a whole. The very first stage is under way now: IPSec VPN for Apple iOS devices.

There are many solutions of this kind, so what is the point of building another one? It is quite simple: the similar solutions were built by network specialists. This one is built by specialists in network security and digital certificates. It draws on experience with very large financial companies, and the corporate technologies used there for information security were studied in detail.
This knowledge prompted the idea: what if we take the best of what the corporate sector does and try to make it available to ordinary users? In particular, corporate VPN technology can be applied when building a new service.

As a result, you get all the benefits of such solutions:
- automatic configuration of the VPN on the device
- authentication based on digital certificates
- automatic VPN connection for any network activity of the device (VPN-on-Demand).
Private keys are generated and stored directly on the device, the profile containing the VPN parameters is encrypted, and certificates are issued over the SCEP protocol. An ideal solution for users who are seriously concerned about the security of their mobile device's connections.
The price of all these advantages is quite high. In addition to the network part of the solution, namely the VPN server with an authentication module, a full-fledged public key infrastructure (PKI) had to be deployed. This includes creating certificate profiles for the root and issuing certificate authorities and for server and client certificates; deploying the certificate authorities; configuring OCSP and issuing certificate revocation lists (CRLs); and connecting to the issuing CA through its API.
For automatic delivery of profiles to Apple iOS devices, a dedicated application server was developed that talks to the device via XML over HTTPS.
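As an added example (not ruVPN's own code, which the post does not show), here is how the pieces described above fit together inside an iOS configuration profile: a SCEP payload that makes the device generate its own key pair and request a certificate from the CA, and an IPSec VPN payload that authenticates with that certificate and carries an On-Demand rule so that any network activity brings the tunnel up. The SCEP URL, gateway address, profile identifier, CA name and removal date are assumptions. The RemovalDate key is one way to obtain the timed self-removal of the profile that the testing instructions mention further down; signing and encrypting the profile before delivery is a separate step that is not shown.

```python
"""Build and lint an iOS configuration profile (.mobileconfig) with a SCEP
enrolment payload and a certificate-authenticated IPSec VPN-on-Demand payload.
Added example, not ruVPN's code; names, hosts and dates are placeholders."""
import plistlib
import uuid
from datetime import datetime

SCEP_URL = "https://scep.example.net/scep"  # assumed SCEP enrolment endpoint
VPN_GATEWAY = "vpn.example.net"             # assumed IPSec gateway address
ORG = "ruVPN"
PROFILE_ID = "net.example.ruvpn.vpn"        # assumed reverse-DNS identifier
DEMO_REMOVAL = datetime(2013, 5, 27, 21, 0, 0)  # assumed; plist dates are UTC

def new_uuid():
    return str(uuid.uuid4()).upper()

def scep_payload(payload_uuid, user_id, challenge, keysize):
    """The device generates the RSA key pair itself and sends only a CSR to
    the CA over SCEP, so the private key never leaves the device."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID + ".scep",
        "PayloadUUID": payload_uuid,
        "PayloadContent": {
            "URL": SCEP_URL,
            "Name": "ruVPN-CA",         # CA identifier the SCEP server expects (assumed)
            "Subject": [[["CN", user_id]], [["O", ORG]]],
            "Challenge": challenge,     # one-time enrolment secret
            "Keysize": keysize,
            "Key Type": "RSA",
            "Key Usage": 5,             # 1 = signing, 4 = encryption, 5 = both
        },
    }

def vpn_payload(payload_uuid, cert_uuid):
    """IPSec payload authenticated with the SCEP-issued identity. A rule with
    Action=Connect and no match criteria applies on every network, so any
    network activity brings the tunnel up (VPN-on-Demand)."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID + ".ipsec",
        "PayloadUUID": payload_uuid,
        "UserDefinedName": "ruVPN IPSec",  # name shown in Settings > General > VPN
        "VPNType": "IPSec",
        "OverridePrimary": True,           # send all traffic through the tunnel
        "IPSec": {
            "RemoteAddress": VPN_GATEWAY,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,  # must point at the SCEP payload
            "XAuthEnabled": 0,
            "OnDemandEnabled": 1,
        },
        "OnDemandRules": [{"Action": "Connect"}],
    }

def build_profile(user_id, challenge, removal_date=DEMO_REMOVAL, keysize=2048):
    """Return the profile as XML plist bytes. It is unsigned and unencrypted
    here; signing and encrypting it for the device is a separate CMS step."""
    cert_uuid = new_uuid()
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "ruVPN IPSec VPN-on-Demand",
        "PayloadOrganization": ORG,
        "RemovalDate": removal_date,  # iOS deletes the profile itself at this time
        "PayloadContent": [
            scep_payload(cert_uuid, user_id, challenge, keysize),
            vpn_payload(new_uuid(), cert_uuid),
        ],
    })

def parse_profile(blob):
    return plistlib.loads(blob)

def check_profile(blob):
    """Lint checks to run before handing a profile to a device; returns a
    list of findings, empty when the profile passes."""
    by_type = {p["PayloadType"]: p for p in parse_profile(blob)["PayloadContent"]}
    scep = by_type.get("com.apple.security.scep")
    vpn = by_type.get("com.apple.vpn.managed")
    if scep is None or vpn is None:
        return ["profile lacks a SCEP or a VPN payload"]
    sc, ipsec, findings = scep["PayloadContent"], vpn["IPSec"], []
    if not sc["URL"].startswith("https://"):
        findings.append("SCEP URL is not HTTPS")
    if sc.get("Keysize", 0) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    if not sc.get("Challenge"):
        findings.append("SCEP enrolment has no challenge password")
    if ipsec.get("AuthenticationMethod") != "Certificate":
        findings.append("VPN does not use certificate authentication")
    if ipsec.get("PayloadCertificateUUID") != scep["PayloadUUID"]:
        findings.append("VPN payload does not reference the SCEP identity")
    if not (ipsec.get("OnDemandEnabled") and vpn.get("OnDemandRules")):
        findings.append("VPN-on-Demand is not enabled")
    return findings
```

Calling build_profile("tester@example.net", "one-time-challenge") yields the XML that an application server would hand to the device over HTTPS (the link must be opened in Safari, as the testing instructions say, because that is what triggers the profile installer). The check that matters most is the cross-reference: the VPN payload's PayloadCertificateUUID has to equal the SCEP payload's PayloadUUID, which is what makes the tunnel authenticate with the key the device generated rather than with a shared secret.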
Software and hardware used
The result was a fairly extensive solution built from the following components:
- Nginx as the front end,
- PostgreSQL DBMS,
- FreeRADIUS authentication server,
- EJBCA certificate authority,
- strongSwan IPSec VPN server,
- Sphinx full-text search,
- virtualization based on a Proxmox cluster,
- the application server is written in Java,
- the web application is written in Scala.
Mail servers and DNS were configured as well, and everything is monitored with Zabbix.
Operating systems: Debian 6.0 and FreeBSD 9.0.
A typical software choice for a modern startup.
The hardware is HP ProLiant DL360 and DL380 servers, fifth generation, in maximum configuration. All networking equipment is Cisco. The cluster has full hardware redundancy, and the virtual machines run in High Availability mode with iLO fencing.
We had to work until our eyes gave out and our heads were buzzing. Planning, development and implementation took almost half a year. I will answer the obvious question right away: the project had no investors; everything had to be done personally or paid for out of my own pocket. The project moved from paycheck to paycheck. I also had to keep my day job, so development went on mainly at night. It is hard, but bearable. The feeling you get from the results of your own work is worth it. In the end, something came of it, called ruVPN, that is, Russian VPN. It is against Internet censorship, against absurd bans and blacklists, and simply for security.

Apple iOS devices (iPhone, iPad, iPod touch) were chosen as the platform for the first stage of the project; they fully support installing configuration profiles and connecting the VPN automatically.
As I wrote at the beginning of the article, functional testing of the service was announced a week ago. All thirty free invitations were used up within the first ten minutes. Thanks to all the participants in the testing, several small errors were found and fixed. Now we need the community's help again: it is time for load testing of the service, that is, to verify that the solution can withstand heavy load. A classic Habraeffect is needed!
I ask all iPhone and iPad owners to take part. Follow the link and register in the system. The VPN profile will be installed on the device in the VPN-on-Demand configuration. After that, use your mobile device as usual; all traffic will be carried over a secure channel to the servers in Norway and from there to the requested resource. During the testing, profile delivery via SMS is disabled and the link can only be received by email. The link to the profile is valid for 24 hours and must be opened in the Safari browser, otherwise the system will not pick up the profile file.
It is advisable not to turn off the VPN until Monday, May 27, and to use the channel as fully as possible, for example by watching video. On Monday night, the profile will be automatically removed from the device.

If you need to temporarily disable the VPN, go to Settings — General — VPN — ruVPN IPSec and move the On-Demand switch to Off.
The number of registrations for this invitation code (HabrHLtest) is limited to 500. Any participant can invite up to ten friends to join the testing from the Personal Cabinet.
Join the testing!