Photo: reynermedia / CC

A week ago, in our blog, we touched on the topic of data storage, or rather technologies that may change our understanding of data centers. Today we want to talk about technologies that are directly related to data transfer. Many people now use VPNs for corporate or personal tasks and know that there are quite a few different VPN implementations, each with its own pros and cons. This post is a brief comparative analysis of the most common software solutions for building virtual private networks.
Before proceeding to the comparison, let us outline the range of tasks a VPN solves:
- Delivering packets addressed to specific clients (addressing and routing inside the virtual network).
- Efficient, yet not too resource-hungry, encryption "on the fly", so that no information travels in the clear.
- Authenticating the participants that connect to the network and verifying the origin of data, to keep unauthorized nodes and packets out.
Since VPN technology is primarily intended for corporate use, an implementation should be judged on security, speed and stability.
Nowadays, however, VPNs are also used for simpler, everyday tasks, so cross-platform support and ease of configuration have become equally important criteria when choosing an implementation.
We will evaluate the flexibility, security, speed and stability of the following implementations:
- PPTP (Point-to-Point Tunneling Protocol),
- IPsec (IP Security),
- L2TP (Layer 2 Tunneling Protocol) and L2TP + IPsec,
- OpenVPN,
- SSTP (Secure Socket Tunneling Protocol).
PPTP was developed by a vendor consortium led by Microsoft and published in 1999 (RFC 2637); despite its age it is still in use today. It uses a TCP control connection (port 1723) to set up the session and carries the tunneled PPP frames in GRE. The data is encrypted with Microsoft's MPPE protocol (an RC4 stream cipher), and clients are typically authenticated with MS-CHAPv2.
The prevalence of PPTP is due to its ease of configuration and cross-platform support: it is built into most modern operating systems (including mobile and router OSes) by default. Other reasons for its popularity are the minimal load on computing resources, high speed and stability.
From a security standpoint, however, PPTP has compromised itself: a large number of weaknesses have been found both in the design of MPPE (for example, in how the RC4 keystream is derived and handled) and in the MS-CHAP authentication step. In 2012 an online service appeared that recovers the MS-CHAPv2 credentials (the NT password hash, which is enough to authenticate and to derive the MPPE keys) by reducing the exchange to a single DES key search, with a guaranteed runtime of under 24 hours (about 23 hours). The latter problem can be mitigated by moving from bare MS-CHAP to PEAP, which wraps the authentication in a TLS session, but Microsoft itself now recommends L2TP/IPsec or SSTP instead.
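Why the 2012 attack needs only one DES key search is easiest to see from the MS-CHAPv2 key material itself. The following script is an added illustration, not code from the article or from any PPTP implementation: it reproduces the RFC 2759 challenge hash and the way the NT hash is cut into three DES keys, and then counts the secret bits per key. DES is not implemented (the Python standard library has none), and `SAMPLE_NT_HASH` is a constructed value; a real one is MD4 of the UTF-16LE password, which `hashlib` may not provide on modern OpenSSL builds.

```python
import hashlib

# Constructed 16-byte NT hash (a real one is MD4(UTF-16LE(password))).
SAMPLE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash() from RFC 2759: the first 8 bytes of SHA-1 over the 16-byte
    peer challenge, the 16-byte authenticator challenge and the user name."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def split_nt_hash(nt_hash: bytes) -> list:
    """The 16-byte NT hash is zero-padded to 21 bytes and cut into three 7-byte
    DES keys. Each key encrypts the same 8-byte challenge hash; the three
    ciphertexts, concatenated, are the 24-byte NT-Response sent to the server."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return [padded[0:7], padded[7:14], padded[14:21]]


def des_key_with_parity(key7: bytes) -> bytes:
    """Expand a 7-byte key into DES's 8-byte key format: seven key bits per byte
    plus an odd-parity bit in the low position (the parity bit adds no entropy)."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def unknown_key_bits() -> list:
    """Secret bits per DES key from the attacker's point of view. The five
    padding bytes are public, so the third key holds only two secret bytes."""
    known = [False] * 16 + [True] * 5
    return [8 * known[i:i + 7].count(False) for i in (0, 7, 14)]


def brute_force_cost() -> int:
    """Work factor of the 2012 attack. The third key falls to 2**16 trials. The
    first two keys encrypt the same plaintext, so one sweep over all 2**56 DES
    keys, comparing each trial ciphertext with both response blocks, recovers
    both at once. The result is the NT hash, which is all a client needs to
    authenticate and to derive the MPPE session keys; the password itself is
    never required."""
    return 2**16 + 2**56
```

The three DES keys together carry the full 128-bit hash, but because they are tried independently and two of them share a plaintext, the effective cost is 2^56 + 2^16 rather than 2^128; that is the gap between "unbreakable" and "23 hours on dedicated hardware".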
IPsec is a family of protocols that protects data transmitted over IP networks by authenticating packets, checking their integrity and encrypting them. IPsec can operate in transport mode or tunnel mode. In transport mode only the payload of the IP packet is protected and the original IP header is kept; in tunnel mode the entire original packet, header included, is protected and then encapsulated in the data field of a new IP packet.
When building VPNs, IPsec transport mode is used in combination with another tunneling protocol (usually L2TP), while tunnel mode is by itself a way to create a VPN tunnel.
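The difference between the two modes is easiest to see on the wire. The script below is an added example, not code from the article or from any IPsec stack: it builds a minimal IPv4 packet, wraps it in ESP framing (RFC 4303) in transport mode and in tunnel mode, and reports what a passive observer reads from the outer header. The ESP payload is left unencrypted on purpose so the layout can be inspected; nothing here is a cipher, and in a real security association the payload and trailer would be encrypted and an integrity check value appended. The addresses, SPIs and segment bytes are constructed.

```python
import struct

IPPROTO_IPIP = 4   # next-header value for an IP packet carried inside ESP (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50


def _addr(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, protected: bytes, next_header: int) -> bytes:
    """ESP framing: 8-byte header (SPI, sequence number), the protected bytes,
    padding to a 4-byte boundary, then the trailer (pad length, next header).
    A real SA encrypts 'protected' plus trailer and appends an ICV; here the
    bytes are left in the clear purely so the structure is visible."""
    pad_len = (-(len(protected) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + protected + padding + bytes([pad_len, next_header])


def transport_mode(inner: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the original IP header (its protocol field becomes
    ESP) and protect only the transport-layer payload behind it."""
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    esp = esp_encapsulate(spi, seq, inner[ihl:], next_header=proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel mode: protect the whole original packet, header included, and
    carry it in a new IP header addressed between the two security gateways."""
    esp = esp_encapsulate(spi, seq, inner, next_header=IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def on_the_wire(packet: bytes) -> dict:
    """What a passive observer learns from the outer header alone."""
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "proto": packet[9],
        "next_header": packet[-1],   # visible here only because nothing is encrypted
        "checksum_ok": _checksum(packet[:20]) == 0,
    }


# Constructed scenario: host 10.0.1.5 sends a TCP segment to host 10.0.2.7, and
# gateways 203.0.113.1 / 198.51.100.2 protect the link between the two sites.
SEGMENT = b"constructed TCP segment bytes"
INNER = ipv4_header("10.0.1.5", "10.0.2.7", IPPROTO_TCP, len(SEGMENT)) + SEGMENT
TRANSPORT = transport_mode(INNER, spi=0x1001, seq=1)
TUNNEL = tunnel_mode(INNER, "203.0.113.1", "198.51.100.2", spi=0x1002, seq=1)
```

In transport mode the observer still sees which internal hosts are talking; only the payload is hidden. In tunnel mode the outer header names the gateways alone, and the original header sits inside the protected region, which is why tunnel mode is the one used for site-to-site VPNs.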
The security of an IPsec connection is provided by a family of protocols and algorithms, including:
- IKE (Internet Key Exchange), which negotiates keys and security associations and is built on ISAKMP (Internet Security Association and Key Management Protocol),
- AH (Authentication Header), which provides integrity and origin authentication of packets, and ESP (Encapsulating Security Payload), which additionally encrypts them,
- key agreement schemes such as STS (Station-to-Station protocol),
- hash functions such as SHA-1 (Secure Hash Algorithm), etc.
A peculiarity of IPsec, which sets it somewhat apart from the usual definition of a VPN, is that it does not create an additional virtual network adapter in the system but works on the standard external interface. Strictly speaking, it is not an implementation of virtual private network technology at all but a toolkit for protecting IP packets; building virtual tunnels is rather a "side" property.
IPsec is supported by all modern operating systems (server, desktop, mobile) and by many routers, and when the VPN is set up on a router nothing needs to be changed on the clients behind it. Because of these characteristics, IPsec is considered one of the best options for deploying a VPN.
It has not been without vulnerabilities, however. In transport mode the implementation may be subject to attacks against the ISAKMP protocol. When IPsec runs with encryption only, without integrity protection (no AH and no ESP authentication), an attacker can modify the transmitted packets or inject his own data into them, with obvious consequences for the recipient. There are also known attacks that redirect the route along which packets are delivered. Moreover, an exploit exists that decrypts IPsec traffic through a vulnerability in IKE.
L2TP is a tunneling protocol for virtual private networks, a merger of Cisco's Layer 2 Forwarding (L2F) protocol and the PPTP described above. It lets you build a VPN with access control, but it has one drawback: it does not encrypt traffic by itself.
To ensure the confidentiality and integrity of the packets inside the L2TP tunnel, all traffic passing through it must therefore be encrypted at the packet level, and IPsec is normally used for that task.
L2TP/IPsec is present in all modern operating systems and is easy to set up on the client side. Bear in mind, however, that it relies on UDP port 500 (IKE), UDP port 4500 (IKE with NAT traversal) and UDP port 1701 (L2TP), plus the ESP protocol (IP protocol 50), and these are sometimes blocked or mishandled when you are behind NAT. You may therefore need to configure the firewall or router (port forwarding), which is not required for solutions that use TCP port 443, the standard HTTPS port.
L2TP/IPsec is currently considered a very secure solution when used with strong encryption algorithms such as AES, but because it encapsulates the data twice it runs somewhat slower than implementations based on SSL/TLS (for example OpenVPN or SSTP).
In terms of stability L2TP/IPsec deserves an excellent rating. Its disadvantage is that the double encapsulation costs almost twice as much processor time.
The Secure Socket Tunneling Protocol (SSTP) is another Microsoft product, introduced with Windows Vista. Today not only Windows Server 2008/2012 but also a Linux or RouterOS machine can act as an SSTP server, although in the latter cases the solution cannot be called fully featured.
Because SSTP runs inside an SSL/TLS session (originally SSL 3.0, which has since been deprecated, so current deployments should negotiate TLS) on TCP port 443, it can work without any router or firewall configuration, and its integration with Windows simplifies setup and ensures stable operation. Strong AES encryption is used for the data.
While SSTP has many advantages and is a young, developing technology, it works best in Windows-based networks; elsewhere you may run into limitations.
OpenVPN is a relatively young (first released in 2002) open-source VPN implementation distributed under the GNU GPL. The security of its tunnels is provided by the OpenSSL library, which offers a wide assortment of ciphers (Blowfish, AES, Camellia, 3DES, CAST). Of these, Blowfish, 3DES and CAST are 64-bit block ciphers that should no longer be used for a VPN (the SWEET32 attack); AES, preferably in GCM mode, is the current recommendation. OpenVPN's speed depends on the chosen algorithm, but as a rule it is faster and less resource-hungry than L2TP/IPsec.
Another significant advantage of OpenVPN is that, thanks to SSL/TLS encapsulation, it can pass through NAT and firewalls without extra configuration by running on the standard HTTPS port, TCP 443. UDP is also supported and is in fact the default transport (UDP port 1194).
TCP gives more reliable delivery but higher latency than UDP, which gains speed by not acknowledging each packet. Tunneling TCP inside TCP also makes the retransmission logic of the two layers interfere with each other, so with TCP transport OpenVPN is the slowest of the implementations presented here.
OpenVPN also offers LZO data compression. Thanks to its wide range of configuration options and support for most operating systems, OpenVPN has become a very popular solution. The only caveat: third-party software has to be installed.
The flexibility of OpenVPN creates only one problem: configuration can be tedious. This is solved by preparing pre-configured client installation packages or, for example, by using the OpenVPN Access Server.
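Much of that configuration burden is deciding which of OpenVPN's many directives actually matter for security. The script below is an added example, not code from the article or from the OpenVPN project: a small linter that parses a client config and reports the settings that weaken the tunnel, run over a constructed weak config and a constructed hardened one. Directive semantics follow the OpenVPN 2.4/2.5 manual; the host name `vpn.example.com` and the key and certificate file names are placeholders.

```python
# 64-bit block ciphers (SWEET32) and "none"; OpenVPN names are case-insensitive here.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "NONE"}


def parse_ovpn(text: str) -> dict:
    """Map each directive to the list of argument lists it appears with.
    Comments (# or ;) are stripped; inline <ca>...</ca>-style blocks are skipped."""
    cfg, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        cfg.setdefault(name, []).append(args)
    return cfg


def audit(cfg: dict) -> list:
    """Return one finding per weak or missing setting (empty list = nothing found)."""
    findings = []
    # comp-lzo defaults to adaptive unless told "no"; compress with an algorithm enables it.
    if any(a[:1] != ["no"] for a in cfg.get("comp-lzo", [])) or any(a for a in cfg.get("compress", [])):
        findings.append("compression enabled: disable it (compression side channels such as "
                        "VORACLE recover secrets from compressed tunnel traffic)")
    names = {c.upper() for args in cfg.get("cipher", []) + cfg.get("data-ciphers", [])
             for c in ":".join(args).split(":") if c}
    if not names:
        findings.append("no cipher/data-ciphers: OpenVPN up to 2.4 defaults to BF-CBC (64-bit block, SWEET32)")
    elif names & WEAK_CIPHERS:
        findings.append("weak cipher %s: use AES-256-GCM or AES-128-GCM" % sorted(names & WEAK_CIPHERS))
    if any(a and a[0].upper() in WEAK_DIGESTS for a in cfg.get("auth", [])):
        findings.append("weak auth digest: use SHA256 or stronger for the HMAC")
    if ["server"] not in cfg.get("remote-cert-tls", []):
        findings.append("no 'remote-cert-tls server': any certificate signed by the CA, "
                        "including another client's, can impersonate the server")
    if not (cfg.get("tls-auth") or cfg.get("tls-crypt") or cfg.get("tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: the control channel accepts unauthenticated handshakes")
    versions = [float(a[0]) for a in cfg.get("tls-version-min", []) if a]
    if not versions or min(versions) < 1.2:
        findings.append("set 'tls-version-min 1.2' explicitly")
    return findings


def audit_text(text: str) -> list:
    return audit(parse_ovpn(text))


# Constructed: the kind of client config many how-tos still hand out.
WEAK_CONFIG = """
client
dev tun
proto tcp
remote vpn.example.com 443
nobind
comp-lzo
cipher BF-CBC
auth MD5
ca ca.crt
cert client.crt
key client.key
verb 3
"""

# Constructed: the same client, hardened. UDP by default, TCP 443 as a fallback.
HARDENED_CONFIG = """
client
dev tun
proto udp
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp     # fallback through restrictive NAT/firewalls
nobind
remote-cert-tls server             # accept only certificates with the server EKU
tls-version-min 1.2
tls-crypt tc.key                   # authenticates and encrypts the control channel
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM                 # for peers older than 2.5
auth SHA256
ca ca.crt
cert client.crt
key client.key
verb 3
"""
```

With GCM data ciphers the `auth` digest no longer protects the data channel (AEAD does that), but it still feeds `tls-crypt`, so it is worth setting anyway. The `remote-cert-tls server` line is the one most often missing from tutorials, and it is the one that stops any holder of a client certificate from the same CA from impersonating the server.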
Among our manuals you will find step-by-step instructions for the basic configuration of an OpenVPN server on Ubuntu/Debian, CentOS and Windows. To deploy a virtual private network you can use our cloud-based VPS server. This solution also provides a number of additional private network security features; an overview of the main ones can be found in our knowledge base.
Conclusion
Let us briefly sum up the material of this article. PPTP is stable and easy to use but very vulnerable, so it is suitable only where the privacy of the tunnel does not matter much. Where it does matter, the L2TP + IPsec bundle has all the advantages of PPTP while offering a significantly higher level of security.
IPsec can work with a large number of encryption and authentication algorithms, although by itself it is not an implementation of virtual private network technology but a protocol stack for protecting IP packets in transit. At the same time, IPsec is well suited for deploying a VPN that is built with security as the priority.
Previously IPsec was, as a rule, used in conjunction with L2TP for this purpose, but today the situation is beginning to change. In general, the extensive capabilities of IPsec make it one of the best VPN solutions.
L2TP in conjunction with IPsec does well in terms of both security and compatibility with popular operating systems. It may, however, require additional port configuration, and its second minus is double encapsulation, which slows the tunnel down.
SSTP is easy to configure, stable and reasonably secure, but it is a Microsoft product and its operation is strongly tied to Windows; on other systems its functionality is often less attractive.
OpenVPN can be called a very reasonable choice thanks to its balance of speed (LZO compression and UDP transport by default), stability (especially over TCP), configuration flexibility, cross-platform support (client applications for most modern operating systems) and security (the full toolset of the OpenSSL library).
Its wide possibilities do create one drawback: compared with other implementations, the initial configuration may be harder. This is partly offset by standard configurations and by the server's ability to push a substantial part of the connection parameters to clients automatically. All in all, OpenVPN seems to us the most balanced software solution.
To integrate a VPN into your infrastructure you can use one of the many VPN providers, but this is usually expensive, especially if a large number of clients must be connected, and you have to entrust your corporate or personal data to the provider.
A more reliable and flexible scenario is to set up the VPN on a physical or virtual server (VPS/VDS). For example, you can create an OpenVPN virtual private network by following one of our step-by-step instructions (Windows, Linux) on a cloud-based VPS/VDS server from 1cloud.
For this task the minimum server configuration is sufficient, and the monthly cost will be lower than the market average for a VPN service covering several devices. In addition, this solution scales easily with the current load on the virtual private network.
P.S. We are always happy to share our development experience at the IaaS provider 1cloud, so we have prepared several materials for you: