Source: scsci530l/slides/lab-tunnels-individual... · 2020. 11. 6.
Tunnels and VPN*s
November 6, 2020
*virtual private networks
Administrative – submittal instructions
• answer the lab assignment's questions in written report form, as a text, pdf, or Word document file (no obscure formats please)
• deadline is start of your lab session the following week
• reports not accepted (zero for lab) if late
• submit via D2L
Administrative – script files reminder
• re-download the script files' zip
• to obtain the new vmconfigure scripts for this "sniffing" exercise
Administrative – employment
• CS530 will be next offered Fall 2020
• lab graders will be needed
– you are automatically the ideal candidates
– you must remain a student in Fall 2020
– contact me with expression of interest now, or subsequently
– hiring can only take place next August-September
What's a tunnel?
• encapsulation of data packets in data packets
• inner packets opaque to outer packets' network
• may or may not be encrypted
– that's outside the "tunnel" definition
Lab experiment topology
(diagram; interface labels shown as "eth0? eth2? eth3?")
Interface names are enumerated unpredictably and must be determined every swap-in session; the script "nicaddressing" is provided for this.
Tcpdump of ipip – packet becomes payload
(diagram: two simultaneous captures of a ping, one as it goes in one side of the tunnel endpoint and one as it comes out the other, with "IP header starts" and "IP payload starts" marked)
node3's red incoming packet and outgoing payload are IP-identical*
*allowing for TTL decrement and checksum recalc
Lab tunnels you will build
(diagram: each lab product placed on two axes, encrypted vs. unencrypted, and non-tunnel channel vs. true tunnel)
• ssh
• stunnel
• OpenVPN
• IP over IP
Tunnels spawn new interfaces
Virtual (software):
• tunl0 (ip-ip)
• tap0 (OpenVPN)
• ipsec0 (IPSec)
• ppp0 (ppp-ssh)
• vmnet8 (VMware)
Physical (hardware):
• eth0
• eth1
Using hardware interfaces
(diagram: App sending out through eth0 or eth1)
(Technical note: the choice of interface by an app is indirect. App source code expresses only an IP address. Downstream, the IP software in the network stack maps the address to an interface via the routing table.)
Using software interfaces
(diagram: App, eth0, eth1, and a software interface cipcb1 interposed between the app and the hardware interfaces)
cipcb1:
• looks like an interface to an app
• looks like an app to an interface
• gets to massage traffic passing through
What's a VPN
• a virtual net overlaid on an underlying net
• a private net retaining exclusivity through confidentiality
– implemented by encryption
– applying cryptographic methods you have studied
TUNNELS
Tunnel within a network
(diagram: nodes A through I, with three kinds of packet stream drawn between them; legend:)
- Packet stream of protocol X
- Packet stream of protocol Y
- Packet stream: "X over Y" or "X tunneled in/through Y"
A packet to be tunneled
[ Source Address | Destination Address | Data Payload ]
Tunnel packet
[ Tunnel Source Address | Tunnel Destination Address ] [ Source Address | Destination Address | Data Payload ]
The first bracket is the Tunnel Header; the tunnel packet's payload is a(nother) packet.
X over Y tunneling
[ Tunnel Source Address | Tunnel Destination Address ] [ Source Address | Destination Address | Data Payload ]
The Tunnel Header plus everything after it is a packet of protocol Y; the inner bracket is the packet of protocol X.
Another way to draw it …
[ low-level header [ mid-level header [ high-level header [ payload/cargo/freight ] ] ] ]
(the three nested headers labelled protocol X, protocol Y, protocol Z)
Uses of tunneling
• carry payloads over domains where otherwise illegal
– carry protocols that are illegal
– carry addresses that are illegal
• apply common services to multiple traffic flows
'Illegal' protocols over IP
(diagram: IPX and/or IPv6 Network A (e.g., Netware and/or IPv6) <-> IP Network C (e.g. the internet) <-> IPX and/or IPv6 Network B (e.g., Netware and/or IPv6))
'Illegal' addresses over IP
(diagram: Private IP Network A (e.g., 192.168…., 172.16…. and/or 10….) <-> IP Network C (e.g. the internet) <-> Private IP Network B (e.g., 192.168…., 172.16…. and/or 10….))
Applying common services
(diagram: IPX Network A <-> IP Network C (e.g. the internet) <-> IPX Network B)
crypto and/or compression applied (to the entire tunnel) at each end, by e.g. ssh or stunnel (ssl) or OpenVPN or IPSec
Layer 3 tunneling, example: IP over IP
[ IP header 2 (layer 3) | IP header 1 (layer 3) | payload ]
Layer 3 tunneling, example: IPsec
[ IP header 2 (layer 3) | extra "security" header | IP header 1 (layer 3) | payload ]
VPNs
Placement-based Architectures
• Site-to-site Intranet VPN
• Remote access VPN
Site-to-site VPN via internet
(diagram: Network A <-> internet <-> Network B)
Remote access VPN via internet connection
(diagram: Network A behind a VPN gateway; remote clients, a home telecommuter and a road warrior at an ISP/hotel, connect in over the internet)
lab exercise product 1: IPIP
What is it?
• Conveys an IP packet between machines… not as a packet, … but as cargo in another packet
• Destination shucks the carrier packet, releases the cargo as a packet into the local networking machinery
• "Tunnel" since one packet "passes through" another
• Implemented in Linux by module ipip.o
• Conveys a car between states
– … not as a car/motor-vehicle
– … but as cargo in a boat
• Destination throws away the boat, releases the car as a motor vehicle onto local roadways
• "Tunnel" since one vehicle "passes through" another
• Implemented by Lake Michigan Carferry Service
(photo: S.S. Badger)
IP itself is an IP subprotocol
IP Header Format (from RFC 791):

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Protocol field: 4 for IP (6 for TCP, 17 for UDP, 50 for ESP, etc.)
Sample LAN
Local Network – 192.168.1.0: workstation A (192.168.1.2), gateway B (192.168.1.1 on the LAN side, 100.1.1.1 on the outside)
Remote Network – 192.168.2.0: workstation E (192.168.2.2), gateway D (192.168.2.1 on the LAN side, 200.2.2.2 on the outside)
Workstations – A and E
Gateways – B and D, joined by "some connection"
"Some connection"
• Could be the internet
• Could be a single intermediate machine
• Equivalent, for the 2 gateways
Sample LAN
(same topology, with the "some connection" made concrete)
Local Network – 192.168.1.0: A (192.168.1.2), B (192.168.1.1 / 100.1.1.1)
Remote Network – 192.168.2.0: E (192.168.2.2), D (192.168.2.1 / 200.2.2.2)
Workstations – A and E
Gateways – B and D
Internet surrogate – C (B's ISP; D's ISP), addresses 100.1.1.254 and 200.2.2.254
(interfaces labelled eth0 and eth1 in the diagram)
Wanted: a 2nd bridge to cross
(same topology; B and D each get a tunl0 interface beside eth0)
tunl0 on B: 192.168.1.1
tunl0 on D: 192.168.2.1
lab exercise product 2: ssh
A client-server pair of programs
• ssh - client
– /usr/bin/ssh
• sshd - server
– /usr/sbin/sshd
– assigned port number 22
ssh – why secure?
• all session/command traffic passes through ssh/sshd (sshd runs on port 22)
• encrypted going out/decrypted coming in
• for duration of session/command
• uses RSA (public-key) authentication
• then strong-key symmetrical encryption
ssh feature: port forwarding
(diagram: ssh client and ssh server on public addresses 64.54.209.204 and 206.170.218.30; the ssh server is also 192.168.1.1 on Private Network 192.168.1.0, where an http (web) server listens at 192.168.1.111:80)
ssh port forwarding: correspond some port on the client (e.g., 3000) to some port (e.g., 80) on a machine reachable through the server….
Example: http://127.0.0.1:3000 in the client's browser gets served from 192.168.1.111
ssh syntax
Normal log in:
ssh remote-user@remote-IP
e.g., ssh [email protected]
Adding a tunnel:
ssh -L local-port:target-IP:remote-port remote-user@remote-IP
e.g., ssh -L 3000:192.168.1.111:80 [email protected]
puTTY
(two screenshot slides)
lab exercise product 3: stunnel
Encrypt the talk between clients and servers who don't
"The stunnel program is designed to work as SSL encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels."
– stunnel man page
Ordinary ssl/tls-unaware applications
(diagram: client application and server application, each sitting on the socket API over transport / network / data link / physical; the traffic between them is not encrypted)
SSL/TLS-aware applications
(diagram: the same two stacks, but an ssl/tls layer sits between each application and its transport layer; the "crypto here" is in that layer, and the traffic between the two machines is encrypted)
stunnel – 3 TCP conversations
(diagram: on the client machine, an ssl-unaware client talks to a local stunnel, not encrypted; the client machine's stunnel talks ssl/tls to the server machine's stunnel, encrypted; on the server machine, stunnel talks to the ssl-unaware server, not encrypted)
app viewpoint: stunnel-oblivious
(diagram: without stunnel, ssl-unaware client <-> ssl-unaware server, not encrypted; with stunnel, the same client and server, unchanged, but the link between them is encrypted)
Ports: non-stunnel scenario
client application: talk to remote:60000
server application: listen to 60000
stunnel – 3 TCP conversations
ssl-unaware client: talk to local:2000
client-side stunnel: listen to local:2000, talk to remote:30000
server-side stunnel: listen to 30000, talk to 60000
ssl-unaware server: listen to 60000
Vanilla config files
# stunnel client
client=yes
[stunnel service name]
accept = 127.0.0.1:2000
connect = 192.168.3.12:30000

# stunnel server at 192.168.3.12
cert = /etc/stunnel/stunnel.pem
[example service name]
accept = 30000
connect = 60000
stunnel – general case topology
(diagram: LAN with client <-> a router running stunnel <-> untrusted net <-> a router running stunnel <-> LAN with server; the ssl leg across the untrusted net is encrypted, the two LAN legs are not)
stunnel server needs certificate
• create it with
cd /etc/stunnel
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem
• reference it in stunnel server's config file
stunnel's not really a tunnel
• stunnel is a conversation endpoint
• and a (different) conversation startpoint
• arriving packets are stripped of header at endpoint
• their content repackaged, new header, at startpoint
• headers do not nest/accumulate as in tunnels
True tunneling
[ header 2 | header 1 | payload ]
headers accumulate
Payload forward/relay/proxy
[ header 1 | payload ] -> [ header 2 | payload ]
headers replace each other
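The IPIP slides earlier (a packet becomes payload, Protocol field 4, "IP-identical allowing for TTL decrement and checksum recalc") and the tunnel-vs-relay contrast on this slide, worked in Python. This is an added example, not the lab's ipip module, scripts or any code from the deck; it uses the Sample LAN addresses from the earlier slides, and the ICMP echo bytes and the router hops are constructed here.

```python
"""IP-in-IP (protocol 4) encapsulation, built by hand to show what the slides describe."""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4       # Protocol field value meaning "the payload is another IP packet"
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header (no options)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header's 16-bit words; 0 for an intact header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, ident: int = 0) -> bytes:
    """Assemble a minimal IPv4 packet with a correct header checksum."""
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split a packet into its header fields and payload, checking the header checksum."""
    vihl, _tos, length, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(HDR, packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or length > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    return {"ident": ident, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ip_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:length]}


def route_hop(packet: bytes) -> bytes:
    """What any router does to a packet it forwards: TTL minus one, checksum recalculated."""
    f = parse_ipv4(packet)
    if not f["checksum_ok"] or f["ttl"] <= 1:
        raise ValueError("packet dropped (bad checksum or TTL expired)")
    hdr = bytearray(packet[:20])
    hdr[8] -= 1                       # Time to Live
    hdr[10:12] = b"\x00\x00"          # zero the checksum before recomputing it
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the cargo of a new protocol-4 packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Tunnel exit: shuck the carrier packet and release the cargo as a packet of its own."""
    f = parse_ipv4(outer)
    if not f["checksum_ok"] or f["proto"] != IPPROTO_IPIP:
        raise ValueError("not an intact IP-in-IP packet")
    return f["payload"]


def relay(packet: bytes, new_src: str, new_dst: str) -> bytes:
    """The stunnel-style alternative: header stripped, payload re-sent under a NEW header.
    Headers replace each other rather than nest, which is why that is a proxy, not a tunnel."""
    f = parse_ipv4(packet)
    return build_ipv4(new_src, new_dst, f["proto"], f["payload"])


def identical_modulo_hop(a: bytes, b: bytes) -> bool:
    """True when two packets differ only in TTL (byte 8) and header checksum (bytes 10-11)."""
    strip = lambda p: p[:8] + p[9:10] + p[12:]
    return strip(a) == strip(b)


def ping_across_tunnel() -> dict:
    """A (192.168.1.2) pings E (192.168.2.2) via B's tunl0 (100.1.1.1) to D's tunl0 (200.2.2.2),
    the Sample LAN addresses; C in the middle forwards only the outer packet."""
    icmp = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"constructed echo data"   # type 8, code 0
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]       # ICMP checksum
    from_a = build_ipv4("192.168.1.2", "192.168.2.2", IPPROTO_ICMP, icmp, ident=0x1234)
    at_b = route_hop(from_a)                              # B routes it (TTL 64 -> 63) ...
    outer = encapsulate(at_b, "100.1.1.1", "200.2.2.2")   # ... and wraps it for D
    outer_at_d = route_hop(outer)                         # C forwards the carrier (outer TTL 63)
    released = decapsulate(outer_at_d)                    # D unwraps the cargo ...
    at_e = route_hop(released)                            # ... and routes it to E (TTL 62)
    return {"outer_proto": parse_ipv4(outer_at_d)["proto"],
            "outer_ttl": parse_ipv4(outer_at_d)["ttl"],
            "cargo_untouched_by_c": released == at_b,
            "inner_ttl_at_e": parse_ipv4(at_e)["ttl"],
            "identical_modulo_hop": identical_modulo_hop(from_a, at_e),
            "headers_nest": len(outer) == len(from_a) + 20,
            "relay_replaces": len(relay(from_a, "100.1.1.1", "200.2.2.2")) == len(from_a)}


if __name__ == "__main__":
    for k, v in ping_across_tunnel().items():
        print(f"{k}: {v}")
```

The "cargo_untouched_by_c" result is the slide's point: the intermediate machine decrements only the outer TTL, so the inner packet leaves D's tunl0 byte-for-byte as it entered B's.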
lab exercise product 4: OpenVPN
Lab's OpenVPN tunnel scenarios
• a routed tunnel, unencrypted
• a routed tunnel, encrypted using static, preshared secret keys
• a bridged tunnel, encrypted using SSL/TLS
Given this setup…
(diagram: LEFT (eth0) <-> hub <-> MIDDLE (eth0, eth1) <-> hub <-> RIGHT (eth0))
… 2 configs could make 'em ping
(diagram: the same three machines, with a hub/switch between each pair)
1. Routing: make 2 LANs out of it (2 broadcast domains); end-to-end connection achieved by routing the IP packets
2. Bridging: make 1 consolidated LAN out of it (single broadcast domain); end-to-end by bridging the ethernet frames
Info's usual trans-layer itinerary
(diagram: two hosts, each with application / transport / network / data link / physical; information descends one stack and ascends the other)
Signals via hub ("layer 1 device")
(diagram: computer A <-> hub <-> computer B; the hub has only a physical layer)
Frames via bridge ("layer 2 device")
(diagram: computer A <-> bridge <-> computer B; the bridge has physical and data link layers)
Packets via router ("layer 3 device")
(diagram: computer A <-> router <-> computer B; the router has physical, data link and network layers)
Note, bridge scenario: frame's contained packet untouched
(diagram: same as the bridge case; the bridge never ascends to the network layer, so the packet inside the frame passes through untouched)
OpenVPN features
• unique certificate/key-pair for every client
• choice of ciphers
• bridged case
– extends LAN-local IP to remote joiner
– allows broadcast-dependent apps (e.g. printer sharing)
– makes remoteness transparent
• routing does it mostly
• bridging does it entirely
Info – IP over IP
• IP in IP Tunneling – http://www.rfc-editor.org/rfc/rfc1853.txt
• IP Encapsulation within IP – http://www.rfc-editor.org/rfc/rfc2003.txt
Info – ssh
• Getting Started with ssh – https://www.whoishostingthis.com/resources/ssh/
• free clients for Windows
– puTTY – http://www.chiark.greenend.org.uk/~sgtatham/putty/
– OpenSSH for Windows – http://sshwindows.sourceforge.net/ (built in to the command box by Microsoft in Windows 10)
Info – stunnel
• http://www.stunnel.org/
Info – OpenVPN
• https://openvpn.net/
• http://en.wikipedia.org/wiki/OpenVPN
• https://github.com/OpenVPN/openvpn
• client for Windows (commercial)
– https://openvpn.net/