Vpn intro by dongshuzhao

Post on 21-Jan-2015


@dongshuzhao's introduction to his VPN system


A VPN System with User Authentication and Bandwidth Control

董淑照 Dong Shuzhao

Harbin Institute of Technology at Weihai, dongshuzhao@gmail.com

Oct. 9, 2010

OpenSalon Conference 2

Introduction to VPN

What is VPN?

A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network.

What is VPN?

An IP tunnel between hosts or routers that extends the reach of a subnet. The tunnel may be encrypted. Tunnel creation may require an authentication process. Traffic may be subject to accounting, logging and firewalling.

Use of VPN

Remote intranet access: for companies, schools

Data encryption: on public networks, Wi-Fi

Access control within the intranet: network authentication

VPN Solutions

PPTP (Point-to-Point Tunneling Protocol): known security vulnerabilities

L2TP (Layer 2 Tunneling Protocol): an improvement over PPTP

SSL VPN (OpenVPN): entirely an application-layer protocol

Principles of GFW

IP block, DNS tampering, DNS pollution, content filtering, ...

IP Block

twitter.com 128.242.240.20

IP Block

Weakness: change of IP address, dynamic IP

Solution: change to a secure DNS server, modify the 'hosts' file

DNS Tampering

Weakness: only controls DNS servers in mainland China

Solution: change to a foreign DNS server

DNS Pollution

Weakness: ?

Solution: ?

Content Filtering

Weakness: ?

Solution: ?

VPN & GFW

VPN with Routing Table

chnroutes: http://code.google.com/p/chnroutes/

Dividing line in the routing table: Chinese (mainland) IPs take the original route; foreign IPs go via the VPN

Implementation of VPN System

System Overview

Distributed Structure

Database Schema

User Authentication

saslauthd, pam-mysql, /etc/pam.d/openvpn; DB fields: username, password, active

OpenVPN: PAM plugin

PPTP VPN: pppd-sql, http://freshmeat.net/projects/pppd-sql

Logging

Script hooks:

connect.sh: create a new record with begin time, IP, port, etc.

disconnect.sh: fill back the previous record with end time, bandwidth usage, etc.

Bandwidth Control

disconnect.sh: check the log and set active to 0 if the bandwidth limit is exceeded; lock expired users

cron (/etc/cron.hourly/openvpn): unlock users whose bandwidth has rolled back; lock expired users
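The logging hooks and hourly job described above, as an added example that is not code from the talk: SQLite stands in for the MySQL backend, the schema adds assumed quota/expiry columns to the slides' username/password/active fields, and the env dict mimics the variables OpenVPN exports to client-connect/client-disconnect scripts (trusted_ip, trusted_port, bytes_received, bytes_sent, username).

```python
import sqlite3

# Constructed schema: the slides' user fields (username, password, active) plus assumed
# quota/expiry columns and a session log. SQLite stands in for the talk's MySQL backend.
SCHEMA = """
CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT, active INTEGER,
                   quota_bytes INTEGER, expires INTEGER);
CREATE TABLE sessions(id INTEGER PRIMARY KEY, username TEXT, ip TEXT, port INTEGER,
                      begin_time INTEGER, end_time INTEGER, bytes INTEGER, billed INTEGER DEFAULT 0);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def usage(db, user):  # bytes used in the current quota period (sessions not yet rolled back)
    return db.execute("SELECT COALESCE(SUM(bytes), 0) FROM sessions WHERE username=? AND billed=0",
                      (user,)).fetchone()[0]

def is_active(db, user):
    return bool(db.execute("SELECT active FROM users WHERE username=?", (user,)).fetchone()[0])

def on_connect(db, env, now):
    """connect.sh: OpenVPN exports the peer (username, trusted_ip, trusted_port); open a record."""
    db.execute("INSERT INTO sessions(username, ip, port, begin_time) VALUES (?, ?, ?, ?)",
               (env["username"], env["trusted_ip"], int(env["trusted_port"]), now))
    db.commit()

def on_disconnect(db, env, now):
    """disconnect.sh: fill back end time and bytes (bytes_received + bytes_sent), then
    set active=0 if the period's usage exceeds the quota. Returns the active state."""
    user, used = env["username"], int(env["bytes_received"]) + int(env["bytes_sent"])
    db.execute("UPDATE sessions SET end_time=?, bytes=? WHERE id=(SELECT MAX(id) FROM sessions "
               "WHERE username=? AND end_time IS NULL)", (now, used, user))
    quota = db.execute("SELECT quota_bytes FROM users WHERE username=?", (user,)).fetchone()[0]
    if usage(db, user) > quota:
        db.execute("UPDATE users SET active=0 WHERE username=?", (user,))
    db.commit()
    return is_active(db, user)

def rollback_quota(db):  # new quota period: already-counted sessions stop counting
    db.execute("UPDATE sessions SET billed=1")
    db.commit()

def hourly(db, now):
    """/etc/cron.hourly/openvpn: lock expired users, unlock users back under quota."""
    for user, quota, expires in db.execute("SELECT username, quota_bytes, expires FROM users").fetchall():
        db.execute("UPDATE users SET active=? WHERE username=?",
                   (0 if expires < now or usage(db, user) > quota else 1, user))
    db.commit()
```

In a real deployment each function would be a separate script invoked by OpenVPN (client-connect/client-disconnect) or cron, reading the same values from the environment.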

VPN Control Panel

PHP, jQuery, flexigrid

Mailing System

DNS MX record; Sendmail (or Exim, Qmail, ...)

Sending from shell: login alerts, bandwidth alerts, expiration alerts

Sending from PHP: password alerts, invitations, password resets, via PHP's mail() function

Further Improvements

P2P prevention: kernel modules

Real-time user management: killing an online user; disconnecting immediately after the bandwidth runs out

Billing system: PayPal interface, Alipay interface

THE END