vpn intro by dongshuzhao
DESCRIPTION
An introduction to @dongshuzhao's VPN system
TRANSCRIPT
A VPN System with User Authentication and Bandwidth Control
Dong Shuzhao (董淑照)
Harbin Institute of Technology, [email protected]
Oct. 9, 2010
OpenSalon Conference 2
Introduction to VPN
What is VPN?
A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network.
An IP tunnel between hosts or routers that extends the reach of a subnet. The tunnel may be encrypted. Creating the tunnel may require an authentication step. Traffic through it may be subject to accounting, logging and firewalling.
Use of VPN
Remote intranet access: for companies and schools
Data encryption: on public networks and Wi-Fi
Access control within the intranet: network authentication
VPN Solutions
PPTP (Point-to-Point Tunneling Protocol): known security vulnerabilities (its MS-CHAP authentication and MPPE encryption have well-documented weaknesses)
L2TP (Layer 2 Tunneling Protocol): an improvement over PPTP; L2TP itself carries no encryption and is normally deployed as L2TP/IPsec
SSL VPN (OpenVPN): an entirely application-layer protocol (TLS over UDP or TCP)
Principles of GFW
IP Block, DNS Tampering, DNS Pollution, Content Filtering, ...
IP Block
Example: twitter.com at 128.242.240.20
Weakness: the blocked site can change its IP address (dynamic IP)
Solution: switch to a secure DNS server; modify the 'hosts' file
DNS Tampering
Weakness: only DNS servers in mainland China are under its control
Solution: switch to a foreign DNS server
DNS Pollution
Weakness: ?
Solution: ?
Content Filtering
Weakness: ?
Solution: ?
VPN & GFW
VPN with Routing Table
chnroutes http://code.google.com/p/chnroutes/
Distinguishing routes: mainland China IPs take the original route; foreign IPs go via the VPN
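The split-tunnel routing table described above, as an added example that is not chnroutes' own code: mainland-China prefixes are pinned to the original default gateway and everything else is redirected into the tunnel. CN_NETWORKS is a constructed sample of five prefixes (the real tool derives several thousand from the APNIC delegation file), and the gateway and device names passed to linux_routes() are hypothetical placeholders.

```python
# Added example, not chnroutes' own code: build a split-tunnel routing table
# so that mainland-China prefixes keep the original default gateway while all
# other traffic goes through the VPN. CN_NETWORKS is a constructed sample of
# five prefixes; the real tool derives several thousand from the APNIC
# delegation file. The gateway and device names in linux_routes() are
# hypothetical placeholders.
import ipaddress

CN_NETWORKS = ["1.0.1.0/24", "14.0.0.0/21", "27.8.0.0/13", "58.14.0.0/15", "202.96.0.0/14"]


def parse_networks(cidrs):
    """Validate the list: a mistyped prefix would silently leak traffic, so be strict."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def openvpn_routes(nets):
    """Client-config lines. 'net_gateway' pins a prefix to the pre-VPN default gateway;
    'redirect-gateway def1' then sends everything else (0.0.0.0/1 + 128.0.0.0/1) into the tunnel."""
    lines = [f"route {n.network_address} {n.netmask} net_gateway" for n in nets]
    lines.append("redirect-gateway def1")
    return lines


def linux_routes(nets, gateway, dev):
    """Equivalent 'ip route' commands for a route-up script, if you prefer to do it by hand."""
    return [f"ip route add {n.with_prefixlen} via {gateway} dev {dev}" for n in nets]


def path_for(ip, nets):
    """Which way a packet to `ip` leaves the host under the generated table:
    longest-prefix match means any listed prefix beats the /1 tunnel routes."""
    addr = ipaddress.ip_address(ip)
    return "direct" if any(addr in n for n in nets) else "vpn"


if __name__ == "__main__":
    nets = parse_networks(CN_NETWORKS)
    print("\n".join(openvpn_routes(nets)))
    for host in ("1.0.1.5", "128.242.240.20"):   # a CN address and the twitter.com IP from the slides
        print(host, "->", path_for(host, nets))
```

Two caveats when using this for real: DNS queries must also be answered through the tunnel (a foreign resolver reached via the VPN), otherwise polluted answers still reach the client even though the data path is split; and the list covers IPv4 only, so IPv6 traffic needs its own handling.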
Implementation of VPN System
System Overview
Distributed Structure
Database Schema
User Authentication
OpenVPN: PAM plugin with saslauthd / pam-mysql; policy file /etc/pam.d/openvpn; DB fields: username, password, active
PPTP VPN: pppd-sql http://freshmeat.net/projects/pppd-sql
Logging
Script hooks:
connect.sh: create a new record with begin time, IP, port, etc.
disconnect.sh: fill in the previous record with end time, bandwidth usage, etc.
Bandwidth Control
disconnect.sh: check the log and set active to 0 if the bandwidth limit is exceeded; lock expired users
cron (/etc/cron.hourly/openvpn): unlock users whose bandwidth quota has rolled over; lock expired users
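The user database, the authentication decision, the connect/disconnect hooks and the hourly cron job from the three sections above, as one added runnable model that is not the talk's own code. SQLite in memory stands in for the MySQL database; the columns quota_bytes and expires and the sessions table layout are hypothetical, while the environment variable names are the ones OpenVPN really exports to client-connect/client-disconnect scripts. The passwords are stored as salted PBKDF2 digests, which is the one thing to insist on if the `password` column in the slides' schema is ever populated from a web panel.

```python
# Added example, not the talk's own code: a runnable model of the user table,
# the connect.sh/disconnect.sh hooks and the hourly cron job from the slides.
# Assumptions: SQLite in memory stands in for the MySQL database; the columns
# quota_bytes and expires, and the sessions table layout, are hypothetical.
# The environment variable names are the ones OpenVPN really exports to
# client-connect/client-disconnect scripts.
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL,
    password BLOB NOT NULL,   -- PBKDF2 digest, never the plaintext
    active INTEGER NOT NULL DEFAULT 1, quota_bytes INTEGER NOT NULL,
    expires INTEGER NOT NULL  -- unix time at which the account expires
);
CREATE TABLE sessions (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,
    ip TEXT NOT NULL, port INTEGER NOT NULL, begin_time INTEGER NOT NULL, end_time INTEGER,
    bytes_in INTEGER NOT NULL DEFAULT 0, bytes_out INTEGER NOT NULL DEFAULT 0);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(db, username, password, quota_bytes, expires):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, 1, ?, ?)",
               (username, salt, hash_password(password, salt), quota_bytes, expires))

def authenticate(db, username, password, now):
    """What the PAM stack must answer: password correct AND active = 1 AND not expired."""
    row = db.execute("SELECT salt, password, active, expires FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored, active, expires = row
    ok = hmac.compare_digest(hash_password(password, salt), stored)  # constant-time compare
    return ok and active == 1 and now < expires

def usage(db, username, since=0):
    """Bytes moved by a user's sessions that began at or after `since`."""
    return db.execute("SELECT COALESCE(SUM(bytes_in + bytes_out), 0) FROM sessions "
                      "WHERE username = ? AND begin_time >= ?", (username, since)).fetchone()[0]

def on_connect(db, env):
    """connect.sh: open a session record from OpenVPN's environment."""
    cur = db.execute("INSERT INTO sessions (username, ip, port, begin_time) VALUES (?, ?, ?, ?)",
                     (env["common_name"], env["trusted_ip"], int(env["trusted_port"]),
                      int(env["time_unix"])))
    return cur.lastrowid

def on_disconnect(db, env, now, period_start):
    """disconnect.sh: close the open record, then lock the user if over quota for this period."""
    user = env["common_name"]
    db.execute("UPDATE sessions SET end_time = ?, bytes_in = ?, bytes_out = ? "
               "WHERE id = (SELECT MAX(id) FROM sessions WHERE username = ? AND end_time IS NULL)",
               (now, int(env["bytes_received"]), int(env["bytes_sent"]), user))
    used = usage(db, user, period_start)
    quota = db.execute("SELECT quota_bytes FROM users WHERE username = ?", (user,)).fetchone()[0]
    if used > quota:
        db.execute("UPDATE users SET active = 0 WHERE username = ?", (user,))
    return used

def hourly_cron(db, now, period_start):
    """/etc/cron.hourly/openvpn: re-enable users whose quota period rolled over, lock expired ones."""
    for username, quota in db.execute("SELECT username, quota_bytes FROM users WHERE active = 0").fetchall():
        if usage(db, username, period_start) <= quota:
            db.execute("UPDATE users SET active = 1 WHERE username = ?", (username,))
    db.execute("UPDATE users SET active = 0 WHERE expires <= ?", (now,))  # expiry wins over unlock

def is_active(db, username):
    return db.execute("SELECT active FROM users WHERE username = ?", (username,)).fetchone()[0] == 1

def demo():
    """Constructed walk-through: one user, 1 MB quota, one 1.1 MB session, then a period rollover."""
    db = open_db()
    add_user(db, "alice", "correct horse", quota_bytes=1_000_000, expires=2_000_000_000)
    results = {"login_ok": authenticate(db, "alice", "correct horse", now=1_700_000_000),
               "login_bad": authenticate(db, "alice", "wrong", now=1_700_000_000)}
    env = {"common_name": "alice", "trusted_ip": "203.0.113.7", "trusted_port": "51234",
           "time_unix": "1700000000", "bytes_received": "400000", "bytes_sent": "700000"}
    on_connect(db, env)
    results["used"] = on_disconnect(db, env, now=1_700_003_600, period_start=1_699_000_000)
    results["locked"] = not is_active(db, "alice")                       # 1.1 MB > 1 MB quota
    results["login_locked"] = authenticate(db, "alice", "correct horse", now=1_700_003_601)
    hourly_cron(db, now=1_702_000_000, period_start=1_701_000_000)       # new quota period
    results["unlocked"] = is_active(db, "alice")
    hourly_cron(db, now=2_000_000_001, period_start=2_000_000_000)       # account has expired
    results["expired_locked"] = not is_active(db, "alice")
    return results
```

The `active` flag is the single switch both PAM and the cron job act on, which keeps the two paths from disagreeing; note that locking a user only prevents the next login, so a user who is already connected keeps the tunnel until disconnect (the "real-time user management" item under Further Improvements is what closes that gap).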
VPN Control Panel
PHP, jQuery, flexigrid
Mailing System
DNS MX record; Sendmail (or Exim, Qmail, ...)
Sending from the shell: login alerts, bandwidth alerts, expiration alerts
Sending from PHP: password alerts, invitations, password resets (PHP mail() function)
Further Improvements
P2P prevention: kernel modules
Real-time user management: kill an online user; disconnect immediately once the bandwidth quota runs out (OpenVPN's management interface offers a kill command for this)
Billing system: PayPal interface, Alipay interface
THE END