VPN with the ability to pass through the firewall / NAT

    NAT (Network Address Translation) has many advantages, but it is not without drawbacks: for example, port forwarding has to be configured whenever we want to reach a server located behind a NAT router. There are several ways to get through NAT (NAT traversal). In this article I will try to look at one of them, based on UDP hole punching (literally, punching a hole using UDP; I apologize for the pile of English terms, but I just don’t know how to render them gracefully in Russian).

    UDP hole punching

    Many have encountered or worked with services such as Hamachi, Skype, or TeamViewer. Their operation is based precisely on the hole punching algorithm using UDP packets.

    The principle of UDP hole punching is quite simple; here, as an example, is how Hamachi works:

    PC A and Notebook B are two computers, each located behind its own private network (NAT); the Hamachi service is a server reachable at a public IP address.
    1. A and B each establish a UDP session with the Hamachi server; each router assigns an external port to its session, and at the same time a “tunnel” (hole) is created in that router
    2. The Hamachi server reports to A and B each other's public IP addresses and ports
    3. Using the information received from the server, A and B establish a connection directly with each other

    This technique relies on the fact that UDP is connectionless: the router's mapping is keyed only by the IP address and port in the packet, whereas a TCP connection also carries handshake state that the router tracks.
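    To make the three steps concrete, here is an added example (not code from the article, Hamachi, or N2N) that plays the exchange on loopback in Python: a rendezvous server records the source address of each peer's registration as it sees it, hands each peer the other's observed endpoint, and the peers then send datagrams directly to those endpoints from the same socket they registered with. The names, message format and addresses are all constructed for the example; on loopback there is no NAT in the path, so the learned and actual endpoints coincide, whereas behind a real NAT the server-observed address would be the router-assigned public IP and port.

```python
"""UDP hole punching in miniature (constructed example): a rendezvous server
plus two peers that learn each other's server-observed endpoint and then
exchange datagrams directly. It runs on loopback, so no NAT is in the path,
but the message flow is the three-step exchange described for Hamachi."""
import json
import socket
import threading


def run_rendezvous(server_sock, expected_peers=2):
    """Steps 1 and 2: record the source address of each peer's registration as
    the server sees it (behind a real NAT this is the translated public IP:port
    that the router mapped to the peer's outbound session), then send every
    peer the observed endpoints of the others."""
    peers = {}                      # name -> observed (ip, port)
    server_sock.settimeout(5.0)
    while len(peers) < expected_peers:
        try:
            data, addr = server_sock.recvfrom(1024)
        except OSError:
            break                   # give up if a peer never registers
        msg = json.loads(data.decode())
        if msg.get("type") == "register":
            peers[msg["name"]] = addr
    for name, addr in peers.items():
        others = {n: list(a) for n, a in peers.items() if n != name}
        server_sock.sendto(json.dumps({"type": "peers", "peers": others}).encode(), addr)
    return peers


def run_peer(name, server_addr, results, attempts=10, wait=0.5):
    """Step 3: register, learn the other peers' endpoints from the server, then
    send to them directly from the SAME socket, so the router mapping created
    by the registration is reused. The direct packet is resent until the peer
    answers, because a NAT may drop the first inbound datagram that arrives
    before its own side has sent anything to that endpoint."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(wait)
    sock.sendto(json.dumps({"type": "register", "name": name}).encode(), server_addr)
    hello = json.dumps({"type": "hello", "from": name}).encode()

    peers = None        # name -> (ip, port) as reported by the server
    punched = set()     # peers we have sent at least one direct packet to
    heard_from = {}     # name -> address the direct packet actually came from
    for _ in range(attempts):
        if peers is not None:
            for peer_name, peer_addr in peers.items():
                if peer_name not in punched or peer_name not in heard_from:
                    sock.sendto(hello, peer_addr)
                    punched.add(peer_name)
            if set(peers) <= set(heard_from):
                break
        try:
            data, addr = sock.recvfrom(1024)
        except OSError:
            continue                # timeout (or ICMP error): retry the punch
        msg = json.loads(data.decode())
        if msg.get("type") == "peers":
            peers = {n: tuple(a) for n, a in msg["peers"].items()}
        elif msg.get("type") == "hello":
            heard_from[msg["from"]] = addr
    sock.close()
    results[name] = {"learned": peers or {}, "heard_from": heard_from}


def demo():
    """Run the server and two peers as threads on loopback; returns, per peer,
    the endpoints learned from the server and the endpoints that the direct
    packets really came from (identical here, since there is no NAT)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server_addr = server.getsockname()
    results = {}
    threads = [
        threading.Thread(target=run_rendezvous, args=(server,)),
        threading.Thread(target=run_peer, args=("A", server_addr, results)),
        threading.Thread(target=run_peer, args=("B", server_addr, results)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    server.close()
    return results


if __name__ == "__main__":
    for peer, info in demo().items():
        print(peer, "learned", info["learned"], "heard from", info["heard_from"])
```

    The point to notice is that each peer keeps using the socket it registered with: a fresh socket would get a fresh router mapping, and the endpoint the server reported would no longer lead anywhere. The retry loop is what makes the punch survive a router that discards the first inbound datagram; the example has no such router, so the first attempt succeeds.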

    N2N

    N2N is a virtual private network (VPN) able to get through a firewall / NAT over an encrypted connection. The N2N architecture is built from two components:
    • edge node: an application installed on a user's computer that allows a virtual private network to be built. Each node creates a virtual network card, which is used to form the network.
    • supernode: a server with a public IP address that is used to establish the connection between remote nodes, and that also relays packets between nodes that cannot communicate directly.

    Remote nodes communicate with each other through virtual network interfaces (tap interfaces). Each computer can belong to many virtual networks (one virtual network interface per virtual private network).

    Install and use N2N

    • Download n2n:
      svn co svn.ntop.org/svn/ntop/trunk/n2n
    • Build:
      make
    • Run a supernode on a computer with a public IP address, or behind NAT wherever port forwarding can be configured:
      supernode$ supernode -l xyw
      where xyw is the port on which the supernode listens for connections
    • Run two nodes on different computers behind NAT:
      node-1$ edge -a 10.1.2.1 -c mynetwork -k encryptme -l a.b.c.d:xyw
      node-2$ edge -a 10.1.2.2 -c mynetwork -k encryptme -l a.b.c.d:xyw
      where mynetwork is the name of the VPN, encryptme is the password (shared key) used to encrypt VPN traffic, and a.b.c.d:xyw is the public IP address and port of the supernode
    • Check that the VPN works:
      node-1$ ping 10.1.2.2
      node-2$ ping 10.1.2.1


    Little things

    For OS X, you need to install a tap device driver; I installed this one - TUNTAP.

    Building n2n for Windows is also quite easy; the project file is in the source tree, but 1) the paths in the project are not correct, so you will need to copy the files into a subdirectory, and 2) the file version.c is missing; you can simply create an empty one and put this into it:
    char *version = "2.03";
    char *osName = "Windows";
    char *buildDate = "today";
