Weble VPN is a secure networking solution that enables users to establish encrypted connections over the internet. It functions by creating a virtual network tunnel between multiple devices or networks, ensuring secure communication and data transfer.
The security of Weble VPN is achieved through several important mechanisms:
By integrating these security mechanisms, Weble VPN ensures that data transmitted between devices remains confidential, protected from unauthorized access, and secure from potential threats or attacks. It provides users with a private and secure network environment, particularly useful when accessing sensitive information or connecting to remote networks over untrusted networks such as the internet.
Weble VPN utilizes encryption algorithms to secure data transmission. It supports various encryption methods, including symmetric and asymmetric encryption.
For symmetric encryption, Weble VPN commonly employs the Advanced Encryption Standard (AES) algorithm. AES is widely recognized as a strong encryption standard and is commonly used for secure communication. It uses a symmetric key, which means the same key is used for both encryption and decryption.
In addition to symmetric encryption, Weble VPN also utilizes asymmetric encryption for certain tasks, such as key exchange and authentication. It often employs public-key cryptography algorithms like RSA or Elliptic Curve Cryptography (ECC). Asymmetric encryption uses a pair of mathematically related keys: a public key for encryption and a private key for decryption.
By combining symmetric and asymmetric encryption, Weble VPN ensures the confidentiality and integrity of data transmitted through the VPN tunnel. Symmetric encryption provides efficient and fast encryption for the actual data, while asymmetric encryption facilitates secure key exchange and authentication processes.
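The hybrid scheme described above (asymmetric key agreement to derive a session key, symmetric AES to protect the tunnel data) carried through in working code. This is an added example, not Weble VPN's own code: X25519 ECDH stands in for the page's "RSA or ECC", AES-256-GCM for AES, and the session key is derived by hashing the shared secret, which is a simplification of a real VPN handshake (a production protocol would use a KDF such as HKDF and authenticate the peers' public keys). The bit-flip at the end shows the integrity property: a ciphertext modified in transit is rejected rather than decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer holds one side's X25519 key pair for the session.
// Assumption: the page does not say which curve or key size Weble VPN uses.
type Peer struct {
	priv *ecdh.PrivateKey
}

func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// PublicBytes is the only key material that crosses the network; the private key stays on the host.
func (p *Peer) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey derives the 256-bit AES key from the ECDH shared secret.
// Hashing the raw secret is a simplification; use a proper KDF in real protocols.
func (p *Peer) SessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	return sum[:], nil
}

// Seal encrypts one tunnel payload with AES-256-GCM and returns nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails if the ciphertext or the authentication tag was altered.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	client, _ := NewPeer()
	server, _ := NewPeer()
	// Each side combines its own private key with the other's public key and gets the same AES key.
	ck, _ := client.SessionKey(server.PublicBytes())
	sk, _ := server.SessionKey(client.PublicBytes())
	sealed, _ := Seal(ck, []byte("tunnel payload"))
	pt, err := Open(sk, sealed)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	sealed[len(sealed)-1] ^= 0x01 // corrupt one bit of the tag: decryption must now fail
	_, err = Open(sk, sealed)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The expensive asymmetric operation happens once per session; every packet afterwards only pays for AES-GCM, which is the performance argument the section makes for combining the two.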
Weble VPN supports various compression methods to optimize data transmission over the VPN network. These compression techniques aim to reduce the size of the data being transmitted, resulting in improved network performance and reduced bandwidth usage.
Here are some of the compression methods supported by Weble VPN:
LZO Compression: Weble VPN often incorporates LZO (Lempel-Ziv-Oberhumer) compression, which is a fast compression algorithm designed for speed rather than maximum compression ratios. It provides efficient compression and decompression of data, allowing for faster transmission across the VPN network.
LZ4 Compression: Weble VPN also supports LZ4 compression, which is a high-speed compression algorithm that offers a good balance between compression ratio and performance. LZ4 compression achieves fast compression and decompression speeds, making it suitable for real-time data transmission.
Zlib Compression: Weble VPN may utilize Zlib compression, which is a widely-used compression library that provides good compression ratios. Zlib compression is known for its versatility and compatibility across various platforms and systems.
By incorporating these compression methods, Weble VPN optimizes the transmission of data across the VPN network by reducing the size of the transmitted data. This results in improved network performance, reduced bandwidth usage, and more efficient utilization of network resources.
A TAP (Ethernet Tap) interface, also known as a virtual Ethernet adapter, is a network device driver that emulates a traditional Ethernet network interface card (NIC). It is commonly used in virtual private network (VPN) setups and virtualization environments.
The TAP interface operates at the data link layer (Layer 2) of the network stack and enables communication between the host operating system and virtual machines or VPN clients. It allows virtual machines or VPN clients to connect to a virtual Ethernet network, forming a virtual LAN (VLAN) or bridged network environment.
Unlike a TUN (network TUNnel) interface, which operates at the network layer (Layer 3) and is used for routing purposes, the TAP interface emulates a full Ethernet NIC. This means that it can transmit Ethernet frames with MAC addresses, allowing for more seamless integration with existing network infrastructure.
TAP interfaces are often used in scenarios where virtual machines or VPN clients need to appear as if they are connected directly to a physical network. They provide a way to extend the network connectivity of the host system to virtual machines or VPN clients, enabling them to communicate with other devices on the network.
In summary, a TAP interface is a virtual Ethernet adapter that facilitates network communication between the host system and virtual machines or VPN clients, allowing them to participate in a virtual LAN or bridged network environment.
Weble VPN supports both Layer 2 and Layer 3 network protocols, offering flexibility in terms of network connectivity options. Let's explore the difference between these two layers:
At Layer 2, Weble VPN operates by creating a virtual bridged network. It emulates a local area network (LAN) environment, allowing devices to communicate with each other as if they were connected directly through a physical LAN. This layer primarily deals with MAC addresses and frames. By supporting Layer 2 networking, Weble VPN enables the extension of a LAN across a wider geographic area, connecting devices in different locations as if they were in the same network segment.
At Layer 3, Weble VPN functions as a virtual router. It establishes connections between networks, allowing devices to communicate across different subnets or even different networks altogether. This layer primarily deals with IP addresses and routing. By supporting Layer 3 networking, Weble VPN enables secure communication and data transfer between geographically dispersed networks. It allows organizations to connect remote offices or provide secure access to resources hosted on different networks.
In summary, Weble VPN's support for both Layer 2 and Layer 3 networking provides versatility in network connectivity options. Layer 2 support enables devices to communicate within the same virtual LAN, while Layer 3 support facilitates secure communication between different networks or subnets. This flexibility allows Weble VPN to cater to various network architectures and requirements, offering a comprehensive solution for secure and private communication across different network layers.
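To make the TAP/TUN and Layer 2/Layer 3 distinction concrete, here is an added example (not Weble VPN code) that parses a constructed Ethernet frame the way a TAP-based, Layer 2 VPN sees it (MAC addresses, EtherType, and a broadcast test that only matters on a bridged network), and then parses the IPv4 packet inside it, which is all a TUN-based, Layer 3 VPN would carry. The sample frame is constructed for this example, with the IP and ICMP checksums left as zero.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// EthernetFrame is what a TAP interface hands to a Layer 2 VPN: the frame header plus payload.
type EthernetFrame struct {
	Dst, Src  net.HardwareAddr
	EtherType uint16
	Payload   []byte // for EtherType 0x0800 this is the IPv4 packet a TUN interface would carry
}

// IPv4Header is the Layer 3 view: the fields a TUN interface or a virtual router works with.
type IPv4Header struct {
	HeaderLen int
	Protocol  uint8
	Src, Dst  net.IP
}

const etherTypeIPv4 = 0x0800

func ParseEthernet(b []byte) (*EthernetFrame, error) {
	if len(b) < 14 {
		return nil, errors.New("frame shorter than Ethernet header")
	}
	return &EthernetFrame{
		Dst:       net.HardwareAddr(append([]byte(nil), b[0:6]...)),
		Src:       net.HardwareAddr(append([]byte(nil), b[6:12]...)),
		EtherType: binary.BigEndian.Uint16(b[12:14]),
		Payload:   b[14:],
	}, nil
}

func ParseIPv4(b []byte) (*IPv4Header, error) {
	if len(b) < 20 || b[0]>>4 != 4 {
		return nil, errors.New("not an IPv4 packet")
	}
	ihl := int(b[0]&0x0f) * 4 // header length in bytes
	if ihl < 20 || len(b) < ihl {
		return nil, errors.New("bad IPv4 header length")
	}
	return &IPv4Header{
		HeaderLen: ihl,
		Protocol:  b[9],
		Src:       net.IPv4(b[12], b[13], b[14], b[15]),
		Dst:       net.IPv4(b[16], b[17], b[18], b[19]),
	}, nil
}

// IsBroadcast reports whether a bridged (Layer 2) network would flood this frame
// to every member; a routed (Layer 3) VPN never forwards such frames.
func (f *EthernetFrame) IsBroadcast() bool {
	for _, x := range f.Dst {
		if x != 0xff {
			return false
		}
	}
	return true
}

// sampleFrame is constructed for this example: an ICMP echo request from 10.0.0.2 to 10.0.0.1.
var sampleFrame = []byte{
	0x02, 0x00, 0x00, 0x00, 0x00, 0x01, // destination MAC
	0x02, 0x00, 0x00, 0x00, 0x00, 0x02, // source MAC
	0x08, 0x00, // EtherType: IPv4
	0x45, 0x00, 0x00, 0x1c, // version/IHL, TOS, total length 28
	0x00, 0x01, 0x00, 0x00, // identification, flags/fragment offset
	0x40, 0x01, 0x00, 0x00, // TTL 64, protocol 1 (ICMP), checksum (left zero)
	10, 0, 0, 2, // source IP
	10, 0, 0, 1, // destination IP
	0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // ICMP echo header (checksum left zero)
}

func main() {
	f, err := ParseEthernet(sampleFrame)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("L2 (TAP view): %s -> %s ethertype=0x%04x broadcast=%v\n", f.Src, f.Dst, f.EtherType, f.IsBroadcast())
	if f.EtherType == etherTypeIPv4 {
		ip, err := ParseIPv4(f.Payload)
		if err != nil {
			fmt.Println(err)
			return
		}
		fmt.Printf("L3 (TUN view): %s -> %s proto=%d\n", ip.Src, ip.Dst, ip.Protocol)
	}
}
```

Feeding the whole frame to ParseIPv4 fails, which is the practical consequence of the distinction: a peer configured for Layer 3 cannot make sense of Layer 2 traffic, so both ends of a tunnel must agree on the mode.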
To establish a connection between a host and the VPN server, the client follows this procedure:
Initial Connection Attempt (TCP 655): The host initiates the VPN connection by attempting to connect to the VPN server's IP address using TCP port 655. This initial connection is made to establish the basic communication link between the host and the server.
Connection Check (TCP 655): If the host successfully establishes a connection using TCP port 655, it proceeds with the VPN connection over this open channel. Data is then encrypted and transmitted between the host and the server using this connection.
Fallback to SSH or HTTPS Tunnel (If TCP 655 Fails): If the host is unable to reach the VPN server through TCP port 655, it employs an alternative method to establish the connection. In this scenario, the host creates a tunnel using either the SSH (Secure Shell) protocol or the HTTPS (Hypertext Transfer Protocol Secure) protocol. This tunneling process encapsulates the VPN connection within the chosen protocol's encryption.
SSH Tunneling: The host establishes an SSH connection to the VPN server over the standard SSH port (TCP 22). This connection acts as a secure tunnel through which the VPN traffic is routed. The VPN connection is then set up within this tunnel, ensuring data confidentiality and security.
HTTPS Tunneling: Alternatively, the host can create an HTTPS tunnel by connecting to a web server running on the VPN server using TCP port 443. The VPN traffic is then encapsulated within the SSL/TLS encryption used by HTTPS, allowing secure communication between the host and the VPN server.
In summary, the host attempts to connect to the VPN server through TCP port 655. If successful, the VPN connection is established directly. If connection via TCP port 655 fails, the host creates a secure tunnel using either SSH or HTTPS, and within this tunnel, the VPN connection is established to ensure encrypted communication with the server.
To summarize, for the host to be able to connect to the server and establish a VPN, at least one of these outgoing ports must be open:

- 655 TCP (best performance)
- 443 TCP for HTTPS tunnel
- 22 TCP for SSH tunnel
If the VPN client cannot reach the server through the default port (TCP 655), it will attempt to establish an SSH, HTTP or HTTPS tunnel with the server.
The client firewall must allow outgoing connections on TCP port 22 (SSH service).
Encapsulating a Connection in an SSH Tunnel:
When we talk about encapsulating a connection in an SSH (Secure Shell) tunnel, we are referring to the process of securing and transmitting data through a secure channel over an insecure network, such as the internet. This is particularly useful when you want to ensure the confidentiality and integrity of the information being exchanged between two systems.
Here's how the encapsulation process works:

- Within the established SSH connection, a secure tunnel is created. This tunnel acts as a conduit for other types of traffic.
- The tunneling process involves encapsulating the data in a secure, encrypted format. This ensures that the information is protected from potential eavesdropping or tampering while traversing the insecure network.

Transporting Different Types of Traffic:

- The encapsulation ensures that the data is secure throughout its journey through the tunnel.
- Upon reaching the destination (remote server), the encapsulated data is decrypted and presented in its original form.
- This ensures that the communication remains confidential and secure, even if it passes through potentially insecure networks.
In summary, encapsulating a connection in an SSH tunnel involves using the secure and encrypted capabilities of the SSH protocol to create a protected pathway for different types of data. This process enhances the security of communications, making it particularly valuable in scenarios where sensitive information needs to be transmitted over networks that may not be entirely trustworthy.
The client firewall must allow outgoing connections on TCP port 80 or TCP port 443 (WebSocket service).
Direction | Protocol | Port | Service | Description |
---|---|---|---|---|
Outgoing | TCP | 655 | TINC | For direct VPN connection (best VPN performance) |
Outgoing | TCP | 22 | SSH | For SSH tunneling |
Outgoing | TCP | 80 | HTTP | For WS Tunneling |
Outgoing | TCP | 443 | HTTPS | For WSS Tunneling |
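A client-side check of the fallback procedure and the port table above, as an added example rather than Weble VPN's own client logic: it tries the documented outgoing TCP ports in fallback order with a short timeout and reports which transport the client would end up using. The server name is a placeholder and the order of the three tunnel ports after 655 is an assumption (the page only fixes 655 as the first choice). A successful TCP connect proves that the client firewall allows the outgoing port; it does not prove that the expected service (tinc, sshd, or the web server for WS/WSS) answers on it.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Transport is one way the client can reach the server; ports are from the page's table.
type Transport struct {
	Name string
	Port int
}

// DefaultOrder: direct tinc port first, then the tunnel ports (order after 655 assumed).
var DefaultOrder = []Transport{
	{"direct (TINC)", 655},
	{"SSH tunnel", 22},
	{"WSS tunnel (HTTPS)", 443},
	{"WS tunnel (HTTP)", 80},
}

// ProbeResult records whether one outgoing port could be opened.
type ProbeResult struct {
	Transport Transport
	Reachable bool
	Err       error
}

// ProbeOrder tries every transport in order and keeps all results so the
// operator can see not only what works but which earlier choices are blocked.
func ProbeOrder(host string, order []Transport, timeout time.Duration) []ProbeResult {
	results := make([]ProbeResult, 0, len(order))
	for _, tr := range order {
		addr := net.JoinHostPort(host, fmt.Sprint(tr.Port))
		conn, err := net.DialTimeout("tcp", addr, timeout)
		if err == nil {
			conn.Close()
		}
		results = append(results, ProbeResult{Transport: tr, Reachable: err == nil, Err: err})
	}
	return results
}

// FirstReachable is the transport the client would select, or nil when every port is blocked.
func FirstReachable(results []ProbeResult) *Transport {
	for _, r := range results {
		if r.Reachable {
			tr := r.Transport
			return &tr
		}
	}
	return nil
}

func main() {
	host := "vpn.example.invalid" // placeholder: replace with your Weble VPN server
	results := ProbeOrder(host, DefaultOrder, 2*time.Second)
	for _, r := range results {
		fmt.Printf("%-20s TCP %-4d reachable=%v\n", r.Transport.Name, r.Transport.Port, r.Reachable)
	}
	if tr := FirstReachable(results); tr != nil {
		fmt.Println("client would use:", tr.Name)
	} else {
		fmt.Println("no required outgoing port is open; check the client firewall")
	}
}
```

Run it from the client network before rolling out the VPN; if only the tunnel ports succeed, the client will still connect but without the best performance the direct TINC port gives, which is worth knowing when diagnosing throughput complaints.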