VPN, a term that is often not well understood, means accessing a remote network as if it were local. A VPN is achieved using a tunnelling technique, which consists of carrying one protocol inside another. There are several ways to build a tunnel:
- IP over IP, as in the good old days,
- Through another protocol such as GRE, as PPTP does,
- Using a Layer-4 protocol such as TCP or UDP, as OpenVPN does,
- Inside a Layer-5 protocol such as DNS, as Iodine does, or
- Using a Layer-7 protocol such as HTTP.
Security is an add-on that has become de facto in VPN implementations, but that does not mean it is part of the concept.
In this article, we are going to talk about the OpenVPN and Iodine (DNS) approaches.
Among its VPN servers, OKay offers OpenVPN tunnelling. OpenVPN has proven to be an excellent option and is almost the default choice when discussing VPNs.
The following diagram shows the basic use of an OpenVPN VPN. One or more users connect to the OpenVPN server. By default, OpenVPN's well-known port is 1194/udp; however, some networks block it. OpenVPN allows changing the port, for example to one that a firewall without deep packet inspection cannot block, such as 53/udp, 443/tcp, or 80/tcp.
The web servers do not see the VPN users' original IP address; they see the VPN server's IP.
OpenVPN servers are very versatile; depending on your needs, you can do any of the following:
- Use a single username and password for access (OKay's default configuration)
- Use a self-managed CA to authenticate through certificates
- Access via OSI Layer-2 (tap interface) (OKay's default configuration)
- Access via OSI Layer-3 (tun interface)
- Route only specific networks through the tunnel when connecting (OKay's default configuration)
- Route all traffic through the tunnel
DNS tunnelling is another technique that OKay's VPN servers are ready to work with. Its complexity makes it harder to block, but also harder to configure: users need more technical knowledge to make it work, and the software is not available on all platforms. This technique also requires a domain name (or subdomain).
DNS tunnelling uses the user's local DNS server as a mule. By sending legitimate-looking DNS requests, the user's device makes the local DNS server go out to the Internet and reach the DNS tunnelling server. The DNS tunnelling server then reaches a public web server and fetches the information on behalf of the user. Finally, the DNS tunnelling server returns the information to the local DNS server in the form of a DNS answer, which is forwarded to the user's device.
Why is this technique difficult to block? Without going into too many technical details: for starters, DNS is one of the oldest protocols on the Internet and lacks security by design, so if a legitimate DNS query arrives, it must be answered. Second, this technique uses a trusted server as a mule: the user's device never tries to reach the Internet on its own; instead, it goes through the DNS server, whose Internet access is almost impossible to block (unless everybody works offline).
However, there is a drawback: DNS tunnelling is slow compared with other techniques. A TCP packet is usually 1500 bytes long, whereas a UDP packet (DNS uses UDP) is usually 512 bytes long. So a TCP packet must be fragmented and sent in three DNS requests, which makes it far slower.
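As an added example (not part of the original article or of OKay's software), here is the detection side of the technique just described: a small Python scorer over constructed resolver query-log lines that flags the indicators a DNS tunnel leaves behind, namely long high-entropy labels, one client asking many never-repeated names under a single zone, and the NULL record type. The log format, the thresholds and the names are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query-log lines (BIND-like shape); not real traffic. Client
# 10.0.0.7 asks never-repeated, high-entropy names under one zone, the pattern an
# iodine-style DNS tunnel produces; the other clients make ordinary lookups.
SAMPLE_LOG = """\
client 10.0.0.5 query: www.example.com IN A
client 10.0.0.5 query: example.com IN TXT
client 10.0.0.7 query: k7fqz2mxb4hn5tcw3vgpa6drsejulyio.t.example.net IN NULL
client 10.0.0.7 query: 2ujx7pmdsq4laev5tzgrh3bncwkfyio6.t.example.net IN NULL
client 10.0.0.7 query: wy5rcjl3npb7ekqa2fzsgv6hdt4xmoui.t.example.net IN NULL
client 10.0.0.9 query: cdn.example.com IN A
"""

LINE_RE = re.compile(r"client (\S+) query: (\S+) IN ([A-Z]+)")
MAX_LABEL_LEN = 30     # assumed threshold; the protocol limit is 63 bytes per label
MIN_ENTROPY = 3.5      # assumed threshold in bits/char; encoded data scores near 5
MIN_UNIQUE_SUBS = 3    # assumed threshold: distinct names one client asks in one zone

def shannon_entropy(s: str) -> float:
    """Bits per character; base32-encoded payloads are far above plain hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname: str):
    """(zone, subdomain); assumes the zone is the last two labels (no PSL lookup)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyse(log_text: str) -> dict:
    """Return {zone: sorted indicator names} for zones that show tunnelling signs."""
    per_client = defaultdict(set)  # (zone, client) -> distinct subdomains queried
    reasons = defaultdict(set)     # zone -> indicators seen
    for m in LINE_RE.finditer(log_text):
        client, qname, rtype = m.groups()
        zone, sub = split_name(qname)
        per_client[(zone, client)].add(sub)
        if any(len(label) > MAX_LABEL_LEN for label in sub.split(".")):
            reasons[zone].add("long_label")
        if shannon_entropy(sub.replace(".", "")) > MIN_ENTROPY:
            reasons[zone].add("high_entropy")
        if rtype == "NULL":  # iodine's default record type; rare in normal traffic
            reasons[zone].add("null_rtype")
    for (zone, _client), subs in per_client.items():
        if len(subs) >= MIN_UNIQUE_SUBS:  # one client, many never-repeated names
            reasons[zone].add("many_unique_subdomains")
    return {zone: sorted(r) for zone, r in reasons.items()}
```

On real resolver logs the thresholds need tuning per network, and the two-label zone heuristic should be replaced by a public-suffix lookup so that names under shared hosting zones are not grouped together.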