jedisct1 / dsvpn

A Dead Simple VPN.
MIT License

how dsvpn works #77

Closed happyxgang closed 4 years ago

happyxgang commented 4 years ago

Thanks for sharing. I'm learning VPN technologies by reading your dsvpn code, but it's a little bit confusing for me to understand what dsvpn does and how it achieves its goals.

From the code, I see that the server and client create a tunnel and add iptables configurations to route traffic to each other. The client receives data from the tunnel and sends data to the server directly, and the server receives a new connection, reads data from the connection and writes it to the tunnel. But how does the client decide which IP is routed by the VPN, and how does the server send data to the actual destination?

jedisct1 commented 4 years ago

Your operating system has a routing table; a set of rules that say “in order to reach this network, packets should be sent to that gateway”.

By default the main rule is “by default, send everything to the router”.

A straightforward way to send everything to the VPN would be to change that rule to “by default, send everything to the VPN IP address”.

But then, we have a problem. The VPN server itself would not be accessible. Sending data to it requires going directly through the router.

So dsvpn essentially installs a rule that says “by default, send everything to the VPN IP address” as well as an additional rule “to reach the actual VPN server IP, go through the router IP”.

happyxgang commented 4 years ago

Really appreciate your reply. But is there an actual iptables rule for the additional rule ("to reach the actual VPN server IP, go through the router IP"), or is it just because we set up the client-server connection before the iptables rules?

From what I understand, a packet from the client to the internet will go through a process like this: business process --> iptables --> tun --> dsvpn client ------> dsvpn server --> tun --> iptables --> internet. And why is ip rule add table main suppress_prefixlength 0 needed on the client side?

jedisct1 commented 4 years ago

There is an explicit rule to reach the VPN server IP.

The most specific rule "wins", so if you have a default route as well as a rule for a single IP, that last rule will be applied when trying to reach that IP.

ip rule add table main suppress_prefixlength 0 prevents packets for your own local network from going through the VPN. It is not really necessary.

The Linux commands are horribly complicated, just because it is Linux. I'd recommend looking at the commands for other systems instead. They do the same thing but are easier to understand.
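The two explanations above (a default route into the tunnel plus a more specific host route for the VPN server via the physical router, and "the most specific rule wins") can be checked with a small longest-prefix-match simulation. This is an added example, not code from dsvpn or from anyone in this thread; the addresses, interface names and the `lookup`/`check_no_loop` helpers are all constructed for illustration, and it models only the route-selection step, not iptables or the tunnel itself.

```python
import ipaddress

# Constructed routing table modelled on the comment above: a default route
# pointing at the VPN tunnel, plus a /32 host route for the VPN server that
# still goes via the physical router. All addresses are placeholders.
ROUTER_IP = "192.168.1.1"        # assumed LAN gateway
VPN_SERVER_IP = "203.0.113.10"   # assumed VPN server (documentation range)
VPN_GATEWAY_IP = "10.8.0.1"      # assumed tunnel peer address

# Each entry is (destination prefix, next hop or None if directly connected, interface)
ROUTES = [
    ("0.0.0.0/0", VPN_GATEWAY_IP, "tun0"),       # "by default, send everything to the VPN"
    (VPN_SERVER_IP + "/32", ROUTER_IP, "eth0"),  # "to reach the VPN server, go through the router"
    ("192.168.1.0/24", None, "eth0"),            # directly connected LAN
]


def lookup(dst, routes=ROUTES):
    """Return (next_hop, iface) for dst using longest-prefix match.

    This is the rule the kernel applies: among all prefixes that contain the
    destination, the one with the longest prefix length is chosen, so a /32
    host route beats the /0 default route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def check_no_loop(routes=ROUTES):
    """Detect the failure mode described in the thread.

    If the VPN server's own address resolved to the tunnel interface, the
    encrypted packets carrying the tunnel would be sent into the tunnel
    itself and the VPN could never connect. Returns True when the server is
    reached over the physical interface instead.
    """
    _, iface = lookup(VPN_SERVER_IP, routes)
    return iface != "tun0"


if __name__ == "__main__":
    for dst in ("8.8.8.8", VPN_SERVER_IP, "192.168.1.50"):
        print(dst, "->", lookup(dst))
    print("VPN server reachable outside the tunnel:", check_no_loop())
    # Without the host route, the default route would swallow the server too:
    print("Loop with only a default route:", not check_no_loop(ROUTES[:1]))
```

Removing the `/32` entry from `ROUTES` reproduces the problem described above: every destination, the VPN server included, is then sent into `tun0`. The LAN entry plays the role of the `suppress_prefixlength 0` rule mentioned in the reply: a directly connected network keeps its own more specific route and is not pulled into the tunnel.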

happyxgang commented 4 years ago

Thanks for sharing, @jedisct1. Great work!