Network Diagram
The TUN0 interfaces have been configured on both the VPN client and the VPN server, with IP addresses 192.168.53.99 and 192.168.53.2 respectively.
Assuming host A’s VPN client is mutually authenticated with the VPN server using the TLS protocol:
- A VPN-bound packet (a packet destined for the private network) goes to the TUN0 interface first and is then sent out through the eth0 interface. There is an SSL tunnel between Host A's eth0 interface and the VPN server's ens33 interface, so any data passed through it is encrypted: the IP packet shown in Table 1 is encrypted, then encapsulated in a packet carrying the eth0 interface's IP address, as shown in Table 2.
At the TUN0 interface of Host A (VPN client)

Source IP | Destination IP | Payload
---|---|---
192.168.53.99 (Host A, TUN0) | 192.168.1.120 (Host B, eth0) | Data

Table 1: IP packet at the TUN0 interface
At the eth0 interface of Host A

Outer Source IP | Outer Destination IP | Inner Source IP | Inner Destination IP | Payload
---|---|---|---|---
172.16.186.134 (Host A, eth0) | 172.16.186.132 (VPN server, ens33) | 192.168.53.99 (Host A, TUN0) | 192.168.1.120 (Host B, eth0) | Data

Table 2: IP packet at the eth0 interface
- Since an SSL tunnel exists between the VPN client and the VPN server, the packet is routed to the ens33 interface of the VPN server.
- At the VPN server, since the packet is a VPN bound packet, it is given to the TUN0 interface of the VPN server for decapsulation and decryption.
- After the TUN0 interface finishes the decapsulation and decryption process, it forwards the packet to the ens37 interface (private network).
- Finally, it is routed to the destination using the destination IP information in the packet.
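To make Tables 1 and 2 concrete, here is an added example (not part of the lab write-up or of its VPN software) that builds the Table 1 ICMP packet as bytes, wraps it into the Table 2 outer packet the way the VPN client does, and unwraps it again as the VPN server would. The TLS record layer is replaced by a labelled marker, an assumption made so the round trip runs without keys.

```python
import socket
import struct

# Addresses taken from Table 1 and Table 2.
HOST_A_TUN0, HOST_B_ETH0 = "192.168.53.99", "192.168.1.120"
HOST_A_ETH0, SERVER_ENS33 = "172.16.186.134", "172.16.186.132"
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP header checksums."""
    data = data + b"\x00" if len(data) % 2 else data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, no options) followed by the payload."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the tables show and verify the header checksum."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:total_len]}

def icmp_echo_request(data: bytes = b"ping") -> bytes:
    """ICMP type 8 echo request (id 1, seq 1) with a valid checksum."""
    msg = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]

# Stand-in for the TLS record layer (assumption, not the lab's code): the real client
# writes the inner packet into the TLS socket, which encrypts it. A fixed marker is
# used here so the round trip can be followed without keys; it provides no secrecy.
TLS_MARKER = b"TLS-RECORD:"

def encapsulate(inner: bytes) -> bytes:
    """Host A's VPN client: TUN0 packet -> protected payload -> outer packet on eth0."""
    return ipv4_packet(HOST_A_ETH0, SERVER_ENS33, IPPROTO_TCP, TLS_MARKER + inner)

def decapsulate(outer: bytes) -> bytes:
    """VPN server side: strip the outer header and recover the inner TUN0 packet."""
    body = parse_ipv4(outer)["payload"]
    if not body.startswith(TLS_MARKER):
        raise ValueError("not a tunnel payload")
    return body[len(TLS_MARKER):]

inner_pkt = ipv4_packet(HOST_A_TUN0, HOST_B_ETH0, IPPROTO_ICMP, icmp_echo_request())  # Table 1
outer_pkt = encapsulate(inner_pkt)                                                     # Table 2
```

Parsing `inner_pkt` yields the Table 1 addresses and `outer_pkt` the Table 2 ones, and `decapsulate(outer_pkt)` returns the original inner packet byte for byte.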
Under the normal scenario, i.e., without the VPN tunnel, a host outside the LAN cannot connect to hosts inside the private network (LAN). But if the host runs a VPN client that is authorized and authenticated (using a password) by the VPN server, it can connect to hosts inside the LAN.
Connection to the private network without using a VPN client
Figure: ICMP packets from host A to host B (unsuccessful)
Since virtual machines are used for this lab, packet filtering takes place on the host in the private network (think of it as a host-based firewall). So, the firewall rules are:
Connection to the private network using a VPN client
- The VPN client and VPN server are mutually authenticated using a shared password.
Figure: Authentication password for VPN client
Figure: Authentication password for VPN server
By entering the correct shared password, the VPN client and server authenticate each other and create an SSL/TLS socket to encrypt their communication.
Figure: TLS handshake
- Connection to the private network after authentication
Figure: ICMP packets from host A to host B (successful)
Let's use Wireshark to capture the ICMP packet at each interface it crosses before it reaches the destination.
At the TUN0 interface of host A
Figure: Wireshark packet capture at TUN0 interface of host A
At the ens33 interface of host A
Figure: Wireshark packet capture at ens33 interface of host A
At the ens33 interface of the VPN server
Figure: Wireshark packet capture at ens33 interface of the VPN server
At the ens37 interface of the VPN server (gateway for the LAN)
Figure: Wireshark packet capture at ens37 interface of the VPN server