This document proposes a VPN system with user authentication and bandwidth control. It discusses using OpenVPN with PAM authentication against a MySQL database for user verification. Bandwidth usage would be logged on connect/disconnect and users could be locked out if exceeding limits. The system would have a distributed structure with a control panel for management. It aims to provide secure remote access while allowing access control and throttling bandwidth.

1. OpenSalon
Conference 2
A VPN System
with User Authentication
and Bandwidth Control
董淑照
Dong Shuzhao
Harbin Institute of Technology at Weihai
dongshuzhao@gmail.com
Oct. 9, 2010

2. Introduction to VPN

3. What is VPN?

4. What is VPN?
 A virtual private
network (VPN) is a
computer network
that uses a public
telecommunication
infrastructure such as
the Internet to provide
remote offices or
individual users with
secure access to their
organization's
network.

5. What is VPN?
 An IP tunnel between hosts or routers to extend
the reach of a subnet.
 The tunnel may be encrypted.
 Tunnel creation may need authentication process.
 Traffic may be subject to accounting, logging and
firewalling.

6. Use of VPN
 Remote intranet access
 For companies, schools
 Data encryption
 Public networks, Wi-fi
 Access control within intranet
 Network authentication

7. VPN Solutions
 PPTP
 Point-to-Point Tunneling Protocol
 Security vulnerabilities
 L2TP
 Layer 2 Tunneling Protocol
 Improvement of PPTP
 SSL VPN
 OpenVPN
 Totally application layer protocol

8. Principles of GFW

9. Principles of GFW
 IP Block
 DNS Tampering
 DNS Pollution
 Content Filtering
 ...

10. IP Block
twitter.com 128.242.240.20

11. IP Block
 Weakness
 Change of IP address
 Dynamic IP
 Solution
 Change a secure DNS server
 Modify 'hosts' file

12. DNS Tampering

13. DNS Tampering
 Weakness
 Only control of DNS servers in Chinese mainland
 Solution
 Change to a foreign DNS server

14. DNS Pollution

15. DNS Pollution

16. DNS Pollution
 Weakness
 ?
 Solution
 ?

17. Content Filtering

18. Content Filtering
 Weakness
 ?
 Solution
 ?

19. VPN & GFW

20. VPN & GFW

21. VPN with Routing Table

22. VPN with Routing Table
 chnroutes
 http://code.google.com/p/chnroutes/
 Distinguishing lines
 Chinese (mainland) IPs: original route
 Foreign Ips: via VPN

23. Implementation of
VPN System

24. System Overview

25. Distributed Structure

26. Database Schema

27. User Authentication
 saslauthd
 pam-mysql
 /etc/pam.d/openvpn
 DB Fields: username, password, active
 OpenVPN
 PAM plugin
 PPTP VPN
 pppd-sql
 http://freshmeat.net/projects/pppd-sql

28. Logging
 Script hook
 connect.sh
 Create a new record with begin time, ip, port, etc.
 disconnect.sh
 Fill back previous record with end time,
bandwidth usage, etc.

29. Bandwidth Control
 disconnect.sh
 Check log and set active to 0 if bandwidth limit
exceeded
 Lock expired users
 cron
 /etc/cron.hourly/openvpn
 Unlock users whose bandwidth roll back
 Lock expired users

30. VPN Control Panel
 PHP
 jQuery
 flexigrid

31. Mailing System
 DNS MX Record
 Sendmail (or Exim, Qmail...)
 Sending in Shell
 login alerts, bandwidth alerts, expiration alerts
 Sending in PHP
 password alerts, invitations, password reset
 mail() function in PHP

32. Further Improvements
 P2P Prevention
 Kernel modules
 Real-time User Management
 Killing an online user
 Disconnect immediately after bandwidth run out
 Billing System
 Paypal Interface
 Alipay Interface

33. THE END