This document proposes a VPN system with user authentication and bandwidth control. It discusses using OpenVPN with PAM authentication against a MySQL database for user verification. Bandwidth usage would be logged on connect/disconnect and users could be locked out if exceeding limits. The system would have a distributed structure with a control panel for management. It aims to provide secure remote access while allowing access control and throttling bandwidth.
1. OpenSalon Conference 2
A VPN System with User Authentication and Bandwidth Control
董淑照
Dong Shuzhao
Harbin Institute of Technology at Weihai
dongshuzhao@gmail.com
Oct. 9, 2010
4. What is VPN?
A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network.
5. What is VPN?
An IP tunnel between hosts or routers that extends the reach of a subnet.
The tunnel may be encrypted.
Tunnel creation may require an authentication process.
Traffic may be subject to accounting, logging and firewalling.
6. Use of VPN
Remote intranet access
For companies, schools
Data encryption
Public networks, Wi-Fi
Access control within intranet
Network authentication
27. User Authentication
saslauthd
pam-mysql
/etc/pam.d/openvpn
DB Fields: username, password, active
OpenVPN
PAM plugin
PPTP VPN
pppd-sql
http://freshmeat.net/projects/pppd-sql
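The OpenVPN to PAM to pam_mysql wiring this slide lists, as an added example that is not part of the original deck: a POSIX shell script that writes /etc/pam.d/openvpn, the OpenVPN server directives and a users table matching the slide's username, password and active fields. Everything beyond those three field names is an assumption: the table name, the MySQL account, the plugin path (Debian's /usr/lib/openvpn/openvpn-plugin-auth-pam.so; other distributions put it elsewhere), and the choice to store crypt(3) hashes (pam_mysql crypt=1) instead of plain-text passwords. The where=active=1 clause is what turns the active flag into an enforced lock at login time.

```shell
#!/bin/sh
# Added example (not from the slides): generates the pieces that wire
# OpenVPN -> PAM -> pam_mysql. Paths, table and column names are assumptions.
# Usage: sh setup-auth.sh /           (writes the real files; run as root)
#        sh setup-auth.sh /tmp/stage  (dry run into a staging tree)
set -eu

# Assumed MySQL account used by pam_mysql; SELECT on the users table is enough.
DB_USER="${DB_USER:-openvpn_auth}"
DB_PASS="${DB_PASS:-change-me}"
DB_NAME="${DB_NAME:-openvpn}"

# Table layout assumed for the slide's "username, password, active" fields.
# Passwords are stored as crypt(3) hashes, never as plain text.
users_schema() {
    cat <<'SQL'
CREATE TABLE IF NOT EXISTS users (
  username VARCHAR(64)  NOT NULL PRIMARY KEY,
  password VARCHAR(128) NOT NULL,           -- crypt(3) hash, e.g. $6$... (SHA-512)
  active   TINYINT(1)   NOT NULL DEFAULT 1  -- 0 = locked (quota exceeded / expired)
);
SQL
}

# /etc/pam.d/openvpn: both the auth and the account phase go to pam_mysql.
# crypt=1 makes pam_mysql compare with crypt(3); where=active=1 makes a locked
# row fail authentication without deleting the account.
pam_service() {
    opts="user=$DB_USER passwd=$DB_PASS host=localhost db=$DB_NAME table=users"
    opts="$opts usercolumn=username passwdcolumn=password where=active=1 crypt=1"
    printf 'auth    required pam_mysql.so %s\n' "$opts"
    printf 'account required pam_mysql.so %s\n' "$opts"
}

# Server-side OpenVPN directives: keep client certificates AND require a
# username/password through the PAM plugin. The plugin argument ("openvpn")
# is the PAM service name, i.e. the file name under /etc/pam.d/.
# Clients need "auth-user-pass" in their own config.
openvpn_auth_fragment() {
    cat <<'CONF'
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
CONF
}

# Produce a crypt(3) SHA-512 hash for a new user's password column.
# "openssl passwd -6" needs OpenSSL 1.1.1 or later.
hash_password() {
    openssl passwd -6 "$1"
}

main() {
    root="$1"
    mkdir -p "$root/etc/pam.d" "$root/etc/openvpn"
    pam_service > "$root/etc/pam.d/openvpn"
    chmod 600 "$root/etc/pam.d/openvpn"   # the DB password is inside
    openvpn_auth_fragment > "$root/etc/openvpn/auth-pam.conf"
    users_schema > "$root/etc/openvpn/users-schema.sql"
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

Keep the client certificates in place: the PAM password is a second factor on top of the certificate, not a replacement for it. The auth-pam plugin runs its PAM calls in a privileged helper process, so the main daemon can still drop privileges with the user and group directives.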
28. Logging
Script hook
connect.sh
Create a new record with begin time, IP, port, etc.
disconnect.sh
Fill in the previous record with end time, bandwidth usage, etc.
29. Bandwidth Control
disconnect.sh
Check the log and set active to 0 if the bandwidth limit is exceeded
Lock expired users
cron
/etc/cron.hourly/openvpn
Unlock users whose bandwidth quota has rolled over into a new period
Lock expired users
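The connect.sh and disconnect.sh hooks from the Logging slide and the lock/unlock logic of this slide, as an added example that is not the deck's own scripts: one POSIX shell file that serves as OpenVPN's client-connect and client-disconnect script and as the hourly cron job, building SQL and piping it to the mysql client. Assumptions beyond the slides: a users table with extra quota_bytes and expires columns, a sessions table for the per-connection log, a quota that resets on the first of each month, the file paths, and the mysql option file holding the credentials. The username OpenVPN hands to these hooks is whatever the client typed at login, so the script whitelists its characters before it ever reaches a query.

```shell
#!/bin/sh
# Added example, not the scripts from the slides: one hook file that serves as
# OpenVPN's client-connect and client-disconnect script and as the hourly cron
# job. It builds SQL for two assumed tables and pipes it to the mysql client:
#   users(username, password, active, quota_bytes, expires)
#   sessions(id, username, ip, port, begin_time, end_time, bytes_in, bytes_out)
# Assumed server.conf lines:
#   script-security 2
#   client-connect    "/etc/openvpn/hooks.sh connect"
#   client-disconnect "/etc/openvpn/hooks.sh disconnect"
# Assumed /etc/cron.hourly/openvpn:  exec /etc/openvpn/hooks.sh hourly
set -eu

# Assumed DB client invocation; credentials live in a 0600 option file.
MYSQL="${MYSQL:-mysql --defaults-file=/etc/openvpn/db.cnf openvpn}"

# The username arrives from the VPN client via the environment (auth-user-pass),
# so it is attacker-controlled; whitelist its characters before it goes near SQL.
safe_name() {
    case "$1" in
        ""|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    printf '%s' "$1"
}

# Byte counters, ports and timestamps must be plain decimal integers.
is_uint() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
}

# connect: open a session row. OpenVPN exports trusted_ip, trusted_port and
# time_unix before running client-connect.
sql_connect() {   # name ip port unix_time
    u=$(safe_name "$1") || return 1
    is_uint "$3" && is_uint "$4" || return 1
    printf "INSERT INTO sessions (username, ip, port, begin_time) VALUES ('%s', '%s', %d, FROM_UNIXTIME(%d));\n" \
        "$u" "$2" "$3" "$4"
}

# disconnect: fill in the newest open row, then lock the account if this
# month's traffic is over quota or the account has expired. OpenVPN exports
# bytes_received and bytes_sent only for client-disconnect.
sql_disconnect() {   # name bytes_received bytes_sent
    u=$(safe_name "$1") || return 1
    is_uint "$2" && is_uint "$3" || return 1
    cat <<SQL
UPDATE sessions SET end_time = NOW(), bytes_in = $2, bytes_out = $3
  WHERE username = '$u' AND end_time IS NULL ORDER BY begin_time DESC LIMIT 1;
UPDATE users SET active = 0 WHERE username = '$u'
  AND (expires < NOW() OR quota_bytes <= (
        SELECT COALESCE(SUM(bytes_in + bytes_out), 0) FROM sessions
        WHERE username = '$u' AND begin_time >= DATE_FORMAT(NOW(), '%Y-%m-01')));
SQL
}

# hourly (cron): lock accounts that expired, and re-enable accounts whose
# monthly counter has rolled over and that are not expired.
sql_hourly() {
    cat <<'SQL'
UPDATE users SET active = 0 WHERE expires IS NOT NULL AND expires < NOW();
UPDATE users u SET active = 1
  WHERE (expires IS NULL OR expires >= NOW()) AND quota_bytes > (
        SELECT COALESCE(SUM(s.bytes_in + s.bytes_out), 0) FROM sessions s
        WHERE s.username = u.username AND s.begin_time >= DATE_FORMAT(NOW(), '%Y-%m-01'));
SQL
}

# Build the statement first and only then talk to the DB, so a rejected
# username exits non-zero and OpenVPN refuses the connection (fail closed).
run() {
    sql=$("$@") || { echo "hooks.sh: refused: $*" >&2; return 1; }
    printf '%s\n' "$sql" | $MYSQL
}

case "${1:-}" in
    connect)    run sql_connect "${username:-$common_name}" "$trusted_ip" "$trusted_port" "$time_unix" ;;
    disconnect) run sql_disconnect "${username:-$common_name}" "$bytes_received" "$bytes_sent" ;;
    hourly)     run sql_hourly ;;
esac
```

Two points follow from the design. A non-zero exit from client-connect makes OpenVPN drop the connection, so a failed accounting insert denies access instead of silently admitting an unmetered session. And because active is the only flag on the users row, the hourly unlock would also re-enable an account an administrator disabled by hand; a separate column for manual locks (an assumption, not on the slides) keeps the two cases apart.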
31. Mailing System
DNS MX Record
Sendmail (or Exim, Qmail...)
Sending in Shell
login alerts, bandwidth alerts, expiration alerts
Sending in PHP
password alerts, invitations, password reset
mail() function in PHP
32. Further Improvements
P2P Prevention
Kernel modules
Real-time User Management
Killing an online user
Disconnect immediately when the bandwidth quota runs out
Billing System
Paypal Interface
Alipay Interface