
Create VPN over TCP connection

I need to create a virtual IP network over a TCP connection. The host system is Linux; with the TUN/TAP kernel driver it's quite easy to receive and re-inject the IP packets of the virtual network.

The difficult part is transmitting the received IP packets to another host. For some non-technical reasons, I can only transmit the packets over TCP, not UDP. Transmitting IP packets over UDP is easy, but with TCP it becomes tricky, and here's the reason:

UDP doesn't support retransmission/reordering, just like IP. So, if one UDP packet is sent for every received virtual IP packet, the kernel TCP/IP stack would still see virtual IP packet loss/duplication/reordering (those are required for TCP/IP to work well; if those "features" are missing, the TCP connection speed on the virtual network would suffer). If IP packets are transmitted over TCP, all the required "features" will be missing, unless they are simulated somehow.

It seems I have to fake some kind of packet duplication/loss/reordering on the TCP connection, or patch the kernel TCP/IP stack. Neither option is easy.

Is there any other, simpler solution to my problem? Or did I just go in a completely wrong direction? I'm all ears.

==== UPDATE ====

I'm thinking about using a raw IP socket (which could easily get rid of all the TCP retransmission/reordering on the physical network while still using TCP packets) to transmit the received virtual-network IP packets. But on the receiving host, how can I receive only the packets I'm interested in and return all other IP packets to the kernel TCP/IP stack?
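Whatever one thinks of tunnelling over TCP, the mechanical part the question calls difficult (getting packets read from the TUN device across a byte stream intact) has a standard answer: TCP has no record boundaries, so the receiver must re-split the stream, and it can do so from the IP header itself, since IPv4 carries a Total Length and IPv6 a Payload Length. The following is an added example, not code from the question or any answer: the IPv4/IPv6 packets are constructed inline (with the IPv4 header checksum left at zero, since the framing never looks at it), a connected socket pair stands in for the real TCP connection, and the names IPStreamDecoder and tunnel_roundtrip are invented for this illustration.

```python
import socket
import struct


def build_ipv4(payload: bytes, src: str = "10.8.0.1", dst: str = "10.8.0.2") -> bytes:
    """Constructed sample IPv4 packet (protocol 17/UDP, no options).
    The header checksum is left at zero: the framing code below never
    inspects it, but a kernel would, so do not inject these into a TUN."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,        # version/IHL, DSCP, total length
                         0x1234, 0x4000,            # identification, DF flag + fragment offset
                         64, 17, 0,                 # TTL, protocol, header checksum (not computed)
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_ipv6(payload: bytes, src: str = "fd00::1", dst: str = "fd00::2") -> bytes:
    """Constructed sample IPv6 packet (next header 17/UDP, no extension headers)."""
    header = struct.pack("!IHBB16s16s",
                         0x60000000,                # version 6, traffic class 0, flow label 0
                         len(payload), 17, 64,      # payload length, next header, hop limit
                         socket.inet_pton(socket.AF_INET6, src),
                         socket.inet_pton(socket.AF_INET6, dst))
    return header + payload


class IPStreamDecoder:
    """Re-splits a byte stream into whole IP packets.

    TCP delivers an ordered byte stream with no record boundaries, so the
    receiver must find each packet's end itself.  Both IP versions put the
    length in the header (IPv4 Total Length; IPv6 Payload Length + 40), so no
    extra framing header is needed as long as the stream never desynchronises.
    If it does, the only safe recovery is to drop the connection, hence the
    ValueError instead of any attempt to resynchronise.
    """

    def __init__(self) -> None:
        self.buf = bytearray()

    def pending(self) -> int:
        return len(self.buf)

    def _next_len(self):
        """Length of the packet at the head of the buffer, or None if the
        header bytes holding the length have not arrived yet."""
        if not self.buf:
            return None
        version = self.buf[0] >> 4
        if version == 4:
            if len(self.buf) < 4:
                return None
            n = struct.unpack_from("!H", self.buf, 2)[0]
            if n < 20:
                raise ValueError("IPv4 total length < 20: stream is desynchronised")
            return n
        if version == 6:
            if len(self.buf) < 6:
                return None
            return 40 + struct.unpack_from("!H", self.buf, 4)[0]
        raise ValueError("byte 0x%02x is not an IP version nibble: stream is desynchronised"
                         % self.buf[0])

    def feed(self, data: bytes) -> list:
        """Append received bytes and return every complete packet now available."""
        self.buf += data
        packets = []
        while True:
            n = self._next_len()
            if n is None or len(self.buf) < n:
                return packets
            packets.append(bytes(self.buf[:n]))
            del self.buf[:n]


def tunnel_roundtrip(packets, chunk: int = 7):
    """Send packets as one concatenated stream and reassemble them on the other
    end, reading in small chunks.  A connected socket pair stands in for the
    real TCP connection: the sender coalesces writes as TCP may, and the
    receiver sees arbitrary split points as TCP may deliver them."""
    sender, receiver = socket.socketpair()
    with sender, receiver:
        sender.sendall(b"".join(packets))
        sender.shutdown(socket.SHUT_WR)        # EOF so the reader loop ends
        decoder = IPStreamDecoder()
        received = []
        while True:
            data = receiver.recv(chunk)
            if not data:
                break
            received.extend(decoder.feed(data))
        if decoder.pending():
            raise ValueError("peer closed the stream in the middle of a packet")
    return received


if __name__ == "__main__":
    sample = [build_ipv4(b"hello"), build_ipv6(b"x" * 50), build_ipv4(b"")]
    assert tunnel_roundtrip(sample) == sample
    print("reassembled %d packets intact" % len(sample))
```

On a real TCP socket the sender should set TCP_NODELAY (`sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)`) so that each small packet is written out promptly rather than held back by Nagle's algorithm, and each reassembled packet is written straight to the TUN file descriptor. Note what this does and does not do: it keeps the tunnelled packets intact, but it leaves the inner TCP sessions sitting on top of the outer TCP session, which is exactly the interaction the answer below warns about.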

First of all, you do not want to make a VPN over TCP, because you would end up with TCP-over-TCP eventually. The main issue is that the timers of your inner TCP and outer TCP might differ significantly, which negatively impacts your TCP session reliability. You can find a slightly longer explanation here.

UDP doesn't support retransmission/reordering, just like IP. So, if one UDP packet is sent for every received virtual IP packet, the kernel TCP/IP stack would still see virtual IP packet loss/duplication/reordering (those are required for TCP/IP to work well; if those "features" are missing, the TCP connection speed on the virtual network would suffer). If IP packets are transmitted over TCP, all the required "features" will be missing, unless they are simulated somehow.

This does not make sense: if your outer layer uses TCP as a transport mechanism, nothing stops your inner layer from still using the full IP/TCP stack, including those features. They can conflict badly, like I said, but it's not that this functionality disappears or breaks completely.

It seems like you actually want to use TCP just to have the headers and ignore the actual protocol; this would indeed avoid the issues with TCP over TCP. However, once again, this is a very bad idea. Flow processing for firewalls, NAT, DPI and TCP boosters is becoming more and more common; if you fake TCP packets you might end up stressing those boxes, possibly deteriorating your own connection once again.

So you should ask yourself why you can't use UDP, and whether an alternative protocol (header) such as GRE or L2TP would be acceptable.
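To make the GRE alternative mentioned in the answer concrete: GRE (IP protocol 47, RFC 2784) prepends a four-byte header to the inner IP packet, optionally followed by a checksum, a key and a sequence number (RFC 2890), and has no retransmission of its own, so it cannot cause the TCP-over-TCP interaction described above. The following is an added example, not code from the answer or from any tunnelling project: it builds and parses the GRE header according to those RFCs, the inner IPv4 packet is constructed inline with a valid header checksum, and the names gre_encapsulate, gre_decapsulate and is_valid_gre are invented for this illustration.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
GRE_IP_PROTOCOL = 47          # protocol number of the outer IP header

# First 16 bits of the GRE header (RFC 2784 plus the RFC 2890 key/sequence bits).
GRE_C = 0x8000                # checksum present
GRE_K = 0x2000                # key present (RFC 2890)
GRE_S = 0x1000                # sequence number present (RFC 2890)
GRE_MUST_DISCARD = 0x4C00     # RFC 1701 routing / strict-route / recursion bits: discard if set
GRE_VERSION_MASK = 0x0007     # must be 0 for GRE (version 1 is PPTP's enhanced GRE)


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, shared by the IPv4 header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, src: str = "10.8.0.1", dst: str = "10.8.0.2") -> bytes:
    """Constructed inner packet (protocol 17/UDP) with a valid header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, 17, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ones_complement_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def ethertype_of(packet: bytes) -> int:
    version = packet[0] >> 4 if packet else 0
    if version == 4:
        return ETHERTYPE_IPV4
    if version == 6:
        return ETHERTYPE_IPV6
    raise ValueError("payload is not an IP packet")


def gre_encapsulate(packet: bytes, with_checksum: bool = False) -> bytes:
    """Prepend a GRE header; the result is the payload of an outer IP packet with protocol 47."""
    proto = ethertype_of(packet)
    if not with_checksum:
        return struct.pack("!HH", 0, proto) + packet
    # The checksum covers the whole GRE header and payload, computed with the field zeroed.
    unsummed = struct.pack("!HHHH", GRE_C, proto, 0, 0) + packet
    csum = ones_complement_checksum(unsummed)
    return struct.pack("!HHHH", GRE_C, proto, csum, 0) + packet


def gre_decapsulate(frame: bytes):
    """Validate and strip a GRE header. Returns (ethertype, key, seq, payload);
    key and seq are None when absent. Raises ValueError on anything a tunnel
    endpoint must not accept."""
    if len(frame) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", frame, 0)
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags & GRE_MUST_DISCARD:
        raise ValueError("RFC 1701 routing bits set")
    header_len = 4 + 4 * bool(flags & GRE_C) + 4 * bool(flags & GRE_K) + 4 * bool(flags & GRE_S)
    if len(frame) <= header_len:
        raise ValueError("truncated GRE optional fields or empty payload")
    pos, key, seq = 4, None, None
    if flags & GRE_C:
        # Summing the whole frame, checksum field included, must give zero.
        if ones_complement_checksum(frame) != 0:
            raise ValueError("bad GRE checksum")
        pos += 4                                    # checksum + Reserved1
    if flags & GRE_K:
        key = struct.unpack_from("!I", frame, pos)[0]
        pos += 4
    if flags & GRE_S:
        seq = struct.unpack_from("!I", frame, pos)[0]
        pos += 4
    payload = frame[pos:]
    if ethertype_of(payload) != proto:
        raise ValueError("protocol type does not match payload")
    return proto, key, seq, payload


def is_valid_gre(frame: bytes) -> bool:
    try:
        gre_decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = build_ipv4(b"constructed payload")
    frame = gre_encapsulate(inner, with_checksum=True)
    print("GRE header:", frame[:8].hex(), "round-trip ok:", gre_decapsulate(frame)[3] == inner)
```

Two caveats a practitioner will want. First, GRE gives no confidentiality or authentication at all; the checksum only catches corruption, so anything sensitive still needs IPsec or another authenticated, encrypted layer over it. Second, because GRE is neither TCP nor UDP, it crosses NAT and stateful firewalls poorly, which is the same middlebox concern the answer raises about faked TCP; where that matters, UDP encapsulation is the more practical of the two alternatives. On Linux you normally would not write this code at all: `ip tunnel add gre0 mode gre remote <peer> local <self>` creates a kernel GRE interface and the TUN device is no longer needed.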
