DOCSLIB.ORG

Performance Comparison of VPN Solutions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Performance Comparison of VPN Solutions View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Publikationsserver der Universität Tübingen Performance Comparison of VPN Solutions Lukas Osswald, Marco Haeberle, and Michael Menth University of Tuebingen, Chair of Communication Networks, Tuebingen, Germany Email: [email protected], fmarco.haeberle,[email protected], I. INTRODUCTION Overlay network 192.168.0.1 192.168.0.2 Virtual Private Networks (VPN) is the state-of-the-art method to build secure connections between remote hosts over public networks. In times of high-speed connections to the 10.0.0.2 10.0.1.2 internet, a need for personal information security and business cases, like cloud computing, high data throughput and a stable connection are increasingly important. Virtual server 1 Virtual server 2 OpenVPN [9] is an open source VPN solution which can be Figure 1. Testbed setup. deployed on a wide range of platforms, including common op- erating systems and public cloud platforms. For cryptography, OpenVPN relies on OpenSSL which enables TLS support. Both virtual hosts are running Ubuntu 18.04 with Linux IPsec is a protocol suite consisting of two protocols (Encapsu- kernel 5.3.5. Unfortunately for us, WireGuard will be upstream lated Security Payload, Authentication Header) and two modes only starting with kernel 5.6, thus we use the kernel module (Tunnel, Transport). Depending on configuration, IPsec offers with version 0.0.20190913 [5]. For configuring IPsec, we use confidentiality and authenticity [2]. WireGuard [6] describes strongSwan in version 5.6.2. OpenVPN is used in version itself as a modern, fast, and secure VPN tunnel because 2.4.7. The network cards, Intel X710 with 10 Gb/s, are passed it uses modern cryptographic algorithms and implements a through directly to the virtual hosts. The host system is new cryptographic API called Zinc. The developer puts big equipped with an Intel(R) Xeon(R) Gold 6134 CPU @ 3.20 emphasis on minimalism which manifests in its small code GHz, the virtual machines use 4 cores and 16 GB RAM. Our base, easy configuration, lack of a key distribution mechanism, tool set consists of nuttcp 8.1.4 for measuring throughput, and a fixed cipher suite. It is frequently covered by media [8] ping for measuring ping time and mpstat 11.6.1 for measuring because of its upcoming merge into Linux Kernel 5.6 and its detailed CPU utilization. performance claims [7]. Benchmarks of VPN solutions have been discussed in related work, but the data is quite old or uses other se- tups [1][4][3]. Furthermore, we noticed that the benchmarks from the WireGuard whitepaper seem unrealistic, even if we III. RESULTS AND DISCUSSION take protocol overhead into account [7]. In this work, we have decided to conduct VPN benchmarks ourselves. In the following paragraphs we describe our setup and look at three We test the VPN systems in different configurations. For heavily used VPN solutions: OpenVPN, IPsec and WireGuard. IPsec, we test all combinations of protocols and modes as well as various cryptographic algorithms. We also collect data which shows that route-based IPsec processing is equal to the policy-based processing in terms of throughput. For Open- VPN, we use the same cipher suites except for ChaCha20- II. TEST SETUP Poly1305 because it is not supported in the currently available version of OpenVPN. Furthermore, we test several methods to increase throughput as suggested by OpenVPN [10]. Wire- The testbed is shown in Figure 1. It consists of two virtual Guard only offers one cipher suite for configuration, thus there hosts which are connected directly via a 10 Gb/s link. They is only one test case. For AES-based encryption, we also have are configured to be in different subnets. We measure network a look at the performance gain from hardware acceleration throughput, ping time, and retransmission count of TCP traffic through AES-NI. At last, we look at the effect of CPU pinning with and without CPU pinning. on network throughput. IPsec/AES-128_AES-NI_TRN_PB 3776.9096 IPsec/AES-128_AES-NI_TRN_PB 3440.5988 IPsec/AES-128_AES-NI_TUN_PB 3716.5202 IPsec/AES-128_AES-NI_TUN_PB 3352.1761 IPsec/AES-128_TRN_PB 1261.9964 IPsec/AES-128_TRN_PB 1089.1608 IPsec/AES-128_TUN_PB 1215.3741 IPsec/AES-128_TUN_PB 1062.7542 IPsec/AES-256_AES-NI_TRN_PB 3659.4616 IPsec/AES-256_AES-NI_TRN_PB 3337.5392 IPsec/AES-256_AES-NI_TUN_PB 3597.1829 IPsec/AES-256_AES-NI_TUN_PB 3172.7567 IPsec/AES-256_TRN_PB 1072.3199 IPsec/AES-256_TRN_PB 1078.2479 IPsec/AES-256_TUN_PB 718.5759 IPsec/AES-256_TUN_PB 1059.5369 IPsec/CHAPOLY_TRN_PB 2683.6437 IPsec/CHAPOLY_TRN_PB 2333.7271 IPsec/CHAPOLY_TUN_PB 2650.1884 IPsec/CHAPOLY_TUN_PB 2227.3481 OpenVPN/AES-128 607.1265 OpenVPN/AES-128 540.2972 OpenVPN/AES-128_AES-NI 752.6029 OpenVPN/AES-128_AES-NI 632.4011 OpenVPN/AES-256 577.2823 OpenVPN/AES-256 495.9365 OpenVPN/AES-256_AES_NI 731.1624 OpenVPN/AES-256_AES_NI 751.3413 OpenVPN/No_cipher 812.5908 OpenVPN/No_cipher 702.814 OpenVPN/Optimized_AES-128_AES-NI 838.8096 OpenVPN/Optimized_AES-128_AES-NI 729.9893 OpenVPN/Optimized_no_cipher 862.2184 OpenVPN/Optimized_no_cipher 776.2278 Wireguard/CHAPOLY 3213.0385 Wireguard/CHAPOLY 4489.2696 0 500 1000 1500 2000 2500 3000 3500 0 1000 2000 3000 4000 Bandwidth in Mb/s Bandwidth in Mb/s Figure 2. Network throughput without CPU pinning, CPU turbo boost Figure 3. Network throughput with CPU pinning enabled and CPU turbo enabled, and 4 CPU cores. boost disabled, and 3 CPU cores. Figure 2 shows the benchmark results of tests without CPU pinning. All IPsec variants with hardware accelerated REFERENCES AES-based encryption surpass WireGuard’s throughput. The [1] C.J.C. Pena and J. Evans. “Performance evaluation of importance of using AES-NI for AES-based encryption is software virtual private networks (VPN)”. In: Proceed- also shown well by the data, as well as a small superiority ings 25th Annual IEEE Conference on Local Computer of AES-128 compared to AES-256. Also, there is a small, Networks. LCN 2000 (2000). but visible throughput difference in favor of transport mode [2] S. Kent and K. Seo. Security Architecture for the because of the smaller protocol overhead. OpenVPN does Internet Protocol. RFC4301. 2005. not compete with both systems in any configuration we [3] Shaneel Narayan ; Kris Brooking ; Simon de Vere. tested. Even deactivating encryption has no large effect on “Network Performance Analysis of VPN Protocols: performance. This shows that encryption of data is not the An Empirical Comparison on Different Operating Sys- bottleneck for OpenVPN. The throughput of WireGuard is tems”. In: 2009 International Conference on Networks significantly larger than the ChaCha20-Poly1305 variants of Security, Wireless Communications and Trusted Com- IPsec, presumably because WireGuard uses parallel workers puting (2009). to encrypt and decrypt data [7]. IPsec is implemented in the [4] P. Rybar´ I. Kotuliak and P. Truchly.´ “Performance xfrm part of the Linux kernel and does not take advantage of comparison of IPsec and TLS based VPN technolo- parallelism. Thus, WireGuard’s performance is correlated to gies”. In: 2011 9th International Conference on Emerg- CPU performance. ing eLearning Technologies and Applications (ICETA) Next we pin the cores of the virtual machines to physical (2011). cores. The results are shown in Figure 3. CPU pinning enables [5] Jason A. Donenfeld. Wireguard is now in Linus’ tree. WireGuard to increase its throughput by about 40 percent 2020. URL: https://lists.zx2c4.com/pipermail/wireguard/ because it can use the CPU more efficiently (less context 2020-January/004906.html. switches) even though we have to decrease the number of CPU [6] Jason A. Donenfeld. WireGuard website. 2020. URL: cores by one and disable turbo boost. The disabled turbo boost https://www.wireguard.com/. can be noticed in an overall drop in performance of IPsec and [7] Jason A. Donenfeld. WireGuard Whitepaper. 2020. OpenVPN test cases. URL: https://www.wireguard.com/papers/wireguard.pdf. [8] Sebastian Gruner.¨ Wireguard in Linux-Kernel IV. CONCLUSION eingepflegt. 2020. URL: https : / / www . golem . de / We conclude that IPsec with AES-based encryption is a very news / vpn - technik - wireguard - in - linux - kernel - good choice regarding performance in a virtualised environ- eingepflegt-1912-145437.html. ment without CPU pinning. In non virtualised environments, [9] OpenVPN Inc. OpenVPN website. 2020. URL: https : WireGuard surpasses IPsecs performance by about 30 percent. //openvpn.net/. In general, it should be noted that the choice of the right VPN [10] OpenVPN Inc. Optimizing performance on gigabit net- system should be multifactorial, resulting in use cases for all works. 2020. URL: https : / / community. openvpn . net / three systems. openvpn/wiki/Gigabit Networks Linux..
Load more

Recommended publications
  • Flexgw Ipsec VPN Image User Guide
    FlexGW IPsec VPN Image User Guide Zhuyun Information Technology Co.,Ltd. www.cloudcare.cn Zhuyun Information Technology Co.,Ltd. Contents .......................................................................................................... .................................................................................................................. 1 Introduction 4 1.1 Software Compon.e..n..t.s................................................................................................................... 4 1.2 Login Description ................................................................................................................... 4 1.3 Function Description ....................................................................................................5 1.4 Typical Scenarios Des..c..r..i.p..t..i.o..n......................................................................................................5 1.5 Program Description .................................................................................6 1.6 Software Operation Command Summary ............................... 7 ............................................................................................................... 2 IPSec Site-to-Site VPN User Guide (VPC network scenario) 8 2.1 Start IPSec VPN.s..e..r..v..i.c..e.................................................................................................................8 2.2 Add new tunnel .................................................................................................................
    [Show full text]
  • Uila Supported Apps
    Uila Supported Applications and Protocols updated Oct 2020 Application/Protocol Name Full Description 01net.com 01net website, a French high-tech news site. 050 plus is a Japanese embedded smartphone application dedicated to 050 plus audio-conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also 10086.cn classifies the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese web portal operated by YLMF Computer Technology Co. Chinese cloud storing system of the 115 website. It is operated by YLMF 115.com Computer Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr Korean shopping website 11st. It is operated by SK Planet Co. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt Lithuanian news portal Chinese web portal 163. It is operated by NetEase, a company which 163.com pioneered the development of Internet in China. 17173.com Website distributing Chinese games. 17u.com Chinese online travel booking website. 20 minutes is a free, daily newspaper available in France, Spain and 20minutes Switzerland. This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Shared 2shared is an online space for sharing and storage.
    [Show full text]
  • Openvpn with Two-Factor Authentication (2FA)
    Portal > Knowledgebase > VPN > OpenVPN > OpenVPN with Two Factor Authentication (2FA) OpenVPN with Two Factor Authentication (2FA) Dmitriy Eshenko - 2021-09-21 - 0 Comments - in OpenVPN Using DUO 2fa with OpenVPN requires to install an additional plugin. Upload tar archive to your router then unarchive required plugins and helper files curl http://dev.packages.vyos.net/tmp/openvpn-plugin-duo_2.4_amd64.deb -O sudo dpkg -i openvpn-plugin-duo_2.4_amd64.deb Following documentation from DUO site, configure OpenVPN instance https://duo.com/docs/openvpn Get integration key, secret key, and API hostname from DUO control panel and add to VyOS the next commands for activating the plugin. set interfaces openvpn vtunX openvpn-option '--plugin /usr/lib/openvpn/duo/duo_openvpn.so IKEY SKEY HOST' set interfaces openvpn vtunX openvpn-option 'reneg-sec 0' Where: IKEY - integration key, SKEY - secret key, HOST - API hostname Full OpenVPN configuration: set interfaces openvpn vtun10 local-port '1194' set interfaces openvpn vtun10 mode 'server' set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/duo/duo_openvpn.so XXX YYY api-zzz.duosecurity.com' set interfaces openvpn vtun10 openvpn-option 'reneg-sec 0' set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol 'udp' set interfaces openvpn vtun10 server push-route '100.64.0.0/24' set interfaces openvpn vtun10 server subnet '10.23.1.0/24' set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ovpn/ca.crt' set interfaces openvpn vtun10 tls cert-file '/config/auth/ovpn/central.crt' set interfaces openvpn vtun10 tls crl-file '/config/auth/ovpn/crl.pem' set interfaces openvpn vtun10 tls dh-file '/config/auth/ovpn/dh.pem' set interfaces openvpn vtun10 tls key-file '/config/auth/ovpn/central.key' How to generate cryptographic materials described by the following link https://support.vyos.io/en/kb/articles/using-easy-rsa-to-generate-x-509-certificates-and-keys -2.
    [Show full text]
  • Enabling TPM Based System Security Features
    Enabling TPM based system security features Andreas Fuchs <[email protected]> Who am I ? ● 13 year on/off TPMs ● Fraunhofer SIT: Trustworthy Platforms ● TCG-member: TPM Software Stack WG ● Maintainer – tpm2-tss: The libraries – tpm2-tss-engine: The openssl engine – tpm2-totp: Computer-to-user attestation (mjg’s tpm-totp reimplemented for 2.0) 2 The hardware stack ● Trusted Platform Module (TPM) 2.0 – Smartcard-like capabilities but soldered in – Remote Attestation capabilities – As separate chip (LPC, SPI, I²C) – In Southbridge / Firmware – Via TEEs/TrustZone, etc – Thanks to Windows-Logos in every PC ● CPU – OS, TSS 2.0, where the fun is... 3 The TPM Software Stack 2.0 ● Kernel exposes /dev/tpm0 with byte buffers ● tpm2-tss is like the mesa of TCG specs ● TCG specifications: – TPM spec for functionality – TSS spec for software API ● tpm2-tss implements the glue ● Then comes core module / application integration – Think GDK, but OpenSSL – Think godot, but pkcs11 – Think wayland, but cryptsetup 4 The TSS APIs System API (sys) Enhanced SYS (esys) Feature API (FAPI) • 1:1 to TPM2 cmds • Automate crypto for • Spec in draft form HMAC / encrypted • TBimplemented • Cmd / Rsp sessions • No custom typedefs U serialization • Dynamic TCTI • JSON interfaces s • No file I/O loading • Provides Policy e • No crypto • Memory allocations language r • No heap / malloc • No file I/O • Provides keystore S p TPM Command Transmission Interface (tss2-tcti) p a Abstract command / response mechanism, • No crypto, heap, file I/O a Decouple APIs
    [Show full text]
  • Master Thesis
    Master's Programme in Computer Network Engineering, 60 credits MASTER Connect street light control devices in a secure network THESIS Andreas Kostoulas, Efstathios Lykouropoulos, Zainab Jumaa Network security, 15 credits Halmstad 2015-02-16 “Connect street light control devices in a secure network” Master’s Thesis in Computer Network engineering 2014 Authors: Andreas Kostoulas, Efstathios Lykouropoulos, Zainab Jumaa Supervisor: Alexey Vinel Examiner: Tony Larsson Preface This thesis is submitted in partial fulfilment of the requirements for a Master’s Degree in Computer Network Engineering at the Department of Information Science - Computer and Electrical Engineering, at University of Halmstad, Sweden. The research - implementation described herein was conducted under the supervision of Professor Alexey Vinel and in cooperation with Greinon engineering. This was a challenging trip with both ups and downs but accompanied by an extend team of experts, always willing to coach, sponsor, help and motivate us. For this we would like to thank them. We would like to thank our parents and family for their financial and motivational support, although distance between us was more than 1500 kilometres. Last but not least we would like to thank our fellow researchers and friends on our department for useful discussions, comments, suggestions, thoughts and also creative and fun moments we spend together. i Abstract Wireless communications is a constantly progressing technology in network engineering society, creating an environment full of opportunities that are targeting in financial growth, quality of life and humans prosperity. Wireless security is the science that has as a goal to provide safe data communication between authorized users and prevent unauthorized users from gaining access, deny access, damage or counterfeit data in a wireless environment.
    [Show full text]
  • N2N: a Layer Two Peer-To-Peer VPN
    N2N: A Layer Two Peer-to-Peer VPN Luca Deri1, Richard Andrews2 ntop.org, Pisa, Italy1 Symstream Technologies, Melbourne, Australia2 {deri, andrews}@ntop.org Abstract. The Internet was originally designed as a flat data network delivering a multitude of protocols and services between equal peers. Currently, after an explosive growth fostered by enormous and heterogeneous economic interests, it has become a constrained network severely enforcing client-server communication where addressing plans, packet routing, security policies and users’ reachability are almost entirely managed and limited by access providers. From the user’s perspective, the Internet is not an open transport system, but rather a telephony-like communication medium for content consumption. This paper describes the design and implementation of a new type of peer-to- peer virtual private network that can allow users to overcome some of these limitations. N2N users can create and manage their own secure and geographically distributed overlay network without the need for central administration, typical of most virtual private network systems. Keywords: Virtual private network, peer-to-peer, network overlay. 1. Motivation and Scope of Work Irony pervades many pages of history, and computing history is no exception. Once personal computing had won the market battle against mainframe-based computing, the commercial evolution of the Internet in the nineties stepped the computing world back to a substantially rigid client-server scheme. While it is true that the today’s Internet serves as a good transport system for supplying a plethora of data interchange services, virtually all of them are delivered by a client-server model, whether they are centralised or distributed, pay-per-use or virtually free [1].
    [Show full text]
  • Test-Beds and Guidelines for Securing Iot Products and for Secure Set-Up Production Environments
    IoT4CPS – Trustworthy IoT for CPS FFG - ICT of the Future Project No. 863129 Deliverable D7.4 Test-beds and guidelines for securing IoT products and for secure set-up production environments The IoT4CPS Consortium: AIT – Austrian Institute of Technology GmbH AVL – AVL List GmbH DUK – Donau-Universit t Krems I!AT – In"neon Technologies Austria AG #KU – JK Universit t Lin$ / Institute for &ervasive 'om(uting #) – Joanneum )esearch !orschungsgesellschaft mbH *+KIA – No,ia -olutions an. Net/or,s 0sterreich GmbH *1& – *1& -emicon.uctors Austria GmbH -2A – -2A )esearch GmbH -)!G – -al$burg )esearch !orschungsgesellschaft -''H – -oft/are 'om(etence 'enter Hagenberg GmbH -AG0 – -iemens AG 0sterreich TTTech – TTTech 'om(utertechni, AG IAIK – TU Gra$ / Institute for A((lie. Information &rocessing an. 'ommunications ITI – TU Gra$ / Institute for Technical Informatics TU3 – TU 3ien / Institute of 'om(uter 4ngineering 1*4T – 1-Net -ervices GmbH © Copyright 2020, the Members of the IoT4CPS Consortium !or more information on this .ocument or the IoT5'&- (ro6ect, (lease contact8 9ario Drobics7 AIT Austrian Institute of Technology7 mario:.robics@ait:ac:at IoT4C&- – <=>?@A Test-be.s an. guidelines for securing IoT (ro.ucts an. for secure set-up (ro.uction environments Dissemination level8 &U2LI' Document Control Title8 Test-be.s an. gui.elines for securing IoT (ro.ucts an. for secure set-u( (ro.uction environments Ty(e8 &ublic 4.itorBsC8 Katharina Kloiber 4-mail8 ,,;D-net:at AuthorBsC8 Katharina Kloiber, Ni,olaus DEr,, -ilvio -tern )evie/erBsC8 -te(hanie von )E.en, Violeta Dam6anovic, Leo Ha((-2otler Doc ID8 DF:5 Amendment History Version Date Author Description/Comments VG:? ?>:G?:@G@G -ilvio -tern Technology Analysis VG:@ ?G:G>:@G@G -ilvio -tern &ossible )esearch !iel.s for the -2I--ystem VG:> >?:G<:@G@G Katharina Kloiber Initial version (re(are.
    [Show full text]
  • Xmind ZEN 9.1.3 Crack FREE Download
    1 / 4 XMind ZEN 9.1.3 Crack FREE Download Download XMind ZEN 9.2.1 Build Windows / 9.1.3 macOS for free at ... Version 9.2.1 is cracked, then install the program and click Skip in the Login window.. Adobe Premiere Pro CC 2019 13.1.2 – For macOS Cracked With Serial Number.. Free Download XMind ZEN 9.1.3 Build. 201812101752 Win / macOS Cracked .... 3 Crack + Serial Key Free Download. Malwarebytes 4.2.3 Crack Real-time safety of all threats very effectively. This is a .... ZW3D 2019 SP2 Download 32-64 Bit For Windows. The Powerful engineering ... XMind ZEN 9.1.3 Download. Free Download Keysight .... With this app, you can download online maps, digital maps and even ... Tableau Desktop Pro 2019.4.0 Win + Crack · XMind ZEN 9.2.0 Build .... Download Free XMind: ZEN 9.1.3 Build 201812101752 for Mac on Mac Torrent Download. XMind: ZEN 9.1.3 Build 201812101752 is a .... XMind 8 Pro 3 7 6 Mac Crack Full version free download is the latest version of the most advanced and Popular Mind ... XMind ZEN for Mac 9.1.3 Serial Key ... Download Nero KnowHow for PC - free download Nero KnowHow for ... The full version comes in single user and a family variant with the former costing ... Download XMind ZEN 9.2.1 Build Windows / 9.1.3 macOS for free at .... XMind ZEN Crack 10.3.0 With Keygen Full Torrent Download 2021 For PC · XMind Crack 9.1.3 With Keygen Full Torrent Download 2019 For PC.
    [Show full text]
  • Openvpn® Settings Page - Simple Mode
    Grandstream Networks, Inc. WP820 Enterprise Portable Wi-Fi Phone OpenVPN® Guide Table of Contents OVERVIEW ..................................................................................................................... 3 ENABLE OPENVPN® FEATURE ................................................................................... 4 OPENVPN® MODES ...................................................................................................... 4 Simple Mode ........................................................................................................................4 Professional Mode (Expert Mode) ........................................................................................6 Table of Figures Figure 1: VPN Architecture Overview ....................................................................................................... 3 Figure 2: OpenVPN® Settings Page - Simple Mode ................................................................................. 4 Figure 3: OpenVPN® Settings Page - Expert Mode ................................................................................. 6 Figure 4: Expert Mode ZIP file ................................................................................................................. 6 Table of Tables Table 1: OpenVPN® Settings – Simple Mode ........................................................................................... 5 P a g e | 2 WP820 OpenVPN® Guide OVERVIEW VPN (Virtual Private Network) is a network that communicates by creating a dedicated and
    [Show full text]
  • Wireguard in Eduvpn Report
    WireGuard in eduVPN Report Nick Aquina SURF, Utrecht Fontys University of Applied Sciences, Eindhoven INTERNSHIP REPORT FONTYS UNIVERSITY OF APPLIED SCIENCES HBO-ICT Data student: Family name, initials: Aquina, N Student number: project period: (from – till) 31 August 2020 – 22 January 2021 Data company: Name company/institution: SURF Department: Team Security Address: Kantoren Hoog Overborch, 3511 EP Utrecht, Moreelsepark 48 Company tutor: Family name, initials: Spoor, R Position: (Tech) Product Manager University tutor: Family name, initials: Vos, A Final report: Title: WireGuard in eduVPN Date: 12 January 2021 Approved and signed by the company tutor: Date: 12 January 2021 Signature: Preface This report is written for my internship for Fontys. The internship was done at SURF for the eduVPN project. My task was to build a proof of concept in which WireGuard is integrated into eduVPN. This internship took place from September 2020 until January 2021. I would like to thank Arno Vos for his guidance and feedback throughout this internship. I would also like to thank Rogier Spoor for guiding me throughout this internship and inviting me to meetings which gave me a valuable insight into cyber security and technological issues facing members of SURF. And last, but not least, I would like to thank François Kooman for all technical support, advice and code reviews which helped improve the project. All blue text can be clicked to open a hyperlink. 1 Contents Preface . .1 Summary 4 Introduction 5 Free software . .5 The company (SURF) 6 Project 7 Context / Initial situation . .7 Project goal . .7 Assignment . .7 Constraints . .8 Development strategy .
    [Show full text]
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Comparison of Virtual Networks Solutions for Community Clouds
    KTH Royal Institute of Technology Bachelor Thesis Comparison of Virtual Networks Solutions for Community Clouds Examiner: Vladimir Vlassov Author: Albert Avellana Supervisors: Paris Carbone, Hooman Peiro Information and Communication Technology School February 2014 KTH Royal Institute of Technology Abstract Information and Communication Technology School Bachelor Thesis Comparison of Virtual Networks Solutions for Community Clouds by Albert Avellana Cloud computing has a huge importance and big impact nowadays on the IT world. The idea of community clouds has emerged recently in order to satisfy several user expectations. Clommunity is a European project that aims to provide a design and implementation of a self-configured, fully distributed, decentralized, scalable and robust cloud for a community of users across a commmunity network. One of the aspects to analyze in this design is which kind of Virtual Private Network (VPN) is going to be used to interconnect the nodes of the community members interested in access cloud services. In this thesis we will study, compare and analyze the possibility of using Tinc, IPOP or SDN-based solutions such as OpenFlow to establish such a VPN. Acknowledgements I would like to express my gratitude to all those who gave me the possibility to do this thesis in KTH. Firstly, I would like to thank Vlad for the opportunity he gave me to do this thesis and for his support. Secondly, thanks to my thesis supervisors: Paris Carbone and Hooman Peiro, who guided me through the research, helped me and gave me recommendations during this period. Also, I would like to thank F´elixFreitag and Leandro Navarro from Universitat Polit`ecnica de Catalunya for supporting me from Barcelona and make this stay in Stockholm possi- ble.
    [Show full text]