For various reasons, users may be blocked from, or unable to reach, a service through a given network path: ISP blocking, failure of an intermediate network, and so on. To let users keep using the service as usual, we need to redirect their traffic before it reaches the broken or failing node on that path.
OpenVPN is a good choice for this purpose. It works in two modes: TAP, which relays Ethernet frames (layer 2), and TUN, which relays IP packets (layer 3). See https://community.openvpn.net/openvpn/wiki/BridgingAndRouting for more information about the difference between the two modes.
For emergency traffic redirection, TUN mode is enough, because we only need to route the specific IP addresses on which our services run. Here is the system execution flow chart.
The coordinator server is in charge of controlling the clients’ behavior:
1. Detect the client’s IP address to decide whether it should skip using the VPN.
2. Check the running programs and services reported by the client; the client should also skip using the VPN if any incompatible factor is found.
3. Generate the VPN config so that the VPN servers are used evenly: a. return multiple ‘remote’ settings in the config file; b. order the ‘remote’ entries differently according to a hash of the client info.
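As an added example (not code from the original post), here is a minimal Python sketch of the coordinator’s three decisions: skipping the VPN by client address or by a reported incompatible program, emitting one ‘remote’ line per VPN server, and rotating those lines by a SHA-256 hash of the client info so that each client tries a different server first while every server remains a fallback. The server names, networks, port and program list are constructed placeholders, and the exact config directives are my choice for a TUN setup that routes only the service network.

```python
import hashlib
import ipaddress

# Constructed placeholders (assumptions, not values from the original post).
VPN_SERVERS = ["vpn1.example.net", "vpn2.example.net", "vpn3.example.net"]
VPN_PORT = 1194
SERVICE_NETWORK = ipaddress.ip_network("203.0.113.0/24")    # where our services run
DIRECT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # clients that reach it directly
INCOMPATIBLE_PROGRAMS = {"other-vpn-client.exe", "packet-filter-agent.exe"}


def should_skip_vpn(client_ip: str, running_programs) -> bool:
    """Steps 1 and 2: skip the VPN when the client's address is on a network
    that already reaches the service, or when it reports a program that is
    known to conflict with the tunnel."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in DIRECT_NETWORKS):
        return True
    reported = {name.lower() for name in running_programs}
    return bool(reported & INCOMPATIBLE_PROGRAMS)


def remote_order(client_info: str, servers=None) -> list:
    """Step 3b: rotate the server list by a stable hash of the client info.
    Every client still receives the full list as fallbacks, but the first
    entry differs per client, so connections spread evenly across servers."""
    servers = list(servers or VPN_SERVERS)
    digest = hashlib.sha256(client_info.encode("utf-8")).digest()
    start = int.from_bytes(digest[:4], "big") % len(servers)
    return servers[start:] + servers[:start]


def build_client_config(client_info: str) -> str:
    """Step 3a: an OpenVPN client config with one 'remote' line per server.
    OpenVPN tries the remotes in order and moves on when one fails.  Only the
    service network is routed through the TUN device; everything else stays
    on the client's normal path."""
    lines = ["client", "dev tun", "proto udp"]
    lines += [f"remote {host} {VPN_PORT}" for host in remote_order(client_info)]
    lines += [
        f"route {SERVICE_NETWORK.network_address} {SERVICE_NETWORK.netmask}",
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
    ]
    return "\n".join(lines) + "\n"


def first_remote_counts(client_infos) -> dict:
    """How many clients would try each server first: a quick evenness check
    for the hash-based ordering."""
    counts = {host: 0 for host in VPN_SERVERS}
    for info in client_infos:
        counts[remote_order(info)[0]] += 1
    return counts


if __name__ == "__main__":
    print(build_client_config("client-42"))
    print(first_remote_counts(f"client-{i}" for i in range(300)))
```

Because the rotation is derived from a hash rather than chosen at random, the same client always gets the same order, which keeps reconnects on the same server and makes the distribution easy to audit from the coordinator’s logs.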
To install the OpenVPN TAP driver automatically, we made the following optimizations:
1. Because Windows XP uses a different TAP driver from Windows 7, we extracted both drivers from the two official TAP installers and built them into a single TAP installer.
2. Import the digital certificates automatically and adjust the system security setting so that no security warning pops up during installation.
3. Use an NSIS silent installer to perform the installation.
To reduce the size of the OpenVPN main executable, we made the following optimizations:
1. Link against static libraries to avoid depending on the Microsoft VC runtime.
2. Replace OpenSSL with PolarSSL to reduce the final binary size.
Our existing clients don’t support VPN tunneling; however, our anti-hack system supports dynamic code delivery, so the final client code is assembled as follows:
1. Convert our repacked TAP installer and recompiled OpenVPN executable into C++ arrays, so that they become part of the final dynamic code.
2. The code extracts the TAP installer and OpenVPN executable when needed.
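An added example, not the project’s code, of the first step: a small Python tool that turns a binary blob into a C++ byte array that can be compiled into the delivered code, paired with a parser that stands in for the client’s “extract when needed” step. The length and SHA-256 fields are my addition, an assumption about how the extractor should verify the blob before writing it to disk and running it; the blob itself is a constructed byte string, not a real installer.

```python
import hashlib
import re


def to_cpp_array(name: str, data: bytes, per_line: int = 12) -> str:
    """Render 'data' as a C++ byte array plus its length and SHA-256 digest.
    The digest is an added integrity check (assumption) so the extractor can
    refuse a blob that was truncated or altered before it reached the client."""
    if not data:
        raise ValueError("refusing to emit a zero-length array (invalid C++)")
    digest = hashlib.sha256(data).hexdigest()
    rows = []
    for off in range(0, len(data), per_line):
        chunk = data[off:off + per_line]
        rows.append("    " + ", ".join(f"0x{b:02x}" for b in chunk) + ",")
    out = [
        f"// {name}: {len(data)} bytes, sha256 {digest}",
        f"static const unsigned char {name}[] = {{",
        *rows,
        "};",
        f"static const size_t {name}_len = {len(data)};",
        f'static const char {name}_sha256[] = "{digest}";',
    ]
    return "\n".join(out) + "\n"


_DIGEST_RE = re.compile(r'_sha256\[\] = "([0-9a-f]{64})";')


def from_cpp_array(header: str) -> bytes:
    """Recover the bytes from a header produced by to_cpp_array and verify
    them against the embedded digest.  Stands in for the client-side
    extraction step; raises ValueError on any mismatch."""
    match = _DIGEST_RE.search(header)
    if match is None:
        raise ValueError("no digest field found")
    inner = header.split("{", 1)[1].split("};", 1)[0]
    tokens = [t.strip() for t in inner.replace("\n", " ").split(",") if t.strip()]
    data = bytes(int(t, 16) for t in tokens)
    if hashlib.sha256(data).hexdigest() != match.group(1):
        raise ValueError("embedded blob does not match its digest")
    return data


def blob_is_intact(header: str) -> bool:
    """True only if the header parses and its digest matches its bytes."""
    try:
        from_cpp_array(header)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample blob: a fake PE header followed by every byte value.
    sample = b"MZ\x90\x00" + bytes(range(256))
    header = to_cpp_array("tap_installer", sample)
    print(header)
    print("round trip ok:", from_cpp_array(header) == sample)
```

The generated fragment is what gets compiled into the dynamic code; the client-side extractor would compute the same SHA-256 over the array before writing the file out, which catches corruption during delivery and makes it obvious when a different blob has been substituted.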
Thanks to all the work above, we can redirect client traffic, and stop redirecting it, without updating the client application or changing the final services.