use openvpn to do emergent traffic redirection

Due to kinds of reasons, users may be blocked or unable to access certain service through certain path, for example, ISP blocking, intermediate network failure, etc. In order to allow users to continue using services  as usual, we need to redirect the traffic before they reach these broken/failure node in the path.

openvpn is a good choice for this purpose. It works in two modes, one is TAP which relays ethernet packets, one is TUN which relays IP packets. You can take a look at here to find more inforation about the difference between these two modes.

To do emergent traffic redirection, TUN mode is enough, because we only want to handle certain IP where our services are running. Here is the system execute flow chart.


The coordinator server is in charge of controlling clients’ behavior.

1. detecting client ip to decide whether it should skip using vpn

2. checking the running program and services which is reported by the client, we also should skip using vpn if any incompatible factor is found

3.  generate vpn config to ensure vpn servers are used evenly. a. return multi ‘remote’ setting in config file, b. different ‘remote’ order according client info hash.


In order to auto install openvpn tap driver, we did following optimizations.

1. because winxp is using a different tap driver from win7, we extract both drivers from two official tap installers, and build them into one tap installer

2. auto import digital certificates and set system security setting to avoid popup security warning during installation

3. use nsis silent installer to perform the installation.


In order to reduce openvpn main exe file, we did following optimizations.

1. use static library to avoid depending on microsoft VC runtime

2. use polarssl to replace openssl to reduce the final binary size


Our existing clients don’t support vpn tunneling, however, our antihack system supports dynamic code delivery, so the final client code is assembled by:

1. convert our repacked tap installer and recompiled openvpn exe into C++ array, so that they become part of the final dynamic code.

2.  the code will extract tap installer and openvpn exe when needed.


Thanks all above work, we can redirect client traffic, and stop redirection without updating client application or changing final services.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s