Social VPN

A social VPN is a virtual private network created automatically among individual peers, based on relationships they have established through a social networking service. It aims to provide peer-to-peer (P2P) network connectivity between a user and their friends in a way that is easy to set up and that hides from users the complexity of establishing and maintaining authenticated, encrypted end-to-end VPN tunnels.

Architecture

The architecture of a social VPN combines a centralized infrastructure, where users authenticate, discover their friends and exchange cryptographic public keys, with a P2P overlay that routes messages between VPN endpoints. [1] This differs from a conventional routed VPN, which gives an organization routed connections to its separate offices, or to other organizations, over the Internet; such a connection logically operates as a dedicated Wide Area Network (WAN) link between sites, [2] [3] whereas a social VPN links the individual hosts of users who are friends.

Packet capture and injection

A social VPN uses a virtual network interface (such as a TUN/TAP device on Unix-like systems or Windows) to capture IP packets from the host and to inject packets into it. Captured packets are encrypted, encapsulated and routed over an overlay network; packets arriving from the overlay are decrypted, decapsulated and injected back into the host through the same interface.

Security

A social VPN uses the online social network to distribute public keys and to advertise node addresses to friends. The acquired public keys are used to authenticate the other endpoint when an encrypted link is set up between two peers; the symmetric keys that protect traffic on the link are negotiated during that link establishment. The social network service is therefore trusted to bind public keys to friends: a service, or an attacker controlling an account on it, that substitutes a key can interpose itself on the link, so users who need stronger assurance should compare key fingerprints out of band.
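As an added illustration (not code from SocialVPN or Brunet), the following Python models the key-distribution step above: a stand-in profile store hands a friend's published public key and node address only to established friends, and two peers then derive a shared symmetric link key from a static-static and an ephemeral-ephemeral Diffie-Hellman share with HMAC-SHA256, followed by key confirmation. The SocialNetwork and Peer classes, the use of RFC 3526 group 14 finite-field DH, and deriving a 20-byte node address from a hash of the key are assumptions made for the demo; a deployment would use a vetted library such as X25519 with a Noise-style handshake.

```python
"""Key distribution through the social network and authenticated link setup, as an
added illustration for this page (not SocialVPN/Brunet code). SocialNetwork stands in
for the service's profile store; node addresses are assumed to be a hash of the
published key. Finite-field DH over RFC 3526 group 14 with HMAC-SHA256 is used so
this runs on the standard library; a deployment would use a vetted library instead."""
import hashlib
import hmac
import secrets

P = int(  # RFC 3526 group 14 (2048-bit MODP) prime
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def to_bytes(x):
    return x.to_bytes(256, "big")


class SocialNetwork:
    """Centralized profile store: holds each user's published public key and node
    address and reveals them only to users who have an established friendship."""
    def __init__(self):
        self.profiles, self.friendships = {}, set()

    def publish(self, name, pub, node):
        self.profiles[name] = (pub, node)

    def befriend(self, a, b):
        self.friendships.add(frozenset((a, b)))

    def lookup(self, requester, friend):
        if frozenset((requester, friend)) not in self.friendships:
            raise PermissionError(f"{requester} and {friend} are not friends")
        return self.profiles[friend]


class Peer:
    """A social VPN endpoint: one long-term key pair, published once to the social network."""
    def __init__(self, name, sns):
        self.name, self.sns = name, sns
        self.priv = secrets.randbits(256)             # long-term private key, never leaves the host
        self.pub = pow(G, self.priv, P)
        self.node = hashlib.sha256(to_bytes(self.pub)).digest()[:20]  # assumed: node address bound to key
        sns.publish(name, self.pub, self.node)
        self.pending, self.keys = {}, {}

    def start_link(self, friend):
        """Fetch the friend's published key and node address through the social
        network, then send a fresh ephemeral DH value for this link."""
        friend_pub, friend_node = self.sns.lookup(self.name, friend)
        eph_priv = secrets.randbits(256)
        eph_pub = pow(G, eph_priv, P)
        self.pending[friend] = (friend_pub, friend_node, eph_priv, eph_pub)
        return {"from": self.name, "eph": eph_pub}

    def derive(self, friend, msg):
        """Symmetric link key from two DH shares: static-static (binds the link to both
        published keys) and ephemeral-ephemeral (forward secrecy). Returns friend's node."""
        friend_pub, friend_node, eph_priv, eph_pub = self.pending.pop(friend)
        if not 1 < msg["eph"] < P - 1:
            raise ValueError("degenerate DH value")
        ss = pow(friend_pub, self.priv, P)
        ee = pow(msg["eph"], eph_priv, P)
        transcript = b"".join(to_bytes(e) for e in sorted((eph_pub, msg["eph"])))
        transcript += "|".join(sorted((self.name, friend))).encode()
        self.keys[friend] = hmac.new(b"SocialVPN link key v0",
                                     to_bytes(ss) + to_bytes(ee) + transcript, hashlib.sha256).digest()
        return friend_node  # the overlay address that IP packets for this friend are routed to

    def confirm(self, friend):
        """Key-confirmation tag sent to the friend; proves we derived the same key."""
        return hmac.new(self.keys[friend], b"confirm " + self.name.encode(), hashlib.sha256).digest()

    def verify(self, friend, tag):
        expected = hmac.new(self.keys[friend], b"confirm " + friend.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo(tamper=False):
    """Alice and Bob set up a link. With tamper=True the profile store substitutes
    Mallory's key for Bob's in what Alice fetches, and key confirmation fails."""
    sns = SocialNetwork()
    alice, bob = Peer("alice", sns), Peer("bob", sns)
    sns.befriend("alice", "bob")
    if tamper:
        Peer("mallory", sns)
        sns.profiles["bob"] = sns.profiles["mallory"]
    a_msg, b_msg = alice.start_link("bob"), bob.start_link("alice")
    alice.derive("bob", b_msg)
    bob.derive("alice", a_msg)
    return bob.verify("alice", alice.confirm("bob")) and alice.verify("bob", bob.confirm("alice"))
```

Call demo() for a successful link and demo(tamper=True) for a profile store that swaps in a key it controls. The tampered run also makes the trust assumption concrete: whoever controls the published keys can complete a link in a friend's name with a peer that has not checked the key any other way, which is why out-of-band fingerprint comparison matters when the social network itself is in the threat model.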

Routing

Routing in a social VPN is peer-to-peer. One implemented approach uses a structured P2P overlay to forward IP packets, encapsulated in overlay messages, from source to destination.

Private IP address space

A social VPN assigns virtual IP addresses dynamically and translates addresses at the endpoints, both to avoid collisions with the existing (private) address spaces of end hosts and to let the system scale to the number of users that today's successful online social network services serve (tens of millions). Because users connect directly only to the small subset of users with whom they have established relationships, each host needs virtual addresses only for its own friends, not for the service's whole user base.

Naming

A social VPN derives host names for endpoints automatically from the names used on the social network service. These names are resolved to virtual private IP addresses in the overlay by a loop-back DNS virtual server that the VPN software runs on the local host.

Software

An open-source social VPN implementation based on the Facebook social network service and the Brunet P2P overlay is available for Windows and Linux systems under the MIT license. It creates direct, secure point-to-point connections between computers with the help of the online social network, and supports transparent traversal of NATs. It uses the P2P overlay to create direct VPN connections between pairs of computers (nodes). To establish a connection, two nodes advertise their P2P node addresses (and the public keys used to secure communication) to each other through the online social network. Once each node has the other's node address and public key, an IP-to-node-address mapping is created and IP packets can be routed through the VPN tunnel.
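The packet capture, routing, address-translation and naming sections above fit together in the following Python, which is an added example for this page and not code from the Facebook/Brunet implementation or from IPOP. It parses an IPv4 packet as it would be read from a TUN device, maps the virtual destination address to a friend's overlay node address, wraps the packet in an overlay message, and on the receiving host rewrites the addresses into that host's own view (recomputing the header checksum) before injection. The 172.31.0.0/24 pool, the .svpn name suffix, 20-byte node addresses, the interface name svpn0 and the one-packet demo are assumptions; encryption of the encapsulated packet with the per-link key is left out.

```python
"""Social VPN data path, as an added illustration for this page (not SocialVPN/Brunet
or IPOP code). Assumptions: pool 172.31.0.0/24, name suffix ".svpn", 20-byte overlay
node addresses, TUN device name svpn0. Link encryption is omitted."""
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
NODE_LEN = 20  # assumed 160-bit overlay node address carried as raw bytes

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Constructed test packet: 20-byte header, DF set, TTL 64, checksum filled in."""
    hdr = bytearray(IPV4_HDR.pack(0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                                  proto, 0, src.packed, dst.packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def parse_ipv4(pkt):
    """Header fields needed for overlay routing; rejects non-IPv4, truncated or corrupt headers."""
    v_ihl, _, total_len, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (v_ihl & 0xF) * 4
    if v_ihl >> 4 != 4 or len(pkt) < total_len or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 packet")
    return {"ihl": ihl, "proto": proto, "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}

def rewrite_addresses(pkt, src, dst):
    """Replace src/dst and recompute the header checksum. Caveat: TCP/UDP checksums cover
    these addresses via the pseudo-header and need fixing too (not done here); ICMP is unaffected."""
    ihl = (pkt[0] & 0xF) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = src.packed
    hdr[16:20] = dst.packed
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

class VirtualAddressTable:
    """One host's private view of the VPN: each friend gets a virtual IP from a local pool when
    discovered, so hosts need no coordination and the pool only has to cover a user's friends."""
    def __init__(self, own_name, own_node, pool="172.31.0.0/24"):
        self._free = ipaddress.ip_network(pool).hosts()
        self.own_name, self.own_node, self.own_ip = own_name, own_node, next(self._free)
        self.name_to_ip = {own_name: self.own_ip}
        self.ip_to_node, self.node_to_ip = {}, {}

    def add_friend(self, name, node):
        """Called when the social network hands over a friend's node address."""
        try:
            ip = next(self._free)
        except StopIteration:
            raise RuntimeError("virtual address pool exhausted") from None
        self.name_to_ip[name], self.ip_to_node[ip], self.node_to_ip[node] = ip, node, ip
        return ip

    def resolve(self, qname):
        """Stand-in for the loop-back DNS server: '<friend>.svpn' -> virtual IP, else None."""
        name, _, suffix = qname.partition(".")
        return self.name_to_ip.get(name) if suffix == "svpn" else None

def encapsulate(table, pkt):
    """Egress: a packet read from the TUN device becomes an overlay message for the friend's
    node. Destinations with no friend mapping are dropped (None)."""
    node = table.ip_to_node.get(parse_ipv4(pkt)["dst"])
    return None if node is None else node + pkt

def decapsulate(table, sender_node, msg):
    """Ingress: confirm the message is ours, then rewrite addresses into the local view
    (sender's alias as source, our own address as destination) before injection."""
    if msg[:NODE_LEN] != table.own_node:
        raise ValueError("overlay message not addressed to this node")
    return rewrite_addresses(msg[NODE_LEN:], table.node_to_ip[sender_node], table.own_ip)

def open_tun(name="svpn0"):
    """Linux TUN device (needs CAP_NET_ADMIN); not exercised by the offline demo.
    os.read(fd, 65535) then returns one raw IP packet and os.write(fd, pkt) injects one."""
    import fcntl, os
    TUNSETIFF, IFF_TUN, IFF_NO_PI = 0x400454CA, 0x0001, 0x1000
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI))
    return fd

def demo():
    """Alice pings bob.svpn; both hosts use the same pool yet hold different views."""
    alice_node, bob_node = b"\xaa" * NODE_LEN, b"\xbb" * NODE_LEN
    alice, bob = VirtualAddressTable("alice", alice_node), VirtualAddressTable("bob", bob_node)
    alice.add_friend("bob", bob_node)
    bob.add_friend("alice", alice_node)
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"svpn"  # constructed ICMP echo; checksum left 0, not validated here
    out = build_ipv4(alice.own_ip, alice.resolve("bob.svpn"), 1, echo)
    received = decapsulate(bob, alice_node, encapsulate(alice, out))
    return parse_ipv4(received)
```

Calling demo() shows the property that per-host address translation buys: Alice and Bob both draw from the same pool and both call themselves 172.31.0.1, yet the packet Alice sends to bob.svpn is injected at Bob with source 172.31.0.2, Bob's local alias for Alice, and destination 172.31.0.1. TCP and UDP checksums cover the IP addresses through the pseudo-header, so a real translator must also fix those up; the demo carries ICMP, which is unaffected.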

Related Research Articles

Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table and speeding traffic flows. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS can encapsulate packets of various network protocols, hence the "multiprotocol" reference in its name. MPLS supports a range of access technologies, including T1/E1, ATM, Frame Relay, and DSL.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data sent over an internet protocol network. It is used in virtual private networks (VPNs).

In computing, Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication ‒ either pre-shared or distributed using DNS ‒ and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be manually maintained.

GNUnet is a software framework for decentralized, peer-to-peer networking and an official GNU package. The framework offers link encryption, peer discovery, resource allocation, communication over many transports and various basic peer-to-peer algorithms for routing, multicast and network size estimation.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.

An anonymous P2P communication system is a peer-to-peer distributed application in which the nodes, which are used to share resources, or participants are anonymous or pseudonymous. Anonymity of participants is usually achieved by special routing overlay networks that hide the physical location of each node from other participants.

In telecommunications networks, a node is either a redistribution point or a communication endpoint. The definition of a node depends on the network and protocol layer referred to. A physical network node is an active electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communications channel. A passive distribution point such as a distribution frame or patch panel is consequently not a node.

In computer networks, a tunneling protocol is a communications protocol that allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network, such as the Internet, through a process called encapsulation. A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4. Another important use is to provide services that are impractical or unsafe to be offered using only the underlying network services, such as providing a corporate network address to a remote user whose physical network address is not part of the corporate network. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, it can hide the nature of the traffic that is run through a tunnel.

LogMeIn Hamachi is a virtual private network (VPN) application written by Alex Pankratov in 2004. It is capable of establishing direct links between computers that are behind Network address translation ("NAT") firewalls without requiring reconfiguration; in other words, it establishes a connection over the Internet that emulates the connection that would exist if the computers were connected over a local area network ("LAN").

A computer network is a digital telecommunications network which allows nodes to share resources. In computer networks, computing devices exchange data with each other using connections between nodes. These data links are established over cable media such as wires or optic cables, or wireless media such as Wi-Fi.

Hole punching is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish direct connection; as a result of the connections using valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side.

The Secure Real-Time Media Flow Protocol (RTMFP) is a protocol suite developed by Adobe Systems for encrypted, efficient multimedia delivery through both client-server and peer-to-peer models over the Internet. The protocol was originally proprietary, but was later opened up and is now published as RFC 7016.

Locator/ID Separation Protocol (LISP) is a "map-and-encapsulate" protocol which is developed by the Internet Engineering Task Force LISP Working Group. The basic idea behind the separation is that the Internet architecture combines two functions, routing locators and identifiers in one number space: the IP address. LISP supports the separation of the IPv4 and IPv6 address space following a network-based map-and-encapsulate scheme. In LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a MAC address.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.

VPN blocking is a technique used to block the encrypted protocol tunneling communications methods used by virtual private network (VPN) systems. Often used by large organizations such as national governments or corporations, it can act as a tool for computer security or Internet censorship by preventing the use of VPNs to bypass network firewall systems.

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

IPOP (IP-Over-P2P) is an open-source user-centric software virtual network allowing end users to define and create their own virtual private networks (VPNs). IPOP virtual networks provide end-to-end tunneling of IP or Ethernet over “TinCan” links setup and managed through a control API to create various software-defined VPN overlays.

References

  1. R. Figueiredo, P. O. Boykin, P. St. Juste, D. Wolinsky, "SocialVPNs: Integrating Overlay and Social Networks for Seamless P2P Networking", in Proceedings of IEEE WETICE/COPS, Rome, Italy, June 2008.
  2. Microsoft TechNet, "How VPN Works".
  3. Best Social VPN. "Social vpn review".
  4. Unmanaged Internet Architecture
  5. Bryan Ford, Jacob Strauss, Chris Lesniewski-Laas, Sean Rhea, Frans Kaashoek, and Robert Morris, "Persistent Personal Names for Globally Connected Mobile Devices", in Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI '06), Seattle, WA, November 2006.
  6. Lucas Gonze "Friendnet", blog entry (2002-12-15). Retrieved on 2008-09-23.
  7. LogMeIn Hamachi Security Architecture. Archived 2007-09-27 at Archive.is.