From Tanenbaum's Computer Network
This demand soon led to the invention of VPNs (Virtual Private Networks),
which are overlay networks on top of public networks but with most of the properties of private networks.One popular approach is to build VPNs directly over the Internet. A
common design is to equip each office with a firewall and create
tunnels through the Internet between all pairs of offices. … When
the system is brought up, each pair of firewalls has to negotiate the
parameters of its SA, including the services, modes, algorithms, and
keys. If IPsec is used for the tunneling, it is possible to aggregate
all traffic between any two pairs of offices onto a single
authenticated, encrypted SA, thus providing in- tegrity control,
secrecy, and even considerable immunity to traffic analysis. Many
firewalls have VPN capabilities built in. Some ordinary routers can do
this as well, but since firewalls are primarily in the security
business, it is natural to have the tunnels begin and end at the
firewalls, providing a clear separation between the company and the
Internet. Thus, firewalls, VPNs, and IPsec with ESP in tunnel mode are
a natural combination and widely used in practice. Once the SAs have
been established, traffic can begin flowing. To a router within the
Internet, a packet traveling along a VPN tunnel is just an ordinary
packet. The only thing unusual about it is the presence of the IPsec
header after the IP header, but since these extra headers have no
effect on the forwarding process, the routers do not care about this
extra header.Another approach that is gaining popularity is to have the ISP set up
the VPN. Using MPLS (as discussed in Chap. 5), paths for the VPN
traffic can be set up across the ISP network between the company
offices. These paths keep the VPN traffic separate from other Internet
traffic and can be guaranteed a certain amount of bandwidth or other
quality of service.
-
Is VPN a layer 3 or 5 concept? (seems to me yes?)
-
Do both approaches in the quote to build VPNs are layer 3
approaches? (Seems to me yes, because the technologies involved to built VPNs seem to be layer 3) -
Does openvpn use the server-client model and therefore a layer
5 approach to build VPNs? How do a openvpn server and client work
together to build a VPN? I can't figure it out based on the two
approaches in the book. -
Similar questions for SSH VPN to those for openvpn.
Thanks.
Best Answer
There are layer-2 and layer-3 VPNs. "VPN" is a term used for a tunnel combined with encryption.
A tunneling interface encapsulates an inner packet (or frame) in an outer packet. This inner packet is then transported to the far tunnel end, according to the outer packet, and decapsulated again. For the inner packet the tunnel looks like a direct connection, regardless of the path of the outer packet.
Tunneling somewhat defies the strict OSI layering. Usually, layer-3 packets are tunneled over layer 3 (IPsec) or layer 4 (TCP or UDP). An L3 tunnel routes between two networks.
When layer-2 frames are tunneled, the networks are bridged together.
OpenVPN uses SSL VPN over UDP or TCP (layer 4) with SSL encryption. It can tunnel either L2 or L3. SSH has an inherent tunneling mechanism for arbitrary connections including port forwarding.
[edit] Note that we're using OSI layer numbers here (as far as applicable), so your "layer 5" application layer is usually refered to as layer 7.