How does the Cisco AnyConnect SSL VPN client work?

For my work I use the Cisco AnyConnect VPN client on a Mac, which to my understanding is an SSL VPN.

When I am connected to the VPN I see that the default route on the Mac gets changed to point to a tunnel interface.

I am trying to understand the internals of how the AnyConnect VPN client works, what the significance of the tunnel interface is in this process, and how it helps steer the required traffic through the TLS connection that has been set up with the VPN gateway.

I understand most SSL VPN clients/servers operate in a similar manner. If there is any good resource for understanding the network-level setup and packet flow of SSL VPN clients, that would be very helpful.

Thanks.

When an application creates an IP packet it fills in the destination IP address and hands it over to the kernel for delivery. The kernel will perform a route lookup for the destination address and will find out that it should be handed over to the tunnel interface for further processing. It will also fill in the source address (if it's not already set) according to its source address selection algorithm, which is normally your local tunnel endpoint address.

Behind that tunnel interface your VPN application is listening. When it receives traffic it creates a new UDP packet (payload = the received packet), encrypts it and places it into a new IP packet. The source IP address is empty again. The destination IP address is the VPN server. Then it hands the packet over to the kernel again for further delivery.

The kernel does a routing table lookup again, finds the route towards the VPN server over the regular network interface, fills in your LAN IP address (because that's what its source address selection algorithm spat out) as the source address and routes it out of your LAN interface, where it travels from router to router until it reaches the VPN server.

Traffic from the VPN server is processed in reverse order.

The tunnel interface is basically an encryption engine. It's a virtual network adapter that encrypts the payload and re-encapsulates the packets with new headers, then hands the packet off to the physical adapter to put on the wire.

Basically the reverse is happening on the other side: the VPN server takes the packet, strips the new header, decrypts the payload, and puts the original packet back on the wire on the internal side of the network.
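To make the two route lookups and the encapsulation step described in both answers above concrete, here is an added Python simulation (not from the page, Cisco, or any VPN product): a longest-prefix-match routing table with the default route on the tunnel adapter, a host route for the VPN server on the LAN adapter, source address selection from the egress interface, and a toy XOR standing in for TLS/DTLS. All addresses, interface names and the key are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    dst: str
    payload: bytes
    src: str = None  # None = left empty for the kernel to fill in

# Constructed routing table and addresses (not from a real AnyConnect session).
# utun0 is the tunnel adapter, en0 the physical LAN adapter.
IFACE_ADDR = {"utun0": "10.8.0.2", "en0": "192.168.1.50"}
VPN_SERVER = "203.0.113.10"
ROUTES = [
    ("0.0.0.0/0", "utun0"),       # default route now points at the tunnel
    (VPN_SERVER + "/32", "en0"),  # host route: outer packets still leave via the LAN
    ("192.168.1.0/24", "en0"),    # local LAN
]

def lookup(dst):
    """Kernel route lookup: longest-prefix match, returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), i) for p, i in ROUTES if addr in ipaddress.ip_network(p)]
    return max(nets, key=lambda n: n[0].prefixlen)[1]

def kernel_send(pkt):
    """Route the packet; fill in the source address from the egress interface if empty."""
    iface = lookup(pkt.dst)
    if pkt.src is None:
        pkt.src = IFACE_ADDR[iface]
    return iface, pkt

def tunnel_encapsulate(inner, key):
    """VPN client behind utun0: encrypt the whole inner packet and wrap it in a new
    (UDP) packet addressed to the VPN server, source address left empty again."""
    clear = f"{inner.src}>{inner.dst}\n".encode() + inner.payload
    cipher = bytes(b ^ key for b in clear)  # toy XOR stands in for TLS/DTLS
    return Packet(dst=VPN_SERVER, payload=cipher)

def server_decapsulate(outer, key):
    """VPN server: strip the outer header, decrypt, recover the original packet."""
    clear = bytes(b ^ key for b in outer.payload)
    header, payload = clear.split(b"\n", 1)
    src, dst = header.decode().split(">")
    return Packet(dst=dst, payload=payload, src=src)

def send_through_vpn(dst, payload, key=0x5A):
    """Client path: app packet -> lookup 1 -> utun0 -> encapsulate -> lookup 2 -> en0."""
    first_if, inner = kernel_send(Packet(dst=dst, payload=payload))
    outer = tunnel_encapsulate(inner, key)
    second_if, outer = kernel_send(outer)
    return first_if, inner, second_if, outer
```

Note the /32 host route for the VPN server: without it the outer packets would themselves match the default route and be fed back into the tunnel.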

Thanks. Do all SSL VPN applications send the client/inner packet over UDP using Datagram TLS?

I only know OpenVPN in depth. There you can choose whether you want a UDP or TCP based transport. Apparently AnyConnect can also use both.

Is there any info available on the pros/cons of using TCP vs UDP for the SSL VPN?

My understanding is that TCP over TCP has a bunch of complications because of retransmissions etc. I guess that would apply in this case as well and thus make UDP the preferred option?