Want to implement a VPN for just one application

bratao · Feb 12, 2011 · Viewed 13.7k times

I am looking to add VPN support to my software.

I know PPTP and OpenVPN; both make a system-wide binding, installing a TAP driver so that all applications route their traffic through them.

How could I implement VPN support for just my application? Is there any library, example, hint or way to do it?

My software is currently written in C++/MFC, using the standard CAsyncSocket.

Answer

thkala · Feb 19, 2011

Forwarding incoming connections to your application is relatively easy:

  • stunnel allows you to forward traffic to specific ports through an SSL tunnel. It requires that you run it on both ends, though.

  • Most decent SSH clients, such as OpenSSH or PuTTY also support port forwarding, with the added advantage that any remote SSH server can usually act as the other end of the tunnel without any modifications.

  • You can also use OpenVPN and other VPN solutions, but this requires specific forwarding rules to be added to the remote server.

Forwarding outgoing connections, though, is trickier without modifying your application. The proper way to do it is to implement the SOCKS protocol, preferably SOCKS5. Alternatively, you can use an external application, such as FreeCap, to redirect any connections from your application.

After you do that, you can forward your connections to any SOCKS server. Most SSH clients, for example, allow you to use the SOCKS protocol to route outgoing connections through the remote server.

As a side note, OpenVPN servers do not necessarily become the default gateway for all your traffic. Some do push such a route table entry to the clients, but it can be changed. In my own OpenVPN setup I only use the VPN to access the private network and do not route everything through it.

If you can force your application to bind all outgoing sockets to one or more specific ports, you could use IP filtering rules on your system to route any connections from those ports through the VPN.

EDIT:

Tunneling UDP packets is somewhat more difficult. Typically you need a proxy process on both the remote server and the local client that will tunnel incoming and outgoing connections through a persistent TCP connection.

Your best bet would be a full SOCKS5 client implementation in your application, including the UDP-ASSOCIATE command for UDP packets. Then you will have to find a SOCKS5 proxy that supports tunnelling.

I have occasionally used Delegate which seems to be the Swiss pocket-knife of proxies. As far as I know, it supports the UDP-ASSOCIATE command in its SOCKS5 implementation and it also supports connecting two Delegate processes through a TCP connection. It is also available for both Linux and Windows. I don't remember if it can also encrypt that TCP connection, but you could always tunnel that one through stunnel or SSH if you need to.

If you have system administrator rights on a remote VPN server, however, you could probably have a simpler set-up:

  • Have your P2P application bind its outgoing UDP sockets to the client VPN interface. You may need to set up a secondary default route for that interface. This way your application's outgoing packets will go through the remote server.

  • Have the remote server forward incoming UDP packets to specific ports through the VPN connection back to you.

This should be a simpler set-up, although if you really care about anonymity you might be interested in ensuring your P2P application does not leak DNS or other requests that can be tracked.
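The SOCKS5 (RFC 1928) client messages the answer recommends implementing, as an added example that is not code from the original post: it encodes the method greeting and the CONNECT / UDP ASSOCIATE request (with a domain-name target, so the proxy resolves the name and the client performs no local DNS lookup) and decodes the server reply; sending the bytes over the application's own socket (e.g. CAsyncSocket::Send) is left to the caller, and only the "no authentication" method is offered.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Client-side SOCKS5 message encoding/decoding, "no auth" method only.
namespace socks5 {

enum Cmd : uint8_t { CONNECT = 0x01, BIND = 0x02, UDP_ASSOCIATE = 0x03 };

// Step 1: version identifier / method selection; we offer only NO AUTH (0x00).
inline std::vector<uint8_t> greeting() { return {0x05, 0x01, 0x00}; }

// Server answers with VER METHOD; 0xFF means it rejected every offered method.
inline bool greeting_accepted(const std::vector<uint8_t>& r) {
    return r.size() == 2 && r[0] == 0x05 && r[1] == 0x00;
}

// Step 2: request with a domain-name target (ATYP 0x03), length-prefixed.
inline std::vector<uint8_t> request(Cmd cmd, const std::string& host, uint16_t port) {
    if (host.empty() || host.size() > 255) throw std::invalid_argument("bad host length");
    std::vector<uint8_t> m = {0x05, cmd, 0x00, 0x03, static_cast<uint8_t>(host.size())};
    m.insert(m.end(), host.begin(), host.end());
    m.push_back(static_cast<uint8_t>(port >> 8));   // port is big-endian on the wire
    m.push_back(static_cast<uint8_t>(port & 0xFF));
    return m;
}

// Decoded reply: REP status (0x00 = succeeded) plus BND.ADDR/BND.PORT. For
// UDP ASSOCIATE that address is the relay endpoint UDP datagrams must be sent to.
struct Reply { uint8_t status; uint8_t atyp; std::vector<uint8_t> addr; uint16_t port; };

inline Reply parse_reply(const std::vector<uint8_t>& r) {
    if (r.size() < 4 || r[0] != 0x05 || r[2] != 0x00)
        throw std::runtime_error("malformed SOCKS5 reply");
    size_t alen;
    if (r[3] == 0x01) alen = 4;                                // IPv4
    else if (r[3] == 0x04) alen = 16;                          // IPv6
    else if (r[3] == 0x03 && r.size() >= 5) alen = 1 + r[4];   // domain name
    else throw std::runtime_error("unknown address type");
    if (r.size() != 4 + alen + 2) throw std::runtime_error("bad reply length");
    Reply out{r[1], r[3], std::vector<uint8_t>(r.begin() + 4, r.begin() + 4 + alen), 0};
    out.port = static_cast<uint16_t>((r[4 + alen] << 8) | r[5 + alen]);
    return out;
}

}  // namespace socks5
```

A non-zero `status` in the reply must be treated as a failed connection, and for UDP ASSOCIATE the TCP control connection has to stay open for as long as the UDP relay is in use.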