VPN for mobile devices at the network level | ProHoster (2024)

The Russian-language Internet (Runet) still has surprisingly little material on mobile VPN (virtual private network), a technology that is old and simple but convenient, secure, and especially relevant given the growth of the Internet of Things. In this article, I will describe how and why you can give any device with a SIM card access to your private network without configuring specialized software on it.

Tasks and restrictions

To begin with, I will answer the question “why?”. VPN as a technology solves a variety of network problems that share one feature: isolated data transfer between two devices across a large number of intermediate nodes. More complex solutions are built on this basis to address those different tasks. In the familiar case, a VPN is built on a fixed-line operator's network (for those interested, there is excellent material on this) or with various network protocols (GRE, IPSec, L2TP and others; the same author covers these) and the software products that work with them (Cisco AnyConnect, OpenVPN, TOR; you know them yourself). But using them on a specific end device immediately imposes a number of requirements on it, and failing to meet them leads to certain restrictions.

The first serious limitation is that the device must support at least one of these protocols at the hardware and software levels. Usually this comes down to software, which is easy to find for a laptop or smartphone, but sometimes the device in question is too simple in hardware terms, or its software is limited: a water meter wants to use a VPN to transmit its lone byte of readings once a month no less than you want to use a VPN to edit your LinkedIn profile.

Another important limitation is the need for configuration. It applies both to the "dumb" devices from the first point and to classic smartphones and computers, which are not affected by the previous limitation. With the former, everything is relatively simple and comes down to the time spent on setup; with the latter, there are complications. Organizations often use VPNs for security purposes, to prevent a business endpoint from accessing a public network without proper corporate protection or from transmitting service data over public channels. End users may, for their own reasons, disable the VPN or forget to enable it, leaving many of the company's security systems bypassed.

Both of these restrictions are easily removed if VPN access is provided at the network level. In the case of mobile communications, this can be implemented using a "mobile VPN". A device of any complexity that is capable of transmitting data will transmit it to the correct network. Whatever settings are made on the device, a properly configured network will deliver its data to the right place and nowhere else.

And as a nice bonus, the device will receive an address from the internal network, configured remotely, and it will be possible to access it only from within this network (or physically). For a certain class of devices, this is very important.

How it works

PS Core

VPN is a classic service that every telecom operator offers to the B2B segment, so why focus on it here? The answer lies in how the data network is arranged for devices connected via GPRS, HSPA, LTE or another mobile communication technology. There are no VLANs familiar to every network administrator, no switches, and not even routers in the usual sense. Instead there is a radio access network (RAN) and a packet core (PS Core).

A simplified diagram of a mobile operator's packet network. It is slightly different for LTE, but the general meaning remains the same.

In general, each device with a SIM card registered in the packet network (that is, one that has passed the GPRS attach procedure or similar) must, before transferring data anywhere, initiate the creation of a data transfer session (PDP context) on the packet core router, the GGSN. The details and purpose of these processes are very nicely described here in this article. What is important for us: the session initiation request to the GGSN contains, among others, parameters that many have seen in their phones or dealt with when setting up, for example, USB modems. These are three fields: APN, login and password. The APN (access point name) is a very important entity in the logic of the GGSN: depending on which APN the session is initiated on, the GGSN acts differently. After successfully processing the user's request, the GGSN must activate a data transfer session and inform the device of its parameters, in particular the IP address issued to the device and the DNS addresses. There are a number of very important features here:

  • In a session initiation request, the device never specifies which IP address it would like to receive;
  • In addition to the “APN”, “login” and “password” fields specified in the device settings, the request to the GGSN also carries the subscriber's phone number (MSISDN). Hereinafter, the “subscriber” is the end user, one device with a SIM card, and the “client” is the organization that orders the service and to which the subscribers belong;
  • When a session is activated, the GGSN creates a new IP address entry in its routing table. All subscribers on the GGSN are identified by routing table entries with the /32 prefix, i.e. one subscriber, one entry in the table. The GGSN is a very capable router;
  • The operator's network can change the APN field in the session initiation request at different stages (both on the SGSN and on the GGSN) for various reasons. In some cases this reduces, and in others completely eliminates, the network settings needed on devices with a SIM card.

The first three points immediately raise the question: what kind of IP address is issued to the subscriber?
This is determined by the settings of the APN on which the session activation request arrived. About 99% of data users in mobile networks use regular Internet access. These are the familiar access points internet.mts.ru, internet.beeline.ru and so on. In the case of Internet access, the GGSN issues addresses on the classic DHCP principle from the private ("gray") subnets specified in its settings. When traffic leaves for the public network, these addresses are hidden behind classic NAT (more precisely, its PAT variant).

But the GGSN is capable of more. To select an IP address, it can make an AAA request to an authorization server (Radius, for example). This logic is configured per APN depending on its purpose. The simplest case is the service of providing a permanent public IP address. Such addresses are, as a rule, assigned to subscribers in the operator's billing system (BSS) and, depending on the IT architecture, end up in one database or another, which the GGSN then queries. Because the GGSN knows the subscriber's MSISDN (phone number), which is contained in the request, such a database can be quite simple and contain only pairs of numbers and addresses. Additionally, if the client plans to use one SIM card to connect several devices (for example, if the SIM card sits in the WiFi router of a remote office), this table may also contain the so-called "framed route": the prefix of the network located "behind" the SIM card, which will be announced to all devices on the network using dynamic routing protocols.
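The address selection described above can be modelled in a few lines. This is an added illustration, not operator or vendor code: the `Ggsn` class, the `.example` APN names, the MSISDNs and the prefixes are all constructed, and the AAA server is reduced to an in-memory table.

```python
import ipaddress

# Constructed sample configuration: APN names, MSISDNs and prefixes are illustrative.
APNS = {
    "internet.example": {"mode": "pool", "pool": "10.64.0.0/29"},  # dynamic gray addresses
    "vpn.client-a.example": {"mode": "aaa"},                       # addresses come from AAA
}
# Per-APN AAA table: MSISDN -> (static address, framed route behind the SIM or None).
# In RADIUS terms these would be the Framed-IP-Address and Framed-Route attributes.
AAA_DB = {
    "vpn.client-a.example": {
        "70000000001": ("172.16.10.5", None),
        "70000000002": ("172.16.10.6", "192.168.50.0/24"),
    },
}


class Ggsn:
    """Toy model of session activation: the network, not the device, picks the address."""

    def __init__(self):
        self.routes = {}  # prefix -> MSISDN, one /32 entry per active subscriber
        self.pools = {
            apn: iter(ipaddress.ip_network(cfg["pool"]).hosts())
            for apn, cfg in APNS.items() if cfg["mode"] == "pool"
        }

    def activate(self, apn, msisdn):
        """Handle a session request; the request carries no preferred IP address."""
        cfg = APNS.get(apn)
        if cfg is None:
            raise LookupError(f"unknown APN {apn!r}")
        if cfg["mode"] == "pool":
            ip, framed = str(next(self.pools[apn])), None
        else:
            record = AAA_DB[apn].get(msisdn)
            if record is None:  # SIM is not provisioned for this client's VPN
                raise PermissionError(f"{msisdn} not allowed on {apn}")
            ip, framed = record
        self.routes[f"{ip}/32"] = msisdn
        if framed:
            self.routes[framed] = msisdn  # network "behind" the SIM card
        return {"ip": ip, "framed_route": framed}


if __name__ == "__main__":
    g = Ggsn()
    print(g.activate("vpn.client-a.example", "70000000002"))
    print(g.routes)
```

A SIM whose MSISDN is not in the client's table is rejected on the VPN APN, which is the isolation property the article relies on.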

Not GGSN alone

In addition to issuing addresses, subscriber traffic also has to be delivered to the client networks, each to its own. Here everything works much more traditionally. On the GGSN, traffic for APNs dedicated to VPN is routed to a separate router in the operator's network (it goes by different names, sometimes "VPN router"), which in turn acts as a classic PE in the L3VPN scheme. It adds the necessary labels and headers and sends the traffic through the transport network routers to pre-configured interconnects or tunnels to the client's network. This part has been described many times elsewhere, so I will not dwell on it in this material.

Given all these details, there can be several ways to organize a mobile VPN, and they will differ from each other by a combination of the following features:

  • IP addresses, as already described, can be issued dynamically (each time a different address from a given subnet) or statically (each time the same address for a specific subscriber), which is determined by the APN settings and/or the Radius server settings;
  • IP addresses can be issued by the Radius server under the control of the operator or under the control of the client;
  • Devices connected to a mobile VPN can interact either only with each other, or have access to the client's regular L3VPN network through a direct interface (VPN port) with the operator or through tunneling over the Internet;
  • In some cases, the use of a login and password for successful session activation may be mandatory, and sometimes it is not even required to fill in the “APN” field.

There are several dozen such combinations, differing in the type of tunneling, in traffic balancing between the access channels to the client's "main" VPN, and in the principle of issuing addresses. For most cases, the general scheme looks like this:
[Figure: general scheme of a mobile VPN]

As a result, after a fairly quick process of registering on the network and obtaining an IP address, the device gains access to the client's network, and the client's network gains access to the device. At the same time, the subscriber is isolated from all of the operator's other subscribers that do not belong to that client, needs no additional settings, and has all of its traffic sent unconditionally to the client's network, where it is processed in accordance with the client's internal policies.

Source: habr.com


FAQs

Is there a 100% free VPN for Android? ›

Yes – ProtonVPN is a completely free Android VPN that you can use for as long as you like. It offers unlimited data and servers in 3 locations.

How can VPN be implemented within a network? ›

Additionally, a VPN service can be implemented by combining a high-performance multi-core processor platform and a field programmable gate array (FPGA) platform. This allows for the setup of a high-performance IPSec tunnel and processing of data packets, improving the performance of the VPN system.

Is there a free VPN that actually works? ›

Proton VPN's free tier is secure and doesn't put limits on speed, data or usage time like most other free VPNs do. Additionally, Proton VPN doesn't track you or serve you ads like other free VPNs do. We were even able to access Netflix using Proton VPN's free servers.

What is a network VPN? ›

A VPN, which stands for virtual private network, establishes a digital connection between your computer and a remote server owned by a VPN provider, creating a point-to-point tunnel that encrypts your personal data, masks your IP address, and lets you sidestep website blocks and firewalls on the internet.

What is the best free VPN for Android without payment? ›

The best completely free VPN for Android is Proton VPN. The free VPN delivered high levels of internet privacy and security in our tests, as well as excellent speeds connecting to its free servers. Unlike other safe free VPNs, Proton VPN allows unlimited bandwidth, and there is no requirement to submit payment details.

How can I add VPN to my Android for free? ›

  1. Open your device's Settings app.
  2. Tap Network & internet. VPN. If you can't find it, search for "VPN." If you still can't find it, get help from your device manufacturer.
  3. Tap the VPN you want.
  4. Enter your username and password.
  5. Tap Connect. If you use a VPN app, the app opens.

Can a network block you from using VPN? ›

It is possible for a firewall to block certain ports, specifically ones that VPNs use. If your data travels through one of the blocked ports, the firewall will not allow it to pass through, preventing you from communicating using your VPN.

Can VPN be tracked? ›

Can you be tracked with a VPN? You can't be tracked using a VPN because it encrypts your data. As a result, your ISP or bad actors can't get any information out of your traffic. They only see the VPN server's IP address, while your real IP and online activities stay hidden.

How does VPN work in mobile? ›

VPNs allow devices that aren't physically on a network to securely access the network. Android includes a built-in (PPTP, L2TP/IPSec, and IPSec) VPN client. Devices running Android 4.0 and later also support VPN apps.

Can a free VPN be hacked? ›

If you use a VPN with one of the outdated protocols, you're putting your sensitive information at risk. Thankfully, they're not used by any premium VPN providers, but some free VPNs still utilize the likes of PPTP or L2TP, which partly contributes to the large number of data leaks from free VPNs.

Are free VPNs useless? ›

If you've ever tried to use a free VPN you've probably noticed it didn't work very well (more than two-thirds of free VPN users report performance issues). Free VPNs are highly ineffective at bypassing content restrictions, but they also often expose users to privacy and security risks they're meant to protect against.

What is the most trusted free VPN app? ›

A Closer Look at the Best Free VPNs of 2024
  • NordVPN - Best Full-Featured VPN with Free Offers. Editors Rating: 9.7 /10.
  • Surfshark - Best VPN Free Trial. Editors Rating: 9.5 /10.
  • Hotspot Shield - Fastest Free VPN. Editors Rating: 8.9 /10.
  • PrivadoVPN - Best Free VPN for Unlimited Devices. Editors Rating: 9.0 /10.

Should I use a VPN on my mobile network? ›

Yes, You Should! A VPN (virtual private network) is a service that provides a secure Internet connection by using private servers in remote locations.

Should I use a VPN on my phone? ›

It makes you more secure.

(Think of your data and information traveling through a tunnel that no one else can use or see into.) In that way, a VPN makes all kinds of online activities more secure—like banking, shopping, and checking up on your finances.

How can I tell if there is a VPN on my network? ›

To see if you're using a proxy/VPN online, go to www.whatismyproxy.com. It will say if you're connected to a proxy or not. PC: Check under your WiFi settings, to see if there is a VPN/proxy showing up. Mac: Check your top status bar.

Which VPN is 100% free? ›

The best completely free VPN is Proton VPN Free. It's very fast, highly secure, doesn't track user web logs, and doesn't limit data usage. Sadly, it only offers free servers in 3 countries, which don't bypass streaming geo-restrictions.

Which is the unlimited free VPN? ›

While most free VPNs impose caps, Proton VPN is a 100% free VPN that offers unlimited monthly data.

Does Android have built-in VPN? ›

Android includes a built-in (PPTP, L2TP/IPSec, and IPSec) VPN client.

Is there a 100% free VPN Proton VPN? ›

Proton VPN has one of the most attractive free options we've seen from any VPN. Without paying anything at all, you can get an ad-free VPN with no data logging and no bandwidth limits.


Author: Arielle Torp
