added empty chapter for structure
@@ -97,25 +97,64 @@ rather than systematic evaluation.
This observation revealed a clear need for rigorous,
evidence-based comparison of peer-to-peer overlay VPN implementations.

Existing research on this topic remains sparse.
One notable work from 2024, ``Full-mesh VPN performance evaluation
for a secure edge-cloud continuum'' \cite{kjorveziroski_full-mesh_2024},
benchmarks a subset of mesh VPNs but focuses primarily
on solutions with a central point of failure.
In contrast, this thesis evaluates more widely adopted mesh VPNs
with an emphasis on fully decentralized architectures.
Furthermore, that study relied exclusively on iperf3 for performance
measurement,
whereas our benchmark suite includes real-world workloads
to better reflect practical usage patterns.
\subsection{Related Work}

A further motivation was to create a fully automated benchmarking framework
capable of generating a public leaderboard,
similar in spirit to the js-framework-benchmark
(see Figure~\ref{fig:js-framework-benchmark}).
By providing an accessible web interface with regularly updated results,
we hope to encourage P2P VPN developers to optimize their implementations
in pursuit of top rankings.
Existing research offers only partial coverage of this space.
Lackorzynski et al.\ \cite{lackorzynski_comparative_2019} benchmark
OpenVPN, IPSec, Tinc, Freelan, MACsec, and WireGuard in the context
of industrial communication systems, measuring point-to-point
throughput, latency, and CPU overhead. Their work does not address
overlay network behavior such as NAT traversal or dynamic peer discovery.
The most closely related study by Kjorveziroski et al.\
\cite{kjorveziroski_full-mesh_2024} evaluates full-mesh VPN solutions
for distributed systems, analyzing throughput, reliability under packet
loss, and relay behavior for VPNs including ZeroTier. However, it
focuses primarily on solutions with a central point of failure and
limits its workloads to synthetic iperf3 tests. This thesis extends
that foundation by evaluating a broader set of VPN implementations
with emphasis on fully decentralized architectures, exercising them
under real-world workloads such as video streaming and package
downloads, applying multiple network impairment profiles, and
providing a fully reproducible experimental framework built on
Nix, NixOS, and Clan.

Beyond filling this research gap, a further goal was to create a fully
automated benchmarking framework capable of generating a public
leaderboard, similar in spirit to the js-framework-benchmark
(see Figure~\ref{fig:js-framework-benchmark}). By providing an
accessible web interface with regularly updated results, we hope to
encourage P2P VPN developers to optimize their implementations in
pursuit of top rankings.

\section{Research Contribution}

This thesis makes the following contributions:

\begin{enumerate}
\item A comprehensive benchmark of ten peer-to-peer VPN
implementations across seven workloads. Including real-world
video streaming and package downloads; and four network
impairment profiles, producing over 300 unique measurements.
\item A source code analysis of all ten VPN implementations,
combining manual code review with LLM-assisted analysis,
followed by verification through direct engagement with the
respective maintainers on GitHub.
\item A fully reproducible experimental framework built on
Nix, NixOS, and the Clan deployment system, with pinned
dependencies, declarative system configuration, and
deterministic cryptographic material generation, enabling
independent replication of all results.
\item A performance analysis demonstrating that Tailscale
outperforms the Linux kernel's default networking stack under
degraded conditions, and that kernel parameter tuning; Reno
congestion control in place of CUBIC, with RACK
disabled; yields measurable throughput improvements.
\item The discovery of several security vulnerabilities across
the evaluated VPN implementations.
\item An automated benchmarking framework designed for public
leaderboard generation, intended to encourage ongoing
optimization by VPN developers.
\end{enumerate}

\begin{figure}[H]
\centering
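Review bot: the punctuation in the new `Research Contribution` enumerate breaks two of the items. Item 1 reads "across seven workloads. Including real-world video streaming and package downloads; and four network impairment profiles", which leaves "Including ..." as a sentence fragment; suggest "across seven workloads, including real-world video streaming and package downloads, and four network impairment profiles". Item 4 uses semicolons as parentheses in "kernel parameter tuning; Reno congestion control in place of CUBIC, with RACK disabled; yields"; suggest "kernel parameter tuning (Reno congestion control in place of CUBIC, with RACK disabled) yields". Two further points in this hunk: the leaderboard paragraph beginning "A further motivation was to create a fully automated benchmarking framework" and the one beginning "Beyond filling this research gap, a further goal was to create a fully automated benchmarking framework" say the same thing, so only one copy should survive in the result; and the `\subsection{Related Work}` heading sits directly above that leaderboard paragraph rather than above the Lackorzynski/Kjorveziroski related-work text, so if the heading is kept it should move down to where that text starts. Finally, `\begin{figure}[H]` needs the `float` package; confirm it is loaded in the preamble.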
@@ -190,65 +229,3 @@ in pursuit of top rankings.
\label{fig:vision-stages}
\end{figure}

\section{Research Contribution}

This thesis makes the following contributions:

\begin{enumerate}
\item A comprehensive benchmark of ten peer-to-peer VPN
implementations across seven workloads. Including real-world
video streaming and package downloads; and four network
impairment profiles, producing over 300 unique measurements.
\item A source code analysis of all ten VPN implementations,
combining manual code review with LLM-assisted analysis,
followed by verification through direct engagement with the
respective maintainers on GitHub.
\item A fully reproducible experimental framework built on
Nix, NixOS, and the Clan deployment system, with pinned
dependencies, declarative system configuration, and
deterministic cryptographic material generation, enabling
independent replication of all results.
\item A performance analysis demonstrating that Tailscale
outperforms the Linux kernel's default networking stack under
degraded conditions, and that kernel parameter tuning; Reno
congestion control in place of CUBIC, with RACK
disabled; yields measurable throughput improvements.
\item The discovery of several security vulnerabilities across
the evaluated VPN implementations.
\item An automated benchmarking framework designed for public
leaderboard generation, intended to encourage ongoing
optimization by VPN developers.
\end{enumerate}

\section{Related Work}

\subsection{A Comparative Study on Virtual Private Networks}

Lackorzynski et al.\ \cite{lackorzynski_comparative_2019} evaluate
VPN protocols in the context of industrial communication systems (Industry 4.0),
benchmarking OpenVPN, IPSec, Tinc, Freelan, MACsec, and WireGuard.
Their analysis focuses on point-to-point protocol performance; throughput,
latency, and CPU overhead; rather than overlay network behavior.
In contrast, this thesis evaluates VPNs that provide a full data plane
with peer-to-peer connectivity, NAT traversal, and dynamic peer discovery.

\subsection{Full-Mesh VPN Performance Evaluation}

Kjorveziroski et al.\ \cite{kjorveziroski_full-mesh_2024} provide a
comprehensive evaluation of full-mesh VPN solutions for distributed
systems. Their benchmarks analyze throughput, reliability under packet
loss, and relay behavior for VPNs including ZeroTier.

This thesis extends their work in several ways:
\begin{itemize}
\item Broader VPN selection with emphasis on fully decentralized
architectures
\item Real-world workloads (video streaming, package downloads)
beyond synthetic iperf3 tests
\item Multiple impairment profiles to characterize behavior under
varying network conditions
\item Fully reproducible experimental framework via Nix/NixOS/Clan
\end{itemize}

\subsection{Performance Evaluation of TCP over QUIC Tunnels}
TODO \cite{guo_implementation_2025}

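Review bot: the removal here drops the `\subsection{Performance Evaluation of TCP over QUIC Tunnels}` stub together with its `TODO \cite{guo_implementation_2025}`, and the consolidated related-work paragraph added in the first hunk never mentions that study, so the citation disappears from the chapter rather than being moved. If the QUIC-tunnel work is still meant to be discussed, carry the TODO and the `\cite{guo_implementation_2025}` into the new related-work text; if it is being dropped on purpose, say so in the commit message so the dangling bibliography entry can be cleaned up. The rest of the removal (the old `\section{Research Contribution}` and `\section{Related Work}` blocks) corresponds to the content moved up in the first hunk, and the retained context `\label{fig:vision-stages}` / `\end{figure}` keeps the figure environment balanced.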