255 lines
10 KiB
TeX
255 lines
10 KiB
TeX
\chapter{Introduction} % Main chapter title
|
|
|
|
\label{Introduction}
|
|
|
|
Peer-to-peer overlay VPNs promise to restore genuine decentralization
|
|
by enabling direct connectivity between nodes regardless of NAT or
|
|
firewall restrictions. Yet practitioners choosing among the growing
|
|
number of mesh VPN implementations must rely largely on anecdotal
|
|
evidence: systematic, reproducible comparisons under realistic
|
|
conditions are scarce.
|
|
|
|
This thesis addresses that gap. We benchmark ten peer-to-peer VPN
|
|
implementations across seven workloads and four network impairment
|
|
profiles, yielding over 300 unique measurements. We complement these
|
|
performance benchmarks with a source code analysis of each
|
|
implementation, verified through direct engagement with the respective
|
|
maintainers. The entire experimental framework is built on Nix, NixOS,
|
|
and the Clan deployment system, making every result independently
|
|
reproducible.
|
|
|
|
\section{Motivation}
|
|
|
|
Peer-to-peer architectures promise censorship-resistant, fault-tolerant
|
|
infrastructure by eliminating single points of failure
|
|
\cite{shukla_towards_2021}.
|
|
These architectures underpin a growing range of systems---from IoT
|
|
edge computing
|
|
and content delivery networks to blockchain platforms like Ethereum.
|
|
Yet realizing these benefits requires distributing nodes across
|
|
genuinely diverse hosting entities.
|
|
|
|
In practice, this diversity remains illusory.
|
|
Amazon, Hetzner, and OVH collectively host 70\% of all Ethereum nodes
|
|
(see Figure~\ref{fig:ethernodes_hosting}),
|
|
concentrating nominally decentralized infrastructure
|
|
within a handful of cloud providers.
|
|
More concerning, these providers operate under overlapping regulatory
|
|
jurisdictions,
|
|
predominantly the United States and the European Union.
|
|
This concentration undermines technical sovereignty:
|
|
a single governmental action could compel service termination,
|
|
data disclosure, or traffic manipulation across a majority of the network.
|
|
|
|
\begin{figure}[H]
|
|
\centering
|
|
\includegraphics[width=1\textwidth]{Figures/ethernodes_hosting.png}
|
|
\caption{Distribution of Ethereum nodes hosted by various providers
|
|
\cite{noauthor_isps_nodate}}
|
|
\label{fig:ethernodes_hosting}
|
|
\end{figure}
|
|
|
|
Why does this centralization persist despite the explicit goals of
|
|
decentralization?
|
|
The answer lies in the practical barriers to self-hosting.
|
|
Cloud providers offer static IP addresses and publicly routable endpoints,
|
|
eliminating the networking complexity that plagues residential and
|
|
small-office deployments.
|
|
Most internet-connected devices sit behind Network Address Translation (NAT),
|
|
which prevents incoming connections without explicit port forwarding
|
|
or relay infrastructure.
|
|
Combined with dynamic IP assignments from ISPs, maintaining stable
|
|
peer connectivity
|
|
from self-hosted infrastructure traditionally required significant
|
|
technical expertise.
|
|
|
|
Overlay VPNs offer a solution to this fundamental barrier.
|
|
By establishing encrypted tunnels that traverse NAT boundaries,
|
|
mesh VPNs enable direct peer-to-peer connectivity without requiring
|
|
static IP addresses or manual firewall configuration.
|
|
Each node receives a stable virtual address within the overlay network,
|
|
regardless of its underlying network topology.
|
|
This capability is transformative:
|
|
it allows a device behind consumer-grade NAT to participate
|
|
as a first-class peer in a distributed system,
|
|
removing the primary technical advantage that cloud providers hold.
|
|
|
|
The Clan deployment framework builds on this foundation.
|
|
Clan leverages Nix and NixOS to eliminate entire classes of
|
|
configuration errors prevalent in contemporary infrastructure deployment,
|
|
reducing operational overhead to a degree where a single administrator
|
|
can reliably self-host complex distributed services.
|
|
Overlay VPNs are central to Clan's architecture,
|
|
providing the secure peer connectivity that enables nodes
|
|
to form cohesive networks regardless of their physical location or
|
|
NAT situation.
|
|
As illustrated in Figure~\ref{fig:vision-stages}, Clan envisions
|
|
a web interface that enables users to design and deploy private P2P networks
|
|
with minimal configuration, assisted by an integrated LLM
|
|
for contextual guidance and troubleshooting.
|
|
|
|
During the development of Clan, a recurring challenge became apparent:
|
|
practitioners held divergent preferences for mesh VPN solutions,
|
|
each citing different edge cases where their chosen VPN
|
|
proved unreliable or lacked essential features.
|
|
These discussions were largely grounded in anecdotal evidence
|
|
rather than systematic evaluation.
|
|
This observation revealed a clear need for rigorous,
|
|
evidence-based comparison of peer-to-peer overlay VPN implementations.
|
|
|
|
Existing research on this topic remains sparse.
|
|
One notable work from 2024, ``Full-mesh VPN performance evaluation
|
|
for a secure edge-cloud continuum'' \cite{kjorveziroski_full-mesh_2024},
|
|
benchmarks a subset of mesh VPNs but focuses primarily
|
|
on solutions with a central point of failure.
|
|
In contrast, this thesis evaluates more widely adopted mesh VPNs
|
|
with an emphasis on fully decentralized architectures.
|
|
Furthermore, that study relied exclusively on iperf3 for performance
|
|
measurement,
|
|
whereas our benchmark suite includes real-world workloads
|
|
to better reflect practical usage patterns.
|
|
|
|
A further motivation was to create a fully automated benchmarking framework
|
|
capable of generating a public leaderboard,
|
|
similar in spirit to the js-framework-benchmark
|
|
(see Figure~\ref{fig:js-framework-benchmark}).
|
|
By providing an accessible web interface with regularly updated results,
|
|
we hope to encourage P2P VPN developers to optimize their implementations
|
|
in pursuit of top rankings.
|
|
|
|
\begin{figure}[H]
|
|
\centering
|
|
\includegraphics[width=1\textwidth]{Figures/krause-js-framework.png}
|
|
\caption{js-framework-benchmark results for Chrome 144.0
|
|
\cite{krause_krausestjs-framework-benchmark_2026}}
|
|
\label{fig:js-framework-benchmark}
|
|
\end{figure}
|
|
|
|
\begin{figure}[h]
|
|
\centering
|
|
|
|
% Row 1
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage1.png}
|
|
\caption{Stage 1}
|
|
\end{subfigure}
|
|
\hfill
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage2.png}
|
|
\caption{Stage 2}
|
|
\end{subfigure}
|
|
|
|
\vspace{1em} % Add spacing between rows
|
|
|
|
% Row 2
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage3.png}
|
|
\caption{Stage 3}
|
|
\end{subfigure}
|
|
\hfill
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage4.png}
|
|
\caption{Stage 4}
|
|
\end{subfigure}
|
|
|
|
\vspace{1em} % Add spacing between rows
|
|
|
|
% Row 3
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage5.png}
|
|
\caption{Stage 5}
|
|
\end{subfigure}
|
|
\hfill
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage6.png}
|
|
\caption{Stage 6}
|
|
\end{subfigure}
|
|
|
|
\vspace{1em} % Add spacing between rows
|
|
|
|
% Row 4
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage7.png}
|
|
\caption{Stage 7}
|
|
\end{subfigure}
|
|
\hfill
|
|
\begin{subfigure}{0.45\textwidth}
|
|
\centering
|
|
\includegraphics[width=\linewidth]{Figures/vision/stage8.png}
|
|
\caption{Stage 8}
|
|
\end{subfigure}
|
|
|
|
\caption{Visionary Webinterface to Setup a Clan Family Network}
|
|
\label{fig:vision-stages}
|
|
\end{figure}
|
|
|
|
\section{Research Contribution}
|
|
|
|
This thesis makes the following contributions:
|
|
|
|
\begin{enumerate}
|
|
\item A comprehensive benchmark of ten peer-to-peer VPN
|
|
implementations across seven workloads. Including real-world
|
|
video streaming and package downloads; and four network
|
|
impairment profiles, producing over 300 unique measurements.
|
|
\item A source code analysis of all ten VPN implementations,
|
|
combining manual code review with LLM-assisted analysis,
|
|
followed by verification through direct engagement with the
|
|
respective maintainers on GitHub.
|
|
\item A fully reproducible experimental framework built on
|
|
Nix, NixOS, and the Clan deployment system, with pinned
|
|
dependencies, declarative system configuration, and
|
|
deterministic cryptographic material generation, enabling
|
|
independent replication of all results.
|
|
\item A performance analysis demonstrating that Tailscale
|
|
outperforms the Linux kernel's default networking stack under
|
|
degraded conditions, and that kernel parameter tuning; Reno
|
|
congestion control in place of CUBIC, with RACK
|
|
disabled; yields measurable throughput improvements.
|
|
\item The discovery of several security vulnerabilities across
|
|
the evaluated VPN implementations.
|
|
\item An automated benchmarking framework designed for public
|
|
leaderboard generation, intended to encourage ongoing
|
|
optimization by VPN developers.
|
|
\end{enumerate}
|
|
|
|
\section{Related Work}
|
|
|
|
\subsection{A Comparative Study on Virtual Private Networks}
|
|
|
|
Lackorzynski et al.\ \cite{lackorzynski_comparative_2019} evaluate
|
|
VPN protocols in the context of industrial communication systems (Industry 4.0),
|
|
benchmarking OpenVPN, IPSec, Tinc, Freelan, MACsec, and WireGuard.
|
|
Their analysis focuses on point-to-point protocol performance; throughput,
|
|
latency, and CPU overhead; rather than overlay network behavior.
|
|
In contrast, this thesis evaluates VPNs that provide a full data plane
|
|
with peer-to-peer connectivity, NAT traversal, and dynamic peer discovery.
|
|
|
|
\subsection{Full-Mesh VPN Performance Evaluation}
|
|
|
|
Kjorveziroski et al.\ \cite{kjorveziroski_full-mesh_2024} provide a
|
|
comprehensive evaluation of full-mesh VPN solutions for distributed
|
|
systems. Their benchmarks analyze throughput, reliability under packet
|
|
loss, and relay behavior for VPNs including ZeroTier.
|
|
|
|
This thesis extends their work in several ways:
|
|
\begin{itemize}
|
|
\item Broader VPN selection with emphasis on fully decentralized
|
|
architectures
|
|
\item Real-world workloads (video streaming, package downloads)
|
|
beyond synthetic iperf3 tests
|
|
\item Multiple impairment profiles to characterize behavior under
|
|
varying network conditions
|
|
\item Fully reproducible experimental framework via Nix/NixOS/Clan
|
|
\end{itemize}
|
|
|
|
\subsection{Performance Evaluation of TCP over QUIC Tunnels}
|
|
TODO \cite{guo_implementation_2025}
|