  • DocumentCode
    545558
  • Title

    On the design of autonomic, decentralized VPNs

  • Author

    Wolinsky, David Isaac ; Lee, Kyungyong ; Boykin, P. Oscar ; Figueiredo, Renato

  • Author_Institution
    Univ. of Florida, Gainesville, FL, USA
  • fYear
    2010
  • fDate
    9-12 Oct. 2010
  • Firstpage
    1
  • Lastpage
    10
  • Abstract
    Decentralized and P2P (peer-to-peer) VPNs (virtual private networks) have recently become quite popular for connecting users in small to medium collaborative environments, such as academia, businesses, and homes. In the realm of VPNs, there exist centralized, decentralized, and P2P solutions. Centralized systems require a single entity to provide and manage VPN server(s); decentralized approaches allow more than one entity to share the management responsibility for the VPN infrastructure, while existing P2P approaches rely on a centralized infrastructure but allow users to bypass it to form direct low-latency, high-throughput links between peers. In this paper, we describe a novel VPN architecture that can claim to be both decentralized and P2P, using methods that lower the entry barrier for VPN deployment compared to other VPN approaches. Our solution extends existing work on IP-over-P2P (IPOP) overlay networks to address challenges of configuration, management, bootstrapping, and security. We present the first implementation and analysis of a P2P system secured by DTLS (datagram transport layer security) along with decentralized techniques for revoking user access.
  • Keywords
    IP networks; computer network security; network servers; peer-to-peer computing; virtual private networks; DTLS; IP-over-P2P overlay networks; IPOP overlay networks; VPN server; autonomic decentralized VPN; centralized system; datagram transport layer security; direct low-latency high-throughput links; virtual private network; IP networks; Peer to peer computing; Protocols; Routing; Security; Sockets; Virtual private networks;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2010 6th International Conference on
  • Conference_Location
    Chicago, IL
  • Print_ISBN
    978-963-9995-24-6
  • Type

    conf

  • Filename
    5767040