Asymmetrical SSL Tunnel Based VPN

  • Jingli Zhou
  • Hongtao Xia
  • Jifeng Yu
  • Xiaofeng Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4330)


Asymmetric SSL Tunnel (AST) based Virtual Private Network is presented as a cheap solution for large scale SSL VPNs. In this solution, portion of SSL/TLS computational load is transferred to disengaged internal application servers, so that VPN server is no more the bottleneck of VPN system. This paper analyzes the performance advantage of asymmetric SSL tunnel over traditional SSL tunnel, and discusses the secret management scheme for AST, which can meet enhanced security requirement and synchronize cipher specs of multipoint. Finally, a kernel optimization algorithm was introduced. AST is implemented in OpenVPN, which is originally a stable traditional SSL VPN solution. Experiment shows that the overall throughput of OpenVPN can be greatly improved after AST adopted.


Application Server Response Packet Internal Server Outgoing Packet Virtual Network Interface 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Gartner Company,
  2. 2.
    Freier, A.O., Karlton, P.: The SSL Protocol Version 3.0 [EB/OL] (2004),
  3. 3.
    Dierks, T., Allen, C.: RFC2246: The TLS Protocol Version 1.0 (January 1999),
  4. 4.
    Khanvilkar, S., Khokhar, A.: Virtual private networks: an overview with performance evaluation. Communications Magazine, IEEE 42(10), 146–154 (2004)CrossRefGoogle Scholar
  5. 5.
    Khanvilkar, S., Khokhar, A.: Experimental evaluations of Open-Source Linux-based VPN solutions. In: ICCCN 2004 (2004)Google Scholar
  6. 6.
    Apostolopoulos, G., Peris, V., Saha, D.: Transport layer security: how much does it really cost? In: INFOCOM 1999. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings., vol. 2, pp. 717–725. IEEE, Los Alamitos (1999)CrossRefGoogle Scholar
  7. 7.
    Di Santo, M., Ranaldo, N., Zimeo, E.: Kernel implementations of locality-aware dispatching techniques for Web server clusters. In: Proceedings of IEEE International Conference on Cluster Computing (CLUSTER 2003), pp. 154–162 (2003)Google Scholar
  8. 8.
    Kobayashi, M., Murase, T.: Asymmetric TCP splicing for content-based switches. In: Proceedings of IEEE International Conference on Communications (ICC 2002), vol. 2, pp. 1321–1326 (2002)Google Scholar
  9. 9.
  10. 10.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jingli Zhou
    • 1
  • Hongtao Xia
    • 1
  • Jifeng Yu
    • 1
  • Xiaofeng Wang
    • 1
  1. 1.Huazhong University of Science and TechnologyWuhanChina

Personalised recommendations