Data Security

Building a VPN for Mobile Devices at the Network Level

In 2019, there is still surprisingly little information about such an old, simple, convenient, and secure technology, as mobile VPN – Virtual Private Network).

In this article, I will describe how you can provide access to your virtual private network to any device with a SIM card without having to install and configure any additional software.

Tasks and problems

To begin with, let’s answer the question “why?”. VPN as a technology is used to solve a variety of network tasks, united by a common feature – isolated (tunneled) data transfer between two devices through one of several intermediate nodes.

Usually, mobile carrier’s network is used to build a VPN utilizing many different network protocols IPSec, L2TP, GRE, and also software products that work with them like OpenVPN, TOR, Cisco AnyConnect.  But when you start building it on a specific device, a number of requirements appear that lead to certain restrictions. Due to major vulnerabilities in numerous devices, building a best VPN service that fulfills all requirements is a pretty hard job. But it isn’t impossible yet.

The first serious problem is that the device should be able to work with at least one of the mentioned protocols at the hardware and software levels. Most often this can be resolved by installing additional software that is easy to find for a laptop or smartphone. But there are cases when a simple from a hardware point of view device is involved like the water meter that needs to use a VPN to transfer its two bytes of information once a month.

Another important problem is the need for fine-tuning customization. This issue has to do with both simple devices and modern smartphones or computers. And if with the first class of devices everything is relatively easy, then with the second class you may come across many issues and options.

Organizations use VPNs mostly for security purposes. They want to protect the device from connecting to the public network without proper corporate protection or from transferring secret data through public channels. End users may, for whatever reason, disable or forget to enable VPN and many company security systems may get “overboard”.

The above-mentioned problems can be easily evaded if access to the VPN is provided at the network level. In the case of mobile communications, this can be implemented using a “mobile VPN” where any device is capable of transmitting data to the correct network using correct protocols. No matter what settings are used on the device, with a properly configured network settings, data passes to the right place and stays always protected. The device receives its own IP address that is remotely configured. It is possible to access the device only from within the network.

How it works

PS Core

It seems like a trivial thing to talk about mobile VPNs as it is a classic service offered by all telecos to the B2B segment. Why should we focus on this? The question is – how the data network connected via HSPA, GPRS, LTE or other technology is arranged. Here, there are no usual things that all network administrators are used to like VLAN, switches, routers. But there is a radio access network (RAN) and packet core (PS Core).

In general, each device with a SIM card registered in the network (which passed the GPRS attach procedure or similar), before starting to transfer any data, must initiate the creation of a data transfer session (PDP context) on the Gateway GPRS Support Node – GGSN.

There are some important things here. When initiating a session, in a request going to the GGSN, among others, there are parameters that you may have seen in your phone or even dealt with when setting up, for example, USB modems. These are three fields: APN, login, and password.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.” – Tim Cook, Apple’s CEO

APN – Access Point Name is a very important entity influencing the logic of the GGSN. GGSN acts differently depending on which APN the session is initiated. As a result of successful processing of the user’s request, the GGSN must activate the data transfer session and inform the device of its parameters, in particular, the IP address and DNS addresses issued to the device.

There are a number of very important features here:

  • In a request to initiate a session, the mobile device never requests what exactly IP address it would like to receive.
  • In addition to the APN, login, and password fields specified in the device settings, the GGSN request also sends the subscriber’s phone number (MSISDN). Hereinafter “subscriber” is the end user, one device with a SIM card. Hereinafter “client” – is the organization, which has several subscribers.
  • When you activate a session, the GGSN creates an entry in its routing table that includes a new IP address. All subscribers have personal entries in the routing table – 1 subscriber = 1 entry in the table. GGSN is a very productive type of router.
  • The mobile operator’s network may, at different stages (on both SGSN and GGSN), for various reasons, change the APN field in the session initiation request. This allows in some cases to reduce, and in some cases, even eliminate the need to configure the network parameters.

Reading the first three points above, you can raise the following question: “What kind of IP address is given to the subscriber?” IP is determined by the settings of the APN which requested to activate the session. About 99% of data transfer users in mobile networks use regular Internet access.

In the case of Internet access, GGSN issues IP addresses according to the classic DHCP principle – using subnets already set in the settings. When they enter the public network, they are closed by the classic NAT.

But GGSN actually can be used for many other things. To select an IP address, it can make an AAAA request to the authorization server (for example Radius). Such logic is configured for individual APNs depending on their purpose. The easiest case is when a mobile carrier provides a permanent public IP address to the subscriber. Such addresses, as a rule, are assigned to subscribers and kept in the billing system (BSS) of the mobile carrier. Depending on the IT architecture, they are stored in a different database.

Due to the fact that GGSN knows the MSISDN (telephone number) of the subscriber, (contained in the request), such a database will be quite simple and can contain only a bunch of numbers and addresses.

In addition, if the client plans to use one SIM card to connect several devices (for example if the SIM card is inserted in the Wi-Fi router of the remote office), the table may also contain the so-called “framed route”. This is the prefix of the network located “behind” the SIM card. This prefix will be announced to all devices on the network using dynamic routing protocols.

But GGSN is not the only solution

In addition to issuing IP addresses, you also need to deliver subscriber traffic to customer networks. Everything works much more traditionally here. On GGSN, traffic intended for working with a VPN APN is routed to a separate operator’s network router (it can be called differently, sometimes a “VPN router”), which in turn performs the function of a classic PE in L3VPN scheme. It adds the necessary labels, headers, and sends all this traffic flow through the routers of the transport network to the pre-configured tunnels of the client’s network.

Taking into consideration the above information, there can be several ways to build a mobile VPN. They will differ from each other by a combination of the following features:

  • IP addresses, as already described, can be issued dynamically (each time a different IP address is provided) and statically (each time the same IP address is provided to a particular subscriber). This rule is determined by APN settings, and/or Radius settings.
  • IP addresses can be issued by a Radius server under the mobile provider’s control or under the client’s control.
  • Devices connected to a mobile VPN can communicate either only with each other or have access to the client’s regular L3VPN network through a direct interface (VPN port).
  • In some cases, the use of a login and password for successful activation of the session may be necessary. Sometimes it is not necessary to fill in the “APN” field.

There are several dozens of such combinations with different types of tunneling and different principles of issuing IP addresses. As a result, after a fairly quick network registration process and obtaining an IP address, the device gets access to the client’s network, and the client’s network gets access to the device.

At the same time, the subscriber is isolated from all other subscribers who are not related to a particular client. Subscribers do not need any additional settings, all traffic is sent to the client’s network, where it is processed in accordance with the client’s internal policies.

To Top

Pin It on Pinterest

Share This