
Architecture Document: VPN Site-to-Site with Dynamic IP


<div class="page_container" data-page="1">

Bui Huu Khanh, Luu Duc Khanh, Ngo Bui Truong Vu, Tran Thi Anh Van

<b>Approved by Mentor:</b>

Name: Tinh, Van Le

Signature:

Date: 11 - Jan - 2024

</div><div class="page_container" data-page="2">

<b>PROJECT INFORMATION</b>

<b>Project Acronym</b> VPNSSIP

<b>Project Title</b> VPN Site-to-Site with dynamic IP

<b>URL</b> (change)

<b>Start Date</b> 11 - Jan - 2024

<b>End Date</b> 11 - Mar - 2024

<b>Lead Institution</b> International School, Duy Tan University

<b>Project Mentor</b> M.Sc Tinh, Le Van

<b>Project Manager</b> Khanh, Bui Huu 0362.035.022

<b>Team Members</b> Khanh, Luu Duc 0702.466.297; Vu, Ngo Bui

<b>File name</b> [VPNSSIP] Proposal_v1.2

<b>Date</b> 11 - Mar - 2024

</div><div class="page_container" data-page="3">

Version | Author | Date | Description | Check

Draft | H.Khanh, Van | 12 - Aug - 2020 | Initiate document | x

1.0 | All members | 20 - Sep - 2020 | Finish content of document | x

1.1 | All members | 15 - Nov - 2020 | Update content | x

1.1.1 | Đ.Khanh, Vu | 16 - Nov - 2020 | Add C&C, Module View Client | x

1.1.2 | H.Khanh, Vu | 16 - Nov - 2020 | Add Module View Server, Low Level Architecture | x

1.1.3 | Đ.Khanh, Van | 20 - Nov - 2020 | Add Quality Attributes | x

1.2 | All members | 13 - Dec - 2020 | Update C&C, Module |

</div><div class="page_container" data-page="4">

6.1. Site-to-Site VPN single and multiple VPN connection examples 13

6.1.1. Single Site-to-Site VPN connection 13

6.1.2. Single Site-to-Site VPN connection with a transit gateway 14

6.1.3. Multiple Site-to-Site VPN connections 14

6.1.4. Multiple Site-to-Site VPN connections with a transit gateway 15

</div><div class="page_container" data-page="5">

6.1.5. Site-to-Site VPN connection with AWS Direct Connect 16

6.1.6. Private IP Site-to-Site VPN connection with AWS Direct Connect 16

6.2. Using redundant Site-to-Site VPN connections to provide failover 17

6.3. Providing secure communication between sites using VPN CloudHub 18

</div><div class="page_container" data-page="6">

<b>1. INTRODUCTION</b>

1.1. PURPOSE

The purpose of the Architecture document is to:

● Define the architecture needs and technology in detail.

● Provide solutions for business needs.

● Provide overview about resources, schedule, solution and budget for the project.

This architecture document introduces the project to the student development team and provides the up-front information the team needs in order to develop a specification.

1.2. DEFINITIONS, ACRONYMS AND ABBREVIATIONS

VPNSSIP: VPN Site-to-Site with dynamic IP

VCN: Virtual Cloud Network

DRG: Dynamic Routing Gateway

CPE: Customer Premises Equipment

1.3. DOCUMENT REFERENCES

1. Product Backlog Document for VPNSSIP

2. Project Plan Document for VPNSSIP

<b>2. PROBLEM STATEMENT</b>

2.1. PROJECT OVERVIEW

The dynamic nature of our surroundings is a constant. However, the main driving forces causing environmental change, in addition to natural factors, largely come from

</div><div class="page_container" data-page="7">

human activities, in the current context of urbanization and industrialization. Factors such as emissions, population explosion and the increase in industrial solid waste are the main culprits, causing negative impacts on the global environment. Addressing these challenges comprehensively requires data analysis and synthesis from the beginning.

However, the process of analyzing and merging data from various sources requires a lot of resources and finances. To respond to this challenge, leveraging our expertise in big data systems, we have developed an intelligent data processing system designed to work seamlessly on a web-based platform with an intuitive and user-friendly dashboard. This innovative system is a promising and valuable tool for environmental experts and policy makers, not only in Vietnam but globally. It is ready to collect, analyze and synthesize data related to all factors affecting the environment, empowering users to quickly come up with accurate and effective solutions to environmental challenges.

2.2. BUSINESS DRIVERS

<b>Business problem:</b>

In a business context, a pressing issue is the effective management of vast and complex data. Conventional methods have difficulty handling diverse data sources and real-time analytics. To solve this problem, we have developed a sophisticated solution that leverages advanced analytics capabilities. Our system integrates seamlessly with existing frameworks, providing a centralized platform for streamlined data analysis. This empowers businesses to make informed decisions quickly, turning data challenges into strategic advantages.

<b>Business need:</b>

Businesses urgently require streamlined data management solutions to overcome the challenges posed by growing data volume and complexity. Our solution addresses this need by providing a centralized platform for effective data analysis, enabling fast and informed decision making to stay competitive in a dynamic market landscape.

2.3. PROJECT GOAL

The goal is to establish a secure and encrypted connection between two or more separate networks. This enables the connected networks to communicate with each

</div><div class="page_container" data-page="8">

other as if they were physically connected on the same local network. This type of VPN is commonly used by organizations that have multiple branch offices or remote sites and need to establish secure connectivity between them.

By utilizing dynamic DNS and continuously updating the VPN configuration with the changing IP addresses, the sites can maintain a stable and secure site-to-site VPN connection, regardless of the dynamic nature of their IP addresses. This allows for seamless and secure communication between the connected networks, facilitating data exchange, resource sharing, and other network-dependent activities.

<b>3. ARCHITECTURE DRIVERS</b>

3.1. HIGH-LEVEL REQUIREMENTS

(Refer to the Product Backlog document for VPNSSIP)

3.2. SYSTEM CONTEXT

Figure 1: Context Diagram of System

Besides remote-access VPN there is site-to-site VPN, a way to connect many distant head offices through dedicated equipment and a large-scale encrypted transmission channel operating over the Internet. Site-to-Site VPN includes two types:

– Intranet-based: if the company has headquarters far apart and wants to connect them into a single private network, it can create an intranet VPN and connect LAN-to-LAN.

</div><div class="page_container" data-page="9">

– Extranet-based: when a company has a close relationship with another company (for example a partner, supplier or customer), they can build an extranet VPN to connect LAN-to-LAN, allowing these companies to work and exchange data in a separate shared environment (still over the Internet, of course).

VPN can be deployed over many different environments: X.25, Frame Relay, ATM, the Internet. However, in different environments VPN deployment has different technical characteristics and differs in how well it meets customer requirements.

3.3. QUALITY ATTRIBUTES

Table 1: Quality Attributes: Performance

<b>Quality Attributes</b> Performance

<b>Stimulus</b> ensuring strong performance and operability of the

<b>Source(s) of stimulus</b> User

<b>Environment</b> The environment surrounding the system changes

<b>System response</b> The system must handle good performance and maintain operability

<b>Stability</b> VPNSSIP connection is maintained stably, avoiding problems, interruptions, or sudden connection loss

Table 2: Quality Attributes: Availability

<b>Quality Attributes</b> Availability

<b>Stimulus</b> Ratio of the time that the VPN connection is available compared to the total time

<b>Source(s) of stimulus</b> Power

<b>Artifact</b> During peak usage load

</div><div class="page_container" data-page="10">

<b>Environment</b> Hardware and software

<b>System response</b> The time it takes the system to recover after a crash or lost connection. The device's reconnection mechanism automatically re-establishes the connection if it is lost.

<b>4. CONSTRAINTS</b>

4.1. BUSINESS CONSTRAINTS

● Project will be started on: January 18, 2024

● Project will be finished on: January 24, 2024

● Duration: 7 days

4.2. TECHNICAL CONSTRAINTS

Environment: Emulator on GNS3, EVE-NG

<b>5. HIGH-LEVEL ARCHITECTURE</b>

5.1. COMPONENT AND CONNECTOR VIEW (C&C VIEW)

The diagram below shows the overall architecture, including the main components and the components they relate to. Representations and behaviors of the important components are given in the following sections.

See the C&C View on the attached page.

</div><div class="page_container" data-page="11">

Figure 2: C&C View

For forward flows, VPN Connect requires setting up a CPE, which peers with the VPN DRG to create an IPsec encrypted tunnel over the Internet that protects all information flowing through it. Once VPN Connect is set up between the external application's data center and your VCN on OCI, communication is routed through the CPE device at the external application's data center and through the DRG. Your OCI VCN is not the same as the VCN that hosts Oracle Utilities Cloud Services, so an appropriate setup is required to establish networking between your VCN on OCI and the Oracle Utilities Cloud Services VCN; this can be done using a service gateway. The service gateway is one of the available gateways in an OCI VCN and allows traffic to be routed between the two VCNs within OCI.

<b>Role & Responsibility</b> <b>Description</b>

Component Components let you split the app into independent, reusable pieces, and think about each piece in isolation.

Scene The Scene transform represents the app in the UI.

Container & Higher Order Component Pattern that has proven to be very valuable for several React libraries.

</div><div class="page_container" data-page="12">

Restful API & Props Provides data from your API and renders it in a child component.

Navigation Provides an easy-to-use navigation solution.

Theme Defines a set of styles.

Images & Utils Stores images or the utils library.

Store The Store is the object that brings everything together.

Provider Makes the store available to all container components in the application without passing it explicitly.

Actions Actions are payloads of information that send data from your application to your store.

Actions' Middlewares Provide a third-party extension point between dispatching an action and the moment it reaches the reducer.

Reducers Actions describe the fact that something happened, but don't specify how the application's state changes in response. This is the job of reducers.

Third-party Library GraphDB Server Endpoint: build and ship our APIs faster and more consistently. Not having to worry about authentication, performance and status monitoring has reduced the time and effort we need to build great APIs.

API Set of functions and procedures that allow the creation of applications which access the features or data of an operating system, application, or other service.

5.2. MODULE VIEW

<b>5.2.1. User VPN </b>

See the Module View on the attached page.

</div><div class="page_container" data-page="13">

Figure 3: User VPN Client

<b>Prose: </b>

The VPNSSIP model with dynamic IP (Multi-site Virtual Private Network with Addressed IP) is a VPN model in which several locations connect through a private virtual network even though each location's own IP address changes periodically.

In the model, each location acts as a "site" and has a VPN client device. The VPN client device connects to the central VPN server or VPN gateway at the organization's data center or headquarters.

The important characteristic of the model is that the IP address of the VPN client device changes periodically; typically this is the public IP address assigned by the Internet service provider (ISP). This means that the VPN client device has no static IP and cannot be identified by a fixed address.

To handle IP address changes, the Site-to-Site VPN client model with dynamic IP uses methods such as Dynamic DNS (DDNS) and IPsec. Each client VPN device is configured with a DDNS hostname; when its IP address changes, it updates the DDNS record, and the central VPN server resolves that hostname to learn the new address and rebuild the tunnel.

The VPN connection between the client device and the central VPN server is secured using the IPsec protocol. IPsec provides encryption and authentication to ensure the confidentiality and integrity of data transmitted over the network. Because the client's address is not fixed, the server must identify and authenticate each client by its IKE identity (for example a hostname or a certificate) bound to that site's pre-shared key or certificate, rather than by the source IP address the packets arrive from; the DDNS lookup only tells the server where to send the connection.

The Site-to-Site client VPN model with dynamic IP allows locations to connect to each other safely and securely over a private virtual network, even though the client VPN devices' own IP addresses change periodically. This makes the model suitable for organizations or businesses that have multiple locations and no static IP address at each location.
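As an added example (not the VPNSSIP project's code and not any vendor's), the Python below sketches the two mechanisms this section and the Availability attribute in Table 2 rely on: the DDNS update a branch CPE sends when its public IP changes, and the hub-side reconciliation loop that re-resolves the branch's DDNS name, re-initiates the IPsec tunnel when the address moves or the tunnel is dead, and backs off when the branch keeps failing. The provider host ddns.example.net, the dyndns2-style /nic/update request (the form many DDNS providers accept), the branch name branch1.example.net, the addresses, and the injected resolve/tunnel_up/reinitiate callbacks are assumptions so that the logic runs offline; in a real deployment those callbacks would query DNS and drive the IKE daemon.

```python
# Added example, not the VPNSSIP project's code. Hypothetical: ddns.example.net,
# branch1.example.net, the addresses, and the injected resolver/tunnel callbacks.
import base64
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode


def build_ddns_update(hostname: str, new_ip: str, user: str, password: str):
    """Build the dyndns2-style request (GET /nic/update?hostname=...&myip=...)
    that the CPE sends after it sees a new public address. The provider is
    hypothetical; the request must go over HTTPS because the credential is
    HTTP Basic auth and anyone who can forge the update can redirect the hub."""
    ipaddress.ip_address(new_ip)  # raises ValueError on anything that is not an IP
    query = urlencode({"hostname": hostname, "myip": new_ip})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "User-Agent": "vpnssip-cpe/1.0"}
    return f"https://ddns.example.net/nic/update?{query}", headers


@dataclass
class PeerState:
    fqdn: str                     # branch's DDNS name, e.g. branch1.example.net
    ike_id: str                   # IKE identity the branch must prove; the PSK or
                                  # certificate is bound to this, never to an address
    last_ip: Optional[str] = None
    failures: int = 0


def reconcile_peer(state: PeerState,
                   resolve: Callable[[str], Optional[str]],
                   tunnel_up: Callable[[str], bool],
                   reinitiate: Callable[[str, str], None]) -> str:
    """One pass of the hub's reconnection loop for one branch. The DNS answer is
    unauthenticated and only says where to send IKE traffic; the SA is accepted
    only if the peer at that address authenticates as ike_id."""
    ip = resolve(state.fqdn)
    if ip is None:
        state.failures += 1
        return "resolve-failed"
    if ip != state.last_ip:
        state.last_ip = ip            # peer moved: negotiate against the new address
        state.failures = 0
        reinitiate(ip, state.ike_id)
        return "peer-moved"
    if not tunnel_up(ip):             # e.g. dead peer detection timed out
        state.failures += 1
        reinitiate(ip, state.ike_id)
        return "reinitiated"
    state.failures = 0
    return "healthy"


def backoff_seconds(failures: int, base: int = 5, cap: int = 300) -> int:
    """Delay before the next pass: exponential with a cap, so a branch whose
    DDNS record or ISP link is flapping is not hammered with IKE retries."""
    if failures <= 0:
        return 0
    return min(cap, base * 2 ** (failures - 1))


def simulate() -> Dict[str, object]:
    """Constructed scenario: branch1 is stable, then its ISP hands it a new
    address, then the tunnel dies with the address unchanged, then DNS fails."""
    answers = iter(["203.0.113.10", "203.0.113.10", "198.51.100.7", "198.51.100.7", None])
    liveness = iter([True, False])   # consulted only when the address is unchanged
    reinitiated: List[str] = []
    state = PeerState(fqdn="branch1.example.net", ike_id="branch1.example.net")
    actions = [
        reconcile_peer(state, lambda _fqdn: next(answers), lambda _ip: next(liveness),
                       lambda ip, ike_id: reinitiated.append(f"{ike_id}@{ip}"))
        for _ in range(5)
    ]
    return {"actions": actions, "reinitiated": reinitiated,
            "last_ip": state.last_ip, "failures": state.failures,
            "next_delay": backoff_seconds(state.failures)}


if __name__ == "__main__":
    print(simulate())
```

The comments mark the security boundary: DNS is unauthenticated, so the resolved address only decides where IKE traffic is sent, and the hub must accept the SA only if the responder proves the identity tied to that site's pre-shared key or certificate. The backoff matters because a flapping DDNS record would otherwise turn the hub into a source of IKE retries against whichever third party inherited the old address.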

</div><div class="page_container" data-page="14">

a remote VPN network

VPN Gateway An important component in the Site-to-Site VPN model, responsible for creating and managing VPN connections between different networks.

Tunnel A virtual and secure tunnel between different locations, allowing data to be transferred securely and privately.

Local computer The local computer that the user is using and from which they want to connect to the Site-to-Site VPN network.

VMware NIC Network virtualization component in the VMware environment, providing connectivity and communication of virtual machines with external networks.

<b>6. LOW-LEVEL ARCHITECTURE</b>

6.1. Site-to-Site VPN single and multiple VPN connection examples

<b>6.1.1. Single Site-to-Site VPN connection</b>

The VPC has an attached virtual private gateway, and your on-premises (remote) network includes a customer gateway device, which you must configure to enable the VPN connection. You must update the VPC route tables so that any traffic from the VPC bound for your network goes to the virtual private gateway.

<b>6.1.2. Single Site-to-Site VPN connection with a transit gateway</b>

The VPC has an attached transit gateway, and your on-premises (remote) network includes a customer gateway device, which you must configure to enable the VPN

</div><div class="page_container" data-page="15">

connection. You must update the VPC route tables so that any traffic from the VPC bound for your network goes to the transit gateway.

<b>6.1.3. Multiple Site-to-Site VPN connections</b>

The VPC has an attached virtual private gateway, and you have multiple Site-to-Site VPN connections to multiple on-premises locations. You set up the routing so that any traffic from the VPC bound for your networks is routed to the virtual private gateway.

When you create multiple Site-to-Site VPN connections to a single VPC, you can configure a second customer gateway to create a redundant connection to the same

</div><div class="page_container" data-page="16">

external location. For more information, see Using redundant Site-to-Site VPN connections to provide failover.

You can also use this scenario to create Site-to-Site VPN connections to multiple geographic locations and provide secure communication between sites. For more information, see Providing secure communication between sites using VPN CloudHub.

<b>6.1.4. Multiple Site-to-Site VPN connections with a transit gateway</b>

The VPC has an attached transit gateway, and you have multiple Site-to-Site VPN connections to multiple on-premises locations. You set up the routing so that any traffic from the VPC bound for your networks is routed to the transit gateway.

When you create multiple Site-to-Site VPN connections to a single transit gateway, you can configure a second customer gateway to create a redundant connection to the same external location.

You can also use this scenario to create Site-to-Site VPN connections to multiple geographic locations and provide secure communication between sites.
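As an added example (not AWS code), the Python below plans the VPC route table that sections 6.1.1 to 6.1.4 describe: the VPC CIDR stays local, every on-premises prefix points at the virtual private gateway or transit gateway, and, for the multiple-connection case, the prefixes of all sites and the VPC are checked for overlap before anything is configured, since an on-premises prefix that overlaps the VPC CIDR is unreachable (the local route wins) and two sites that claim the same space cannot both be routed through one gateway. The CIDRs, the site names and the gateway id vgw-0123456789abcdef0 are constructed.

```python
# Added example, not AWS code. Hypothetical: the CIDRs, site names and gateway id.
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def find_overlaps(vpc_cidr: str, site_cidrs: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Every pair of prefixes, across the VPC and all sites, that overlap.
    Prefixes owned by the same site (a summary plus a more specific) are allowed."""
    labelled = [("vpc", ipaddress.ip_network(vpc_cidr))]
    for site, cidrs in site_cidrs.items():
        labelled.extend((site, ipaddress.ip_network(c)) for c in cidrs)
    overlaps = []
    for i, (owner_a, net_a) in enumerate(labelled):
        for owner_b, net_b in labelled[i + 1:]:
            if owner_a != owner_b and net_a.overlaps(net_b):
                overlaps.append((f"{owner_a}:{net_a}", f"{owner_b}:{net_b}"))
    return overlaps


def build_route_table(vpc_cidr: str, site_cidrs: Dict[str, List[str]],
                      gateway_id: str) -> List[Route]:
    """The VPC route table the text asks for: the VPC CIDR stays 'local' and every
    on-premises prefix points at the virtual private gateway (vgw-...) or transit
    gateway (tgw-...). Refuses to build a table with overlapping prefixes."""
    clashes = find_overlaps(vpc_cidr, site_cidrs)
    if clashes:
        raise ValueError(f"overlapping prefixes: {clashes}")
    routes: List[Route] = [(ipaddress.ip_network(vpc_cidr), "local")]
    for cidrs in site_cidrs.values():
        routes.extend((ipaddress.ip_network(c), gateway_id) for c in cidrs)
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match, which is how the VPC router picks a route.
    None means no route: such traffic is dropped, not sent to the gateway."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, target in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def example() -> Dict[str, object]:
    """Constructed topology: one VPC and two branch sites behind one virtual
    private gateway (the 'Multiple Site-to-Site VPN connections' case)."""
    vpc = "10.0.0.0/16"
    sites = {"hanoi": ["192.168.1.0/24"], "danang": ["192.168.2.0/24", "172.16.0.0/20"]}
    table = build_route_table(vpc, sites, "vgw-0123456789abcdef0")
    return {
        "routes": [(str(n), t) for n, t in table],
        "to_danang": lookup(table, "192.168.2.17"),
        "in_vpc": lookup(table, "10.0.4.2"),
        "no_route": lookup(table, "198.51.100.1"),
        # a third site that reuses part of the VPC CIDR is caught before configuration
        "bad_site": find_overlaps(vpc, {**sites, "hue": ["10.0.8.0/22"]}),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

The no_route entry shows the other check worth making when one side of a tunnel cannot reach the other: an address that matches no route is dropped at the VPC router rather than forwarded to the gateway, so a missing route on either side shows up as one-way traffic, not as an IPsec failure.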

<b>6.1.5. Site-to-Site VPN connection with AWS Direct Connect</b>

The VPC has an attached virtual private gateway and connects to your on-premises (remote) network through AWS Direct Connect. You can configure an AWS Direct Connect public virtual interface to establish a dedicated network connection between your network and public AWS resources through a virtual private gateway. You set up the routing so that any traffic from the VPC bound for your network routes to the virtual private gateway and the AWS Direct Connect connection.

</div>
