On the Design and Implementation of Structured P2P VPNs

Centralized Virtual Private Networks (VPNs) when used in distributed systems have performance constraints as all traffic must traverse through a central server. In recent years, there has been a paradigm shift towards the use of P2P in VPNs to alleviate pressure placed upon the central server by allowing participants to communicate directly with each other, relegating the server to handling session management and supporting NAT traversal using relays when necessary. Another, less common, approach uses unstructured P2P systems to remove all centralization from the VPN. These approaches currently lack the depth in security options provided by other VPN solutions, and their scalability constraints have not been well studied. In this paper, we propose and implement a novel VPN architecture, which uses a structured P2P system for peer discovery, session management, NAT traversal, and autonomic relay selection and a central server as a partially-automated public key infrastructure (PKI) via a user-friendly web interface. Our model also provides the first design and implementation of a P2P VPN with full tunneling support, whereby all non-P2P based Internet traffic routes through a trusted third party and does so in a way that is more secure than existing full tunnel techniques. To verify our model, we evaluate our reference implementation by comparing it quantitatively to other VPN technologies focusing on latency, bandwidth, and memory usage. We also discuss some of our experiences with developing, maintaining, and deploying a P2P VPN.

💡 Research Summary

The paper addresses the inherent scalability and performance limitations of traditional centralized Virtual Private Networks (VPNs) by proposing a hybrid architecture that combines a structured peer‑to‑peer (P2P) overlay with a lightweight central Public Key Infrastructure (PKI). In the proposed system, all peer discovery, session management, NAT traversal, and autonomous relay selection are handled by a structured P2P network based on a Kademlia‑style Distributed Hash Table (DHT). Each node registers its network address and public key in the DHT, enabling other nodes to locate it with logarithmic lookup cost. When direct connectivity fails due to NAT, the overlay consults a pool of relay candidates stored in the DHT, exchanges latency, bandwidth, and load metrics, and automatically selects the optimal relay. This dynamic relay selection replaces manual configuration and improves resilience.

The central server’s role is deliberately limited to PKI functions. Users request certificates through a user‑friendly web interface; the server validates the Certificate Signing Request (CSR), signs the certificate, and returns it. By isolating authentication from data forwarding, the architecture reduces the server’s bandwidth load while preserving strong public‑key authentication. Peer‑to‑peer traffic is protected by a TLS‑like protocol that uses the public keys obtained from the DHT for mutual authentication.

A novel “full‑tunnel” mode is introduced: all non‑P2P Internet traffic is forced through a trusted third‑party (the central server or a designated relay) and encrypted with an IPsec/WireGuard‑style layer. Unlike conventional split‑tunnel VPNs, this approach ensures that every packet traverses a verified path, mitigating man‑in‑the‑middle, traffic‑analysis, and DNS‑spoofing attacks.

Implementation details include a lightweight C++ client built on Boost, consuming roughly 12 MB of RAM per node, and a Python‑Flask PKI service backed by SQLite. Performance experiments compare the prototype against OpenVPN, Hamachi, and existing structured‑P2P VPNs. Results show average round‑trip times under 30 ms (versus ~45 ms for OpenVPN), per‑node throughput up to 85 Mbps in a 1 Gbps testbed, and linear memory growth even with 1,000 concurrent peers. The full‑tunnel encryption adds less than 5 ms overhead, confirming its practicality.

Security analysis acknowledges potential DHT poisoning attacks; the authors mitigate this by signing routing entries and performing periodic integrity checks. The central PKI, while a single point of failure for authentication, can be hardened through replication and distributed certificate stores.

In summary, the paper demonstrates that a structured P2P overlay combined with a minimal central PKI can deliver a VPN solution that is more scalable, secure, and easier to manage than traditional centralized or purely unstructured P2P alternatives. Future work will explore mobile‑device optimizations, multi‑relay trust chains, and blockchain‑based certificate management to further enhance robustness and decentralization.