Network Engineering Guide

Network engineering documentation covering OpenConnect protocol, network topology, firewall configuration, and troubleshooting.

Overview

This section is designed for network engineers who need to:

Understand the OpenConnect protocol in depth
Design network topologies for VPN deployments
Configure firewalls, routing, and NAT
Optimize DNS and DHCP integration
Tune performance and troubleshoot issues
Analyze network traffic and protocols

Network Engineering Topics

1. Protocol Deep Dive

Understand OpenConnect protocol internals:

OpenConnect Overview - Protocol architecture and flow
TLS Handshake - HTTPS authentication phase
DTLS Tunnel - UDP tunnel establishment
Authentication Flow - Auth methods and flows
Cryptography - Cipher suites and key exchange
NVM Telemetry - Network Visibility Module

2. Network Topology

Design VPN network architectures:

Deployment Scenarios - Common deployment patterns
Split Tunneling - Route only specific traffic through VPN
Full Tunneling - Route all traffic through VPN
Site-to-Site - Connect entire networks

3. Firewall & Routing

Configure network infrastructure:

Port Requirements - Required ports and protocols
NAT Traversal - Work behind NAT/firewalls
iptables Configuration - Linux firewall setup
Routing Configuration - Route tables and policies

4. DNS & DHCP

Configure name resolution and addressing:

DNS Configuration - DNS server setup
Split DNS - Different DNS for internal/external
DHCP Integration - Dynamic IP assignment

5. Performance Tuning

Optimize VPN performance:

DPD Timers - Dead Peer Detection tuning
MTU Optimization - Maximum transmission unit
Quality of Service - Traffic prioritization
Bandwidth Management - Throttling and shaping

6. Troubleshooting

Diagnose and resolve network issues:

Connectivity Issues - Cannot connect
Packet Capture - Analyze traffic with tcpdump/Wireshark
Protocol Analysis - Debug protocol issues
Common Problems - FAQ and solutions

OpenConnect Protocol Overview

The OpenConnect protocol (also known as AnyConnect protocol) uses:

Phase 1: HTTPS Authentication (TCP 443)

Client                          Server
  |                               |
  |--- TLS ClientHello ---------->|
  |<-- TLS ServerHello -----------|
  |--- Certificate Auth --------->|
  |<-- Authentication Response ---|
  |--- Username/Password -------->|
  |<-- CONNECT Response ----------|
  |<-- XML Configuration ---------|

Phase 2: DTLS Tunnel (UDP 443)

Client                          Server
  |                               |
  |--- DTLS ClientHello --------->|
  |<-- DTLS ServerHello ----------|
  |--- DTLS Master Secret ------->|
  |<-- DTLS Connected ------------|
  |                               |
  |<====== IP Traffic ==========>|
  |    (Encrypted UDP tunnel)     |

Network Requirements

Minimum Requirements

Component	Requirement
Bandwidth	1 Mbps per user (minimum)
Latency	< 100ms (recommended)
Ports	TCP/UDP 443 (standard)
IP Range	/24 network minimum (254 addresses)
DNS	Internal DNS server or forwarding

Firewall Rules

Inbound (Server):

TCP 443 (HTTPS authentication)
UDP 443 (DTLS tunnel)

Outbound (Client):

TCP 443 to VPN server
UDP 443 to VPN server

Internal (VPN Network):

Allow forwarding between VPN and LAN
Configure NAT for internet access

Common Network Topologies

1. Simple Remote Access

[Remote Clients] ---> [WolfGuard] ---> [Corporate LAN]
                       (Split Tunnel)

2. Hub-and-Spoke

[Branch Office 1] ─┐
                    ├─> [WolfGuard Hub] ---> [Data Center]
[Branch Office 2] ─┘

3. Multi-Region HA

[Clients] ---> [Load Balancer]
                   ├─> [WolfGuard US-East]
                   ├─> [WolfGuard US-West]
                   └─> [WolfGuard EU]

Quick Start for Network Engineers

1. Understand the Protocol

Start with OpenConnect Overview to understand the protocol flow, then review:

TLS Handshake - How authentication works
DTLS Tunnel - How data tunnel is established

2. Plan Your Network

Choose your topology:

Remote access → Split Tunneling
All traffic through VPN → Full Tunneling
Connect offices → Site-to-Site

3. Configure Firewall

Set up your firewall:

Review Port Requirements
Configure iptables or your firewall
Set up NAT Traversal if needed
Configure Routing

4. Set Up DNS

Configure name resolution:

DNS Configuration for basic setup
Split DNS for internal/external separation

5. Optimize Performance

Tune for your environment:

Adjust MTU for your network
Configure DPD Timers
Set up QoS if needed

Protocol Analysis Tools

Packet Capture

# Capture VPN traffic
tcpdump -i any -w vpn-capture.pcap \
  'port 443 and host vpn.example.com'

# Analyze with Wireshark
wireshark vpn-capture.pcap

Connection Testing

# Test TCP connectivity
nc -zv vpn.example.com 443

# Test UDP connectivity
nc -zvu vpn.example.com 443

# Test TLS handshake
openssl s_client -connect vpn.example.com:443

# Test DTLS (if supported by tool)
openssl s_client -dtls -connect vpn.example.com:443

DNS Testing

# Test DNS resolution
dig vpn.example.com

# Test reverse DNS
dig -x 192.0.2.1

# Test split DNS from VPN client
nslookup internal.corp.com

Performance Benchmarks

Metric	Expected Value
Throughput	1-10 Gbps (depends on hardware)
Latency	+1-5ms (VPN overhead)
Handshake Time	100-500ms
Reconnect Time	< 2 seconds
Concurrent Users	1000+ (per server)

Troubleshooting Quick Reference

Symptom	Likely Cause	Solution
Cannot connect	Firewall blocking	Check Port Requirements
Slow performance	MTU issues	Review MTU Optimization
Frequent disconnects	DPD timeout	Adjust DPD Timers
DNS not working	Split DNS misconfigured	Check Split DNS
Some sites unreachable	Routing problem	Review Routing Config

Advanced Topics

IPsec vs OpenConnect

Feature	IPsec	OpenConnect
Transport	ESP/UDP	HTTPS/DTLS
Firewall Friendly	No	Yes
NAT Traversal	Complex	Built-in
Setup Complexity	High	Medium
Client Support	Native	Requires client

OpenConnect vs SSL VPN

OpenConnect is an SSL VPN protocol. It uses:

TLS for authentication and control
DTLS for high-performance data tunnel
Fallback to TLS if UDP is blocked

Security Considerations

Use TLS 1.3 - Disable older versions
Strong cipher suites - See Cryptography
Perfect Forward Secrecy - Use ephemeral key exchange
Certificate pinning - Pin server certificates
Network segmentation - Isolate VPN network
Intrusion detection - Monitor for anomalies

Administration - User and policy management
Developer Guide - Protocol implementation details
Reference - Protocol specifications

Standards & RFCs

RFC 5246 - TLS 1.2
RFC 8446 - TLS 1.3
RFC 6347 - DTLS 1.2
OpenConnect Draft RFC - Protocol specification

Need help with network configuration? Start with Protocol Overview or Troubleshooting

Overview​

Network Engineering Topics​

1. Protocol Deep Dive​

2. Network Topology​

3. Firewall & Routing​

4. DNS & DHCP​

5. Performance Tuning​

6. Troubleshooting​

OpenConnect Protocol Overview​

Phase 1: HTTPS Authentication (TCP 443)​

Phase 2: DTLS Tunnel (UDP 443)​

Network Requirements​

Minimum Requirements​

Firewall Rules​

Common Network Topologies​

1. Simple Remote Access​

2. Hub-and-Spoke​

3. Multi-Region HA​

Quick Start for Network Engineers​

1. Understand the Protocol​

2. Plan Your Network​

3. Configure Firewall​

4. Set Up DNS​

5. Optimize Performance​

Protocol Analysis Tools​

Packet Capture​

Connection Testing​

DNS Testing​

Performance Benchmarks​

Troubleshooting Quick Reference​

Advanced Topics​

IPsec vs OpenConnect​

OpenConnect vs SSL VPN​

Security Considerations​

Related Guides​

Standards & RFCs​