Hop Technical Deep Dive
A look behind the scenes at Hop’s inner workings.
Hop automates the series of steps required to set up an Internet-routing home VPN. This isn’t a straightforward task, so Hop needs to jump through a few hoops in order to make things work for you. Below, we’ll explain Hop's process in detail. Prepare to be swimming in acronyms…
Hop was built with security in mind. Wherever appropriate, Hop uses industry-standard X.509 and RSA methods of authentication and cryptography.
Communications with Hop’s server
When you use Hop, the app talks to the central Hop server at hop-api.raynersw.com. This communication happens in RESTful API calls which go over HTTPS. The Hop server manages account information, IP address tracking, and part of the certificate chain (explained below). Hop respects privacy. Hop is not interested in data mining our users.
VPN connections using OpenVPN
Hop servers run two VPN backends simultaneously: OpenVPN and RVPN.[1] Hop configures OpenVPN to use X.509 PKI certificate authentication for login, and a restrictive set of stream ciphers.[2] Certificates are issued to permitted clients. You’re allowed to connect to servers on your own account, as well as servers shared with you by other Hop users. The Hop app manages the certificates for you (see "Certificates and the Chain of Trust").
VPN connections using RVPN
RVPN is a new VPN backend built for Hop. The server side runs on Mac, and the client side runs on iOS (Mac client to come). OpenVPN has been around since 2001, and with that age comes maturity and time-tested reliability. However, it also tends to mean bloated software with a lot of legacy features. Built in 2018, RVPN is at the opposite end of the age spectrum. It was designed around the latest technologies without any legacy code or legacy compatibility concerns. RVPN's leanness is evident in the size of its compiled binary: 205KB versus OpenVPN's 3MB.[3]
RVPN is tightly integrated with Apple’s NetworkExtension API. When an RVPN client wants to connect to an RVPN server, the first step is to establish a TLS 1.2 connection.[4] Unlike some TLS-backed protocols such as HTTPS, certificate validation in RVPN is bidirectional. Both ends of the connection must authenticate one another's presented certificate against Hop's chain of trust. Thus, RVPN’s authentication is embedded in the TLS negotiation phase. Once TLS is established, the client and server communicate using a custom binary protocol over TLS. IPv4 and IPv6 packet flow is managed through the utun interfaces.[5] On the Mac server side, the utun[0-15] devices are accessed directly. On the iOS client side, the NetworkExtension API is the interface to utun.
Certificates and the Chain of Trust
Hop maintains its own PKI chain of trust for authenticating connections between Hop servers and Hop clients. This trust originates with the Hop Root Certificate Authority, which is implicitly trusted.
When you create a Hop user account, you become your own intermediate certificate authority. Our root CA generates a new intermediate CA for your account and sends it to you. We keep the private key for this intermediate CA on the server, and send you the certificate.
When you’re on the road and you connect to your Hop server at home, your device generates a private key and a certificate signing request (CSR). You then send that CSR to the Hop server, which decides whether or not you're allowed access. If yes, the Hop server uses your account’s intermediate CA to sign the CSR and sends back the new certificate. If no, the connection attempt is rejected.
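The chain described above, worked end to end with the openssl command line as an added example (this is not Rayner's or Hop's own code). Every name, path and validity period is constructed for the demo; the final step shows why a peer that trusts only the Hop root rejects a well-formed certificate issued outside that chain.

```shell
# Added illustration (not Rayner's code) of the three-tier Hop chain of trust:
# root CA -> per-account intermediate CA -> per-device certificate signed from
# a CSR. All names, paths and validity periods are constructed for the demo.
set -eu
hop_pki_demo() {
  work="$(mktemp -d)"
  cd "$work"
  # 1. Root CA: the implicitly trusted anchor (kept offline in a real deployment).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout root.key -out root.crt -subj "/CN=Hop Root CA (demo)" 2>/dev/null
  # 2. Per-account intermediate CA, issued by the root. Its private key stays on
  #    the server side; the user only ever receives int.crt.
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Hop account intermediate (demo)" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > int.ext
  printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> int.ext
  openssl x509 -req -days 365 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile int.ext -out int.crt 2>/dev/null
  # 3. The device generates its own key pair and a CSR; only the CSR leaves the
  #    device, and the intermediate signs it once access is approved.
  openssl req -newkey rsa:2048 -nodes -keyout device.key -out device.csr \
    -subj "/CN=Hop device (demo)" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > device.ext
  openssl x509 -req -days 30 -in device.csr -CA int.crt -CAkey int.key \
    -CAcreateserial -extfile device.ext -out device.crt 2>/dev/null
  # 4. Validate as a Hop peer would: trust only the root and let the presented
  #    intermediate bridge the gap. Prints "device.crt: OK".
  openssl verify -CAfile root.crt -untrusted int.crt device.crt
  # 5. Negative case: a device cert issued by a CA outside Hop's chain must be
  #    rejected even though it is well-formed and unexpired.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout rogue.key \
    -out rogue.crt -subj "/CN=Not Hop" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout rd.key -out rd.csr \
    -subj "/CN=Rogue device" 2>/dev/null
  openssl x509 -req -days 30 -in rd.csr -CA rogue.crt -CAkey rogue.key \
    -CAcreateserial -extfile device.ext -out rogue-device.crt 2>/dev/null
  if openssl verify -CAfile root.crt -untrusted int.crt rogue-device.crt \
       >/dev/null 2>&1; then
    echo "rogue-device.crt: ACCEPTED (chain of trust is broken)"
  else
    echo "rogue-device.crt: rejected"
  fi
}
hop_pki_demo
```

Note that the device's private key (device.key) is never read by any signing step: only the CSR crosses the network, which is the property the server-side signing flow relies on.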
One of the key differences between Hop and other home-based VPNs is Internet routing. Hop is meant to be an “access the Internet” kind of VPN, not an “access the devices on my LAN” kind of VPN. To achieve this, Hop manages your Mac’s firewall settings using the built-in pf firewall. Hop creates a virtual LAN for connected users within the 10.0.0.0/8 subnet, and forwards their traffic to the outside Internet.
Since you’re running Hop from a device on your home network, you’re probably on a NAT IP address. In order to get incoming traffic to go to your Mac, Hop needs to configure your router. It does this using either the UPnP or NAT-PMP protocols for router configuration. If these protocols are unsupported or disabled on your router, Hop provides instructions on how to manually set up port forwarding.
Obfuscation
Deep Packet Inspection (DPI) is a relatively new trend in global Internet blocking. DPI represents a much more sophisticated approach to VPN-blocking than the decades-old method of simple IP address blacklisting. With DPI, the content of your Internet communication is inspected by software running on routers, and these routers make decisions about whether to block your connection. DPI is already in use within certain restrictive Internet environments.
Hop’s OpenVPN Scrambler
Hop provides an optional “VPN Scrambler” system which makes the OpenVPN protocol practically impossible for a network observer to identify based on network traffic. We use stunnel to wrap OpenVPN inside a TLS tunnel, making the OpenVPN traffic look like generic TLS traffic (i.e. the ubiquitous HTTPS protocol). The downside is that your data is encrypted twice, for no real reason other than to circumvent Deep Packet Inspectors. So Hop prefers straight OpenVPN connections when available, and falls back to stunnel-wrapped connections when necessary.
RVPN and DPI
RVPN was built to resist Deep Packet Inspection. Because RVPN's first step is to open a TLS encrypted tunnel, the particulars of the RVPN protocol are always strongly encrypted by the time they hit the network. And because TLS tunnels are so ubiquitous, it’s difficult or impossible for an observer to distinguish RVPN traffic from other encrypted traffic.
Running a reliable Internet-routing VPN setup from home isn’t as easy as just installing OpenVPN. It’s hard enough to do on actual servers, and harder still in a home environment with NAT, sleeping computers, different router configurations, transparent-proxied IP addresses, and more challenges. Hop tries to take care of all of this for you, and doing that requires a few helper processes.
hopd is a daemon process which runs in the background on your Mac. Think of it as the brain of the Hop system. It’s responsible for configuring your router, setting system parameters such as sleep prevention and auto power on, making OpenVPN config files, starting and stopping OpenVPN, starting and stopping RVPN, talking with the Hop server, etc. When you turn the main switch on or off in Hop, you’re starting and killing the hopd process, respectively.
rvpnd is the daemon process for the RVPN server. It’s launched by hopd. Unlike hopd, rvpnd is not directly managed by launchd. rvpnd listens for incoming connections on the configured port (default 993). We chose port 993 as the RVPN default because it's the same as IMAP-secure, a common encrypted protocol which is unlikely to be hosted on a home Mac. This, in theory, will make RVPN traffic “blend in” with the other traffic (see Obfuscation, above).
openvpn is the other of Hop’s two VPN backends. This process is either started in server mode by hopd when you activate your server, or invoked in client mode when you connect to a remote server.
Hop invokes its privileged helper tool, hopcontrol, when it needs to do things that require root access. One of these tasks is loading/unloading hopd into launchd.
stunnel is an optional OpenVPN scrambler/obfuscator which Hop can run for you.
Hop.app: Objective-C, Cocoa
Hop-iOS.app: Objective-C, UIKit, NetworkExtension
hopd: Objective-C, Foundation
rvpnd: Objective-C, Foundation
hopcontrol: Objective-C, Foundation
Hop API server: PHP, PostgreSQL, Apache, Linux
OpenVPN: open-source, C/C++
stunnel: open-source, C/C++
Hop puts the following files/folders on your Mac:
/Library/Application Support/Rayner/Hop/: Top-level Hop support folder
/etc/hopd.conf: hopd & rvpnd config file (managed by Hop.app)
/tmp/com.raynersw.hop/: Temporary files folder, i.e. OpenVPN client config files
/Library/LaunchDaemons/com.raynersw.hopcontrol.plist: launchd config file for escalating hopcontrol’s permissions
/Library/LaunchDaemons/com.raynersw.hopd.plist: launchd config file for starting and running the hopd daemon process
- 1. RVPN is Hop’s own custom VPN service.
- 2. Hop includes OpenVPN 2.4.3, which employs a more restrictive set of available ciphers than earlier versions.
- 3. These are the sizes of the binaries included inside the Hop.app bundle.
- 4. Any protocol earlier than TLS 1.2 is rejected. We look forward to implementing TLS 1.3 once it becomes available in the APIs we use.
- 5. macOS now creates its own tun/tap style devices, called utun. In the absence of these, Hop will install the tun/tap kernel extension.