Using PPP as a tunneling layer

[ValdikSS]

Anti-censorship proxy software is always implemented as proxy: it has a HTTP or Socks front-end, it works only with TCP and sometimes UDP traffic, it can't route incoming connections to the client, it requires configuration of every software to use it, or to set up a pseudo-VPN with its own userspace IP stack, which does not bypass all the limitations mentioned. However, it is easy to program, as the programmer is presented with data flows, not individual packets.

VPN software provides an interface capable of encapsulating any IP protocol (TCP/UDP/ICMP/GRE/etc), you don't need to configure applications separately to use it, and the applications are able to accept incoming connections, has better compatibility with VoIP/WebRTC/NAT Punching. However it's inconvenient/non-trivial for the programmer to handle individual packets.

The question which kept my mind busy whole last month is: why the developers of anti-censorship software have never considered PPP as a building block for tunneling layer? PPP is universally implemented in modern OS, provides all the advantages of the VPN and additionally authentication, IP assignment, compression layers, and ease of programming as in proxy — the developer of anti-censorship layer don't need to implement all of these things, just send and receive PPP frames generated by the OS.

Wouldn't it be wise to use PPP as the endpoint? If not in a 'raw' form, then as L2TP — a PPP-over-UDP layer which could listen on 127.0.0.1:1701 (unprivileged port) on the local machine. This would also allow to configure not only desktop OS, but also routers with L2TP support (also univerally supported). There are lots of enterprise-grade PPP termination systems.

Would like to hear your opinion.

[marknefedov]

I’m not that well versed in networking terminology by PPP do you mean this https://en.m.wikipedia.org/wiki/Point-to-Point_Protocol ?

EDIT: I’ve originally thought about Microsoft’s PPTP

[ValdikSS]

Yes, yes, exactly. It's just a matter of using stdin/stdout pipe for pppd to get a real VPN connection between two proxied endpoints.

[marknefedov]

By the way, is there anything like this for l2tp? I found xl2tp, but as I undertood it routes ppp over l2tp.

[marknefedov]

I wonder this approach can be transferred to smartphones. IOS at least have something resembling TAP device, but on Android only option is TUN.
It may be possible to create a local l2tp/ipsec server and connect to it.

[ValdikSS]

By the way, is there anything like this for l2tp? I found xl2tp, but as I undertood it routes ppp over l2tp.

You mean an L2TP-only server with support for remote PPPd tunneling? I don't know any, but there should be some for certain.

It may be possible to create a local l2tp/ipsec server and connect to it.

It should be possible to make a plain L2TP server (it listens on non-privileged port, while for IPsec you need port 500 which is privileged, not possible on mobile without root).

[ValdikSS]

Maybe accel-l2tp supports this type of configuration.