Post

VPN

Posted Updated
By dakota levermann 5 min read

VPN stands for Virtual Private Network. In a nutshell, if two separate Local Area Networks (LAN) exist (say, in California and in New York), a VPN allows for them to be connected as if it were a singular LAN. If I were a host machine in California, a fax machine in New York may be accessible to me locally (e.g., on 192.168.0.100). A VPN is responsible for providing this illusionary tunnel.

Site-to-site VPNs

VPNs have evolved to a number of use-cases. Described above was an example of a site-to-site VPN. Both California and New York had a VPN gateway (server) on-site which communicated with each other to provide the tunnel without the need to overcomplicate how the LANs work internally. They do this by encrypting all traffic between the VPN gateways. There are a number of VPN protocols which manage how this is done.

Before VPNs if the company wanted to connect these two LANs they would have to physically connect them by wire to create a Wide Area Network (WAN). Really, the entire Internet is one large WAN, but a company may desire its own WAN to avoid using the insecure internet. Creating this type of physical direct WAN is expensive, however, so VPNs provide a way to use the insecure internet (which is far cheaper) in a secure way.

Remote Access

VPNs are also used for remote access. If I work for company A which is based in California, but I live in New York, I need a way to connect to the internal infrastructure from the other side of the country (Note: I am a single client, not a LAN). I can run a VPN client on my computer which communicates with the VPN gateway in California to provide the exact same encrypted tunnel as described above. There is no difference in the technology used; the difference lies in the use of a software based VPN client vs. going through a VPN gateway.

There exists a slight difference between a VPN Protocol and a VPN Client. A protocol describes how these encrypted tunnels are created and exchange data. An example is the OpenVPN Protocol, or WireGuard. A VPN Client is what allows you to use this protocol, and some clients support multiple protocols. The OpenVPN Connect Client is an example of a client used for an OpenVPN VPN. As a further example, OpenVPN specifically uses OpenSSL for TLS encryption, and works over both UDP and TCP. WireGuard, on the other hand, uses different encryption schemes and runs on UDP.

VPN as a Service

Probably the biggest use of VPNs today is how it is used for privacy, anonymity, and added confidentiality in suspicious networks. Instead of a VPN Gateway being hosted on the edge of a LAN, a VPN Gateway can be hosted by a VPN Provider (a company which offers VPN gateways, sometimes at a price). Your VPN Client would send encrypted data to that gateway, which would then send the traffic back out to its intended destination, only this time the source IP is not your own. The data makes it back to you, but the recipient server never knows it was you who requested it.

This can be used in a lot of ways. Using a VPN in a public wifi coffee shop prevents the coffee shop from seeing any of your data. It prevents your ISP from knowing what you are up to. It allows you to browse the internet from another country. For example, if you connect to a VPN gateway hosted in France, then all your outgoing traffic will appear as if it is coming from France. This is great if a website is only available in one country and you want to access it. Or if YouTube does not allow French users to connect (because of French laws), a citizen could use a VPN hosted in the USA to access YouTube. A fight against censorship!

An interesting client is the public VPN Gate Client managed by the Graduate school of University of Tsukuba, Japan, which has provided over 19 billion connections and tunneled over 700,000 TB of data. The VPN servers are run by volunteers. Note that it is possible to host your own VPN gateway!

What does a VPN Encrypt?

  • all of your traffic (both encrypted and unencrypted traffic, adding a layer of protection)
  • your source and destination IP (once an encrypted tunnel has been established)

What can a VPN not do?

Although your ISP will no longer be able to read the data you send (due to it being encrypted), it is still possible for an ISP to tell that you are using a VPN. You can still be fingerprinted (e.g., what browser, OS, you are using), and cookies still exists for websites you visit. You also have to be wary of the VPN provider you are using. A VPN is meaningless if they just sell the data right back to your ISP anyways! In addition, when you use a service like Google, you are obivously not hidden from… well, Google. Google can track you just by seeing what new IP address you’ve got. A VPN also doesn’t stop you from being silly and downloading malware.

Theres also something known as a DNS Leak, which happens when your VPN is configured incorrectly. It’s where your device makes a DNS query on it’s own, as opposed to doing it through the VPN server, which reduces the privacy that VPNs are meant to provide. You need to make sure your VPN client and implementation are reliable.

Sources

  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
  • https://security.stackexchange.com/questions/84210/help-understanding-vpn
  • https://www.wireguard.com/
  • https://openvpn.net/community-resources/how-to/
  • https://www.vpngate.net/en/
  • https://www.security.org/vpn/browsing-history/
  • https://surfshark.com/blog/what-does-a-vpn-hide
  • https://surfshark.com/blog/can-you-be-tracked-if-you-use-a-vpn
Notes
This post is licensed under CC BY 4.0 by the author.