VPN stands for Virtual Private Network. It is a method by which two end-points create a single, private connection, or tunnel, while using a larger network infrastructure such as the internet or wide area network. When established, a VPN acts like a direct connection to a private network.
The VPN itself simply presents itself as a network interface to the client and is transparent to the operating system, applications, and users accessing the VPN network. Applications, messages, and users can therefore use the connection normally without any need to understand how the VPN operates.
A traditional VPN requires two endpoints. One is the remote endpoint and the other is the local endpoint. To create the VPN connection, both endpoints must be set up and configured to send and receive data using a VPN protocol. There are various ways to implement VPN functionality including third-party clients, built-in OS functionality, and network-based implementations. In any case, the VPN on both endpoints must match or support the VPN methodology used on the other endpoint.
Once both endpoints have been established and configured, they create a connection called a VPN tunnel. The tunnel can be always-on, or it can be brought up dynamically by a user or triggered by certain events.
Types of VPN
One common form of VPN enables a remote user, whether an employee, student, or other authorized user, to access a private local network across a more public network. In this type of VPN, the remote user must have a VPN client installed and configured to connect to a VPN gateway on the local network. Examples include:
- A remote worker connecting to the corporate network from a remote location via the internet and accessing data and applications as if they were directly plugged into the network.
- A student connected to a campus network using a VPN connection to connect to a standalone network of lab equipment, allowing secure access to the machines and data on the smaller network.
Another widely used form of VPN provides a WAN-style connection between two different sites over a public network such as the internet, avoiding the expense and difficulty of installing a direct, private connection. In this site-to-site setup, users do not need to set up or configure VPN clients. Instead, traffic between the sites is carried by two VPN gateways. Each gateway routes for all the hosts on its own local network and acts as the tunnel endpoint for the remote gateway. Only the gateways require a VPN implementation. However, to use the connection, an end user must be directly connected to one of the local networks behind a VPN gateway.
An increasingly common form of VPN is one in which the user connects to a VPN provider, which in turn is connected to the internet. The user must have a VPN client installed and configured to connect to the remote VPN provider's servers. When established, this VPN connection provides a secure, virtual tunnel to the provider, who then unencapsulates each packet and forwards it out onto the internet. In this design, the VPN protects only the first leg of the connection, from the user to the provider, and not the path all the way to the destination.
- The primary example of this type of VPN connectivity is a remote user on an insecure Wi-Fi network such as those at a coffee shop, airport, or hotel. To prevent a nearby party from intercepting the insecure communication over the wireless network, the user can establish a VPN connection to a VPN provider who forwards traffic to the internet. The easily intercepted local wireless traffic is encrypted all the way to the provider, who then presumably connects securely to the internet, making a sniffer or man-in-the-middle attack on the local network far less likely. Traffic between the provider and the final destination is only as protected as the application protocol (for example, TLS) makes it.
- The other main example of this type of VPN is for those concerned with privacy. In many countries, including the United States since the 2017 repeal of the FCC's broadband privacy rules, it is permissible for an internet provider to log and use information about where the user connects and what the user does once connected. As the user's ISP, it would have access to any unencrypted traffic from the user. By connecting to a VPN provider, the traffic sent over the user's ISP connection is encrypted. The VPN provider could, of course, record and use the user's traffic at this point, which moves the privacy concern from one party to another rather than removing it. Since privacy is the primary selling point of a VPN provider, such logging is less likely, but the user is still trusting the provider's stated logging policy, which is rarely verifiable from the outside.
- Some users have restrictions on their internet usage in the form of government restriction, employer or school website blocking, or geographic restrictions where data is only accessible to users from certain areas. A VPN connection may be able to bypass some of these restrictions in certain cases. For example, a student blocked from YouTube by their school might be able to access the site by first connecting to the VPN provider. Since the school cannot see where the traffic goes after it enters the tunnel, the school cannot block it by destination. It can, however, block the VPN provider's addresses or ports, and if DNS lookups are not also sent through the tunnel they still reveal the destination to the school's network.
A VPN works by establishing a secure, point-to-point connection between the remote client and a VPN server connected to the target network. Once established, the VPN encapsulates and (with modern protocols) encrypts both the data and the inner IP header used for routing on the private network behind the remote endpoint. An outer IP header, addressed to the other tunnel endpoint and designed to route across the insecure, public network, is then added, and the packet is ready for transport.
Standalone VPN clients
Standalone VPN clients require the installation of software on one or both endpoints. The software is configured to match the requirements of the other endpoint. To establish a VPN connection, the endpoint must run the VPN client and connect to the other endpoint.
Standalone VPN clients are common on public VPN services. Typically, the user downloads the VPN service’s client to connect to the public VPN.
One of the best-known open source clients, OpenVPN, runs on macOS, Windows, and Linux, as well as on Android and iOS. It is also available on major cloud platforms such as AWS and Azure. Many client-to-provider VPN services build their clients around OpenVPN, including Private Internet Access and NordVPN, alongside OpenVPN's own client.
Built-in OS VPN Clients
Most modern operating systems, including Windows, iOS, macOS, Android, and Linux, include a built-in client that can connect to a remote VPN server, provided the remote endpoint supports the same VPN protocol and configuration. These clients are often not easily configured by non-technical users. They are therefore most often used in a corporate environment where IT professionals can set up, configure, and maintain the client installations as well as the VPN servers the clients connect to on the other end.
The remote endpoint connects to a VPN server that supports the VPN client and configuration on the remote system. Typically, the VPN server acts like a gateway and router at the edge of either the local network to be accessed, or, in the case of a client-to-provider setup, at the edge of the internet.
The server is responsible for unwrapping the packets and repackaging them for distribution onto the local network or internet. Any replies or connections going back to the remote endpoint are sent from the local network or internet to the VPN server which then reverses the process, encapsulating the packets and sending them back to the endpoint.
To connect within a public network, a VPN must establish and use a normal, non-VPN connection within the context of that network. This is accomplished by means of a tunneling protocol. A tunneling protocol wraps each transmitted packet such that it can be read and transmitted across the non-private network. This process is called encapsulation.
The endpoint creates a packet that would be transmitted on the private network behind its corresponding endpoint. That packet contains the headers and other data to reach the destination. However, that data is encapsulated by the tunneling protocol, turning all local network headers and metadata into part of the data payload. When the packet is transmitted, the public network reads only the wrapper to determine how to transmit the packet, moving it across the public network like any other traffic. When the packet reaches the other endpoint, the tunneling protocol on that endpoint strips off the wrapper and repackages the packet using the original transmission data and headers, allowing it to travel across the local network like any other local network traffic. The process is reversed for any returning traffic.
For example, a gateway that is part of a VPN established between two offices over the internet receives a packet built for the remote office's local network, including a private local IP address. The VPN software encapsulates that packet, turning its headers into part of the data payload, encrypts the result, and wraps it inside a standard IP packet addressed from its own public address to the other gateway's public address (typically carried in UDP, as OpenVPN and WireGuard do by default, or as IPsec ESP). To the equipment and nodes on the public network, the VPN transmissions look like ordinary IP traffic between the two gateways and are forwarded the same way. Upon arrival at the far gateway, the VPN software strips off the public headers, authenticates and decrypts the payload, recovers the original packet with its local headers, and sends it out on the local network.
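The encapsulation and decapsulation described in the preceding paragraphs, and the later point about what an on-path eavesdropper can and cannot read, as an added Python example that is not part of the original article. It builds a constructed inner IPv4/UDP packet between two private addresses, seals it, and wraps it in an outer IPv4/UDP packet between two made-up gateway addresses. The cipher is a toy (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC) standing in for a real AEAD such as AES-GCM or ChaCha20-Poly1305; the addresses, port 1194, and the pre-shared key are all assumptions made for the demo:

```python
"""Tunnel encapsulation walk-through: inner packet -> sealed blob -> outer packet.
Added example, not code from the original article. The cipher below is a toy
(HMAC-SHA256 keystream + HMAC tag) standing in for a real AEAD. All addresses,
ports and the key are constructed for the demo."""
import hashlib
import hmac
import ipaddress
import os
import struct

# Assumed topology: two gateways with public addresses, each fronting a private /24.
SITE_A_PUBLIC = "198.51.100.10"   # gateway A, outside interface (assumption)
SITE_B_PUBLIC = "203.0.113.20"    # gateway B, outside interface (assumption)
TUNNEL_PORT = 1194                # assumption: OpenVPN-style UDP port
TUNNEL_KEY = bytes(range(32))     # assumption: fixed pre-shared key for the demo
IPPROTO_UDP = 17

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the header that an on-path router, or an eavesdropper, actually reads."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "payload": pkt[ihl:total_len]}

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _keys(master: bytes):
    """Derive separate encryption and MAC keys from the one shared secret."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack("!Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    enc_key, mac_key = _keys(master)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject on any mismatch."""
    enc_key, mac_key = _keys(master)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tunnel packet failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encapsulate(inner_packet: bytes, nonce=None) -> bytes:
    """Gateway A: the whole inner packet, headers included, becomes the outer payload."""
    sealed = seal(TUNNEL_KEY, nonce or os.urandom(12), inner_packet)
    return build_ipv4(SITE_A_PUBLIC, SITE_B_PUBLIC, IPPROTO_UDP,
                      build_udp(TUNNEL_PORT, TUNNEL_PORT, sealed))

def decapsulate(outer_packet: bytes) -> bytes:
    """Gateway B: strip outer IP/UDP, authenticate, decrypt, hand back the inner packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_UDP:
        raise ValueError("not a tunnel packet")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", outer["payload"][:8])
    if dport != TUNNEL_PORT:
        raise ValueError("wrong tunnel port")
    return unseal(TUNNEL_KEY, outer["payload"][8:ulen])

def observer_view(outer_packet: bytes) -> dict:
    """What a sniffer on the public path learns: gateway endpoints, protocol, size."""
    o = parse_ipv4(outer_packet)
    return {"src": o["src"], "dst": o["dst"], "proto": o["proto"], "length": len(outer_packet)}

def tamper_detected(outer_packet: bytes, offset: int) -> bool:
    """Flip one bit of the encrypted payload and check that gateway B rejects the packet."""
    forged = bytearray(outer_packet)
    forged[offset] ^= 0x01
    try:
        decapsulate(bytes(forged))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed inner packet: host 10.1.0.5 at site A sends a datagram to 10.2.0.7 at site B.
    inner = build_ipv4("10.1.0.5", "10.2.0.7", IPPROTO_UDP,
                       build_udp(40000, 53, b"constructed-dns-query"))
    outer = encapsulate(inner)
    print("observer sees:", observer_view(outer))
    print("gateway B recovers inner dst:", parse_ipv4(decapsulate(outer))["dst"])
    print("bit-flip on encrypted inner header rejected:", tamper_detected(outer, 20 + 8 + 12 + 16))
```

Two things are worth noticing when running it. The observer view contains only the two gateway addresses, the protocol and the packet length; the private 10.x addresses and the payload exist only inside the ciphertext. And a single flipped bit at the position of the encrypted inner destination address is rejected by the tag check before anything is decrypted, which is the property a real AEAD provides and why unauthenticated tunnel encryption is not acceptable.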
A VPN connection provides several advantages, including privacy and security.
Modern VPN connections are encrypted. If any data is intercepted, it should be unreadable to the attacker. Because the inner IP headers are encrypted along with the data, the attacker is also denied the usual network metadata (internal addresses, ports, protocols) that could point to further targets. What remains visible on the public path is the outer header, that is, the two tunnel endpoints' public addresses, plus packet sizes and timing. Note also that not every tunneling protocol encrypts: plain GRE does not, and older protocols such as PPTP use encryption that is considered broken, so the protection depends on using a current protocol such as IPsec, OpenVPN, or WireGuard.
Many VPN connections are used not only for security but also for the privacy of the connection. Since the 2017 repeal of the FCC's broadband privacy rules, American ISPs may log and track their customers' communications. The uses for this information range from the annoying, such as advertising and marketing, to the legally problematic, such as a list of all websites visited being provided to government agencies or to litigious groups such as music and movie companies.
A VPN connection hides not only the data transferred but also the ultimate destination of the connections. To a remote website, the client's IP address appears to be the IP address of the VPN server, so the site cannot tie the visit to the user's real address (it can still track the user by other means, such as cookies, logins, or browser fingerprinting). To the user's ISP, the destination IP address also appears to be the VPN server's, preventing the ISP from seeing where the user connects while using its link. Hiding the user's real IP address also prevents the coarse geolocation that can be derived from it.
Some services and applications are available only to users in certain geographic regions. Sometimes these blocks are due to legal issues such as copyright licensing. A VPN connection can, in some cases, circumvent them. By connecting to a VPN server in another location, the user makes the destination service see the connection as coming from the VPN provider's location rather than the user's, and it may allow access. Partly for this reason, VPN use is restricted or illegal in some countries.
A VPN connection is essentially an extra hop that all data must take, and encrypting, authenticating, and encapsulating each packet costs additional CPU time and adds header overhead to every packet. As a result, every VPN connection will be at least marginally slower and have somewhat higher latency than a direct connection.
The throughput of a VPN connection is bounded by the slowest link in the path. For example, a user accessing a corporate network over a VPN is limited to the slowest of the user's connection to the internet, the VPN server's connection to the internet, and the VPN server's connection to the resources being accessed.
Likewise, a user with a client-to-provider VPN may have a gigabit connection to their ISP, but if the provider's VPN server does not offer that user a gigabit path to the internet, the overall connection can at best be as fast as the path between the VPN server and the internet.
A slow VPN provider can therefore cause a significant bandwidth drop. Some paid VPN services, particularly business-oriented ones, commit to a certain bandwidth in their SLAs; consumer services generally do not.
A typical (routed, layer-3) VPN is by design a point-to-point connection. As a result, broadcast and multicast traffic from the local network does not reach the VPN endpoint. While most applications and operating systems have been moving away from these types of networking, there are still older applications, especially in corporate environments, that rely on them and will not work across such a VPN. Bridged (layer-2) VPN modes, such as OpenVPN's tap mode, can carry broadcast traffic, but at the cost of forwarding all of the local network's broadcast noise through the tunnel.