12 Jun, 2016 | Bobby | How Security Works

You’ve probably used one or at least heard about them, but what exactly is a VPN? What makes them secure? Which type should I use? I answer these questions and more in this article.

What is a VPN?

A VPN is a private network connection between two points over the internet. It’s useful when you have multiple locations or computers that need to be connected together from a distance. To create this connection, a VPN builds a “tunnel” through the internet just for you, through which all your data is funneled as it travels back and forth.

In the old days, in order to establish a connection between two points, a special dedicated line had to be run between locations. This meant paying a service provider tens of thousands of dollars (or more) just to get multiple physical locations hooked together on the same network.

Now, thanks to VPN, we can use the public internet instead, and all you need is an internet connection at each location. VPN stands for virtual private network, which is pretty self-explanatory. It creates a virtual dedicated connection over the internet instead of requiring a real dedicated connection for your network.

There are two reasons we use VPNs:

1) To connect a single computer to a remote network (Remote Access VPN)
If you’ve ever “VPN’d” into work from home, a coffee shop, or hotel, this is what you did. It requires two endpoints: a computer and a VPN server. The computer reaches out over the internet and connects to the VPN server at work, which acts as a portal to the network. All your network traffic (including all web browsing) is being funneled through your workplace.

Remote Access VPN

2) To connect entire physical locations together (Site-to-Site VPN)
When you have two locations that need to be connected, with multiple computers on each end, a simple Remote Access VPN won’t cut it. Instead, you need a site-to-site VPN. This establishes a connection between two VPN servers, one at each location. Unlike a remote access VPN, which is used on an as-needed basis, site-to-site connections typically stay up permanently.

Site-to-site VPN

What can I use a VPN for?

Site-to-site VPNs are typically used by businesses or large organizations only. What most of us will be using is a remote access VPN, where we only need to connect our computer to a remote location. There are several reasons we might do this.

1) To remote into a workplace or home network

As discussed, it’s common to use remote access VPNs to log into your workplace’s network. But it’s also possible to set up a VPN server at home. That will let you access anything on your home network from essentially anywhere in the world. You can set up your own physical server at home for this, but some more expensive routers come with built-in VPN server software that makes it a lot easier. Or, if you’re feeling adventurous, you can create your own VPN router.

One thing to keep in mind: while connected to a remote location, all your web surfing is also inside the VPN. This means you’re using the internet connection of the office to browse the web. In the case of connecting to the office, it would appear to the internet as if you’re browsing from work. That means your workplace can also see everything you’re surfing to while connected over VPN.

2) To hide your traffic from eavesdroppers

If you’re on a public WiFi connection (coffee shop, airport, hotel, library, etc), anyone sitting next to you can see your traffic. That’s just the nature of wireless networks. Your computer sends out its signal as if it were a beacon of light in the dark. Anyone close enough (in any direction) can see everything that’s being transmitted.

This exposes you to the hacker sitting in the corner of the room, or in his car in the parking lot. Using a VPN tunnel would hide your wireless traffic from those eavesdroppers.

Even if it’s not WiFi, and you’re physically plugged into a network port (like in a hotel), it doesn’t change anything. There are still other strangers plugged into the same network. And don’t forget that the owner of the network can see all the traffic. You cannot trust a public network, period.

But public networks aren’t the only concern people have. At home, your internet service provider (ISP) is your “portal” to the internet. The ISP can see everything you’re doing, including potentially private stuff. Even if you’re not doing anything wrong, the fact that they’re essentially building a profile of your life on the internet unnerves a lot of people. It also makes ISPs huge targets for government spying efforts.

To thwart these privacy and security threats, you can sign up for a commercial VPN service. These companies will let you connect to their VPN servers out there in the world somewhere. So everything in between, including coffee shop hackers and ISP companies, will be shut out of your traffic.

However, if you don’t care about the ISPs and all you want is security on a public network, you could set up your own VPN at home. When you connect to it, it would be as if you were sitting right in your own house, using your own internet connection.

3) To get past geo-location restrictions

Some countries or regions restrict certain types of internet traffic. Using a secure VPN, you can hide your traffic from the sniffers that are watching everything go in and out. They will only see the encrypted VPN tunnel and can’t see what’s inside. If the VPN is configured correctly, it can bypass such filters.

This is also done in workplaces. Some companies have proxies on all incoming and outgoing traffic. This lets them control what internet traffic is allowed on their network. A VPN can foil these in the same way it does a country’s filter.

4) To gain anonymity on the internet

VPNs can also be used to give you a basic level of “anonymity”. This is because all your traffic is routed through a single endpoint somewhere else in the world. You may be in the UK but connected to a VPN server in Singapore, hiding your true location. You’re basically hiding behind the VPN server, “masking” yourself to the internet at large.

Using it this way, however, is of limited value. The “anonymity” provided by VPNs is not very strong. For someone who’s determined, there are ways to find out where the traffic is really coming from. And don’t forget that the owner of the VPN server can see everything. This is a huge weak point. VPN providers can be a valuable resource for someone who’s looking for you. This is why the best commercial VPN services don’t keep logs of any of their users’ activity.

Typical commercial VPN setup

Below are some more detailed illustrations of how a typical commercial VPN service works – first without a VPN, then with. You can see how a secure VPN tunnel shuts out everything in between the two endpoints. This is how services like ProXPN and PrivateInternetAccess work.

No VPN Service image

VPN Service image

The difference between VPNs and proxies

I’ve heard a lot of confusion between these terms. They’re similar in that both a VPN and a proxy will route your traffic through a third party. The difference is what traffic they route.

A VPN wraps a tunnel around your entire connection. Every byte that goes through your connection is stuffed into the tunnel, no matter what protocol it is. This could be web traffic (HTTP), DNS, FTP, bittorrent, and everything else. There’s a lot more going over your network connection than just websites.

A proxy, on the other hand, is only designed for specific types of traffic. Typically, internet proxies are meant just for websites (HTTP and HTTPS) but can include other protocols as well.

How Does a VPN Tunnel Work?

We’re getting into the geeky section now, so hold on.

Network traffic is moved by breaking it down into very tiny pieces called packets. VPNs work by encapsulating (“wrapping”) these packets inside a different protocol. They are then treated as the new protocol and the actual payload inside is ignored.

This is what’s referred to as a “tunnel”. It isn’t, of course, creating a real physical tunnel. It’s just putting the traffic inside another protocol for transport. When it reaches the other end, it’s opened back up and the original form of the data is restored.

It’s a bit like driving around in your car. You can think of yourself as the network packet and your car as the tunneling protocol. While you’re in the car, you’re obeying a different set of rules than if you were walking, much like tunneling protocols may allow you to go places and do things you couldn’t with the original traffic.

VPN Security

Not all tunneling protocols are secure. A VPN can be configured to work without actually encrypting the data, sending it in plain text instead. Some common examples of non-secure tunneling protocols are GRE and L2TP. Anyone capturing data in the middle of these connections would be able to read it plainly.

These non-secure protocols can, however, be used in conjunction with encryption to make the connection secure. More on that later.

Non-secure VPNs can be okay, depending on your application. If your data isn’t sensitive, it might not matter to you, and leaving out the encryption will reduce processing overhead. For instance, you may just want to move a certain type of traffic over an incompatible network. Like if you need to move IPv4 traffic over an IPv6 network, you’d use a GRE tunnel. Or to move layer 2 traffic over an IP (layer 3) network you might use an L2TP tunnel.

For a secure VPN connection, two things are necessary: encryption and authentication. Encryption garbles the data so it looks random and no one can read it who doesn’t have the decryption key. Authentication verifies the integrity of the data when it reaches the other end to make sure it hasn’t been modified in transit.

This means that each end of the connection needs 1) the encryption/decryption keys and 2) the authentication key. The keys can be shared symmetrically or asymmetrically.

Symmetric key sharing means you have to log into both ends and type in the keys yourself. This is the type of encryption you have on your home WiFi. Asymmetric key sharing (more common) is when you rely on the endpoints to share the keys automatically using the PKI (Public Key Infrastructure).

Either way, once both ends of the connection are on the same page, all traffic going over the tunnel will now be secured with one of the three VPN protocols.
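The encapsulation described under “How Does a VPN Tunnel Work?” and the two keys described in this section, shown as an added Python example that is not from the original article. The outer header layout, the sample addresses and packet, and the function names are assumptions made for illustration; a toy SHA-256 keystream stands in for a real cipher and HMAC-SHA256 provides the authentication.

```python
import hashlib
import hmac
import os
import struct

OUTER_HDR = struct.Struct("!4s4sH")  # constructed outer header: src IP, dst IP, body length


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream so the example needs only the standard
    # library. It stands in for a real cipher such as AES; do not deploy it.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack("!I", counter)).digest()
        counter += 1
    return out[:n]


def encapsulate(inner: bytes, src: bytes, dst: bytes, enc_key=None, auth_key=None) -> bytes:
    """Wrap an inner packet in an outer header; protect it if both keys are given."""
    body = inner  # non-secure tunnel: payload travels in plain text
    if enc_key and auth_key:
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(inner, _keystream(enc_key, nonce, len(inner))))
        tag = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
        body = nonce + ct + tag  # encrypt, then authenticate the ciphertext
    return OUTER_HDR.pack(src, dst, len(body)) + body


def decapsulate(outer: bytes, enc_key=None, auth_key=None) -> bytes:
    """Strip the outer header and restore the original inner packet."""
    _src, _dst, length = OUTER_HDR.unpack_from(outer)
    body = outer[OUTER_HDR.size:OUTER_HDR.size + length]
    if not (enc_key and auth_key):
        return body
    nonce, ct, tag = body[:12], body[12:-32], body[-32:]
    expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample data: an inner "packet", two tunnel endpoints, two keys.
INNER = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
A, B = bytes([198, 51, 100, 1]), bytes([203, 0, 113, 9])
ENC_KEY, AUTH_KEY = os.urandom(32), os.urandom(32)
```

Calling `encapsulate(INNER, A, B)` without keys leaves the inner request readable to anyone capturing the outer packet, while the keyed form hides it and `decapsulate` rejects any packet whose bytes were changed in transit.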

VPN Security Protocols

Each protocol has its own strengths and weaknesses, but SSL (particularly the OpenVPN method) is going to be your best bet for security.

SSL

SSL (or TLS) is the same encryption protocol used by secure websites. It uses port 443 by default and therefore makes the VPN indistinguishable from other SSL traffic (like HTTPS websites). This means it has no trouble getting through most firewalls or proxies. However, in practice, SSL VPNs are not as fast as the other protocols or as widely supported (though this is changing rapidly).

OpenVPN is the most common implementation of an SSL VPN, but you’ll need to install a client on your device as it’s not natively supported on most platforms. Most good commercial VPN services offer their own OpenVPN clients. OpenVPN is widely regarded as the most secure of all the VPN methods.

Another SSL VPN option is Microsoft’s proprietary SSTP protocol. But its support is mostly limited to Windows, and it is not very widely used.

IPsec

IPsec isn’t, itself, an encryption protocol. It’s a suite of many protocols for tunneling, authentication, and encryption. It can be configured in several different ways, depending on your needs, with or without encryption or authentication.

A non-secure tunneling protocol like GRE or L2TP can be used by IPsec in tandem with encryption to make it secure. Such a combination is written as “L2TP over IPsec”, or L2TP/IPsec.

IKEv2 is probably the most secure implementation of IPsec (originally, it was called IKE/IPsec until it got an upgrade). If it’s available then use it before any other version of IPsec.

Since IPsec uses port 500, it’s simple for proxies and firewalls to block because it’s easily recognizable. This makes it not so great for certain needs like crossing geo-location restrictions.

There are currently no known security concerns for IPsec as long as it’s configured well. But I would be remiss not to mention the supported speculation that it’s been compromised by the NSA. All things considered, IPsec seems to be reaching the end of its usefulness. I wouldn’t hesitate to use it if it’s all I had, but not if a better protocol is available.

PPTP

PPTP is the fastest VPN protocol, but also the last one that anyone should use. It’s been around a long time and has been shown to be quickly crackable. Not to mention that we know the NSA regularly defeats it.

PPTP uses port 1723 so it is also easily recognizable and therefore easily blocked.

Some legacy devices and mobile platforms only support PPTP. So I guess if it’s all you have then it’s all you have. But don’t use it if there’s another option.

Build your own VPN router

So you want to be able to VPN into your home or office? Internet routers are available with this functionality, but are typically for business-level applications and can be quite expensive. There is an alternative, which is to create your own. It requires using a compatible consumer-level router and flashing it (wiping and reloading the memory) with some open source firmware.

Stay tuned for my step-by-step article on how to do this. If you want to try it now on your own, I suggest the Asus RT-N16 router to get started and the DD-WRT firmware. Here’s a guide to get you on your way.

Other VPN facts

  • You cannot “nest” VPN connections. If you’re already connected over a VPN connection, you cannot make another connection through the existing tunnel. The protocol isn’t engineered to allow that. For instance, you cannot connect to a commercial VPN service while already connected over VPN to your workplace.
