If you decided to take the VPN route for ensuring your online privacy and unlocking geo-restricted content, then you must be interested in how VPN works. This has less to do with enriching your general knowledge and more with learning the mechanisms of a VPN.
This way, you can determine what is the best VPN service that fits your needs after weighing its pros and cons. Perhaps “best” is an exaggeration. A more honest way to describe a top security tool is one which seems to be tailor-made for your needs and which best represents your interests.
Understanding how VPN works
How VPN works boils down to figuring out what kind of features you are looking for. Maybe you want better speed when accessing the Internet through a secure tunnel.
However, you should take into account that this usually has a negative impact on the level of privacy. Or, perhaps you wish to be able to use the same VPN service on multiple devices at the same time.
To know how to choose a VPN service while window shopping, it is recommended that you understand the ins and outs of a virtual private network.
You can start by learning how VPN works compared to how the Internet normally works, then proceed with VPN servers, authorization, encryption and protocols, as well as hardware and equipment.
- Identify your needs to narrow down VPN choices
- Do not trust external sources, make your own investigation
So, how does VPN work?
- VPN tunneling, data encapsulation and transport
- Voluntary and compulsory VPN tunneling
- Remote access, router-to-router, and site-to-site VPN
- VPN servers
- VPN authorization and encryption
- VPN protocols
- VPN addressing and routing
- Temporary and persistent VPN
- Split tunneling
- Native VPN clients, browser addons, and manual configuration
- VPN hardware and equipment
- In conclusion
Identify your needs to narrow down VPN choices
We have previously established that you should identify your needs before scouting the market for a suitable VPN application. Since there is no universal “best VPN” out there that is absolutely perfect in every way, this list of dos and don’ts can help you narrow down candidates.
By cross-checking this list with the set of features provided by a virtual private network tool and by understanding how VPN works, you can easily find the winner.
The list of features presented by the VPN service provider is usually attractive, and it should be like that if the company has a solid marketing department behind it.
Unfortunately, it is common practice for companies to be misleading or simply lie about the capabilities of their software, in an effort to gain as much financial gain and media attention as possible.
Do not trust external sources, make your own investigation
Learning how to spot fake VPNs and tell them apart from reality is one of the benefits of discovering how VPN works. After learning the ropes, you will be able to take a closer look at a program’s features and see for yourself if it is actually capable of doing what it says.
You can also figure out missing key elements and even become part of the community by sending a feature request to the developer to hopefully get a positive response. Otherwise, you can take a shortcut by moving on to a better, tailor-made privacy solution.
Another option would be to only rely on the opinion on trusted reviewers and other media channels. This would work in our favor (FindYourVPN.com) since we actually plan on becoming a trusted source of information.
But it does not really sit well with us since we firmly believe that you, the VPN user, have a clearer image in mind of what is a better privacy tool for you.
So, how does VPN work?
A virtual private network takes advantage of the public Internet to put together a closed, private, secure tunnel between your computer and the remote server you are connected to.
This secret tunnel ensures that sent and received data cannot be seen, accessed, and obtained by anyone who might be snooping around. For example, you are safe from hackers who lurk around public wireless networks. This is the short version to how VPN works.
VPN tunneling, data encapsulation and transport
In technical terms, the process revolves around data encapsulation. The Internet works by breaking down information into many bits of data (packets), sending each packet to its destination on request.
When all packets are received, they get reconstructed to recreate the original file that was requested, according to the solicited VPN protocol. What a VPN does is put each packet inside another packet, encapsulating one type of packet within the diagram of another protocol.
This is known as VPN tunneling. Acting as a bodyguard, the outer packet protects the inner one (passenger) and makes sure it safely arrives at its destination while passing through the tunnel, without being intercepted (data transport).
As soon as it arrives, the inner packet is extracted from the outer shell using a certain VPN protocol. You can look at a protocol as a set of rules or a language that must be known by both the sender and receiver to understand each other.
Voluntary and compulsory VPN tunneling
There are two kinds of tunneling: voluntary and compulsory. The main difference is that voluntary tunneling depends on the actions of the user or client computer since it is necessary to manually send a VPN request.
The request triggers the creation of a voluntary VPN tunnel, and users can configure the required settings. In this scenario, the computer which sends the request turns into a tunnel endpoint and assumes the role of the tunnel client.
Compulsory tunneling, on the other hand, allows the remote access server with VPN functions to put together the compulsory tunnel and customize options automatically.
The computer of the end-user does not become a tunnel endpoint or take over the role of the tunnel client in this case. Instead, this falls in the hands of another device placed between the machine of the end-user and the tunnel server, namely the dial-up access server.
Remote access, router-to-router, and site-to-site VPN
VPNs have many benefits, like giving you access to online content that is not normally available in your country and connecting to your workplace’s intranet (aka remote access VPN).
Large corporations can even connect multiple offices from different geographical regions in the same network (aka router-to-router VPN or site-to-site VPN). But it really has just one main purpose: keep your online identity safe by hiding your real IP address and making other devices think you are using another, fake IP address.
For instance, if you want to remotely connect to your workplace when staying home or traveling, the company’s administrator configures a system that permits access to authorized users only.
It is typically based on a combination of username and password (like FTP clients). When you connect to your workplace via VPN, your public IP changes to an IP address that was previously approved by the company’s administrator. You can easily check this by going to any website that shows your IP address.
Never use the company’s VPN for your personal activities
We need to mention that, if you are one of the people in this situation when you work from home using the company’s computer, you should never use it for personal, questionable activities, like downloading questionable torrents or using a tool like Popcorn Time to watch movies (which downloads torrents in the background to be able to load contents).
The connection could be traced back to your company. Instead, you can just use another VPN tool or, better yet, your personal computer to stay out of trouble. This is another key element that you must understand about how VPN works.
Software applications dedicated to VPN usually list multiple countries in their graphical interface. Ideally, each country is associated with many IP addresses that are spread out across different cities.
Every time you launch your VP client and connect to a VPN server, the provider assigns a different, random IP address to you, even if you select the same country. The remote IP address becomes your server as soon as you connect to it, and you become the client.
Hypothetically, if there are enough people using the same VPN application as you and over a long period of time, they eventually cycle through the same IP addresses.
This network might seem chaotic, but it actually works in your favor since you are harder to trace by a powerful third party (like the NSA). The point is that a VPN service provider should support a lot of IP addresses (the more, the better).
VPN authorization and encryption
Two other aspects are essential: authorization and encryption. Authorization gets you through the firewall of the remote host. It can be represented by a username and password, smart card or another hardware token, one-time password, certificate, fingerprinting, or another form of authentication.
Encryption, on the other hand, is responsible for scrambling the information you send, so that only the designated target will be able to decrypt it, and no one else. Both are integral parts to how a VPN works.
You are most likely familiar with the username and password combo since it is used for almost everything, like logging into your Facebook or email account. The only important aspect here is that the username and password pair must be registered in the VPN client.
But anyone who gets hold of these details can impersonate you. Smart cards take it up a notch since you must have an authorized smart card and know its PIN.
Even so, if someone were to steal your smart card and find out its PIN, then all is lost. Fingerprinting, on the other hand, provides one of the best security methods as far as VPN authorization goes, because it is unique.
In order for VPN encryption to work, decryption must be successful (one cannot exist without the other). The receiver must know the correct key that can be used for decrypting the information (text, images or any other kind of contained file).
There are two ways to do this: the same key can be used for both encryption and decryption by the sender and receiver (aka symmetric key or private key), or two distinct, paired keys can be used for encryption and decryption, respectively (aka public key).
Talking about VPN encryption and how VPN works inevitably brings up the topic of VPN protocols. There are many network protocols that can be used for secure encryption, such as PPTP, IPSec, L2TP/IPsec, SSL and TLS, SSH, SSTP, IK3v2, OpenVPN, and more modern protocols like SoftEther and WireGuard.
Each protocol takes its own approach toward the way it ensures Internet security, stability, and speed. Some of them are optimized for a specific operating system only, so compatibility with multiple OSes and platforms is important, too.
Every protocol has its upsides and downsides. If you are wondering what are the two most commonly used VPN protocols, they are PPTP and OpenVPN.
PPTP (Point-to-Point Tunneling Protocol) is now considered obsolete for VPN integration due to various security flaws that have surfaced over the years. Nevertheless, it still comes bundled with Windows 10, as well as other operating systems and mobile platforms.
Examples include Linux, Mac, and iOS. The protocol is easy to configure since it relies only on the username and password authentication mode (in addition to having to specify the server address).
Furthermore, it supports TCP, GRE and different encryption modes for various purposes. An example is 128-bit AES, which may not be the top of the line, but it is secure enough against hackers with a supercomputer trying to use brute force.
On the bright side, because it provides weaker security than other encryption methods, 128-bit AES ensures better Internet speed. PPTP also facilitates stable connections which, paired with speed, make it ideal for general browsing and for online streaming like Netflix.
On the other side of the spectrum is OpenVPN. Thanks to the fact that it is open-source, this modern protocol is continuously being developed, supervised, and patched by the community.
It supports high-level encryption methods like 256-bit AES, which is more secure than PPTP but does not deliver the same speed. Plus, OpenVPN can use TCP and UDP to bypass firewalls.
On the other hand, it cannot be used without third-party software because it does not have native support like PPTP. Unless there is a default, optimized configuration bundled with the OpenVPN client, it requires a bit of investigation to be able to set it up, since it is not as easy as PPTP.
In turn, this can lead to a data breach when improperly configured. You can check out more details on VPN protocols, including PPTP, L2TP/IPsec, IKEv2/IPsec, OpenVPN, SSTP, SSL/TLS, TCP and UDP, WireGuard, and SoftEther.
We covered need-to-know facts, pros, and cons, and other relevant information about VPN authentication, encryption, and protocols, depending on what we stumble upon when reviewing VPN software.
VPN addressing and routing
Besides receiving a new IP address once it is created, a VPN connection has to make sure it is secure and not routed through the public Internet, which would mean exposing your machine to hackers.
For this to happen, it must modify existing routes or add new ones. The configuration depends on the connection mode, which can be either remote-access VPN or router-to-router VPN.
In the case of remote access VPN, the computer is responsible for setting up the remote access connection. The VPN server attributes an IP address to the VPN client with remote access, and it makes modifications to the default route on the remote client, ensuring that traffic is routed via a virtual interface.
When it comes to router-to-router VPN, a demand-dial interface is used to forward packets. It is necessary to specify the IP address of the VPN server, along with the type of encryption and authentication. Most routers have a default setting for this but custom configurations can be made, too.
Temporary and persistent VPN
There are two kinds of router-to-router VPNs: temporary and persistent. Temporary VPN mode means that packets are continuously transferred from one side to another through the virtual private network.
But, when a certain amount of idle time has passed, the connection will be automatically terminated. To make this happen, it is necessary to establish the idle time before the connection is terminated on both VPN client and server since packet routing is unlimited by default.
It is generally recommended to use temporary VPN connections when providing remote access to branch offices via dial-up connections.
Persistent VPN mode, on the other hand, keeps the connection active at all times, and it is not affected by the routed packets. If the VPN connection is interrupted for any reason, the system makes sure to retry the connection until it is successful. Compared to the temporary mode, persistent VPN is ideal for offices with a steady Internet connection.
Under normal circumstances, when a branch office is connected to the headquarters via VPN to be able to download files and perform other operations involving the office’s intranet, the work-related activity is not isolated from the rest of the Internet.
In this case, when visiting a common web page that is not relevant to the job, the office is able to see this information since traffic bounces to the corporate network without reaching your computer.
Besides being a matter of privacy, this also has a negative impact on network performance, leading to a slower connection. However, it can be avoided using split tunneling.
It is a technique designed to raise a barrier between VPN and Internet traffic, making sure that packets sent over the web reach their destination directly, without being routed through the virtual private network.
Another advantage of split tunneling is that it makes it possible to access resources spread across different machines in the local network. It also reduces the load on the business network.
Native VPN clients, browser addons, and manual configuration
A virtual private network can operate within a native VPN client, a browser addon, or in manual configuration mode. There are several notable differences between these.
The native VPN client does not require additional configuration. You download and install it on your computer or mobile, just like any other software or app, launch it, pick a server, then click a button to connect. It ensures VPN protection to all Internet-enabled applications on your device.
A browser addon, on the other hand, protects only the web browser it is installed on. Many VPN providers offer a browser extension in addition to the native VPN client. It comes with several benefits, like obfuscating your VPN traffic through SSL or disabling WebRTC to prevent IP leaks.
Manual configuration mode does not require special software. All you need are VPN configuration settings, which you can obtain from your commercial VPN provider. The main advantage is that you can set up OpenVPN in manual config mode on your router, in order to share the VPN connection with all nearby devices, even the ones that do not have native VPN support.
VPN hardware and equipment
While most users resort to free or paid VPN services, large-scaled business corporations prefer focusing on the safety aspect. These are typically companies that branched out to other cities or countries.
Maximizing data security cannot be done with software alone, so companies that are willing to pay the price install their own equipment, which is customized and optimized for a virtual private network.
This is basically a data center with its own rules and pieces of hardware, depending on what the administrator of the company plans to do.
Nevertheless, most VPN data centers share a few traits. For example, it is mandatory to set up a firewall. It should be capable of filtering Internet traffic based on a list of IP addresses, or it can follow other rules.
It is also necessary to configure the AAA server responsible with Authentication (identifies an account), Authorization (allows or denies access to the account) and Accounting (monitors the activity of the account and puts it into logs that can be later examined).
Maybe it is not exactly crucial information for most users related to how VPN works, but we thought it might spark the interest of those thinking about setting up their own VPN hardware.
VPN firewall and NAT
Since the goal of a VPN is to connect a private network to the public Internet, it becomes essential to set up a reliable firewall that is capable of filtering IP addresses in a correct manner.
This way, it makes sure that unauthorized IP addresses cannot establish connections to the private network and do some damage, like install rootkits or launch DDoS attacks.
The job of setting up a firewall in a relationship with the virtual private network falls in the hands of the administrator. According to the conditions established by the admin, VPN traffic is allowed to go through firewalls, proxy servers, and routers.
And there are two main ways to set up IP packet filtering: by placing the firewall between the VPN server and the Internet, or between the VPN server and the Internet once the VPN server is already connected to the public Internet.
VPN server behind a firewall
When the firewall is between the VPN server and the Internet, it means that the VPN server is behind the firewall. The upside of this is that the firewall can be easily integrated with the current security infrastructure of the company.
In this case, the VPN server is treated like any other resource in the intranet that is linked to the office network. Data exchanged between the VPN server and the firewall is encrypted.
The administrator must configure filters for inbound and outbound traffic on the internet and local network interfaces to make sure that packets sent via VPN will reach their destination. If necessary, more filters can be set up for permitting the web, FTP, and other kinds of servers to exchange data on the local network.
VPN server in front of a firewall
If the VPN server is connected to the public web, then it is possible to create the firewall between the VPN server and intranet, which means that the VPN server is in front of a firewall.
Compared to the first method, this one offers enhanced security in case of a hacker who managed to infiltrate into the system, since its access to the local resources can be limited. On the other hand, the traffic between the VPN server and firewall is not encrypted.
The admin has to set up rules for IP packet filtering for the Internet interface using a whitelist. Whitelisting means that the only VPN traffic allowed has to be defined in advance on the IP mappings; any traffic that cannot be identified by IP address will be automatically prohibited.
VPN server next to a firewall
A third way is to put the firewall on the same box as the VPN server. It means that the VPN server is technically behind the firewall, but they can work well hand in hand since both have routing features.
This method is ideal for corporations whose firewall is heavily required during day hours and their VPN server is required during the night shift. On the other hand, a security expert should be ready to troubleshoot issues at a moment’s notice.
VPN and NAT
Based on RFC1631, NAT (Network Address Translator) can connect a private network with unregistered IP addresses to the public Internet by facilitating shared access. It works on a router and translates private IP addresses into public ones so that traffic can be properly sent to other networks.
Thanks to this feature, it is possible to broadcast just a single IP address to the public Internet instead of multiple addresses belonging to many machines in the same network.
The main advantage of it is that the internal network can be protected from the outside world by hiding it behind the unique IP address. NAT is typically integrated within VPNs but cannot be used with encryption-based protocols.
We are aware that there are many technicalities to how a VPN works. And most of it is pretty boring, no matter how hard we try to make it sound engaging. Nevertheless, if you are a privacy-concerned user, it is essential to grasp the concepts of a virtual private network tool.
By understanding its mechanisms, you will be able to easily tell the good VPNs from the bad when you are out there on the Internet trying to purchase a trustworthy VPN solution. Only then can you begin to make yourself anonymous on the web and enjoy unrestricted access.