If you decided to take the VPN route for ensuring your online privacy and unlocking geo-restricted content, you’re probably interested in how VPN works. This has less to do with enriching your general knowledge and more with learning the mechanisms of a VPN to help you determine which of these services is the best one for you. Perhaps “best” is an exaggeration, and a more honest way to describe a top security tool is one which seems to be tailor-made for your needs and which best represents your interests.
Understanding how a VPN works starts with figuring out which features you are looking for. Maybe you want better speed when accessing the internet through a secure tunnel. However, you should take into account that this usually has a negative impact on the level of privacy. Or perhaps you wish to be able to use the same VPN service on multiple devices at the same time.
To know which VPN tool to pick while window shopping, it’s recommended that you understand the ins and outs of a virtual private network. You can start by understanding how VPN works compared to how the internet normally works, then proceed with VPN servers, authorization, encryption and protocols, as well as hardware and equipment.
Identify your needs to narrow down VPN choices
We’ve previously established that you should identify your needs before scouting the market for a suitable VPN application. Since there is no universal “best VPN” out there that’s absolutely perfect in every way, this list of dos and don’ts can help you narrow down candidates. By cross-checking this list with the list of features provided by a virtual private network tool and by understanding how VPN works, you can easily find the winner.
The list of features presented by the VPN service provider is usually attractive, and it should be if the company has a solid marketing department behind it. Unfortunately, it’s common practice for companies to mislead or simply lie about the capabilities of their software in an effort to maximize profit and media attention.
Don’t just trust external sources: do your own investigation
Learning how to spot scams and tell them apart from reality is one of the benefits of discovering how VPN works. After learning the ropes, you will be able to take a closer look at a program’s features and see for yourself if it’s actually capable of doing what it says. You can also discover missing key elements and even become part of the community by sending a feature request to the developer to hopefully get a positive response. Otherwise, you can take a shortcut by moving on to a better, tailor-made privacy solution.
Another option would be to rely only on the opinions of trusted reviewers and other media channels. This would work in our favor, since we actually plan on becoming a trusted source of information. However, it doesn’t really sit well with us, since we firmly believe that you, the VPN user, have a clearer image in mind of what the better privacy tool is for you.
For dummies: how VPN works
A virtual private network takes advantage of the public internet to put together a closed, private, secure tunnel between your computer and the remote server you’re connected to. This tunnel ensures that sent and received data cannot be seen, accessed or obtained by anyone who might be snooping around (when using public wireless networks, for example). This is the short version of how VPN works.
VPN tunneling, data encapsulation and transport
In technical terms, this is known as data encapsulation. The internet works by breaking down information into many bits of data (packets), sending each packet to its destination on request. When all packets are received, they get reconstructed to recreate the original file that was requested, according to the protocol.
What a VPN does is put each packet inside another packet, encapsulating one type of packet within the datagram of another protocol. This is known as VPN tunneling. Like a bodyguard, the outer packet protects the inner one (the passenger) and makes sure it safely arrives at its destination while passing through the tunnel, without being intercepted (data transport). Once it arrives, the inner packet is extracted from the outer shell using a certain protocol. You can look at a protocol as a set of rules or a language that must be known by both sender and receiver to understand each other.
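The encapsulation described above, as an added example that is not code from the original article: a minimal IPv4 builder/parser wraps an inner packet (client's VPN address to an intranet host) inside an outer packet (client's public address to the VPN server) using IP-in-IP, protocol number 4, and the receiving endpoint strips the shell again. All addresses are constructed, and the header checksum check shows how a damaged outer packet is rejected instead of being unwrapped.

```python
import struct
import ipaddress

IPIP = 4  # IANA protocol number for IP-in-IP encapsulation (RFC 2003)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split a packet into header fields and payload; reject damaged headers."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of an outer packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPIP, inner)


def decapsulate(outer: bytes, my_ip: str) -> bytes:
    """Tunnel exit: strip the outer shell, but only for packets addressed to us."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != my_ip or hdr["proto"] != IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    return hdr["payload"]


def tunnel_roundtrip() -> dict:
    """Constructed addresses: 10.8.0.2 is the client's VPN address, 10.0.0.5 an
    intranet host, 203.0.113.7 the client's public IP, 198.51.100.1 the VPN server."""
    inner = build_ipv4("10.8.0.2", "10.0.0.5", 6, b"GET / HTTP/1.0\r\n\r\n")
    outer = encapsulate(inner, "203.0.113.7", "198.51.100.1")
    return parse_ipv4(decapsulate(outer, "198.51.100.1"))
```

A real VPN would also encrypt and authenticate the inner packet before wrapping it; this block shows only the wrapping and unwrapping step.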
Voluntary and compulsory VPN tunneling
There are two kinds of tunneling: voluntary and compulsory. The main difference is that voluntary tunneling depends on the actions of the user or client computer, since it is necessary to manually send a VPN request for creating a voluntary VPN tunnel and configuring settings. In this scenario, the computer which sends the request turns into a tunnel endpoint and assumes the role of the tunnel client.
Compulsory tunneling, on the other hand, allows the remote access server with VPN functions to put together the compulsory tunnel and customize options automatically. The computer of the end user does not become a tunnel endpoint and take over the role of the tunnel client in this case. Instead, this falls in the hands of another device placed between the machine of the end user and the tunnel server, namely the dial-up access server.
VPNs have many benefits, like giving you access to online content that’s not normally available in your country and connecting to your workplace’s intranet (aka remote access VPN). Large corporations can even connect multiple offices from different geographical regions in the same network (aka router-to-router VPN or site-to-site VPN). But it really has just one main purpose: keep your online identity safe by masking your real IP address and making other devices think you’re using another, fake IP address.
Never use the company’s VPN for your personal activities
For instance, if you want to remotely connect to your workplace when staying home or traveling, the company’s administrator configures a system that permits access to authorized users only. It’s typically based on a combination of username and password (like FTP clients). When you’re connected to your workplace via VPN, your public IP changes to an IP address that’s pre-approved by the company’s administrator. You can easily check this by going to any website that shows your IP address.
However, we need to mention that, if you’re one of the people in this situation, you should never use your work VPN for personal, questionable activities, like downloading illegal torrents or using a tool like Popcorn Time for watching movies (which downloads torrents in the background to be able to load contents). The connection could be traced back to your company. Instead, you can just use another VPN tool. This is another key element that you must understand about how VPN works.
Software applications dedicated to VPN usually list multiple countries in their graphical interface. Ideally, each country is associated with many IP addresses that are spread out across different cities. Every time you turn on the VPN (each session), the provider assigns a different, random IP address to you, even if you select the same country. The remote IP address becomes your server as soon as you connect to it, and you become the client.
Hypothetically, if there are enough people using the same VPN application as you and over a long period of time, they eventually cycle through the same IP addresses. This network might seem chaotic, but it actually works in your favor since you are harder to trace by a powerful third party (like the NSA). The point is that a VPN service provider should support a lot of IP addresses (the more, the better).
VPN authorization and encryption
Two other aspects are essential to how VPN works: authorization and encryption. Authorization gets you through the firewall of the remote host. It can be represented by a username and password, a smart card or another hardware token, a one-time password, a certificate, fingerprinting, or another form of authentication. Encryption, on the other hand, is responsible for scrambling the information you send, so that only the designated target will be able to decrypt it, and no one else.
You are most likely familiar with the username and password combo since it’s used for almost everything, like logging into your Facebook or email account. The only important aspect here is that the username and password pair must be registered in the VPN client. But anyone who gets hold of these details can impersonate you. Smart cards take it up a notch since you must have an authorized smart card and know its PIN. Even so, if someone were to steal your smart card and find out its PIN, then all is lost. Fingerprinting, on the other hand, provides one of the best security methods as far as VPN authorization goes, because it’s unique.
In order for encryption to work, decryption must be successful (one cannot exist without the other). The receiver must know the correct key that can be used for decrypting the information (text, images or any other kind of contained file). There are two ways to do this: the same key can be used for both encryption and decryption by the sender and receiver (aka symmetric key or private key), or two distinct, paired keys can be used for encryption and decryption, respectively (aka public key).
Talking about VPN encryption and how VPN works brings up the topic of VPN protocols. There are many network protocols that can be used for secure encryption, such as PPTP, IPsec, L2TP/IPsec, SSL and TLS, SSH, SSTP, IKEv2, and OpenVPN. Each protocol takes its own approach toward the way it ensures internet security, stability and speed. Some of them are optimized for a specific operating system only, so compatibility with multiple OSes and platforms is important, too. Every protocol has its upsides and downsides.
VPN protocols: PPTP
For example, PPTP (Point-to-Point Tunneling Protocol) is now considered obsolete for VPN integration, due to security flaws. Nevertheless, it still comes bundled with Windows 10, as well as other operating systems and mobile platforms. Examples include Linux, Mac OS X, and iOS. The protocol is easy to configure since it relies only on the username and password authentication mode (in addition to having to specify the server address).
Furthermore, it supports TCP, GRE and different encryption modes for various purposes. An example is 128-bit AES, which may not be top of the line but is secure enough against hackers with a supercomputer attempting brute force. On the bright side, because it provides weaker security than other encryption methods, 128-bit AES ensures better internet speed. PPTP also facilitates stable connections which, paired with speed, makes it ideal for casual users and for online streaming like Netflix.
VPN protocols: OpenVPN
On the other side of the spectrum is OpenVPN. Thanks to the fact that it’s open-source, this modern protocol is continuously being developed, supervised and patched by the community. It supports high-level encryption methods like 256-bit AES, which is more secure than PPTP but doesn’t deliver the same speed. Plus, OpenVPN can use TCP and UDP to bypass firewalls.
On the other hand, it cannot be used without third-party software (doesn’t have native support like PPTP). Unless there’s a default, optimized configuration bundled with the OpenVPN client, it requires a bit of investigation to be able to set it up (not as easy as PPTP), which can lead to a data breach if it’s not configured properly. On top of this, OpenVPN doesn’t currently support mobiles.
You can check out another article with more details on VPN protocols, including PPTP, L2TP/IPsec, IKEv2/IPsec, OpenVPN, SSTP, SSL/TLS, TCP and UDP. We have covered need-to-know facts, pros and cons, and other relevant information about VPN authentication, encryption and protocols, depending on what we stumble upon when reviewing VPN software.
VPN addressing and routing
Besides receiving a new IP address once it is created, a VPN connection has to make sure it is secure and not routed through the public internet, which would mean exposing your machine to hackers. For this to happen, existing routes have to be modified or new ones have to be added. The configuration depends on the connection mode, which can be either remote access VPN or router-to-router VPN.
In the case of remote access VPN, the computer is responsible for setting up the remote access connection. The VPN server assigns an IP address to the remote access VPN client and modifies the default route on the remote client, ensuring that traffic is routed via a virtual interface.
When it comes to router-to-router VPN, a demand-dial interface is used to forward packets. It is necessary to specify the IP address of the VPN server, along with the type of encryption and authentication. Most routers have a default setting for this but custom configurations can be made, too.
Temporary and persistent VPN
There are two kinds of router-to-router VPNs: temporary and persistent. Temporary mode means that packets are continuously transferred from one side to another through the virtual private network but, when a certain amount of idle time has passed, the connection will be automatically terminated. To make this happen, it is necessary to establish the idle time before the connection is terminated on both VPN client and server, since packet routing is unlimited by default. It is generally recommended to use temporary VPN connections when providing remote access to branch offices via dial-up connections.
Persistent mode, on the other hand, keeps the connection active at all times, and it is not affected by the routed packets. If the VPN connection is interrupted for any reason, the system makes sure to retry the connection until it is successful. Compared to temporary mode, persistent VPN is ideal for offices with a steady internet connection.
Under normal circumstances, when a branch office is connected to the headquarters via VPN in order to download files and perform other operations involving the office’s intranet, work-related activity is not isolated from the rest of the internet. In this case, when you visit an ordinary web page that is not relevant to the job, the office can see that traffic too, since it is routed through the corporate network rather than going directly to your computer.
Besides being a matter of privacy, this also has a negative impact on network performance, leading to a slower connection. However, this can be avoided using split tunneling. It is a technique designed to raise a barrier between VPN and internet traffic, making sure that packets sent over the internet reach their destination directly, without being routed through the virtual private network. Another advantage of split tunneling is that it makes it possible to access resources spread across different machines in the local network. It also reduces the load on the business network.
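The two routing setups discussed above (the default route replaced by the virtual interface in remote access mode, versus split tunneling that sends only corporate prefixes through the tunnel), as an added example that is not part of the original article. It is a small longest-prefix-match forwarding table with constructed addresses: eth0 is the physical interface, tun0 the virtual one, and the corporate prefixes, LAN and VPN server address are assumptions.

```python
import ipaddress

LAN = "192.168.1.0/24"       # constructed: the user's home/office LAN
LAN_GATEWAY = "192.168.1.1"
VPN_SERVER = "198.51.100.1"  # constructed: public address of the VPN server
CORPORATE = ["10.0.0.0/8", "172.16.0.0/12"]  # constructed: prefixes reachable only via VPN


class RoutingTable:
    """Minimal IPv4 forwarding table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # (network, interface, next hop or None)

    def add(self, prefix: str, iface: str, via=None) -> None:
        self.routes.append((ipaddress.ip_network(prefix), iface, via))

    def lookup(self, dst: str) -> tuple:
        """Return (interface, next hop) of the most specific matching route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, via)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1], best[2]


def full_tunnel_table() -> RoutingTable:
    """Remote access client: the default route is replaced by the virtual interface."""
    t = RoutingTable()
    t.add(LAN, "eth0")
    # Host route for the VPN server itself, so the encapsulated packets reach it over
    # the physical link instead of looping back into the tunnel they carry.
    t.add(f"{VPN_SERVER}/32", "eth0", via=LAN_GATEWAY)
    t.add("0.0.0.0/0", "tun0")
    return t


def split_tunnel_table() -> RoutingTable:
    """Split tunneling: only corporate prefixes use tun0; everything else goes direct."""
    t = RoutingTable()
    t.add(LAN, "eth0")
    t.add("0.0.0.0/0", "eth0", via=LAN_GATEWAY)
    for prefix in CORPORATE:
        t.add(prefix, "tun0")
    return t


def egress(table: RoutingTable, destinations: list) -> dict:
    """Map each destination to the interface the table would send it out of."""
    return {dst: table.lookup(dst)[0] for dst in destinations}
```

Comparing `egress(full_tunnel_table(), ...)` with `egress(split_tunnel_table(), ...)` for a public web address shows the privacy trade-off in the text: with split tunneling that traffic leaves on eth0 and never touches the corporate network.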
VPN hardware and equipment
While most users resort to buying VPN services or using free tools, large-scale business corporations prefer focusing on the safety aspect. These are typically companies that have branched out to other cities or countries. Maximizing data security cannot be done with software alone, so companies that are willing to pay the price install their own equipment that’s customized and optimized for a virtual private network. This is basically a data center with its own rules and pieces of hardware, depending on what the administrator of the company plans to do.
Nevertheless, most VPN data centers share a few traits. For example, it’s mandatory to set up a firewall. It should be capable of filtering internet traffic based on a list of IP addresses (or it can follow other rules). It’s also necessary to configure the AAA server that’s responsible for authentication (identifies an account), authorization (allows or denies access to the account) and accounting (monitors the activity of the account and puts it into logs that can be later examined). Maybe this isn’t exactly crucial information for most users related to how VPN works, but we thought it might spark the interest of those thinking about setting up their own VPN hardware.
VPN firewall and NAT
Since the goal of VPN is to connect a private network to the public internet, it becomes essential to set up a reliable firewall that is capable of filtering IP addresses correctly. This way, it makes sure that unauthorized IP addresses cannot establish connections to the private network and do damage, like installing rootkits or launching DoS attacks.
The job of setting up a firewall in relation to the virtual private network falls into the hands of the administrator. According to the conditions established by the admin, VPN traffic is allowed to pass through firewalls, proxy servers and routers. There are two main ways to set up IP packet filtering: by placing the firewall between the VPN server and the internet, or between the VPN server and the intranet once the VPN server is already connected to the public internet.
VPN server behind a firewall
When the firewall is between the VPN server and internet, it means that the VPN server is behind the firewall. The upside of this is that the firewall can be easily integrated with the current security infrastructure of the company. In this case, the VPN server is treated like any other resource in the intranet that is linked to the office network. Data exchanged between the VPN server and firewall is encrypted.
The administrator must configure filters for inbound and outbound traffic on the internet and local network interfaces to make sure that packets sent via VPN will reach their destination. If necessary, more filters can be set up for permitting web, FTP and other kinds of servers to exchange data on the local network.
VPN server in front of a firewall
If the VPN server is connected directly to the public internet, then it is possible to place the firewall between the VPN server and the intranet, which means that the VPN server is in front of the firewall. Compared to the first method, this one offers enhanced security in case a hacker manages to infiltrate the system, since their access to local resources can be limited. On the other hand, the traffic between the VPN server and the firewall is not encrypted.
The admin has to set up rules for IP packet filtering for the internet interface using a whitelist. Whitelisting means that the only VPN traffic allowed has to be defined in advance on the IP mappings; any traffic that cannot be identified by IP address will be prohibited.
VPN server next to a firewall
A third way is to put the firewall on the same box as the VPN server. It means that the VPN server is technically behind the firewall, but the two can work well hand in hand since both have routing features. This method is ideal for corporations whose firewall is heavily used during the day and whose VPN server is needed during the night shift. On the other hand, a security expert should be ready to troubleshoot issues at a moment’s notice.
VPN and NAT
Based on RFC1631, NAT (Network Address Translator) can connect a private network with unregistered IP addresses to the public internet by facilitating shared access. It works on a router and translates private IP addresses into public ones, so that traffic can be properly sent to other networks. Thanks to this feature, it is possible to broadcast just a single IP address to the public internet instead of multiple addresses belonging to many machines in the same network. The main advantage of this is that the internal network can be protected from the outside world by hiding it behind the unique IP address. NAT is typically integrated within VPNs but cannot be used with encryption-based protocols.
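The address translation described above, as an added example that is not code from the original article: a port-translating NAT lets two constructed LAN hosts share one public address, routes each reply back to the right inside host, and drops unsolicited inbound packets for which no mapping exists, which is the "hiding behind a single IP address" property the text mentions. All addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Just the fields a port-translating NAT needs to read and rewrite."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Port-translating NAT: many inside hosts share one public address."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        self.outbound_map = {}  # (inside ip, inside port) -> public port
        self.inbound_map = {}   # public port -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> internet: rewrite the source to the shared public address."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            raise ValueError(f"{pkt.src_ip} is not an inside address")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound_map:
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound_map[key])

    def inbound(self, pkt: Packet):
        """Internet -> inside: only packets matching an existing mapping get through;
        anything unsolicited is dropped (returns None), which is what hides the LAN."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound_map.get(pkt.dst_port)
        if key is None:
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])


def demo() -> dict:
    """Constructed scenario: two LAN hosts reach the same web server through one NAT."""
    nat = Napt("198.51.100.20", "192.168.1.0/24")
    a = nat.outbound(Packet("192.168.1.10", 5000, "203.0.113.5", 443))
    b = nat.outbound(Packet("192.168.1.11", 5000, "203.0.113.5", 443))
    reply_to_a = nat.inbound(Packet("203.0.113.5", 443, "198.51.100.20", a.src_port))
    reply_to_b = nat.inbound(Packet("203.0.113.5", 443, "198.51.100.20", b.src_port))
    stray = nat.inbound(Packet("203.0.113.9", 50000, "198.51.100.20", 22))
    return {"a": a, "b": b, "reply_to_a": reply_to_a, "reply_to_b": reply_to_b, "stray": stray}
```

The translator works only because it can read and rewrite the port numbers; when those sit inside an encrypted payload there is nothing for it to rewrite, which is why IPsec behind NAT is wrapped in an extra UDP header (NAT traversal, RFC 3948).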