VPN – Virtual Private Network

In the old days, telcos would create a “dedicated line” just for use by your company (for a lot of money every month). That was a “private network”. With the advent of the Internet, it was possible to achieve the equivalent of that with a tunnel through the Internet, usually encrypted for privacy. That is a “virtual” private network.

A VPN is a “tunnel” that routes packets between your node and some other point of presence (your office, another country, etc.). When you connect to a site via a VPN, you appear to be coming from the location of the other end of the tunnel. This could help you access services available only from the other country. It can also “hide” your IP address: to the site, your connection appears to come from the IP address at the tunnel exit. This can provide some level of anonymity. Be aware that the VPN provider can see who is using their tunnels and, in some cases, the traffic flowing through them.

In my company (Sixscape Communications) we use a VPN to allow our employees to securely access our office network from home or on the road. We provide the VPN server (actually a pfSense firewall) at the office, and there are various VPN clients that we can use (for Windows, MacOS, etc) to connect to it. We have to authenticate before we can connect, which prevents others from using the VPN to access or attack our office network. Since we use encryption, anything we do (whether it supports encryption or not) is secure between our nodes and the office.

If you are accessing a website that is secured with SSL/TLS, it is already encrypted, so you gain very little privacy by using a VPN (it may still be useful to hide your IP address from snoops). Your traffic is only protected by the VPN from your node to the exit point of the tunnel, not all the way to the site (e.g. online banking), unless that site provides a VPN endpoint. Since those are difficult to set up, few sites use a VPN to secure customer access. SSL/TLS is very simple to set up and is sufficient for most purposes.

Today there are many vendors of VPNs for use on Windows, MacOS, Android and iOS. Typical cost is $2 to $3 a month, regardless of how much traffic you put through it. Speed is usually about the same as without the VPN. A VPN account is tied to you, not to your IP address or node, so you can even install the vendor's app on multiple devices.

One popular vendor is VyprVPN. Another popular one is NordVPN. Costs for these are reasonable and their apps can be installed on almost any platform. Both have exit points in many countries. Both support encryption for privacy. These would not be very useful for secure access to your company network; that is typically done by deploying a VPN server in your office network (e.g. on your firewall).

There are two basic technologies used to implement VPNs – IPsec (the IETF standard technology) and SSL VPN (as used in OpenVPN). SSL VPN makes a very non-standard use of SSL/TLS and there is no IETF standard for it (so different vendors’ implementations may not interoperate). SSL/TLS was designed to secure the connection between a client and a server, as a shim between the application layer and the transport layer. IPsec was designed as a tunnel that you can run any protocol through to gain privacy and even authentication. Unfortunately NAT breaks IPsec (as well as its key exchange scheme, IKE (Internet Key Exchange)), so it is not popular on IPv4. Both IPsec and IKE work well on IPv6 (no NAT!), so as more people move to IPv6 it will likely become dominant.
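As an added illustration of why NAT breaks IPsec (not code from the original article), the toy model below goes slightly beyond the text: IPsec's AH mode computes an integrity check value (ICV) over the IP addresses, so a NAT box that rewrites the source address invalidates it, whereas ESP's ICV covers only the ESP payload and so survives the rewrite. The packet layout, key and helper names (`ah_icv`, `esp_icv`, `nat_rewrite`) are simplified assumptions, not real IPsec framing.

```python
"""Toy model of IPsec integrity checking under NAT.

Constructed, simplified packets (dicts) with HMAC-SHA256 as the ICV.
Not real IPsec packet formatting; only the coverage rules are modelled.
"""
import hashlib
import hmac

# Constructed shared key known to both tunnel endpoints, never to the NAT box.
KEY = b"constructed-demo-key"


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # AH covers the immutable IP header fields (the addresses among them)
    # plus the payload, so the outer addresses are part of what is signed.
    covered = src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def esp_icv(key: bytes, payload: bytes) -> bytes:
    # ESP covers only the ESP header and payload, never the outer IP header.
    return hmac.new(key, payload, hashlib.sha256).digest()


def send_ah(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "payload": payload,
            "icv": ah_icv(key, src, dst, payload)}


def send_esp(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "payload": payload,
            "icv": esp_icv(key, payload)}


def nat_rewrite(packet: dict, public_src: str) -> dict:
    # A NAT device replaces the private source address with its public one.
    # It has no key, so it cannot recompute any ICV; it just forwards.
    rewritten = dict(packet)
    rewritten["src"] = public_src
    return rewritten


def verify_ah(key: bytes, p: dict) -> bool:
    expected = ah_icv(key, p["src"], p["dst"], p["payload"])
    return hmac.compare_digest(expected, p["icv"])


def verify_esp(key: bytes, p: dict) -> bool:
    return hmac.compare_digest(esp_icv(key, p["payload"]), p["icv"])
```

Running `verify_ah` on a packet before and after `nat_rewrite` shows the AH check failing after NAT while the same experiment with `verify_esp` still passes.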