What is a VPN? How does a VPN work? Is a VPN Secure or Insecure?


VPN (Virtual Private Network) is a technology used to connect private networks over public network infrastructure. For security, the private network connection may be established using an encrypted, layered tunneling protocol, and users may be required to pass various authentication methods to gain access to the VPN. Encryption is a common, but not an inherent, part of a VPN connection.

  1. Site-to-Site & Remote-Access VPN
  2. How a VPN works
  3. When We Need to Use VPN
  4. VPN Benefits
  5. The Dangerous Side of Wrong VPN Implementation

You can watch the explanation in Bahasa Indonesia in the following video.

Site-to-Site & Remote-Access VPN

The figure shows a collection of various types of VPNs.

Site-to-Site VPN

A Site-to-Site VPN is generally used to connect two or more local networks that are in separate locations but attached to the same infrastructure (usually the public network, i.e. the internet). In the example above, a Site-to-Site VPN connects the main office and the branch office, so that the LAN in the branch office can reach the LAN in the main office and vice versa.

A Site-to-Site VPN is configured on a VPN-Gateway, also called a terminating device, which is usually a router or firewall. The clients (internal hosts) therefore have no knowledge that a VPN is being used.

Remote-Access VPN

In Juniper terminology this is also called Dynamic VPN. This type of VPN is used to treat a client connected to the VPN as if that client were the VPN-Gateway itself (or a device on the same network as the VPN-Gateway). In a Remote-Access VPN the VPN-Gateway is also called the VPN-Server. In the example above, mobile workers connect to a VPN-Server located in the main office. There are two possibilities in this scenario.

First, traffic from the mobile worker to the Internet (public network) is first delivered to the VPN-Server, which then forwards it to the destination on the internet. Second, the Remote-Access VPN allows mobile workers to access the local network in the main office. When the Site-to-Site VPN between the main and branch offices is also established, mobile workers can reach the local network in the branch office as well.

How a VPN works

Generally, a VPN works by encapsulating the original packet with a VPN header and then creating a new IP header. The fields of the VPN header differ depending on the VPN protocol used, as shown in the following image.

Apart from that, most VPN protocols also provide encryption, but not all of them: some VPNs are intended only for tunneling without encryption. Note that stronger encryption usually requires more resources.

The figure shows how Site-to-Site VPN works.

In the example above, Host A in the main office wants to connect to Host B in the branch office. The Site-to-Site VPN is implemented on each gateway router (called the VPN-Gateway). No configuration is required on Host A or Host B; they may not even know they are communicating over a VPN tunnel.

We use the letters A and B to represent the IP addresses of hosts A and B. This explanation focuses only on VPN processing; we do not cover the full TCP/IP process.

  1. Host A sends a frame to the router (VPN-Gateway) with source address A and destination address B. The source and destination addresses are usually private IPs.
  2. The VPN-Gateway in the main office receives the frame. Generally, the VPN-Gateway encrypts the packet, then encapsulates it in a VPN header. After that, the VPN-Gateway creates a new IP header: the source address is now the IP of the main office's VPN-Gateway and the destination address is the IP of the branch office's VPN-Gateway. After building an appropriate new frame, it forwards the frame to the VPN-Gateway in the branch office over the internet (public network).
  3. The VPN-Gateway in the branch office receives the frame. It removes the Layer 2 header, the new IP header, and the VPN header, and decrypts the payload (the original packet). The packet is now back in its original form (as before entering the VPN tunnel), with source address A and destination address B. An appropriate frame header is added and the frame is forwarded to the destination (Host B).
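The three steps above, as an added example in Python that is not part of the original article. It models the two VPN-Gateways with a shortened 9-byte IP header stand-in and an ESP-like VPN header (SPI plus sequence number); the shared key, gateway addresses and the HMAC-based toy cipher are constructed for the demo and stand in for the real cipher suite a gateway pair would negotiate. Layer 2 framing is left out, as in the article's explanation.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real gateway pair negotiates this (e.g. via IKE for IPsec).
KEY = bytes(range(32))
ESP_PROTO = 50  # IP protocol number the outer header would carry for ESP

def ip_header(src: str, dst: str, proto: int) -> bytes:
    """9-byte stand-in for an IPv4 header: source, destination, protocol."""
    return bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + bytes([proto])

def parse_ip(hdr: bytes):
    return ".".join(map(str, hdr[:4])), ".".join(map(str, hdr[4:8])), hdr[8]

def keystream(nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream from HMAC-SHA256; stands in for AES-GCM in real ESP."""
    blocks = (hmac.new(KEY, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Step 2: encrypt the original packet, add the VPN (ESP-like) header,
    then a new outer IP header addressed gateway-to-gateway."""
    vpn_hdr = struct.pack(">II", spi, seq)          # SPI + sequence number, also the nonce
    ciphertext = xor(inner, keystream(vpn_hdr, len(inner)))
    icv = hmac.new(KEY, vpn_hdr + ciphertext, hashlib.sha256).digest()[:16]  # integrity tag
    return ip_header(gw_src, gw_dst, ESP_PROTO) + vpn_hdr + ciphertext + icv

_last_seq = {}  # SPI -> highest sequence number accepted (simple anti-replay)

def decapsulate(packet: bytes) -> bytes:
    """Step 3: strip the outer IP header, verify integrity, reject replays,
    decrypt, and return the original packet (src A, dst B)."""
    vpn_hdr, ciphertext, icv = packet[9:17], packet[17:-16], packet[-16:]
    expected = hmac.new(KEY, vpn_hdr + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed: packet altered in transit")
    spi, seq = struct.unpack(">II", vpn_hdr)
    if seq <= _last_seq.get(spi, 0):
        raise ValueError("replayed packet: sequence number not increasing")
    _last_seq[spi] = seq
    return xor(ciphertext, keystream(vpn_hdr, len(ciphertext)))
```

On the public network only the outer header (gateway to gateway, protocol 50) is readable; the inner addresses A and B and the payload travel as ciphertext, and a modified or replayed packet is rejected before decryption.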

The figure shows how Remote-Access VPN works.

In the image above, the client has IP address X on its physical interface and the VPN-Server has IP address Y on its physical interface. The client connects to the VPN-Server, and a VPN tunnel is established between them. Virtual tunnel interfaces are created on both devices: the client gets virtual IP address C and the VPN-Server gets virtual IP address S. The client's default gateway is now the VPN-Gateway, so traffic from the client to destination addresses that have no other entry in the client's routing table is forwarded to the VPN-Server.

In the first example, the client requests data from a web server on the internet.

  1. The original frame is created and exits through the client's virtual interface. Its packet has source address C (the IP address of the client's virtual interface) and destination address A (the IP address of the web server on the internet).
  2. Before the frame exits through the client's physical interface, the client performs VPN encapsulation. The original IP header, TCP header, and data are usually encrypted, then encapsulated in the VPN header. After that, a new IP header is created with source address X (the IP of the client's physical interface) and destination address Y (the IP of the VPN-Server's physical interface). A new frame is also created, and the frame is forwarded to the VPN-Server over the public network (internet).
  3. The VPN-Server receives the frame. The packet is de-encapsulated and (if needed) decrypted back to the original packet (source address C, destination address A). The VPN-Server creates an appropriate session, changes the source address to the IP of its physical interface, Y, and sends the packet out to the real destination (the web server on the internet).

In the second example, the client requests data from the file server in the main office. The working principle is the same as in the first example.

  1. The original frame is created and exits through the client's virtual interface. Its packet has source address C (the IP address of the client's virtual interface) and destination address B (the IP address of the file server in the main office).
  2. Before the frame exits through the client's physical interface, the client performs VPN encapsulation. The original IP header, TCP header, and data are usually encrypted, then encapsulated in the VPN header. After that, a new IP header is created with source address X (the IP of the client's physical interface) and destination address Y (the IP of the VPN-Server's physical interface). A new frame is also created, and the frame is forwarded to the VPN-Server over the public network (internet).
  3. The VPN-Server receives the frame. The packet is de-encapsulated and (if needed) decrypted back to the original packet (source address C, destination address B). The VPN-Server creates an appropriate session, changes the source address to the IP of its physical interface, Y, and sends the packet out to the real destination (the file server in the main office).
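The two parts of the Remote-Access flow that the tunnel itself does not show, as an added Python example that is not part of the original article: the client's routing decision once the default gateway points at the VPN-Server (step 1), and the server's session creation and source-address rewrite from C to Y (step 3), including how replies are matched back to the session. The addresses X, Y, C and S are constructed to follow the article's notation; the port numbers and the simple session table are assumptions for the demo.

```python
import ipaddress

# Constructed addresses following the article's notation (all made up):
#   X  client physical interface, Y  VPN-Server physical interface,
#   C  client virtual interface,  S  VPN-Server virtual interface.
X, Y, C, S = "192.0.2.10", "198.51.100.1", "10.8.0.2", "10.8.0.1"

# Client routing table once the tunnel is up: the physical LAN stays local,
# a host route keeps the tunnel's own outer packets (to Y) on the physical
# interface, and everything else defaults to the VPN-Server's virtual address S.
CLIENT_ROUTES = {"192.0.2.0/24": "192.0.2.1", Y + "/32": "192.0.2.1", "0.0.0.0/0": S}

def next_hop(dst: str, routes: dict) -> str:
    """Longest-prefix match over the client's routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in routes if addr in ipaddress.ip_network(p)]
    return routes[str(max(matches, key=lambda n: n.prefixlen))]

class VpnServer:
    """Step 3 at the server: after de-encapsulation, create a session and rewrite the
    source C to the server's own physical address Y before forwarding."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.sessions = {}   # (C, sport, dst, dport) -> translated source port
        self.reverse = {}    # (translated port, dst, dport) -> (C, sport)
        self.next_port = 40000

    def outbound(self, pkt: dict) -> dict:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.reverse[(self.next_port, pkt["dst"], pkt["dport"])] = key[:2]
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.sessions[key]}

    def inbound(self, pkt: dict):
        """Reply from the real destination: translate back into the tunnel only if it
        matches an existing session; unsolicited packets return None (dropped)."""
        client = self.reverse.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if client is None:
            return None
        return {**pkt, "dst": client[0], "dport": client[1]}
```

The host route for Y matters in practice: without it the encapsulated packets destined for the VPN-Server would themselves match the default route and be sent back into the tunnel.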

When Do We Need to Use a VPN?

1. Connecting two or more local networks at different sites.

As in the previous example, we can connect two local networks in different locations with a site-to-site VPN over the public network (internet). In fact, we can even place them in the same network segment even though their locations differ.

2. When we need different treatment of our traffic.

There are many examples of this. The treatment can be QoS, a firewall, routing, security and so on.

For example, we are in Indonesia and subscribe to ISP A with high local bandwidth: traffic to the IIX can reach, say, 100 Mbps, but international bandwidth is low, say 10 Mbps. So when we access a server outside Indonesia, it feels slower. One solution is to rent a VPN from another local provider (for example ISP B) with higher international bandwidth. Traffic from us to the global internet is then treated as local traffic while it passes through ISP A, because the destination address is ISP B's server, which is in the same location at the IIX.

Another example: we use an ISP without a firewall, but we want security in the form of a firewall that protects against unsafe websites and malicious traffic, plus an ad blocker. We can use a VPN that offers those services, so that our traffic is filtered of unsafe websites, malicious traffic, and annoying ads.

3. When we want secure access to office resources for remote employees.

As discussed earlier, remote workers who work from home or anywhere else can access resources at the office securely over the public internet. We can set up a remote-access VPN server in the office; the remote worker then connects to it before accessing office resources.

And so on; there are many other VPN implementations that I haven't mentioned.

VPN Benefits

  1. Cost Savings
    With the advent of cost-effective, high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
  2. Security
    Some VPNs provide CIA (Confidentiality, Integrity, Availability), the three elements of security that ensure data security. VPN encryption provides Confidentiality, ensuring the data cannot be read by anyone except the sender and receiver. Unreadable does not mean immutable, so a VPN also needs to provide Integrity, a mechanism to ensure that the data is not altered while in transit. And the VPN authentication protocol provides Availability, ensuring that only authenticated users can access the data. One protocol that provides CIA is IPSec (IP Security); we will discuss IPSec VPN in another session.
  3. Scalability
    VPNs allow organizations to use the internet, making it easy to add new users or expand the business without adding significant infrastructure. VPNs can be implemented across a wide variety of WAN link options, including all the popular broadband technologies. VPN protocols are also supported by default on intermediate and end devices.

The Dangerous Side of Wrong VPN Implementation

We agree that no system is safe. There is always the risk of our data being exposed, our session being hijacked, and our private information being collected. All of these are things that I think are difficult to avoid when we use the internet. The same goes for a VPN: however we implement it, there are downsides. Our job is to minimize the risk.

When we talk about internet security, as long as we use public services such as Google, Facebook, e-commerce and so on, our activities related to those services can certainly be recorded. Intermediaries such as service providers can also read our unencrypted traffic. Our data would be completely safe only if we accessed nothing but private services on our own infrastructure, but that is rare. Most of those are just file servers and web servers; it's boring. No social media, no online marketplaces, none of the other cool services on the internet.

So, all we can do is choose who can see our data: legal organizations such as internet service providers, data centers, cloud providers and others, whose activities are under the control of the rule of law (although they could buy laws, haha), or an illegal third party whose purpose is to break the law. See the following figure to see which is a legal organization and which is an illegal third party.

Blue indicates low risk, red indicates potentially high risk. Free Wi-Fi is red because it carries greater risk: anyone can join the network. In this situation we are advised to use a VPN when accessing services that need security, such as internet banking, e-commerce, etc.

Red-server is a server in a legal data center that has naughty users. Later we will see what a naughty user means.

The following are things to avoid when using a VPN.

Using a free VPN

People often use a free remote-access VPN because it is free and can bypass a firewall. This free VPN server may be deployed on a server in a legal data center, like the red-server in the illustration above. Some things you need to know when you connect to the VPN server they have created on the red-server: your traffic will be forwarded through the red-server, and users on the red-server can reach your computer. So they can do network reconnaissance, send malicious traffic or files, capture your traffic, and even hijack your session.

I have demonstrated how they, the VPN server owners, can capture your traffic and obtain your data in the following video. However, this video is in Indonesian (not English).

Buying a VPN from an unknown provider

This case is like the free VPN case: we use a VPN from people or organizations that are not a legal provider, and they intend to hijack our data. But note also that not everyone who is not a legal provider intends to hijack you; they may genuinely want to sell a service or just help you. Only you can weigh this when you want to use a VPN. My advice is to use a VPN from a provider you know well, or buy from a legal provider.

These two points are the ones we need to pay attention to as laypeople (users). As network engineers, we can decide in more detail when choosing a VPN: which VPN protocol to use, whether encryption is needed, and if so, which type of encryption. It all depends on our needs.

In the next article we will discuss the IPSec VPN concept.
