In today’s digital landscape, where online privacy and security are paramount, Virtual Private Networks (VPNs) have emerged as essential tools for safeguarding personal information and ensuring secure internet access.
VPNs come in various forms, each designed to meet specific needs and use cases. They range from remote access VPNs that allow individuals to connect securely to their home or office networks to site-to-site VPNs that link multiple networks for businesses.
Understanding the different types of VPNs is crucial for making informed decisions about network security. In this article, we will explore what a VPN is and look at the various types of VPNs, their distinguishing features, and how they can enhance your online experience.
A Virtual Private Network (VPN) is a technology that creates a secure and encrypted connection over a less secure network, such as the Internet.
By extending a private network across public networks, VPNs allow users to send and receive data securely, ensuring that their online activities remain private and protected from potential eavesdropping or cyber threats.
VPNs work by masking the user's IP address and encrypting their internet traffic, making it difficult for third parties to track their online behavior or access sensitive information.
VPNs are utilized for various purposes, including enhancing privacy while browsing, accessing restricted content, and connecting remote users to corporate networks.
They operate through different protocols that establish secure tunnels for data transmission, ensuring confidentiality and integrity.
As online security concerns grow, understanding how VPNs function and what benefits they offer has become increasingly important for both individual users and organizations seeking to protect their digital communications.
Now coming on to types of Virtual Private Network (VPN), there are two types of VPN:
A Remote Access VPN allows a user to connect to a private network and use all of its services and resources remotely. The connection between the user and the private network is carried over the internet, and it is secure and private.
Remote Access VPN is useful for home users and business users to bypass regional restrictions on the internet and access blocked websites.
For example, an employee who is away from the office uses a VPN to connect to the company network and send or access files or data.
A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in the corporates. Enterprises, with branch offices in different locations, use Site-to-site virtual private networks to connect the network of one office location to the network at another office location.
It is further divided into two types: intranet-based VPNs and extranet-based VPNs.
A VPN tunnel is an encrypted link between your device and the internet, or between two private networks connected over the internet. A VPN tunnel is created using one of several tunneling protocols:
● PPTP (Point-to-Point Tunneling Protocol)
● L2TP (Layer 2 Tunneling Protocol)
● SSL (Secure Sockets Layer)
● TLS (Transport Layer Security)
● IPsec (Internet Protocol Security)
● OpenVPN
Now let's understand each one of these one by one.
PPTP (Point-to-Point Tunneling Protocol) is a VPN protocol developed by Microsoft. It is supported across various operating systems and devices. PPTP allows secure transmission of data over an IP network by encapsulating data packets within IP packets.
1. Control Connection: PPTP establishes a control connection between the client and the server. This connection is responsible for managing the setup, maintenance, and termination of the VPN tunnel.
2. Data Tunnel: PPTP creates a data tunnel for transmitting user data. The data tunnel encapsulates the user's data packets within PPTP packets, which are then encapsulated within IP packets for transmission over the network.
3. GRE (Generic Routing Encapsulation): PPTP uses GRE to encapsulate the data packets. GRE provides a mechanism for encapsulating various network layer protocols, allowing them to be transmitted over an IP network.
4. Encryption: PPTP supports encryption to ensure the confidentiality of data transmitted over the VPN tunnel. It uses Microsoft Point-to-Point Encryption (MPPE), which provides encryption for the data packets.
1. Connection Establishment: The PPTP client initiates a connection to the PPTP server. This involves establishing a TCP connection (typically on port 1723) for the control connection.
2. Authentication: The client and server authenticate using either CHAP (Challenge Handshake Authentication Protocol) or MS-CHAP (Microsoft Challenge Handshake Authentication Protocol). This means only authorized users can establish VPN connections.
3. Tunnel Setup: After successful authentication, the client and server negotiate the parameters for the VPN tunnel, including encryption settings. This is done through the control connection.
4. Data Transmission: With the VPN tunnel established, the client can now send data securely over the connection. When a client sends data, it first encapsulates the data in PPTP packets, which are then encapsulated in IP packets and transmitted over the network. The server receives the packets, decapsulates them, and forwards the original data to the appropriate destination.
5. Tunnel Termination: The control connection is closed as soon as the VPN session is ended by either the client or the server.
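The control connection described in steps 1 and 3 carries fixed-format control messages. The following is an added example, not code from the article: it constructs and parses the first message a PPTP client sends on TCP port 1723, the Start-Control-Connection-Request, using the field layout and constants from RFC 2637 (the magic cookie, message type codes and 156-byte length are from that RFC; the hostname and vendor string are constructed sample values). A sensor that recognises this message can inventory legacy PPTP tunnels that should be migrated to IPsec or OpenVPN.

```python
import struct

# Constants from RFC 2637 (the article gives the protocol and port; the values are from the RFC)
PPTP_PORT = 1723
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1               # PPTP Message Type: 1 = control message, 2 = management message
CTRL_START_CONNECTION_REQUEST = 1  # Control Message Type of Start-Control-Connection-Request
PPTP_PROTOCOL_VERSION = 0x0100     # protocol version 1.0

# Start-Control-Connection-Request layout (RFC 2637 section 2.1), big-endian, 156 bytes in total:
# Length, Message Type, Magic Cookie, Control Type, Reserved0, Protocol Version, Reserved1,
# Framing Capabilities, Bearer Capabilities, Maximum Channels, Firmware Revision, Host Name, Vendor String
SCCRQ_FORMAT = ">HHIHHHHIIHH64s64s"
SCCRQ_LEN = struct.calcsize(SCCRQ_FORMAT)  # 156


def build_sccrq(hostname: bytes, vendor: bytes, framing_caps: int = 3,
                bearer_caps: int = 3, max_channels: int = 1) -> bytes:
    """Construct a Start-Control-Connection-Request as a client would send it (constructed sample)."""
    return struct.pack(
        SCCRQ_FORMAT,
        SCCRQ_LEN,                      # Length of the whole message
        PPTP_MSG_CONTROL,               # control message
        PPTP_MAGIC_COOKIE,              # lets the receiver detect a desynchronised stream
        CTRL_START_CONNECTION_REQUEST,
        0,                              # Reserved0
        PPTP_PROTOCOL_VERSION,
        0,                              # Reserved1
        framing_caps,                   # bit 0 = async framing, bit 1 = sync framing
        bearer_caps,                    # bit 0 = analog access, bit 1 = digital access
        max_channels,
        0,                              # Firmware Revision
        hostname.ljust(64, b"\x00"),    # NUL-padded to 64 bytes
        vendor.ljust(64, b"\x00"),
    )


def parse_sccrq(data: bytes) -> dict:
    """Parse a Start-Control-Connection-Request; raise ValueError on anything malformed."""
    if len(data) < SCCRQ_LEN:
        raise ValueError("truncated PPTP control message")
    (length, msg_type, cookie, ctrl_type, _r0, version, _r1, framing, bearer,
     max_ch, firmware, host, vendor) = struct.unpack(SCCRQ_FORMAT, data[:SCCRQ_LEN])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not a PPTP control stream, or stream out of sync")
    if msg_type != PPTP_MSG_CONTROL:
        raise ValueError(f"unexpected PPTP message type {msg_type}")
    if ctrl_type != CTRL_START_CONNECTION_REQUEST:
        raise ValueError(f"not a Start-Control-Connection-Request (control type {ctrl_type})")
    if length != SCCRQ_LEN:
        raise ValueError(f"length field {length} does not match the {SCCRQ_LEN}-byte message size")
    return {
        "version": f"{version >> 8}.{version & 0xFF}",
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_ch,
        "firmware": firmware,
        "hostname": host.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def is_valid_sccrq(data: bytes) -> bool:
    """Convenience wrapper for a sensor: True only if the bytes parse as a well-formed request."""
    try:
        parse_sccrq(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    packet = build_sccrq(b"laptop-01", b"example vendor")
    print(f"{len(packet)} bytes on TCP/{PPTP_PORT}:", parse_sccrq(packet))
```

The magic cookie check is the first thing a parser should do: the RFC places it there so that a receiver can tell a stray or corrupted stream apart from a genuine control connection before interpreting any other field.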
1. Widely Supported: It is supported on most operating systems and many other devices, which makes it easy to deploy across platforms.
2. Easy to Configure: PPTP is relatively simple to configure, requiring minimal configuration settings on client and server devices.
3. Good Performance: PPTP has low overhead and provides good performance for most applications.
1. Security Concerns: PPTP is considerably less secure than IPsec and OpenVPN.
2. Limited Encryption Options: PPTP supports the Microsoft Point-to-Point Encryption (MPPE) protocol with a maximum of 128 bits of key size.
3. NAT Traversal Issues: PPTP can encounter difficulties when used in conjunction with network address translation (NAT), potentially leading to connection issues in certain network environments.
Overall, while PPTP is widely supported and easy to configure, its security vulnerabilities and limited encryption options have led to its declining usage in favor of more secure protocols such as IPsec and OpenVPN.
L2TP (Layer 2 Tunneling Protocol) operates at the data link layer of the OSI model and provides a secure tunnel for transmitting data over an IP network. L2TP provides better security and flexibility by combining the best features of PPTP and L2F.
1. Control Connection: L2TP establishes a control connection between the client and the server. The control connection is responsible for managing the setup, maintenance, and termination of the VPN tunnel.
2. Data Tunnel: L2TP creates a data tunnel for transmitting user data. The data tunnel encapsulates the user's data packets within L2TP packets, which are then encapsulated within IP packets for transmission over the network.
3. L2TP Tunnel: An L2TP tunnel has two components:
● L2TP Access Concentrator (LAC)
● L2TP Network Server (LNS)
The LAC resides on the client's side, while the LNS is located on the server's side. These components work together to establish and maintain the VPN connection.
● PPP (Point-to-Point Protocol): L2TP uses PPP for authentication, encryption, and encapsulation. PPP provides a reliable and secure method for transmitting data over a VPN connection.
● L2TPv3: L2TPv3 is an extension of L2TP that transports non-IP protocols over an IP network. This allows L2TP to be used for various types of traffic, not just IP-based data.
● Connection Establishment: The L2TP client initiates a connection to the L2TP server. This involves establishing a control connection using the UDP protocol (typically on port 1701).
● Authentication and Tunnel Setup: PPP authentication protocols such as PAP and CHAP are used to authenticate the client and server. After successful authentication, the L2TP tunnel is established and the session is initiated.
● PPP Session: Within the L2TP tunnel, PPP sessions are created. These sessions provide the framework for transmitting data securely between the client and server. PPP negotiates various parameters such as authentication methods, encryption settings, and IP addresses.
● Data Transmission: With the L2TP tunnel and PPP session established, the client can now send data securely over the connection. When a client sends data, it is encapsulated in L2TP, and it is again encapsulated in IP packets and then transmitted over the network. The server receives the packets, decapsulates them, and forwards the original data to the appropriate destination.
● Tunnel Termination: When the VPN session is complete or terminated by either the client or the server, the control connection is closed, and the L2TP tunnel and associated PPP sessions are dismantled.
1. Enhanced Security: L2TP provides enhanced security compared to PPTP by using the more secure PPP protocol for authentication and encryption.
2. Wide Platform Support: It is supported on multiple operating systems and other devices.
3. Support for Non-IP Protocols: L2TPv3 extends the functionality of L2TP and can transport non-IP protocols.
1. Overhead: L2TP adds a layer of encapsulation, which can introduce some overhead and potentially impact performance compared to other VPN protocols.
2. Limited Encryption Options: L2TP itself does not provide encryption. It relies on the PPP protocol for encryption, which offers limited encryption options compared to other protocols like IPsec and OpenVPN.
Overall, L2TP is a widely supported VPN protocol that offers improved security compared to PPTP. While it may have some performance overhead and limited encryption options, its compatibility with various platforms and support for non-IP protocols make it a viable choice for many VPN deployments.
SSL (Secure Sockets Layer) was created to enhance the security of network communication over the Internet. SSL ensures the privacy, integrity, and trustworthiness of data. TLS is the improved successor to SSL, but the term SSL is still commonly used.
1. Encryption: SSL uses encryption algorithms to secure data in transit, so the data transmitted between client and server is protected from eavesdropping.
2. Authentication: SSL provides mechanisms for mutual authentication between the client and the server. In order to ensure that the client always connects to the intended server, both parties verify the identities of each other.
3. Data Integrity: SSL employs cryptographic algorithms to verify the integrity of transmitted data. That means nobody has modified the data in transit.
5. Trust and Certificates: Digital certificates issued by trusted certificate authorities (CAs) are used in SSL to establish trust between the two parties. A certificate binds a public key to an identity; that key is used for encryption and authentication.
5. Secure Handshake: The client and server perform a secure handshake process to establish a connection between them. During the handshake, the client and server negotiate encryption algorithms, exchange certificates, and verify each other's identities.
1. Client Hello: The SSL handshake begins with the client sending a Client Hello message to the server. This message includes the SSL version supported by the client, a random number, and a list of supported cipher suites.
2. Server Hello: Upon receiving the Client Hello, the server responds with a Server Hello message. This message contains the SSL version chosen by the server, another random number, and the chosen cipher suite from the client's list.
3. Certificate Exchange: The server sends its digital certificate to the client, which contains the server's public key. The client verifies the authenticity of the certificate using trusted certificate authorities.
4. Client Key Exchange: The client generates a pre-master secret and encrypts it using the server's public key from the certificate. The client sends this encrypted pre-master secret to the server.
5. Session Key Generation: Both the client and the server independently derive the session key from the pre-master secret and other random values exchanged during the handshake. This session key is used for encrypting and decrypting data transmitted during the SSL session.
6. Session Established: With the session key generated, the client and server complete the handshake process. They exchange messages to confirm that the SSL connection has been successfully established.
7. Secure Data Exchange: The client and server exchange data securely. SSL encrypts the data using the session key to ensure confidentiality and integrity.
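Steps 4 and 5 above say that both sides derive the same session keys from the pre-master secret and the two random values without ever sending the keys. The following added example (not the article's code) works that derivation through using the TLS 1.2 PRF of RFC 5246 as the concrete instance: P_SHA256 expands the pre-master secret and both randoms into the 48-byte master secret, and the master secret is expanded again into the per-direction MAC keys, encryption keys and IVs. The pre-master secret and randoms here are constructed sample values; the MAC/key/IV sizes are those of an AES-128-CBC-SHA cipher suite.

```python
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_hash data expansion (RFC 5246 section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    """
    output = b""
    a = seed
    while len(output) < length:
        a = hmac.new(secret, a, hash_name).digest()
        output += hmac.new(secret, a + seed, hash_name).digest()
    return output[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def rsa_pre_master_secret(client_version: int = 0x0303) -> bytes:
    """RSA key exchange pre-master secret (RFC 5246 section 7.4.7.1): 2-byte client version + 46 random bytes.

    This is what the client encrypts under the server's public key in step 4.
    """
    return client_version.to_bytes(2, "big") + os.urandom(46)


def derive_master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret (RFC 5246 section 8.1). Both sides can compute this once step 4 is done."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def derive_key_block(master_secret: bytes, client_random: bytes, server_random: bytes,
                     mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret into the six traffic secrets (RFC 5246 section 6.3).

    Note the randoms are concatenated in the opposite order from the master secret derivation.
    """
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master_secret, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Sizes for TLS_RSA_WITH_AES_128_CBC_SHA: HMAC-SHA1 key 20, AES-128 key 16, CBC IV 16
AES128_CBC_SHA = dict(mac_len=20, key_len=16, iv_len=16)


def session_keys(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """What each endpoint computes independently in step 5 from the values it already holds."""
    master = derive_master_secret(pre_master_secret, client_random, server_random)
    return derive_key_block(master, client_random, server_random, **AES128_CBC_SHA)


if __name__ == "__main__":
    # Constructed handshake values: the randoms come from the Hello messages, the pre-master from step 4
    client_random, server_random = os.urandom(32), os.urandom(32)
    pms = rsa_pre_master_secret()
    client_side = session_keys(pms, client_random, server_random)
    server_side = session_keys(pms, client_random, server_random)
    print("both sides agree:", client_side == server_side)
    print("client_write_key:", client_side["client_write_key"].hex())
```

Because the server random is mixed into every derived key, a replayed ClientHello and pre-master secret from an earlier session cannot reproduce that session's keys; each side keeps only its own write keys active in one direction and the peer's in the other.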
1. Data Security: SSL provides encryption, confidentiality, and integrity of the transmitted data.
2. Authentication and Trust: SSL establishes trust between client and server by verifying the identities of the two parties.
3. Widely Supported: SSL is widely supported by web browsers, servers, and various network applications, making it accessible for secure communication.
1. Performance Overhead: The encryption and decryption processes of SSL introduce some performance overhead, which may impact the speed of data transmission.
2. Vulnerabilities: Older SSL versions have known security vulnerabilities, and newer versions were released to address them. The best practice is to use the latest version of TLS.
Overall, SSL offers encryption, authentication, and data integrity hence securing communications over the internet.
TLS and SSL are protocols that ensure secure communication over a network. TLS has replaced SSL as the industry standard. Below are the differences between TLS and SSL:
1. SSL: SSL was developed by Netscape in the 1990s and gradually improved up to SSL 3.0.
2. TLS: TLS 1.0 was based on SSL 3.0; the first version of TLS was intended as an upgrade to SSL.
1. SSL: SSL was later deprecated due to several vulnerabilities, including POODLE (Padding Oracle On Downgraded Legacy Encryption) and BEAST (Browser Exploit Against SSL/TLS).
2. TLS: TLS has undergone significant improvements in security over its various versions.
1. SSL: The handshake process in SSL involves a series of steps, including the exchange of supported cipher suites, negotiation of encryption algorithms, and verification of the server's certificate. SSL handshake messages are sent in plain text.
2. TLS: The TLS handshake process is similar to SSL but with additional features and improvements. One significant change is that the handshake messages are encrypted, providing better security against eavesdropping and tampering.
1. SSL: SSL supports a limited set of cipher suites compared to TLS.
2. TLS: TLS supports cipher suites built on stronger encryption algorithms. TLS cipher suites are designed to provide better security and meet modern cryptographic standards.
1. SSL: Due to security concerns and the deprecation of older SSL versions, many modern systems and applications have dropped support for SSL or have limited support for specific SSL versions.
2. TLS: TLS is widely supported by modern systems and applications. Most web browsers, servers, and network devices prefer TLS over SSL due to its enhanced security and better compatibility with current security standards.
IPsec (Internet Protocol Security) is a protocol suite used to secure IP communication by providing confidentiality, integrity, and authenticity at the IP packet level. It is mainly used to establish secure connections over public networks such as the Internet. IPsec operates at the network layer of the OSI model and can be implemented in both transport mode and tunnel mode.
1. Authentication Header (AH): AH provides data integrity, authentication, and protection against replay attacks. It adds an integrity check value (ICV) to the IP packet, ensuring that the data has not been tampered with during transmission. AH does not provide confidentiality, as it does not encrypt the packet contents.
2. Encapsulating Security Payload (ESP): ESP provides confidentiality, data integrity, and authentication. It encrypts the IP packet's payload, ensuring that the data remains confidential. ESP also adds an ICV to protect against tampering and includes authentication mechanisms to verify the packet's origin.
3. Security Associations (SA): An SA is a unidirectional relationship between two IPsec peers, defining the parameters for secure communication. Each SA includes security protocol (AH or ESP), cryptographic algorithms, encryption keys, and other parameters needed for secure communication.
4. Key Management: IPsec relies on key management protocols to establish and maintain encryption keys used for securing the communication. Key management protocols, such as Internet Key Exchange (IKE), enable peers to negotiate and exchange encryption keys securely.
1. Transport Mode: In transport mode, IPsec secures only the IP packet's payload, leaving the IP header unchanged. It provides secure communication between end hosts. Transport mode does not protect the IP header, which means that some information, such as the source and destination IP addresses, remains visible to potential eavesdroppers.
2. Tunnel Mode: In this mode, the entire IP packet, including the IP header, is encapsulated in a new IP packet. The original IP packet becomes the payload of the new IP packet, which is encrypted and authenticated. Tunnel mode is commonly used for VPNs, where the original IP addresses are hidden and secure communication is established between gateways or in endpoint-to-gateway scenarios.
1. Security Association (SA) Negotiation: IPsec peers negotiate the parameters for secure communication, including the security protocol (AH or ESP), cryptographic algorithms, keys, and other security-related information. This negotiation is typically done using key management protocols such as IKE.
2. Key Exchange: Peers exchange encryption keys securely through key management protocols. The keys are used to encrypt and decrypt the IPsec packets.
3. Secure Communication: Once the SAs and encryption keys are established, IPsec encrypts and/or authenticates the IP packets according to the defined security parameters. The IPsec implementation adds the necessary headers (AH and/or ESP) to the IP packet, encapsulating the payload and protecting it during transmission.
4. Packet Processing: At the receiving end, the IPsec implementation verifies the integrity and authenticity of the received packets. It decrypts the encrypted payload and performs additional checks to ensure the packet's integrity and protect against replay attacks.
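Step 4, and the ICV and replay protection introduced under AH and ESP above, can be shown in working code. The following added example (not the article's code, and not a full ESP implementation) keeps just the receive-side integrity and anti-replay logic: the sender appends an ICV computed as HMAC-SHA-256 truncated to 128 bits (the HMAC-SHA-256-128 integrity algorithm of RFC 4868) over the SPI, sequence number and payload, and the receiver verifies the ICV in constant time and only then consults a 64-packet sliding window modelled on RFC 4303 Appendix A. Encryption of the payload is omitted so the integrity and replay steps stand out; the key, SPI and payloads are constructed sample values.

```python
import hmac
import hashlib
import struct

ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)


class AntiReplayWindow:
    """Sliding window over 32-bit sequence numbers (simplified RFC 4303 Appendix A).

    `top` is the highest sequence number accepted so far; bit i of `bitmap` records whether
    sequence number top - i has been seen.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window; False if replayed or too old."""
        if seq == 0:
            return False                      # the first packet on an SA carries sequence number 1
        if seq > self.top:                    # newer than anything seen: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: reject (cannot tell from a replay)
        if self.bitmap & (1 << offset):
            return False                      # already accepted once: a replay
        self.bitmap |= 1 << offset            # late but new: accept and mark
        return True


def esp_protect(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: ESP header (SPI, sequence number) + payload + ICV over everything before it."""
    header = struct.pack(">II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receive-side security association: one SPI, one integrity key, one replay window."""

    def __init__(self, spi: int, auth_key: bytes, window_size: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.replay = AntiReplayWindow(window_size)

    def process(self, packet: bytes):
        """Return (accepted, reason, payload). The window is updated only after the ICV verifies,
        so a forged packet with a high sequence number cannot slide the window and block real traffic."""
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated", b""
        spi, seq = struct.unpack(">II", packet[:8])
        if spi != self.spi:
            return False, "unknown SPI", b""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return False, "ICV mismatch", b""
        if not self.replay.check_and_update(seq):
            return False, "replayed or stale sequence number", b""
        return True, "ok", packet[8:-ICV_LEN]


if __name__ == "__main__":
    key = bytes(range(32))                     # constructed integrity key; real keys come from IKE
    sa = InboundSA(spi=0x1000, auth_key=key)
    first = esp_protect(key, 0x1000, 1, b"hello")
    print(sa.process(first))                   # accepted
    print(sa.process(first))                   # same packet again: rejected as a replay
```

The order of checks mirrors the receiver in RFC 4303: identify the SA by SPI, verify integrity, then apply replay protection and only then hand the payload to decryption and the upper layer. The same verify-then-check-sequence pattern is what OpenVPN's per-packet MAC, described later in this article, relies on.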
1. Strong Security: IPsec provides encryption, authentication, and integrity of data transmitted over IP networks.
2. Wide Industry Support: IPsec is widely supported by various operating systems, routers, and network devices, making it a popular choice for secure communication.
3. Compatibility: IPsec can be used with existing IP-based applications and does not require modifications to the applications themselves. It operates at the network layer, making it transparent to higher-layer protocols.
1. Complex Configuration: IPsec can have complex configuration requirements, particularly when deploying large-scale VPNs or complex network architectures. Setting up IPsec tunnels and managing security associations can be challenging.
2. Potential Performance Impact: The encryption and decryption processes of IPsec can introduce some performance overhead, which may impact the speed of data transmission, particularly on lower-end devices.
Despite these considerations, IPsec remains a widely adopted and robust protocol suite for securing IP communication, particularly in enterprise networks and VPN deployments.
OpenVPN provides a private and secure connection over the internet. It is an open-source protocol and is compatible with different operating systems and devices.
It achieves its security by using encryption and secure key exchange to establish safe connections between your device and the network you're connecting to.
1. Security: OpenVPN uses encryption algorithms to ensure confidentiality and integrity of data.
2. Flexibility: Network configurations such as site-to-site, client-to-site, and point-to-point are supported.
3. Cross-Platform Compatibility: OpenVPN runs on a wide range of devices and can establish secure connections between them.
4. Scalability: OpenVPN scales from small to large deployments. It can handle a significant number of concurrent connections, making it suitable for enterprise-level VPN solutions.
5. Client Authentication: OpenVPN supports pre-shared keys, username/password combinations, certificates, and two-factor authentication for client authentication. This allows for flexible and strong authentication mechanisms.
6. Network Address Translation (NAT) Traversal: OpenVPN includes NAT traversal capabilities, enabling secure communication between hosts behind NAT devices or firewalls.
1. Connection Establishment: OpenVPN uses a combination of SSL/TLS protocols for the initial connection establishment. The client and server negotiate encryption algorithms, exchange certificates, and perform mutual authentication.
2. Session Key Exchange: OpenVPN negotiates a session key that is used for encrypting and decrypting data after initial connections are established. The session key is periodically rekeyed to maintain security.
3. Data Encryption: OpenVPN encrypts the data payload of IP packets using symmetric-key encryption. The data is encapsulated in SSL/TLS before being transmitted over the network.
4. Data Integrity and Authentication: OpenVPN ensures data integrity and authentication by adding a message authentication code (MAC) to each packet. The MAC is computed using a hash function and shared keys.
5. Compression: OpenVPN includes an optional data compression feature that can reduce bandwidth usage by compressing the data before encryption. Compression can improve performance in scenarios where data transfer is a bottleneck.
6. Routing and Configuration: OpenVPN can configure routing tables to direct traffic through the VPN tunnel. It can also manage network configurations, such as IP address assignment and DNS (Domain Name System) settings, to ensure seamless connectivity.
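Each of the mechanisms in steps 1 to 5 corresponds to a directive in an OpenVPN configuration file, and most weaknesses in deployed OpenVPN servers come from those directives rather than from the protocol. The following added example (not code from the OpenVPN project) is a small linter that reads a server or client configuration and reports a weak setting next to the corrected one: a 64-bit-block data cipher such as BF-CBC, a disabled or MD5 packet MAC, compression enabled before encryption (the optional feature in step 5, which the OpenVPN project now advises against because it can leak plaintext), a missing tls-auth/tls-crypt control-channel key, a TLS floor below 1.2, and a client without remote-cert-tls server. The directive names are real OpenVPN directives; the two configurations and the file name ta.key are constructed samples.

```python
# Weak settings this linter flags; each maps to the replacement it recommends
WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}
WEAK_AUTH = {"none", "md5"}
CONTROL_CHANNEL_KEYS = {"tls-auth", "tls-crypt", "tls-crypt-v2"}

# Constructed sample: a server configuration carrying historical defaults
WEAK_SERVER_CONF = """\
dev tun
proto udp
port 1194            # OpenVPN's registered default port
cipher BF-CBC        # 64-bit block cipher, the pre-2.5 default
auth MD5
comp-lzo yes
tls-version-min 1.0
"""

# Constructed sample: the same server with the corrected settings
HARDENED_SERVER_CONF = """\
dev tun
proto udp
port 1194
data-ciphers AES-256-GCM:AES-128-GCM   # AEAD ciphers negotiated with clients
auth SHA256                             # packet MAC for non-AEAD fallbacks
tls-crypt ta.key                        # authenticate and encrypt the control channel
tls-version-min 1.2
"""


def parse_config(text: str) -> list:
    """Split an OpenVPN config into (directive, args) pairs, dropping '#' and ';' comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def lint_openvpn_config(text: str) -> list:
    """Return (check, message) findings; an empty list means none of the checks fired."""
    directives = parse_config(text)
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        value = args[0] if args else ""
        if name == "cipher" and value.upper() in WEAK_DATA_CIPHERS:
            findings.append(("cipher", f"weak data cipher {value}; use data-ciphers AES-256-GCM:AES-128-GCM"))
        if name == "auth" and value.lower() in WEAK_AUTH:
            findings.append(("auth", f"packet MAC '{value}' gives no usable integrity; use auth SHA256"))
        if (name == "comp-lzo" and value.lower() != "no") or \
           (name == "compress" and value.lower() in {"lzo", "lz4", "lz4-v2"}):
            findings.append(("compression", "compression before encryption is enabled; remove comp-lzo/compress"))
        if name == "tls-version-min" and value in {"1.0", "1.1"}:
            findings.append(("tls-version-min", f"TLS floor {value} is deprecated; set tls-version-min 1.2"))
    if not names & CONTROL_CHANNEL_KEYS:
        findings.append(("control-channel", "no tls-auth/tls-crypt: control channel accepts unauthenticated packets; add tls-crypt <keyfile>"))
    if "tls-version-min" not in names:
        findings.append(("tls-version-min", "no TLS floor configured; set tls-version-min 1.2"))
    if "client" in names and not any(name == "remote-cert-tls" and args[:1] == ["server"] for name, args in directives):
        findings.append(("remote-cert-tls", "client does not verify the server certificate role; add remote-cert-tls server"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(label)
        for check, message in lint_openvpn_config(conf) or [("ok", "no findings")]:
            print(f"  [{check}] {message}")
```

The control-channel check is the one most often missed: without tls-auth or tls-crypt, any host that can reach the UDP port can start a TLS handshake with the server, so the pre-shared control-channel key is what keeps the server's TLS stack out of reach of unauthenticated peers.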
1. Security: OpenVPN provides robust encryption and authentication which ensures secure and private communication over public networks.
2. Flexibility: OpenVPN supports various network configurations and can operate over different protocols, making it adaptable to diverse network environments.
3. Cross-Platform Compatibility: OpenVPN is compatible with major operating systems and other devices.
4. Open-Source and Audited: OpenVPN's open-source nature allows for continuous community review and security audits, contributing to its reliability and trustworthiness.
1. Configuration Complexity: Setting up, configuring, and troubleshooting OpenVPN can be more difficult and complex than other VPN solutions.
2. Performance Overhead: OpenVPN may introduce some performance overhead due to encryption and encapsulation processes, which can affect data transfer speeds, especially on lower-end devices.
Despite these considerations, OpenVPN is a VPN protocol that offers high security and flexibility for establishing secure connections over public networks.
Kumar Pal is a Senior Network Solution Architect and an expert on Riverbed WAN optimization and routing and switching technologies. He has been working in the IT networking industry since 2010. Kumar Pal has completed CCNA, CCNP Enterprise, CCIE Enterprise, F5 LTM, F5 DNS, and Riverbed certification courses, which make him a most versatile professional in ...