6.1 Introduction to VPN

Virtual Private Network or VPN is literally a virtual private network. Most likely, you often heard the word VPN when you wanted to change the country in the browser of your phone or computer. Launch VPN, select a country and you're done.

Although VPNs, in fact, have nothing to do with countries. The case is a little different.

Imagine that you work in an office on a computer, and in this office there are various computer equipment with network access: computers, servers, printers, video conferencing equipment.

Situation 1 : your office has grown, you decided to move to the next floor. You took your computer, moved it to another room, plugged it into another network outlet, and you still have access to all the servers and computers of the company.

Most likely, your computer is now talking to another router, but all the routers in your company know how to communicate with each other and provide you with all the benefits of being on the same local network. You have no problem accessing any equipment on the corporate network.

Situation 2 : A pandemic has begun and you decide to work from home. You took your work computer home, but bad luck, there is no access to office servers at home. It seems to be logical, because they stayed at the office at the other end of the city. On the other hand, the question arises: when you transferred the computer in the first case, you still had access to office computers. When you moved the computer in the second case, there is no access. What has changed?

In the first case, all computers in your office (even those located on different floors) were on the same local network. But in the second case, no. Your computer at home is not connected to the office LAN. Accordingly, you do not have access to the internal resources of the office network.

As a solution to this problem, a solution was proposed - a virtual local area network (VPN). In your office, on each floor, there was a router that sent data to each other and ensured the operation of the local network.

We need to create two virtual routers (in the form of programs), one in your office, the second at home, which will also send encrypted data to each other over the Internet. And there are such programs: one of them is called VPN server , and the second is VPN client .

The VPN server is configured by the system administrator in the office, and the VPN client is now in every computer and/or phone.

You launch a VPN client on your computer and use it to connect to the VPN server, so the computer now thinks that it is inside the local network where the VPN server is located.

If you now launch your browser, then all data from your browser will go to your local virtual router (VPN client), from it to the company’s virtual router (VPN server), and then further out into the world through the Internet gateway of your office companies.

The external IP address of your computer will now match the public IP address of your office. And if this office was, for example, in Germany, then the server that your browser accessed will be sure that you are in an office in Germany.

6.2 VPN types

VPN networks are divided according to their target functions. There are many different ones, but here is a list of typical VPN solutions:

Intranet VPN

It is used to combine several distributed branches of one organization into a single secure network, exchanging data via open communication channels. This is the first one that started it all.

Remote Access VPN

It is used to create a secure channel between a corporate network segment (central office or branch office) and a single user who, while working at home, connects to corporate resources from a home computer, corporate laptop, smartphone, or Internet kiosk. This is the option you have if you work from home and connect to the office via a VPN.

Extranet VPN

Used for networks to which "external" users (for example, customers or clients) connect. The level of trust in them is much lower than in the company's employees, so it is necessary to provide special "frontiers" of protection that prevent or restrict the latter's access to especially valuable, confidential information.

Internet VPN

Used by providers to provide access to the Internet, usually if several users connect via one physical channel. The PPPoE protocol has become the standard in ADSL connections.

L2TP was widespread in the mid-2000s in home networks: in those days, intranet traffic was not paid, and external traffic was expensive. This made it possible to control costs: when the VPN connection is turned off, the user does not pay anything.

Currently, wired Internet is cheap or unlimited, and on the user's side there is often a router on which turning the Internet on and off is not as convenient as on a computer. Therefore, L2TP access is a thing of the past.

Client/server VPN

Also a popular option. It ensures the protection of transmitted data between two nodes (not networks) of a corporate network. The peculiarity of this option is that the VPN is built between nodes that are usually located in the same network segment, for example, between a workstation and a server. This need very often arises in cases where it is necessary to create several logical networks in one physical network.

For example, when it is necessary to divide the traffic between the financial department and the human resources department, accessing servers located in the same physical segment. This option is similar to VLAN technology, but instead of separating traffic, it is encrypted.

6.3 OpenVPN

Remember, we talked about a virtual router on the office side, to which you can connect using VPN clients? So, there is one very popular solution that it will be useful for you to know about. This is OpenVPN.

OpenVPN is a free program that implements virtual private network (VPN) technology. It supports two popular modes of operation: client-server and point-to-point, when you need to combine two large networks.

It maintains a good level of traffic encryption between its participants, and also allows you to establish connections between computers behind NAT and a firewall without having to change their settings.

To secure the control channel and data flow, OpenVPN uses the OpenSSL library . This allows you to use the entire set of encryption algorithms available in this library.

It can also use HMAC batch authentication for more security and hardware acceleration to improve encryption performance. This library uses OpenSSL, more specifically, the SSLv3/TLSv1.2 protocols .

There are implementations of this program for all popular operating systems: Solaris, OpenBSD, FreeBSD, NetBSD, GNU/Linux, Apple Mac OS X, QNX, Microsoft Windows, Android, iOS.

OpenVPN offers the user several types of authentication :

  • The preset key is the easiest method.
  • Certificate authentication is the most flexible method in settings.
  • Using a login and password - can be used without creating a client certificate (a server certificate is still needed).

Technical information

OpenVPN conducts all network operations over TCP or UDP transport. In general, UDP is preferred because the tunnel will carry network layer traffic and above over OSI if a TUN connection is used, or link layer traffic and above if TAP is used.

This means that OpenVPN acts as a channel or even physical layer protocol for the client, which means that data transfer reliability can be ensured by higher OSI levels, if necessary.

Given that we have well analyzed the OSI model, you should understand what is being said here.

That is why the UDP protocol, in its concept, is closest to OpenVPN, since it, like the protocols of the data link and physical layers, does not provide connection reliability, passing this initiative to higher levels. If you configure the tunnel to work over TCP, the server will typically receive OpenVPN TCP segments that contain other TCP segments from the client.

Also, which is not unimportant, OpenVPN can work through most of the proxy servers, including HTTP, SOCKS, through NAT and network filters. The server can be configured to assign network settings to the client. For example, IP address, routing settings, and connection parameters. 

Network device,  8 уровень,  5 лекция
Network device
Network device