Computer Networks
VPN: Virtual Networks
You work from a coffee shop, and your laptop is part of the corporate network in New York. You print to the office printer. You access internal servers by name. The coffee shop's WiFi sees nothing but an encrypted stream to one IP. This is the magic of VPN.
- **Remote Work:** COVID accelerated VPN adoption. Companies scaled VPN infrastructure 10x within months
- **Multi-cloud:** Site-to-Site VPN connects AWS, Azure, GCP, and on-premise. Data flows securely between clouds
- **Geo-restrictions:** VPN changes the internet exit point. Streaming content available in another country
Prerequisites
What is VPN
**VPN (Virtual Private Network)** creates an encrypted tunnel through a public network. Inside the tunnel, traffic is protected from interception and modification, as if the devices were on the same local network.
**VPN ≠ anonymity:** VPN hides traffic from the local network and ISP, but the VPN provider sees everything. For anonymity, Tor or similar systems are needed.
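To make the tunnel idea concrete, here is an added example (not part of the course page) that simulates a Layer 3 VPN in Python: an inner IP-style packet from the laptop to an internal server is encrypted and authenticated, then wrapped in an outer packet addressed to the VPN gateway. The coffee-shop network sees only the outer addresses and ciphertext, and a modified packet is rejected on decapsulation. The cipher is a constructed toy (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) so that the script runs on the standard library alone; real VPNs use AEAD suites such as AES-GCM or ChaCha20-Poly1305. All addresses and the key are constructed sample values.

```python
"""Toy Layer 3 VPN tunnel: encapsulate, observe, decapsulate, detect tampering."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

# Constructed shared tunnel key; a real VPN negotiates this (IKEv2, Noise, TLS).
KEY = hashlib.sha256(b"constructed demo key").digest()
ENC_KEY = hmac.new(KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(KEY, b"mac", hashlib.sha256).digest()

TAG_LEN = 32    # HMAC-SHA256 tag
NONCE_LEN = 12
OUTER_HDR = 8   # outer src + dst (toy header, not a full IPv4 header)


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IP-like header: src, dst, payload length (toy, not real IPv4)."""
    return struct.pack("!4s4sH", IPv4Address(src).packed,
                       IPv4Address(dst).packed, len(payload)) + payload


def parse_inner_packet(pkt: bytes):
    src, dst, length = struct.unpack("!4s4sH", pkt[:10])
    return str(IPv4Address(src)), str(IPv4Address(dst)), pkt[10:10 + length]


def _keystream(nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256(ENC_KEY, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(outer_src: str, outer_dst: str, inner_pkt: bytes) -> bytes:
    """Encrypt the whole inner packet and wrap it in an outer header to the gateway."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(inner_pkt, _keystream(nonce, len(inner_pkt))))
    outer_header = struct.pack("!4s4s", IPv4Address(outer_src).packed,
                               IPv4Address(outer_dst).packed)
    # Encrypt-then-MAC over header, nonce and ciphertext: modification is detectable.
    tag = hmac.new(MAC_KEY, outer_header + nonce + ct, hashlib.sha256).digest()
    return outer_header + nonce + ct + tag


def decapsulate(outer_pkt: bytes):
    """Verify the tag and return the inner packet, or None if it was altered."""
    outer_header = outer_pkt[:OUTER_HDR]
    nonce = outer_pkt[OUTER_HDR:OUTER_HDR + NONCE_LEN]
    ct, tag = outer_pkt[OUTER_HDR + NONCE_LEN:-TAG_LEN], outer_pkt[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, outer_header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))


def observer_view(outer_pkt: bytes) -> dict:
    """What the local network (café WiFi, ISP) can read: outer addresses and sizes only."""
    src, dst = struct.unpack("!4s4s", outer_pkt[:OUTER_HDR])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "opaque_bytes": len(outer_pkt) - OUTER_HDR}


def demo() -> dict:
    # Laptop's tunnel address 10.8.0.5 talks to internal server 10.0.1.20;
    # the outer packet goes from the café's public IP to the VPN gateway.
    inner = build_inner_packet("10.8.0.5", "10.0.1.20", b"GET /wiki HTTP/1.1")
    outer = encapsulate("203.0.113.7", "198.51.100.1", inner)
    tampered = bytearray(outer)
    tampered[OUTER_HDR + NONCE_LEN + 3] ^= 0x01   # flip one ciphertext bit in transit
    return {
        "observer": observer_view(outer),
        "inner_seen_by_gateway": parse_inner_packet(decapsulate(outer)),
        "tampered_accepted": decapsulate(bytes(tampered)) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The observer dictionary is the whole story from the café's point of view: one public source, one gateway destination, and a byte count. The internal addresses and the HTTP request only exist again after the gateway verifies the tag and strips the outer header.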
VPN technologies differ by the OSI layer they operate at:
Main VPN protocols:
How does Layer 2 VPN differ from Layer 3 VPN?
Site-to-Site VPN
**Site-to-Site VPN** connects entire networks (offices) through the internet. Users work normally - VPN is transparent to them. The tunnel is between routers/firewalls.
**Always-on:** Site-to-Site VPN runs continuously. Routes are static. Redundancy via backup tunnels.
For Site-to-Site, IPsec (standard) or WireGuard (modern) are typically used:
In a Site-to-Site VPN, who establishes the tunnel?
Remote Access VPN
**Remote Access VPN** connects individual users to a corporate network. Each client establishes its own tunnel. Ideal for remote work.
**VPN clients:** OpenVPN, WireGuard, Cisco AnyConnect, GlobalProtect, OS-native (IKEv2). Corporate ones often require MFA and device compliance checks.
Remote Access VPN connection process:
An employee connects to VPN from a café. What IP address does the corporate server see?
Split Tunneling and Full Tunnel
**Split Tunneling** - only corporate traffic goes through VPN, the rest goes directly to the internet. **Full Tunnel** - all traffic through VPN. The choice affects security and performance.
**Inverse Split Tunnel:** Everything through VPN EXCEPT certain addresses (e.g., video conferencing to save bandwidth). Implemented via exclude routes.
Pros and cons:
VPN makes me anonymous on the internet
VPN encrypts the connection, but the VPN provider sees all your traffic
VPN changes the exit point to the internet and hides traffic from the local network/ISP. But the VPN provider sees: who you are (payment), where you connect from, where you browse. For anonymity, Tor is needed - it routes through many independent nodes. 'No-log' VPN is trust in the provider, not a guarantee.
A bank employee works from a café. Which VPN mode is safer?
Key Ideas
- **VPN** creates an encrypted tunnel through a public network. L2 VPN transmits frames, L3 - packets
- **Site-to-Site** connects entire networks via gateway devices. Transparent to users, runs continuously
- **Remote Access** connects individual users. Requires authentication, client gets IP from pool
- **Split Tunnel** is faster (only corp. traffic via VPN), **Full Tunnel** is safer (all traffic protected)
Related Topics
VPN is built on cryptography and tunneling:
- HTTPS and TLS — VPN uses similar cryptographic primitives for tunnel encryption
- IPsec — Standard protocol for Site-to-Site VPN
Questions for Reflection
- Why don't companies just use HTTPS instead of VPN for internal resource access?
- What risks does a public VPN provider create compared to a corporate VPN?
- How does VPN affect apps that determine location by IP?