Virtual Private Networks (VPNs) can extend a local area network (LAN) over the Internet to remote networks and remote client machines. A VPN uses the Internet to route LAN traffic from one location to another by encapsulating the data inside encrypted IP packets. The encrypted packets are unreadable by intermediary Internet devices and can contain any kind of network communications – such as file and printer sharing, e-mail, remote procedure calls, and database access.
VPNs can be setup using server computers, firewalls or routers. Client access to the VPN can be made using client-side VPN software or by connecting to an ISP that supports the VPN protocol.
VPNs solve the problem of accessing private servers over the Internet through a combination of IP encapsulation, cryptographic authentication and data payload encryption.
IP encapsulation provides a way to protect the data while in transit between the remote client and the private LAN. Computers outside the VPN should not be able to snoop on the traffic exchanged between the remote client and private server or be able to insert their own data into the communication stream. This is accomplished by creating what people refer to as a private and protected “tunnel” through the public Internet. When an IP packet contains another IP packet this is called IP encapsulation, and it provides a mechanism to refer to a host within a private network when a direct network connection may not exist. When this is combined with data encryption then we’ve effectively created our virtual tunnel.
Cryptographic Authentication is used to securely validate the identity of the remote client so that the private LAN can determine what level of security should be applied to that user. VPNs use the authentication process to determine whether or not a remote user can participate in the encrypted tunnel, and for exchanging the public key that will subsequently be used for data encryption.
Data Payload Encryption
Data Payload Encryption uses a public key to encrypt the data field of the IP encapsulated packet. That is, data payload encryption is exactly like normal IP except that the data has been encrypted. It does not encrypt the header information, so details of the private network can be gleaned by analyzing the header information.
Advantages and Disadvantages
Compared to Wide Area Networks (WANs), VPNs offer some advantages but, also, present some disadvantages.
Although there are a number of ways to configure a VPN here is an example of one scenario that is fairly common — an employee wishes to work from home and exchange data between their home machine and a private web server on the corporate network. There are two important processes here — the process of negotiating and building a VPN session, and the process of protecting and handling the data within an existing VPN connection. Here I’ll briefly describe the latter and leave the former as a potential topic for a future article.
Suppose we have the following:
(a) a VPN client with a public IP address of 18.104.22.168 and a private IP address of 192.168.0.202 (provided by the corporation’s DHCP server).
(b) a VPN server on the corporate network with two interfaces — a public interface to the Internet that uses 22.214.171.124 and an interface to the private network with an IP of 192.168.0.101
(c) a web server on the corporate network with an IP address of 192.168.0.102
Prior to creating a VPN session the client host has one interface and a connection to the Internet through an ISP. The client machine can communicate with any host on the Internet but can not access the web server on the private network 192.168.0.X. After the VPN session has been created then the client host has 2 interfaces — the original interface to the Internet and a new VPN interface. The new VPN interface becomes the default gateway — that is, all packets will initially travel through the new interface. However, the VPN interface is not a physical network card — it doesn’t physically connect to anything. The VPN interface is used to encrypt and encapsulate packets that are subsequently sent as the payload of a new, outer packet. It is the outer packet that is sent out over the Internet (using the original interface) to the corporate VPN server.
The inner packet will use the client’s private IP of 192.168.0.202 as the source IP address and the web server’s private IP of 192.168.0.102 as the destination address. The VPN client encrypts the data field of the inner packet and this inner packet then becomes the payload of an outer packet. The outer packet uses the client’s public IP of 126.96.36.199 as the source IP address and the public interface of the VPN server (188.8.131.52) as the destination IP. The IP encapsulated packet is then sent to the ISP and out over the Internet.
When the IP encapsulated packet reaches the VPN server at the edge of the private network it will unwrap the inner packet and decrypt its data field. Since the VPN server also has an interface to the private network it will then be able to forward the inner packet to the destination web server. When data is sent from the web server back to the client then the process is reversed — that is, the VPN server handles the encryption/encapsulation and the VPN client is responsible for unwrapping/decoding.