Explain How VPN Works

December 4, 2017 | Kim Crawley

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

The recently discovered KRACK vulnerabilities affecting WPA2 have encouraged people to talk about the benefits of Virtual Private Networks. I think that's great! Ideally, we should all be using VPNs at home, in the office, during your commute, over Wi-Fi, and over Ethernet. But in order to use VPNs, it helps to understand how they work and how they make your internet use more secure.

A VPN is a series of virtual connections routed over the internet which encrypts your data as it travels back and forth between your client machine and the internet resources you're using, such as web servers. Many internet protocols have built-in encryption, such as HTTPS, SSH, NNTPS, and LDAPS. So assuming that everything involved is working properly, if you use those ports over a VPN connection, your data is encrypted at least twice!

Many enterprises will insist that their employees use their VPN if they're working remotely by connecting to their office network from home. Sometimes people will use a VPN when they're using BitTorrent to pirate media so that they don't get caught and their ISP can't stop them. I don't condone piracy. But to those people, I strongly suggest avoiding VPNs which are advertised through ads on The Pirate Bay as they are likely not what they seem and may even be malicious. Sometimes people use VPNs because they're understandably conscientious of their everyday security. That's an excellent reason to use them.

PCs, smartphones, tablets, dedicated servers, and even some IoT devices can be endpoints for a VPN connection. Most of the time, your client will need to use a VPN connection application. Some routers also have built-in VPN clients. Unlike proxy networks such as Tor, VPNs shouldn't noticeably slow down your internet traffic under usual circumstances. But some VPNs are faster than others, and one of the most important factors is how many VPN clients are using a VPN server at any given time.

A VPN connection usually works like this. Data is transmitted from your client machine to a point in your VPN network. The VPN point encrypts your data and sends it through the internet. Another point in your VPN network decrypts your data and sends it to the appropriate internet resource, such as a web server, an email server, or your company's intranet. Then the internet resource sends data back to a point in your VPN network, where it gets encrypted. That encrypted data is sent through the internet to another point in your VPN network, which decrypts the data and sends it back to your client machine. Easy peasy!

Different VPNs can use different encryption standards and technologies. Here's a quick list of some of the technologies that a VPN may use:

  • Point-to-Point Tunneling Protocol: PPTP has been around since the mid-1990s, and it's still frequently used. PPTP in and of itself doesn't do encryption. It tunnels data packets and then uses the GRE protocol for encapsulation. If you're considering a VPN service which uses PPTP, you should keep in mind that security experts such as Bruce Schneier have found the protocol, especially Microsoft's implementation of it, to be quite insecure.
  • IPSec: You should consider IPSec to be a better alternative to PPTP. IPSec is actually a suite of different protocols and technologies. Packet encapsulation is done through the ESP protocol, and AES-GCM, AES-CBC, 3DES-CBC, or HMAC-SHA1/SHA2 may be used for encryption.
  • Layer 2 Tunneling Protocol: L2TP can be used for tunneling with IPSec for added security.
  • Secure Shell, otherwise known as SSH can be used to handle both the tunneling and encryption in a VPN network.

So now that you understand the basics of what VPN is, and how it works, you may be considering using one yourself. In lieu of endorsing any particular company's services, I'll give you some tips on how to choose a good VPN service.

The physical location of the VPN service should be considered. If you want to bypass region-based content blocking, you will want the VPN to be operating in the country that you want to appear to be in from the perspective of the company that's delivering your media. For example, a lot of people here in Canada use American VPNs so that they can access the content that Netflix only makes available to the American market. You may also want to consider the laws of the jurisdiction of where your VPN is physically located. For example, American VPNs may be subject to search warrants from American law enforcement agencies.

Some VPNs use anti-malware software! That could be a selling point. If your VPN service scans the data going through it for malicious code, that gives you an added layer of malware protection in addition to whatever anti-malware software you're using on your client machine.

Consider what sort of devices you'll be using with your VPN. Are you only going to use the VPN with your PC? Or do you also want to be able to use the VPN on your smartphone or tablet? Which operating systems do you use? Some VPN providers offer dedicated mobile apps, and some VPN providers require software that's only compatible with certain operating systems.

It may also help to go on social media and ask people which VPN services they recommend.

It's probably better to use a paid VPN service than a free one. A free VPN may have to deliver ads to you, and could be less reliable than a paid service. Sometimes you get what you pay for!

Consider your VPN service carefully, but I strongly recommend using one regardless of how you use the internet. Nothing can make internet use 100% secure, but a good VPN will make you a lot more secure than you would be otherwise. It can even protect you on insecure Wi-Fi connections!

Kim Crawley

About the Author: Kim Crawley, Guest Blogger
Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related.By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
Read more posts from Kim Crawley ›

TAGS: vpn


Watch a Demo ›