What is a VPN?
VPNs (Virtual Private Networks) are sets of servers that route (a.k.a. tunnel) internet traffic from the user to the user’s web destination. These servers (a.k.a. proxies in this context) act as an intermediary to all the user’s traffic once they are logged into the VPN.
Primary Use Cases
There are three primary use cases for VPNs:
- Corporate access: Access to a specific group of internal systems can be exclusively limited to originating from the VPN’s proxy servers.
- Enhanced online privacy and security: VPNs mask your IP address. The IP address that the destination servers (the ones hosting the websites being visited) see is the IP address of the VPN server. This provides some level of browsing anonymity.
- Bypassing geo-restrictions and censorship: By selecting a VPN server that is located inside or outside a specific region, geo-restrictions targeting that region can be bypassed.
How VPN Connection is Established
- The client initiates the connection request to the VPN server. Operating systems typically have built-in support for several VPN protocols (e.g. L2TP/IPsec, OpenVPN, IKEv2/IPsec), which encrypt traffic at the tunnel layer in addition to any SSL/TLS the application itself uses. Third-party client software is the other common way for a user to establish the connection. In either case, before the tunnel can carry encrypted data intended for the final destination (website), the client must authenticate to the VPN server with credentials or some key.
- The VPN server responds; a connection is opened and maintained through a keep-alive mechanism. A virtual network interface is also created on the client machine, and all traffic destined for the VPN is routed through it.
How VPN Traffic Travels
- User initiates internet traffic, such as opening a website or sending an email.
- The VPN client software (OS or third-party) takes this internet traffic and encapsulates it in the VPN protocol's packet format. The actual request intended for the final destination is encrypted inside that encapsulation.
- The traffic passes through the client machine's virtual network interface and into the VPN tunnel. If examined by the ISP or any node en route, it appears to be addressed strictly to the VPN proxy.
- At the VPN proxy server, the encapsulated traffic is unwrapped and the request intended for the final destination is decrypted.
- The VPN proxy server sends the traffic to the final destination, and the traffic appears to originate entirely from the location of the VPN proxy.
- The final internet destination sends its response to the request back to the VPN proxy.
- The VPN proxy server encrypts the response and forwards it back to the user who originated the initial request.
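The two procedures above (connection set-up with a key, then encapsulation, forwarding and return) can be modelled end to end in a few functions. The following is an added simulation written for this page, not code from the post or from any VPN product; the addresses, pre-shared key and HMAC-based toy cipher are constructed for the example, and a real protocol (IPsec, OpenVPN, WireGuard) would use a proper key exchange and AEAD cipher instead. What it demonstrates is the security-relevant point: an on-path observer sees only the outer client-to-VPN addresses, the destination sees only the VPN's address, and a tampered tunnel packet is rejected by the VPN server.

```python
import hashlib
import hmac
import json
import os

# Constructed addresses for the simulation (RFC 5737 documentation ranges).
CLIENT_IP = "203.0.113.10"   # the user's machine
VPN_IP = "198.51.100.5"      # the VPN proxy server
SITE_IP = "192.0.2.80"       # the final destination (website)

# Constructed pre-shared key, standing in for the "credentials or some key" in the text.
PSK = b"example-pre-shared-key-do-not-reuse"


def handshake(psk: bytes) -> bytes:
    """Toy connection set-up: the client proves knowledge of the PSK, the server
    checks it, and both sides derive the same per-session tunnel key from nonces."""
    client_nonce = os.urandom(16)
    auth = hmac.new(psk, b"client-hello" + client_nonce, hashlib.sha256).digest()
    # Server side: refuse the tunnel unless the authenticator verifies.
    expected = hmac.new(psk, b"client-hello" + client_nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(auth, expected):
        raise PermissionError("VPN authentication failed")
    server_nonce = os.urandom(16)
    return hmac.new(psk, b"tunnel-key" + client_nonce + server_nonce, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stream cipher used only for illustration."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_packet(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification in transit is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encapsulate(tunnel_key: bytes, dst_ip: str, payload: str) -> dict:
    """Client: encrypt the real request, then wrap it in an outer packet addressed to the VPN."""
    inner = json.dumps({"dst": dst_ip, "payload": payload}).encode()
    return {"src": CLIENT_IP, "dst": VPN_IP, "data": seal(tunnel_key, inner)}


def observer_view(outer: dict) -> dict:
    """What an ISP or any on-path node can read: outer addresses and ciphertext size."""
    return {"src": outer["src"], "dst": outer["dst"], "bytes": len(outer["data"])}


def vpn_forward(tunnel_key: bytes, outer: dict) -> dict:
    """VPN server: unwrap, decrypt, and send onward with the VPN's own source address."""
    inner = json.loads(open_packet(tunnel_key, outer["data"]))
    return {"src": VPN_IP, "dst": inner["dst"], "payload": inner["payload"]}


def vpn_return(tunnel_key: bytes, response: dict) -> dict:
    """VPN server: encrypt the destination's reply and tunnel it back to the client."""
    inner = json.dumps({"src": response["src"], "payload": response["payload"]}).encode()
    return {"src": VPN_IP, "dst": CLIENT_IP, "data": seal(tunnel_key, inner)}


def client_receive(tunnel_key: bytes, outer: dict) -> dict:
    return json.loads(open_packet(tunnel_key, outer["data"]))


def round_trip(request: str = "GET / HTTP/1.1") -> dict:
    """Run one request/response through the simulated tunnel and report each vantage point."""
    key = handshake(PSK)
    outer = encapsulate(key, SITE_IP, request)
    seen = observer_view(outer)
    forwarded = vpn_forward(key, outer)
    # Constructed reply from the destination; it only ever saw the VPN's address.
    reply = {"src": SITE_IP, "dst": forwarded["src"], "payload": "HTTP/1.1 200 OK"}
    received = client_receive(key, vpn_return(key, reply))
    return {"observer": seen, "forwarded": forwarded, "reply_to": reply["dst"], "received": received}


def tampered_packet_is_rejected() -> bool:
    """Flip one ciphertext bit in transit and confirm the VPN server drops the packet."""
    key = handshake(PSK)
    outer = encapsulate(key, SITE_IP, "GET / HTTP/1.1")
    data = bytearray(outer["data"])
    data[20] ^= 0x01
    try:
        vpn_forward(key, {**outer, "data": bytes(data)})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(round_trip(), indent=2))
    print("tampered packet rejected:", tampered_packet_is_rejected())
```

Running `round_trip()` shows the observer entry carrying only the client and VPN addresses, the forwarded packet leaving the VPN with `VPN_IP` as its source, and the reply addressed back to the VPN rather than to the client. The integrity tag is what prevents an on-path node from silently modifying tunnelled traffic; without it, a bit flip in the ciphertext would decrypt to altered plaintext and be forwarded as if genuine.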
VPN Servers vs Bastion Servers
The resemblance between VPN proxy servers and bastion hosts is subtle and centers on their role as gateways. Bastion hosts are designed as secure entry points for administrators who need privileged access to systems that are deliberately isolated and not directly reachable. These systems typically reside in private subnets and may accept connections only from other devices within those private subnets or, in some cases, from load balancers located in public subnets. It is in this gateway function that VPN proxy servers and bastion hosts share a degree of similarity.
To be updated in the new year with diagrams.
Sam Malayek works in Vancouver, using this space to fill in a few gaps. Opinions are his own.