What You Need to Know about VPN
Posted by kek (Administrator) on March 21, 2018, 02:28:49 PM

In this post I will try to share what you should know about VPNs: the theory behind what a VPN is, how it works, why one should use a VPN connection, and some of the common mistakes I have encountered in the field.

This post is all explanation and theory; it contains no specific how-to instructions.

What is a VPN?
VPN is short for Virtual Private Network. As the name suggests, it is used to create or extend a private network across a public network, which lets users and services send and receive data across shared or public networks as if their computers or network devices were directly connected to the private network.
Why would I need a VPN?
There are several reasons why you would need or want to use a VPN. A VPN on its own is just a way to bolster your internet security and to reach resources on a network you are not physically connected to. What you choose to do with a VPN is a different matter.

The first and foremost reason for using a VPN is security, as it is the only secure way of connecting remote devices or networks together, whether that is your laptop connecting to your home, school or office network while you are out, or bypassing silly country filters on services like Netflix, Hulu and Spotify to get access to content that is not yet available in your area, without anyone being able to see the traffic.

The second biggest reason for using a VPN is privacy. Some countries have silly rules that allow ISPs or other companies to harvest your personal data and internet usage and sell it to the highest bidder. With a VPN the ISP is unable to see your personal data and internet usage, as it is encrypted; they will only see that you are connected to the VPN server, not what data passes between the VPN server and the VPN client.
There are many more reasons why you might need or want a VPN, but these are the two that stand out and cover what you would commonly use a VPN for.

Are there different types of VPN?
Yes, there are several very different types of VPN, but unless you work in Telecom, Networking or general IT and have a very specific need, you are only going to see the two most common types: Remote Access and Site to Site connections and terminations.
What is the difference between Site to Site and Remote Access VPN?
Many users do not know the difference between a Site to Site VPN and a Remote Access VPN. While both are classified as VPNs and use basically the same computing infrastructure, there is a line that separates the two, and they have different use cases.

Site to Site VPN:
A Site to Site VPN makes it possible for users in different fixed locations to establish a secure connection with each other over the internet, allowing a user in one location to access resources from another location. This means that if user A connects to a network where users B and C are connected, user A will be able to access resources that are in users B and C locations, and vice versa.

There are two types of Site to Site VPNs. The first is intranet-based, where users create an intranet VPN with the intent of connecting multiple local area networks (LANs) into a single wide area network (WAN). The other is extranet-based, where two separate intranets connect to a secure shared network environment while still preventing access to each other’s intranets.

Remote Access VPN:
Remote Access VPN differs from Site to Site VPN in that Site to Site provides functionality for many users at once, while Remote Access tends to be more on the personal side. In a Remote Access VPN, individual users connect to a network in a remote location through a secure, encrypted tunnel that lets them access all resources in that network as if they were directly connected to the servers in it.

In a Remote Access VPN, users connect to a Remote Access Server over the internet using dedicated VPN software. The VPN software establishes and maintains a secure tunnel to that Remote Access Server, so users can use the VPN from their devices over a safe connection.

Site to Site VPN is more for networks consisting of multiple users, e.g. employees and departments within a company. It allows each user to connect to a network where multiple other users are also connected, allowing resource sharing between the users within that VPN network.

Remote Access VPN, on the other hand, is more focused on the personal user experience, providing a number of benefits including private and encrypted transfer of data and information, as well as access to the remote network's resources as if the user were directly connected to that network.

If you frequently use the internet for browsing and content consumption, then you will get more out of a Remote Access VPN than you would from a Site to Site VPN.

Are there different VPN Protocols?
Yes, there are as many different VPN protocols as there are types of VPN; it seems each type of VPN has developed its own standards and protocols. However, today only two protocols are used and recommended, as the others are considered old, outdated and insecure on the modern internet: IPSec and OpenVPN. Both support Remote Access and Site to Site configurations and deployments.

Common VPN protocols you might see mentioned on the internet and in different guides are:
PPTP – Point to Point Tunnelling Protocol
L2TP – Layer 2 Tunnelling Protocol
OpenVPN – OpenVPN
IPSec IKEv1 – Internet Key Exchange (version 1)
IPSec IKEv2 – Internet Key Exchange (version 2)

PPTP – Point to Point Tunnelling Protocol
Point-to-Point Tunnelling Protocol is the most common VPN protocol. It is widely supported for Windows users, as it was created by Microsoft. It is available as standard on just about every VPN platform, making it easy to set up. It also has a low computational overhead, which means (for you VPN novices) that it is also quick to set up.
However, PPTP was developed using 128-bit encryption keys, which have since come to be considered quite weak in our quickly advancing digital world. Since there have been security vulnerabilities with this protocol, most of today’s VPNs use 256-bit encryption.

L2TP – Layer 2 Tunnelling Protocol
Layer 2 Tunnelling Protocol does not provide encryption on its own and relies on PPP (Point-to-Point Protocol) to encrypt. The difference between PPTP and L2TP is that L2TP provides data confidentiality and data integrity. L2TP was built by Microsoft together with Cisco, on the foundation of PPTP and L2F (Layer 2 Forwarding) combined.
This VPN protocol is built to function with all modern operating systems and VPN devices, and it is also effortless to set up. One problem that may arise is that this technology uses UDP port 500, which can be blocked by NAT firewalls.
L2TP encapsulates data twice, which can compromise speed, but because encryption/decryption happens in the kernel, L2TP/IPsec supports multi-threading (OpenVPN does not), and as a result it is faster.

OpenVPN – OpenVPN
OpenVPN is a somewhat newer VPN protocol technology, and one big advantage is that it is highly configurable and can easily bypass firewalls. It runs best over UDP and can be set to operate on any port. It uses a 128-bit block size rather than Blowfish’s 64-bit block size, so it is able to handle larger files better.
Performance depends on the level of encryption employed. Furthermore, it has become the default VPN connection type, even though it requires third-party software. It is also a little hard to set up, which can be frustrating for the new VPN user.

IPSec IKEv1 – Internet Key Exchange (version 1)
Outdated; there is no good reason to use this. Use the updated IKEv2 protocol instead.

IPSec IKEv2 – Internet Key Exchange (version 2)
Internet Key Exchange (version 2) is an IPSec-based tunnelling protocol that was developed by Microsoft and Cisco. IKEv2 is good at re-establishing a VPN connection when users temporarily lose their internet connection. Mobile users benefit from the IKEv2 VPN protocol because of its support for the Mobility and Multi-homing (MOBIKE) protocol, which is useful if you want to connect your phone to a Wi-Fi network while at home but switch to mobile data when out and about. IKEv2 is faster than PPTP and L2TP, as it does not carry the overhead associated with the Point-to-Point Protocol (PPP). Stable and secure, easy to set up, and fully supported on iOS, macOS and Windows mobile devices, IKEv2 is also available for Android devices but requires a third-party app.

Improvements with IKEv2
Fewer RFCs: The specifications for IKE were covered in at least three RFCs, more if one takes into account NAT traversal and other extensions that are in common use. IKEv2 combines these in one RFC as well as making improvements to support for NAT traversal and firewall traversal in general.

Standard mobility support: There is a standard extension for IKEv2 (named MOBIKE) used to support mobility and multihoming for it and ESP. By use of this extension IKEv2 and IPsec can be used by mobile and multihomed users.

NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT.

SCTP support: IKEv2 allows for the SCTP protocol as used in Internet telephony (VoIP).

Simple message exchange: IKEv2 has one four-message initial exchange mechanism, where IKE provided eight distinctly different initial exchange mechanisms, each of which had slight advantages and disadvantages.

Fewer cryptographic mechanisms: IKEv2 uses cryptographic mechanisms to protect its packets that are very similar to what IPsec Encapsulating Security Payload (ESP) uses to protect the IPsec packets. This led to simpler implementations and certifications for Common Criteria and FIPS 140-2, which require each cryptographic implementation to be separately validated.

Reliability and state management: IKEv2 uses sequence numbers and acknowledgments to provide reliability and mandates some error processing logistics and shared state management. IKE could end up in a dead state due to the lack of such reliability measures, where both parties were expecting the other to initiate an action that never happened. Workarounds (such as Dead Peer Detection) were developed but not standardized, which meant that different implementations of the workarounds were not always compatible.

Denial of Service (DoS) attack resilience: IKEv2 does not perform much processing until it determines whether the requester actually exists. This addressed some of the DoS problems suffered by IKE, which would perform a lot of expensive cryptographic processing for requests from spoofed locations.
Supposing HostA has an SPI of A and HostB has an SPI of B.

What about speed and bandwidth over VPN?
Now that we have covered types and protocols, you might wonder what speeds you can expect. The cold hard fact is that you will never get a faster connection than the slowest link in the path, as provided by the ISP on either side.

However, there have been cases where one has gotten more speed over the VPN because the ISP had a poor implementation of bandwidth limiting, was not able to detect the VPN traffic and so gave it a full connection; but these cases are few and far between and are not the norm.
When using a VPN, expect a loss of about 25 – 30% in speed due to the overhead of encrypting / decrypting the traffic before it is sent or after it is received.

Common mistakes:
The biggest or most common mistake people make when they try to connect or configure a VPN is that they do not think about the IPs and subnets involved in the configuration. Those cannot overlap when creating the transport or tunnel network, as the VPN will then think the destination is the same as the sender.

Example:
Site A has a LAN of 192.168.1.0 – 255 (/24, 255.255.255.0)
Site B has a LAN of 192.168.1.0 – 255 (/24, 255.255.255.0)
Tunnel network 10.10.10.0

For the VPN this would look like this:
Sender 192.168.1.0 – 255 → 10.10.10.0 → 192.168.1.0 – 255 Receiver

As you can see, both sites have exactly the same LAN network, so when they try to connect to each other the network is going to be confused, as it has the same information for sender and receiver.

Example:
Site A has a LAN of 192.168.1.0 – 255 (/24, 255.255.255.0)
Site B has a LAN of 192.168.2.0 – 255 (/24, 255.255.255.0)
Tunnel network 10.10.10.0

For the VPN this would look like this:
Sender 192.168.1.0 – 255 → 10.10.10.0 → 192.168.2.0 – 255 Receiver
This example would work, as there is a clear distinction between the source and the destination of the traffic.

Transport or Tunnel Network is the Private Network shared between the devices on the VPN Connection.
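The subnet-overlap mistake above can be caught before a tunnel is ever brought up. The following is an added example, not code from the original post; it uses Python's standard ipaddress module, assumes the tunnel network is a /24 (the post gives no mask), and goes a step further than the post's two cases by also checking the tunnel network against each LAN, since a tunnel carved out of one site's LAN causes the same sender/receiver confusion.

```python
"""Check a site-to-site VPN plan for overlapping subnets.

Added example (not from the original post): given each site's LAN prefix
and the tunnel/transport network, report every pair of prefixes that
overlap. A packet whose source and destination fall in the same prefix
cannot be routed across the tunnel, which is the mistake described above.
"""
from ipaddress import ip_network


def find_overlaps(networks):
    """Return (label_a, label_b) pairs whose prefixes overlap.

    `networks` maps a label such as "Site A LAN" to a CIDR string.
    strict=False accepts host-form input like 192.168.1.10/24.
    """
    parsed = {name: ip_network(cidr, strict=False) for name, cidr in networks.items()}
    labels = list(parsed)
    overlaps = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                overlaps.append((a, b))
    return overlaps


def describe_plan(site_a, site_b, tunnel):
    """Return "ok" when all three networks are disjoint, else the conflicts."""
    overlaps = find_overlaps({"Site A LAN": site_a, "Site B LAN": site_b, "Tunnel": tunnel})
    if not overlaps:
        return "ok"
    return "; ".join(f"{a} overlaps {b}" for a, b in overlaps)


# Constructed inputs taken from the two examples in the post; the /24 on the
# tunnel network is an assumption, as the post gives no mask for it.
BROKEN_PLAN = ("192.168.1.0/24", "192.168.1.0/24", "10.10.10.0/24")
WORKING_PLAN = ("192.168.1.0/24", "192.168.2.0/24", "10.10.10.0/24")
# Constructed third case: the tunnel is carved out of Site A's LAN.
TUNNEL_IN_LAN_PLAN = ("192.168.1.0/24", "192.168.2.0/24", "192.168.1.252/30")

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN_PLAN), ("working", WORKING_PLAN),
                        ("tunnel inside LAN", TUNNEL_IN_LAN_PLAN)):
        print(f"{label}: {describe_plan(*plan)}")
```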

If you want a deeper technical explanation of how VPN works, I can recommend watching Eli The Computer Guy’s video on VPN: https://www.elithecomputerguy.com/network/vpn-virtual-private-networking