VPN

Uploaded by

ARUN
VPN

A VPN uses a technology called tunnelling: a virtual point-to-point
connection. Tunnelling creates a secure, encrypted connection in which
traffic remains private as it travels. VPNs come in many different types in
terms of technologies and services. The VPN's job is to ensure the safe
delivery of data across public networks; by doing this it allows the user to
send data as if they were directly connected to that private network.

Three basic types of VPN

- site-to-site VPN
- client-to-site VPN, and
- commercial VPN for personal use

In a site-to-site VPN, tunnels connect multiple sites over the Internet or a
wide area network. At each site a VPN gateway encrypts and encapsulates
data to exchange over the tunnel with another VPN gateway.

A site-to-site VPN is a private network designed for a company with
multiple locations, when distance makes it impractical to have direct
network connections between these locations. It hides the private network
from the Internet and allows users of these secured networks to access each
other's resources. It is always on, and it has to be configured on both sides.
Site-to-site VPNs are typically configured on either a router or a firewall at
both sites.
A popular site-to-site VPN technology is IPsec. IPsec is a framework, or set
of rules, for creating VPNs over a network; it does not define any one way to
create a VPN but rather allows several protocols to be used for each VPN
feature. IPsec is often used for site-to-site VPNs, but it can also be used
for remote access VPNs.

Client-to-site VPN is also called host-to-site VPN or remote access VPN.
In a client-to-site VPN, clients, servers and other hosts establish tunnels
with a private network using a remote access server or VPN gateway at the
edge of the local area network. With a client-to-site VPN, an employee can
access the corporate network while sitting at home or in a hotel using a
tablet, laptop or mobile phone. Physically he is outside the corporate private
network, but virtually he is inside it.
Unlike site-to-site VPNs, which are always running, remote access VPNs
require an application on the host to connect back to the corporate network.
The corporate network will be listening for these connection requests.
Examples of VPN client applications are Cisco AnyConnect and OpenVPN.
While IPsec is used for site-to-site VPNs, TLS is usually used for remote
access VPNs. TLS is the same security protocol used to encrypt your web
traffic when connecting to HTTPS sites. It is also handy because some public
Wi-Fi networks might block IPsec ports, whereas TLS usually uses the
well-known port 443, which is generally allowed.
When configuring remote access VPNs you need to decide whether you want
to use a full tunnel or a split tunnel.
A full tunnel means that once connected to the VPN, all traffic from the
host is forwarded to the corporate network, even if you are just browsing
Facebook; it will all be tunnelled through the corporate network. This is
great if you want to enforce your corporate firewall policies.
A split tunnel means that only traffic destined for the corporate network is
sent over the VPN; all other traffic is routed as normal. This is great for
saving bandwidth and also provides a bit more privacy to your users.
Which one you choose is really up to you and your security needs.

Commercial VPN for personal use

This type of VPN is based on the remote access VPN described above.
This is the general picture without a VPN:

My ISP would see my activities, and the US government and hackers, if they
wanted to, would also be able to see my online activities.
With a VPN service it would be a different story. The VPN software, or VPN
client, creates a tunnel to my VPN server before I send or receive any data.
My ISP only knows about my connection to the VPN server but has no idea
what is going on after that. This means that if I surf online with a VPN, the
VPN server becomes the source of my data. The VPN server is like a
middleman or proxy: it disguises my IP address and hides my location. All my
traffic is transmitted through the encrypted tunnel, so my ISP and other
third parties cannot see which websites I visit or what data I send or
receive online.
For the same reason this type of VPN allows users to access regionally
restricted content from anywhere in the world; it can be used to bypass
firewalls and Internet censorship to gain access to the entire Internet.

How does a VPN work?


Ordinarily, most Internet traffic is unencrypted and very public.
When a user creates an Internet connection, such as visiting a website in
a browser, the user's device will connect to their Internet Service Provider
(ISP), and then the ISP will connect to the Internet to find the appropriate
web server to communicate with to fetch the requested website.

Information about the user is exposed in every step of the website
request. Since the user's IP address is exposed throughout the process,
the ISP and any other intermediary can keep logs of the user's browsing
habits. Additionally, the data flowing between the user's device and the
web server is unencrypted; this creates opportunities for malicious actors
to spy on the data or perpetrate attacks on the user, such as an on-path
attack.

Conversely, a user connecting to the Internet using a VPN service has a
higher level of security and privacy. A VPN connection involves the
following four steps:

1. The VPN client* connects to the ISP using an encrypted connection.
2. The ISP connects the VPN client to the VPN server, maintaining the
encrypted connection.
3. The VPN server decrypts the data from the user's device and then
connects to the Internet to access the web server in an unencrypted
communication.
4. The VPN server creates an encrypted connection with the client, known
as a 'VPN tunnel'.

The VPN tunnel between the VPN client and VPN server passes through
the ISP, but since all the data is encrypted, the ISP cannot see the user’s
activity. The VPN server’s communications with the Internet are
unencrypted, but the web servers will only log the IP address of the VPN
server, which gives them no information about the user.

*The VPN client is the VPN software installed on the user’s device.

What is IPsec?

IPsec helps keep private data secure when it is transmitted over a public
network. More specifically, IPsec is a group of protocols that are used
together to set up secure connections between devices at layer 3 of
the OSI model (the network layer). IPsec accomplishes this by scrambling
all messages so that only authorized parties can understand them — a
process known as encryption. IPsec is often used to set up virtual private
networks (VPNs).

IPsec (Internet Protocol Security) primarily shields the IP layer, making it
suitable for creating end-to-end secure network tunnels. It is a go-to for
site-to-site connections, forming the backbone of many corporate wide area
networks.

Because IPsec operates at the network layer, it encapsulates the entire IP
packet, ensuring data integrity and confidentiality.

- Strong encryption and authentication: IPsec VPNs use advanced
encryption algorithms to safeguard data. Additionally, robust
authentication processes validate participants' identities, reinforcing
data security by allowing only authorized access and minimizing data
breach risks.

- Full network access to remote users: IPsec provides comprehensive
security for network communications. Remote users get an experience that
rivals a direct connection to the local network, which is crucial for
businesses operating in multiple locations.

- Well-suited for network interconnections: Operating efficiently at the
network layer, IPsec is a common choice for linking large-scale networks.
This feature proves useful for organizations with multiple branches or
those needing reliable communication with business partners.

What is SSL/TLS?

Secure Sockets Layer (SSL) is a protocol for encrypting HTTP traffic, such
as connections between user devices and web servers. Websites that use
SSL encryption have https:// in their URLs instead of http://. SSL was
replaced several years ago by Transport Layer Security (TLS), but the
term "SSL" is still in common use for referring to the protocol.

In addition to encrypting client-server communications in web browsing,
SSL can also be used in VPNs.

SSL (secure socket layer) VPNs leverage the SSL protocol initially designed
for secure web transactions. They enable remote users to connect
securely to network resources, often through a web browser. SSL is a
favorite for scenarios where users require on-the-go access without
extensive client software installations.

Operating at the application layer, SSL VPNs don't encapsulate the entire
packet like IPsec VPNs do. Instead, they only encapsulate the payload—
the actual data you are sending or receiving. This allows them to provide
more granular, application-specific access.

- Ease of use and deployment: Without the need for specialized client
software and with the ability to work directly through standard web
browsers, SSL VPNs offer a simplified setup process. IT teams appreciate
the reduced technical overhead, and end users enjoy a relatively seamless
connection experience, eliminating many common barriers to remote work.

- Broad device compatibility: Web browsers universally support SSL,
giving SSL VPNs a distinct advantage. This provides secure access for
those using traditional computers and those accessing organizational
resources via smart devices. This versatility fits the modern digital
landscape, where people work beyond office desks.

IPsec VPNs vs. SSL VPNs: What are the differences?

OSI model layer

One of the major differences between SSL and IPsec is which layer of the
OSI model each one belongs to. The OSI model is an abstract
representation, broken into "layers," of the processes that make the
Internet work.

The IPsec protocol suite operates at the network layer of the OSI model. It
runs directly on top of IP (the Internet Protocol), which is responsible for
routing data packets.

Meanwhile, SSL operates at the application layer of the OSI model. It
encrypts HTTP traffic instead of directly encrypting IP packets.

IPsec and SSL VPNs are pivotal technologies that help keep communications
and data transfer secure, especially when transmitted over networks with
potential vulnerabilities, such as the Internet. While sharing the
overarching goal of encryption and secure transmission, these technologies
have inherent differences.

- Security approach: IPsec VPNs create a secure tunnel at the
foundation, the network layer. Encapsulating the entire IP packet during
transmission secures the data of every application and protects the
network protocols themselves. In contrast, the SSL VPNs' specialized focus
on the application layer allows them to selectively encrypt specific
applications or web services rather than the entire network packet. This
targeted approach enables granular, application-centric access.

- Access control: IPsec provides access to the entire network. This broad
approach does not always cater to the detailed control some organizations
desire. In contrast, SSL VPNs offer more granular control based on user
roles.

- Client software: IPsec VPNs' reliance on dedicated client software can
be cumbersome for sprawling organizations with many devices or users who
pivot between multiple devices. SSL VPNs, by contrast, leverage the
omnipresent web browser, enabling access across a spectrum of devices.

- Compatibility: IPsec VPNs sometimes require specific configurations
tailored to user devices, a task that might overwhelm IT teams supporting
a range of device types. With their browser-centric design, SSL VPNs
offer a highly flexible connectivity solution.

Implementation

IPsec VPNs typically require installing VPN software on the computers of
all users who will use the VPN. Users must log into and run this software in
order to connect to the network and access their applications and data.

In contrast, all web browsers already support SSL (whereas most devices
are not automatically configured to support IPsec VPNs). Users can
connect to SSL VPNs through their browser instead of through a dedicated
VPN software application, without much additional support from an IT
team. (However, this means that non-browser Internet activity is not
protected by the VPN.)
These two technologies are the commonly used technologies for establishing
secure communication between remote devices and a private network. Although
they both serve the purpose of secure communication, they have some
fundamental differences.

Now, to allow the data transfer to happen, there are two methods that we
can use. These are known as transport mode and tunnel mode.
Transport mode uses the packet's original IP header, and it is used for
client-to-site VPNs. This approach works really well if you have problems
increasing your packet size, because you may end up hitting the maximum
transmission unit (MTU) size inside your network. Remember, by default the
MTU is set at 1500 bytes in most networks. If you go over 1500 bytes, the
packet will become fragmented, and this can cause issues with your VPN's
functionality. If you are using a client-to-site VPN, I highly recommend you
use transport mode as your IPsec method, because it does not add additional
padding to your packet and does not increase its size.
Tunnel mode encapsulates the entire packet and puts another header on top
of it. This increases the size of the packet, and it could go over your MTU.
This new header has a new source and destination: the VPN terminating
devices at the two sites. When the packet gets to the other site, the VPN
concentrator removes that outer header, decrypts the content, and then
routes the inner packet across its private local area network, just as if it
were coming from an internally connected client.
When using tunnel mode you are encapsulating the entire packet into a new
packet, so the overall packet size increases and could go above the default
MTU size of 1500 bytes. If you are setting up a site-to-site VPN, such as a
regional office connecting back to a main office, I would use tunnel mode.
If you are going to be using a site-to-site VPN, you may need to allow jumbo
frames, which are any frames above the MTU size of 1500 bytes, so that the
larger packets are properly supported. Normally the best way to configure
your devices is to drop the MTU size on your inner router to something like
1400 bytes and then connect it to the VPN. This way there is enough room to
add the extra encapsulation and the new packet header before transmitting
it out over the public Internet inside your VPN tunnel. If you control the
entire network, you could actually raise your MTU size up to a maximum of
9,000 bytes if you wanted to, but this should only be done on your own local
area networks, because 9,000-byte packets will have trouble traversing the
Internet.
In summary, transport mode is normally used for client-to-site VPNs and
tunnel mode is normally used for site-to-site VPNs.

AH and ESP within the IPsec protocol

The Authentication Header (AH) and the Encapsulating Security Payload
(ESP) are the two protocols within IPsec.
AH, the authentication header, is used to provide
- connectionless data integrity,
- data origin authentication for IP datagrams, and
- protection against replay attacks.
Be aware, though, that the authentication header does not provide any kind
of confidentiality for the data itself. Instead, the authentication header
contains a cryptographic hash of the data, and this acts as identification
information to provide integrity between the sender and the receiver of
each packet being transmitted.
The encapsulating security payload (ESP) is used to provide
- integrity,
- authentication,
- replay protection, and
- confidentiality of the data.
By using ESP within IPsec, you can rewrite the payload of the packet in an
encrypted format. With ESP, we are only protecting the confidentiality of
the payload contained within the packet, not the headers themselves.
So if you are using transport mode, such as in a client-to-site VPN, you
can use the authentication header to provide integrity for your TCP header,
and then you can add ESP, the encapsulating security payload, to encrypt
the TCP header and the data in the payload. But this does not encrypt the
end-to-end header, so people outside your organization can see where the
data is coming from and where it is going to.
If you are using tunnel mode, such as in a site-to-site VPN, you can instead
use both the authentication header and the encapsulating security payload
to provide integrity and encryption of the payload, including the
end-to-end header. In this case, a new IP header is added to the front of
the packet to cover the hops to the other end of the secure connection.
This means that nobody on the Internet can see the source or destination
of the traffic within the organization's internal networks on either side
of this VPN connection.
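A worked model of the size overhead and header visibility covered in the transport/tunnel-mode and AH/ESP passages above, added here as an example and not part of the original notes. It assumes IPv4 headers without options, ESP with AES-128-CBC and HMAC-SHA1-96, and AH with HMAC-SHA1-96 (all assumed parameters); with those it computes the on-the-wire size of a wrapped TCP packet in each mode, whether the result fits a 1500-byte MTU, which IP header an on-path observer can still read, and the largest TCP payload that fits unfragmented.

```python
"""IPsec ESP/AH overhead model for transport vs. tunnel mode (constructed example).
Assumed parameters: IPv4 headers without options, ESP with AES-128-CBC (16-byte IV,
16-byte block padding) and HMAC-SHA1-96 (12-byte ICV), AH with HMAC-SHA1-96."""
from dataclasses import dataclass

IPV4_HDR = 20      # original or outer IPv4 header
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4), sent in the clear
ESP_IV = 16        # AES-CBC initialisation vector
ESP_BLOCK = 16     # plaintext + trailer is padded up to this block size
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
AH_LEN = 24        # AH fixed header (12) + HMAC-SHA1-96 ICV (12)
DEFAULT_MTU = 1500

def esp_encrypted_len(plaintext_len: int) -> int:
    """ESP ciphertext length: plaintext + trailer, padded to a whole cipher block."""
    padded = plaintext_len + ESP_TRAILER
    return padded + (-padded % ESP_BLOCK)

@dataclass(frozen=True)
class Wrapped:
    mode: str
    total_len: int                 # bytes on the wire after IPsec wrapping
    encrypted_len: int             # bytes under ESP confidentiality
    inner_ip_header_visible: bool  # can an on-path observer read the original src/dst?

    def fits(self, mtu: int = DEFAULT_MTU) -> bool:
        return self.total_len <= mtu

def wrap(payload_len: int, mode: str, use_ah: bool = False) -> Wrapped:
    """Model how ESP (optionally preceded by AH) wraps one TCP/IPv4 packet."""
    segment = TCP_HDR + payload_len
    if mode == "transport":
        # Original IP header is kept in the clear; ESP covers TCP header + data.
        encrypted, visible = esp_encrypted_len(segment), True
    elif mode == "tunnel":
        # The whole original packet, IP header included, is encrypted and a new
        # outer IP header addressed to the two VPN gateways is prepended.
        encrypted, visible = esp_encrypted_len(IPV4_HDR + segment), False
    else:
        raise ValueError(f"unknown IPsec mode: {mode}")
    total = IPV4_HDR + (AH_LEN if use_ah else 0) + ESP_HDR + ESP_IV + encrypted + ESP_ICV
    return Wrapped(mode, total, encrypted, visible)

def max_payload(mode: str, use_ah: bool = False, mtu: int = DEFAULT_MTU) -> int:
    """Largest TCP payload whose wrapped packet still fits the MTU without fragmentation."""
    return max(p for p in range(mtu + 1) if wrap(p, mode, use_ah).total_len <= mtu)

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        full, clamped = wrap(1460, mode), wrap(1360, mode)  # inner packet 1500 B vs 1400 B
        print(mode, full.total_len, full.fits(), clamped.total_len, clamped.fits(),
              full.inner_ip_header_visible, max_payload(mode))
```

Running it shows that both modes add overhead (transport mode adds less, but not zero) and that a 1500-byte inner packet no longer fits the MTU in either mode, whereas clamping the inner MTU to 1400 bytes leaves room for the tunnel-mode outer header, ESP header, IV, padding and ICV.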
