OVERKILL
Seems the topic of VPNs has become quite common as of late and there appears to be a significant amount of confusion regarding just what exactly a VPN is and what it can and cannot do. I've written this thread to hopefully provide a layman-geared breakdown of the topic. If there is something you don't feel is sufficiently simplified/comprehensible then please let me know and I will attempt greater clarification.
VPN is an acronym that simply stands for Virtual Private Network. As the name implies, the nature of this private network is logical; it is a construct, not a physically private network, such as your home LAN. At its most basic, a VPN is simply an encrypted tunnel between two or more points where all traffic inside that link is concealed during traversal.
Historically, the purpose of a VPN was to provide remote access for employees to work resources; allow the user's device(s) to securely tunnel into the company LAN and access resources located therein. These resources could be accessed via a Remote Desktop connection, using Citrix, or some other medium or even directly from the remote workstation in smaller deployments when what was being accessed consisted of simple print queues and SMB shares.
VPN connections come in two flavours: Hardware and Software.
Hardware: A physical appliance is deployed at the remote location to provide access to the resources. This is available all the time with no intervention required by the user. This is most common for branch offices but teleworker gateways are also a thing and reasonably popular. This device establishes the tunnel itself and maintains it. Traffic is directed across the tunnel per whatever policy is defined which could be a split-tunnel or full-tunnel setup.
Software: An integrated client or software package is used to create and maintain the tunnel. This may require user intervention (and typically does in most configurations) where the tunnel is only established when the user needs to access the remote resources. There have been myriad proprietary and standards-based commercial packages available over the years, many vendor-specific, like Cisco's IPSec VPN client, Juniper's Pulse Secure, OpenVPN, Cisco's AnyConnect SSL client, etc. Most OSes offer core support for standards-based VPN setups like L2TP, for example. These software solutions also offer full or split-tunnel capabilities. Browser-based solutions are now also available which function in a similar manner, where all browser traffic is funnelled over an encrypted link to a remote network.
While most hardware VPNs terminate on a corresponding piece of equipment on the other end of the link, like say a Cisco ASA or ISR, Juniper SSG, etc., software clients can terminate on those devices, or on a software solution running on a server, like an OpenVPN install for example. The server software decrypts the traffic and forwards it on through its link(s), be it LAN or WAN destined.
Back when bandwidth was expensive, VPNs were very commonly of the split-tunnel variety, where only traffic destined to/from the remote LAN was transmitted over the encrypted link. This was done by means of a routing entry or entries, where only those specific subnets were assigned routes that pushed through the adapter interface IP assigned to the VPN. As bandwidth became cheaper, admins were more inclined, particularly if they were using software clients, toward full-tunnel setups so that all traffic to/from the remote client had to pass through the corporate firewall for inspection. This allowed the detection and filtering of malware, inappropriate websites, viruses, etc. These tasks could be offloaded to teleworker gateways and remote firewalls in a hardware deployment, however.
More recently, VPNs have gained popularity for concealing traffic from ISPs (Internet Service Providers) because people fear being penalized or having their browsing habits monetized. The main benefits of using a VPN outside of accessing work resources are:
- To facilitate location spoofing for services that filter content based on location, like Netflix
- To protect traffic when using public WiFi at Starbucks or a hotel
- For less-than-legal activities like torrenting where one may come under fire from the RIAA or one of the movie companies for illegal procurement of content.
While Paramount might have luck contacting your ISP and indicating that a specific IP in their block on April 5th was downloading one of their titles from the Pirate Bay, they are going to have much less of a chance of success getting cooperation from a VPN provider headquartered in the Netherlands and terminating your connection in Nigeria.
Because a VPN only encrypts the traffic traversing the link, it does not provide end-to-end security, unless the resource you are accessing is the VPN provider. This means that already encrypted content, like banking transactions for example, isn't further bolstered in security, and it also means that any plain-text data being transmitted still crosses multiple hops in its plain-text state once it exits the VPN. This could actually mean more, and less secure, hops than if the traffic didn't have its egress point relocated, depending on where the tunnel lands.
Say for example you were posting on BITOG pre-SSL days, so all traffic is unencrypted. We'll pretend the server is located in Washington at a Datacentre that put it squarely on the AT&T backbone.
Scenario 1, no VPN: Traffic goes from your computer, through your ISP to the AT&T network, total carrier count is 2, hop count is 7.
Scenario 2, with VPN: Traffic goes encrypted to Romania where it exits the VPN. It then gets routed through Skynet, then onto a provider out of Munich, through London where it gets onto Vodafone, which routes it across the pond to AT&T. Total carrier count is 5, hop count 40.
At any point post de-encapsulation that plain text content is sniffable as it traverses those 40 hops.
So already encrypted traffic doesn't benefit. Plain text traffic doesn't benefit unless you count DNS queries, which could be resolved at the VPN termination point, or forwarded on to a server operated by their provider, depending on the topology. This prevents your ISP from seeing the sites you are going to, but it doesn't prevent the VPN provider from seeing them or your DNS queries unless you are using a DNSCrypt mechanism inside the VPN and tunnelling those queries to a separate entity, which you could also just do without the VPN. In any case, the VPN provider sees the same level of detail your ISP would without the VPN, as does their provider.
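To make the split-tunnel vs full-tunnel routing point, and the DNS point that follows from it, concrete, here is a small added example (mine, not part of the original post and not any vendor's client code). It models the route table a VPN client installs on the host and does the same longest-prefix-match lookup the OS does: in a split tunnel only the corporate subnets go out the VPN adapter, while in a full tunnel the default route goes through the tunnel and only the VPN concentrator itself is pinned to the physical link (otherwise the tunnel could never be built). The same lookup then answers who gets to see a DNS query: whichever side the resolver's address is routed toward. All addresses, interface names and subnets are constructed for the example.

```python
"""Route-table model for split-tunnel vs full-tunnel VPN policies (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample route tables; each entry is (destination prefix, outgoing interface).
# eth0 = physical link to the ISP, tun0 = VPN adapter. Addresses are hypothetical.

# Split tunnel: only the corporate subnets are pushed through the VPN adapter;
# everything else follows the normal default route out the ISP.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # default route: straight out through the ISP
    ("10.20.0.0/16", "tun0"),     # corporate LAN reached through the tunnel
    ("10.30.0.0/16", "tun0"),     # second corporate subnet
]

# Full tunnel: the default route itself points at tun0, so all traffic is
# inspected at the far end. The VPN concentrator (203.0.113.10, a documentation
# address) keeps a host route via eth0, because the encrypted packets that carry
# the tunnel must still reach it over the physical link.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    ("203.0.113.10/32", "eth0"),
]


def lookup(routes, destination):
    """Return the outgoing interface for destination using longest-prefix match,
    which is how the host's routing table is consulted for every packet."""
    dst = ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {destination}")
    return best[1]


def classify(routes, destinations):
    """Map each destination to the interface it would leave through."""
    return {d: lookup(routes, d) for d in destinations}


def dns_observer(routes, resolver):
    """Which party sees a DNS query sent to this resolver: the ISP if the
    query leaves on the physical link, the VPN provider if it goes into the tunnel."""
    return "isp" if lookup(routes, resolver) == "eth0" else "vpn"


if __name__ == "__main__":
    targets = ["10.20.5.7", "10.30.1.1", "93.184.216.34", "203.0.113.10"]
    print("split tunnel:", classify(SPLIT_TUNNEL, targets))
    print("full tunnel: ", classify(FULL_TUNNEL, targets))
    # A public resolver in a split tunnel leaks the query to the ISP; a resolver
    # the VPN pushed (10.20.0.53) is seen by the VPN provider instead.
    for table_name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for resolver in ("8.8.8.8", "10.20.0.53"):
            print(f"{table_name} tunnel, resolver {resolver}: seen by {dns_observer(table, resolver)}")
```

The takeaway matches the post: moving the default route into the tunnel only moves who sees the traffic and the DNS queries from the ISP to the VPN provider; with a split tunnel and a public resolver, the ISP still sees every name you look up even though the corporate traffic is encrypted.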