What is a VPN?

A VPN (Virtual Private Network) creates an encrypted, authenticated connection (a tunnel) across a network you do not control, such as the Internet. VPNs are used to protect traffic from eavesdropping and tampering on the path, to hide the client's real IP address from the services it reaches, and to access private network resources remotely.

Main Features

1. Encryption

VPNs use authenticated encryption to protect transmitted data, with a key exchange to agree the session keys:

  • AES-256-GCM: Widely used authenticated symmetric cipher (OpenVPN, IPSec)
  • ChaCha20-Poly1305: Modern and efficient alternative; the fixed cipher in WireGuard
  • Key exchange: Elliptic-curve Diffie-Hellman (Curve25519 in WireGuard, ECDHE in TLS, DH groups in IKE). Long-term RSA or elliptic-curve keys and certificates authenticate the endpoints; the traffic keys come from the ephemeral exchange, which gives forward secrecy

2. Tunneling

Process of encapsulating data packets within other packets, so that the original headers and payload travel hidden inside the outer packet:

[Original packet] → [Encryption + integrity tag] → [Encapsulation in UDP/TCP] → [Transmission over the public network]

3. Authentication

Mechanisms to verify the identity of both endpoints (the gateway must also prove its identity to the client, otherwise an impostor server could capture the traffic):

  • Digital certificates
  • User credentials/password
  • Two-factor authentication (2FA)
  • Security tokens

VPN Types

Remote Access VPN

Allows individual users to connect to a private network from remote locations.

Use cases:

  • Remote work
  • Access to corporate resources
  • Secure connection from public networks

Site-to-Site VPN

Connects entire networks between different geographic locations.

Use cases:

  • Connect corporate offices
  • Branch integration
  • Distributed enterprise networks

Common VPN Protocols

OpenVPN

  • Type: Open source
  • Security: High (TLS for the control channel, with certificate-based authentication)
  • Platforms: Multi-platform
  • Port: Configurable (default UDP 1194; TCP 443 is often used to pass restrictive firewalls)

# OpenVPN connection example (client.ovpn carries the server address, CA certificate
# and cipher settings; keep it and any embedded keys readable by root only)
sudo openvpn --config client.ovpn

WireGuard

  • Type: Modern and lightweight
  • Security: High (Noise protocol framework with Curve25519, ChaCha20-Poly1305 and BLAKE2s; no cipher negotiation to get wrong)
  • Performance: Excellent
  • Code: Minimalist (~4,000 lines in the kernel implementation)

# WireGuard client configuration example
[Interface]
# Never share the private key; the file holding it should be mode 600
PrivateKey = <private-key>
# This peer's address inside the tunnel
Address = 10.0.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# 0.0.0.0/0 sends all IPv4 traffic through the tunnel (full tunnel) and accepts
# any source address from this peer; list specific subnets for split tunneling
AllowedIPs = 0.0.0.0/0
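
The AllowedIPs setting above is more than a route: WireGuard calls it a cryptokey routing table. Outbound, the destination IP selects the peer (longest-prefix match) whose key encrypts the packet; inbound, a packet that authenticates under a peer's key is dropped unless its inner source IP is inside that peer's AllowedIPs. The following Python model is an added example (not code from the page or from the WireGuard project); peer names, keys and addresses are constructed placeholders, and it uses the server's per-client /32 layout from the implementation section later on the page as well as the client's 0.0.0.0/0 above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    public_key: str   # base64 Curve25519 public key (placeholder string here)
    allowed_ips: list  # ipaddress network objects


def parse_allowed_ips(spec: str):
    """Turn 'AllowedIPs = 10.0.0.2/32, fd00::2/128' into network objects."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in spec.split(",") if part.strip()]


def select_peer(dst_ip: str, peers):
    """Outbound: longest-prefix match over every peer's AllowedIPs.

    Returns the peer whose session key will encrypt the packet, or None when
    no prefix matches (the packet is not for the tunnel at all).
    """
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer, src_ip: str) -> bool:
    """Inbound: the packet already authenticated under `peer`'s session key.

    It is delivered only if its inner source IP lies inside that peer's
    AllowedIPs; otherwise it is dropped. This is what stops one client from
    spoofing another client's tunnel address.
    """
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in peer.allowed_ips)


# Constructed demo data (names, keys and addresses are placeholders).
# Server side: one /32 per client, as in the page's server config.
SERVER_PEERS = [
    Peer("laptop", "<laptop-public-key>", parse_allowed_ips("10.0.0.2/32")),
    Peer("phone", "<phone-public-key>", parse_allowed_ips("10.0.0.3/32")),
]
# Client side, full tunnel: a single peer (the server) with 0.0.0.0/0.
FULL_TUNNEL_PEERS = [
    Peer("vpn-server", "<server-public-key>", parse_allowed_ips("0.0.0.0/0")),
]
# Client side, split tunnel: only the VPN and corporate ranges go through.
SPLIT_TUNNEL_PEERS = [
    Peer("vpn-server", "<server-public-key>",
         parse_allowed_ips("10.0.0.0/24, 192.168.50.0/24")),
]


def demo():
    """Exercise both directions and return the decisions for inspection."""
    laptop = SERVER_PEERS[0]
    return {
        # server: traffic for 10.0.0.3 is encrypted to "phone", never "laptop"
        "route_to_phone": select_peer("10.0.0.3", SERVER_PEERS).name,
        # server: "laptop" cannot inject a packet whose source claims 10.0.0.3
        "laptop_spoofs_phone": accept_inbound(laptop, "10.0.0.3"),
        "laptop_own_address": accept_inbound(laptop, "10.0.0.2"),
        # server: a tunnel address nobody owns is not routable (None)
        "route_unassigned": select_peer("10.0.0.9", SERVER_PEERS),
        # full tunnel: even a public address (203.0.113.7, TEST-NET-3) is routed
        "full_tunnel_public": select_peer("203.0.113.7", FULL_TUNNEL_PEERS).name,
        # split tunnel: the public address bypasses the tunnel, the corporate range does not
        "split_public": select_peer("203.0.113.7", SPLIT_TUNNEL_PEERS),
        "split_corporate": select_peer("192.168.50.10", SPLIT_TUNNEL_PEERS).name,
    }


if __name__ == "__main__":
    for decision, value in demo().items():
        print(f"{decision}: {value}")
```

The inbound check is why the server gives each client a /32 rather than the whole /24: with a /24 on one peer, that client could send packets with any tunnel address as source and they would be accepted.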

IPSec

  • Type: Protocol suite at the network layer
  • Security: High with IKEv2 and modern cipher suites; avoid IKEv1 aggressive mode with pre-shared keys, whose PSK hash can be captured and cracked offline
  • Use: Primarily enterprise (site-to-site links, firewall appliances, native OS clients)
  • Components: IKE (key exchange and authentication), ESP (encryption and integrity of the payload), AH (integrity only, rarely used today)

L2TP/IPSec

  • Type: Protocol combination (an L2TP tunnel carried inside IPSec; L2TP itself adds no encryption)
  • Security: That of the underlying IPSec, commonly deployed with a single pre-shared key shared by all users
  • Compatibility: Wide (built into most operating systems)
  • Use: Common on mobile devices; prefer IKEv2/IPSec where the client supports it

VPN Architecture

┌─────────────┐           ┌─────────────┐           ┌─────────────┐
│   Remote    │◄─────────►│ VPN Server  │◄─────────►│   Private   │
│   Client    │ Encrypted │  (Gateway)  │ Plaintext │  Corporate  │
└─────────────┘  Tunnel   └─────────────┘   (LAN)   │   Network   │
                                                    └─────────────┘

Use Cases

1. Secure Remote Work

Employees securely access corporate resources from home:

  • Access to internal servers
  • Use of corporate applications
  • Protection of sensitive data

2. Privacy Protection

Hides the user's real IP address and approximate location from the sites visited:

  • Browsing that is pseudonymous toward websites (the VPN operator still sees all the traffic)
  • Less tracking by the local network and the ISP
  • Access to geo-restricted content

3. Security on Public Networks

Protection when using public WiFi:

  • Cafes
  • Airports
  • Hotels

4. Office Interconnection

Connect multiple corporate locations:

  • Share resources
  • Centralize services
  • Backup between sites

Advantages

✅ Security: Traffic is encrypted between the client and the VPN gateway (not end-to-end; it leaves the gateway exactly as the application sent it)
✅ Privacy: Hides browsing activity from the local network and the ISP
✅ Remote Access: Connectivity from anywhere
✅ Bypass: Avoids geographic restrictions
✅ Cost-effective: Alternative to dedicated lines

Disadvantages

❌ Speed: May reduce bandwidth
❌ Complexity: Configuration can be complex
❌ Cost: Premium services require subscription
❌ Trust: The VPN operator (or whoever runs your gateway) sees all tunneled traffic and its metadata
❌ Compatibility: Some services block VPNs

Basic Implementation with WireGuard

On the Server

# Install WireGuard
sudo apt update
sudo apt install wireguard

# Generate keys (umask 077 so the private key file is never world-readable)
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# Configure the interface (the private key goes into this file; keep it root-only)
sudo nano /etc/wireguard/wg0.conf

# Let the server forward packets for its clients (persist it in /etc/sysctl.d/ as well)
sudo sysctl -w net.ipv4.ip_forward=1

# Bring the interface up and enable it at boot
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Server configuration:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# Forward tunnel traffic and NAT it out of the uplink (eth0 is assumed here);
# without the MASQUERADE rule, clients that use the server as default route get no replies
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] block per client; AllowedIPs is also the only source address
# this client may use inside the tunnel
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32

On the Client

[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
# Resolver to use while the tunnel is up (1.1.1.1 is only an example); set it so
# name lookups do not go to the resolver handed out by the local network
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = server.example.com:51820
# Full tunnel; use e.g. 10.0.0.0/24 to send only VPN-side traffic through
AllowedIPs = 0.0.0.0/0
# Keep NAT mappings alive when the client sits behind NAT
PersistentKeepalive = 25
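
Configuration mistakes in wg0.conf fail quietly: a truncated key is rejected only at `wg-quick up`, a server-side peer with 0.0.0.0/0 turns that client into the server's default route, and overlapping AllowedIPs make the last peer written win while the other peer's packets are silently dropped. The linter below is an added example (not part of the page or of the WireGuard tooling) that parses the wg-quick format used in the server and client configurations above and reports those problems. The sample configurations and the structurally valid but non-secret key it builds are constructed for the demo.

```python
import base64
import ipaddress


def parse_wg_conf(text: str):
    """Parse the INI-like wg-quick format into (interface_dict, [peer_dict, ...]).

    Comments start with '#'; keys are case-insensitive in wg(8), so they are
    normalised to lowercase here.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return interface, peers


def valid_key(b64: str) -> bool:
    """A WireGuard key is exactly 32 bytes, i.e. 44 characters of padded base64."""
    try:
        return len(b64) == 44 and len(base64.b64decode(b64, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def lint_wg_conf(text: str, role: str):
    """role is 'server' or 'client'. Returns a list of human-readable findings."""
    findings = []
    iface, peers = parse_wg_conf(text)
    if not valid_key(iface.get("privatekey", "")):
        findings.append("Interface.PrivateKey is not a valid 32-byte base64 key")
    if role == "server" and "listenport" not in iface:
        findings.append("server has no ListenPort (a random port would be used)")
    seen = []  # (network, peer_index) pairs for overlap detection
    for i, peer in enumerate(peers):
        tag = f"peer[{i}]"
        if not valid_key(peer.get("publickey", "")):
            findings.append(f"{tag}: PublicKey is not a valid 32-byte base64 key")
        nets = [ipaddress.ip_network(s.strip(), strict=False)
                for s in peer.get("allowedips", "").split(",") if s.strip()]
        if not nets:
            findings.append(f"{tag}: no AllowedIPs (peer can neither send nor receive)")
        for net in nets:
            if role == "server" and net.prefixlen == 0:
                findings.append(f"{tag}: AllowedIPs {net} on a server makes this client the default route")
            for other_net, j in seen:
                if j != i and net.version == other_net.version and net.overlaps(other_net):
                    findings.append(f"{tag}: AllowedIPs {net} overlaps peer[{j}] {other_net}")
            seen.append((net, i))
        if "persistentkeepalive" in peer and "endpoint" not in peer:
            findings.append(f"{tag}: PersistentKeepalive without Endpoint has no effect")
    return findings


# Constructed samples. GOOD_KEY is 32 known bytes, so it has the right shape
# but is not a real key; never reuse a predictable key like this.
GOOD_KEY = base64.b64encode(bytes(range(32))).decode()

BAD_SERVER_CONF = f"""
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {GOOD_KEY[:-4]}   # truncated key

[Peer]
PublicKey = {GOOD_KEY}
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = {GOOD_KEY}
AllowedIPs = 10.0.0.0/24, 0.0.0.0/0   # overlaps peer[0] and hijacks the default route
PersistentKeepalive = 25
"""

GOOD_SERVER_CONF = f"""
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {GOOD_KEY}

[Peer]
PublicKey = {GOOD_KEY}
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = {GOOD_KEY}
AllowedIPs = 10.0.0.3/32
"""

if __name__ == "__main__":
    for finding in lint_wg_conf(BAD_SERVER_CONF, "server"):
        print("-", finding)
    print("good config findings:", lint_wg_conf(GOOD_SERVER_CONF, "server"))
```

Run it as root against /etc/wireguard/wg0.conf before `wg-quick up`; the role argument matters because 0.0.0.0/0 is correct on a full-tunnel client and wrong on a server.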

Best Practices

  1. Use modern protocols: Prefer WireGuard, OpenVPN or IKEv2/IPSec; never PPTP
  2. Strong encryption: Use AEAD cipher suites (AES-256-GCM or ChaCha20-Poly1305) with an ephemeral elliptic-curve key exchange; WireGuard fixes these choices so they cannot be misconfigured
  3. Robust authentication: A certificate or key pair per device, plus 2FA for remote-access users where the product supports it
  4. Logs and audit: Monitor logins, handshakes and unusual transfer volumes
  5. Kill switch: Firewall rules that drop everything except traffic to the VPN endpoint while the tunnel is down, so a disconnect does not leak plaintext
  6. Secure DNS: Push a resolver through the tunnel or use encrypted DNS (DoH/DoT) so lookups do not leak to the local network
  7. Updates: Keep client and server software updated
  8. No-logs policy: If using an external provider, remember it sees all tunneled traffic; choose one with an audited no-logs policy and treat it as a trusted party

Protocol Comparison

Protocol    | Speed | Security | Stability | Use
WireGuard   | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | Modern
OpenVPN     | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | Standard
IPSec       | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | Enterprise
L2TP/IPSec  | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | Compatible
PPTP        | ⭐⭐⭐⭐⭐ | ⭐ | ⭐⭐⭐⭐ | Obsolete ❌ (MS-CHAPv2 and MPPE are broken; do not use)

Monitoring and Diagnostics

Verify Connection Status

# WireGuard: peers, endpoints, latest handshake and transfer counters
sudo wg show

# OpenVPN
sudo systemctl status openvpn@server

# View network interfaces
ip addr show
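
`wg show` is meant for humans; `wg show wg0 dump` prints the same data tab-separated so it can be checked from a script. Because WireGuard rekeys a live session about every two minutes, a peer whose last handshake is much older is either idle or unreachable, and a handshake time of 0 means the key is configured but the peer has never connected. The checker below is an added example (not from the page or the WireGuard project); the dump sample, its placeholder keys, TEST-NET-3 endpoints and the fixed clock are constructed, and the 180-second threshold is a choice, not a WireGuard constant.

```python
import subprocess
import time
from dataclasses import dataclass

# WireGuard rekeys a live session roughly every 120 s (REKEY_AFTER_TIME), so a
# peer with traffic flowing shows a fresh handshake; 180 s leaves some margin.
STALE_AFTER_SECONDS = 180


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str          # "(none)" until the peer has ever been seen
    allowed_ips: str
    latest_handshake: int  # unix seconds, 0 = never
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str):
    """Parse `wg show <iface> dump` output into (interface, peers).

    Line 1: private-key, public-key, listen-port, fwmark.
    Later lines: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.
    """
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    iface = lines[0].split("\t")
    interface = {"public_key": iface[1], "listen_port": int(iface[2])}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append(PeerStatus(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return interface, peers


def classify_peers(peers, now: int):
    """Map each peer's public key to 'ok', 'stale' or 'never'."""
    states = {}
    for p in peers:
        if p.latest_handshake == 0:
            states[p.public_key] = "never"   # configured, but no session ever
        elif now - p.latest_handshake > STALE_AFTER_SECONDS:
            states[p.public_key] = "stale"   # had a session, silent since
        else:
            states[p.public_key] = "ok"
    return states


def redact(key: str) -> str:
    """Log only a key prefix; it is enough to correlate with the config."""
    return key[:8] + "..."


def report(dump: str, now: int):
    """One line for every peer that is not healthy."""
    _, peers = parse_wg_dump(dump)
    states = classify_peers(peers, now)
    out = []
    for p in peers:
        state = states[p.public_key]
        if state == "ok":
            continue
        age = "never" if p.latest_handshake == 0 else f"{now - p.latest_handshake}s ago"
        out.append(f"{state.upper()}: peer {redact(p.public_key)} "
                   f"({p.allowed_ips}) endpoint={p.endpoint} handshake={age}")
    return out


def live_report(interface: str = "wg0"):
    """Run against the real interface (needs root and the wg tool installed)."""
    dump = subprocess.run(["wg", "show", interface, "dump"],
                          capture_output=True, text=True, check=True).stdout
    return report(dump, int(time.time()))


# Constructed sample: three peers and a fixed clock. Keys are placeholder
# strings (real ones are 44-character base64); endpoints use TEST-NET-3.
SAMPLE_NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "server-pubkey", "51820", "off"]),
    "\t".join(["laptop-pubkey", "(none)", "203.0.113.10:40123", "10.0.0.2/32",
               str(SAMPLE_NOW - 42), "120394", "88331", "off"]),
    "\t".join(["phone-pubkey", "(none)", "203.0.113.77:51820", "10.0.0.3/32",
               str(SAMPLE_NOW - 3600), "9012", "7710", "25"]),
    "\t".join(["new-pubkey", "(none)", "(none)", "10.0.0.4/32",
               "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    for line in report(SAMPLE_DUMP, SAMPLE_NOW):
        print(line)
```

A peer that stays in the "never" state for weeks is a key that was provisioned but not used and is a candidate for removal; a normally active peer that turns "stale" while the client reports being connected usually points at a changed endpoint or a firewall dropping UDP 51820.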

Connectivity Tests

# Verify public IP (should be the VPN gateway's address, not your own)
curl ifconfig.me

# Speed test
speedtest-cli

# Traceroute (the first hops should be inside the tunnel)
traceroute google.com

Related Tools

  • WireGuard: Modern VPN client/server
  • OpenVPN: Robust open source VPN solution
  • Tailscale: WireGuard-based mesh VPN
  • Pritunl: Management interface for OpenVPN
  • StrongSwan: IPSec implementation
  • SoftEther: Multi-protocol VPN

Glossary

  • Tunnel: Encrypted point-to-point connection that carries other traffic encapsulated inside it
  • Gateway: Server that acts as the entry/exit point between the tunnel and the private network
  • Split tunneling: Send only certain traffic (e.g. corporate subnets) through the VPN; everything else uses the normal connection
  • Kill switch: Feature that blocks Internet traffic if the VPN drops, so nothing is sent unprotected
  • Perfect Forward Secrecy: Session keys derived from ephemeral key exchanges, so compromise of a long-term key does not expose past traffic