Please explain VPN to me

Hi,

Let me start off by saying that I am very computer literate and I have a good understanding of networking, hardware, the entire OS stack, etc etc.

However, I have no idea what a VPN is or how it works. I cannot seem to find a simple technical explanation that doesn’t involve vagaries like “lets you join a secure network”.

I’m looking for info along the lines of:

  1. How does it work?

  2. Who assigns IP addresses? The networks DHCP server, or the VPN server?

  3. What is my route to the wider internet if I use a corporate VPN?

  4. Where is all traffic tunneled?

  5. How does it compare to a SSH/SOCKS proxy, which I understand?

etc

Sorry if this is a dumb question, just something I have trouble with the mental model of. Any help greatly appreciated!

Easiest way to think about it is as if you’re using a dial-up modem. The other end of the VPN, the server, is something you dial into; it assigns you an IP address, either itself or via the DHCP server on the other network.

For corporate, your route will always be through the VPN unless it’s got ‘split tunneling’ enabled, in which case most of your traffic will go over your normal connection until you try to open something on the other local area network.

SSH/SOCKS works for specific ports, VPN does it for all network traffic.

The VPN will look to Windows like a network adapter, only it’s not real, it’s a virtual one.
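As an added example (not code from the thread), here is the routing decision the answer above describes, written out as a longest-prefix-match lookup over two route tables: a split-tunnel table, where only the corporate prefixes go into the virtual adapter, and a full-tunnel table, where the default route is moved onto it. Interface names, addresses and the VPN server's public address are all constructed for illustration. The example also shows the one route a full-tunnel setup cannot do without: a host route for the VPN server's public address via the physical gateway, so the encrypted outer packets are not themselves sent into the tunnel.

```python
# Added example (not from the thread): how the OS chooses an interface once a
# VPN adapter exists, and what "split tunneling" changes. Interface names,
# addresses and the VPN server's public address are constructed for illustration.
import ipaddress

def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)

# Route entry: (destination prefix, next-hop gateway or None if on-link, interface)
def route_for(dst: str, table: list) -> tuple:
    """Longest-prefix match over the table, the same rule a kernel FIB lookup applies.
    Returns (gateway, interface) for the most specific matching prefix."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

LAN_GW = "192.168.1.1"          # the home router (constructed)
VPN_GW = "10.1.10.1"            # far end of the tunnel, inside the corporate network (constructed)
VPN_SERVER = "203.0.113.10"     # the server's public address, where the encrypted outer packets go (constructed)

# Split tunnel: only the corporate prefixes are sent into tun0; the default route
# stays on the physical adapter, so ordinary browsing never touches the VPN.
SPLIT_TUNNEL = [
    (net("0.0.0.0/0"),       LAN_GW, "eth0"),
    (net("192.168.1.0/24"),  None,   "eth0"),
    (net("10.1.10.0/24"),    None,   "tun0"),   # the tunnel subnet itself
    (net("10.0.0.0/8"),      VPN_GW, "tun0"),   # the rest of the corporate network
]

# Full tunnel: the default route is moved onto tun0, so all internet traffic exits
# on the corporate side. The /32 host route for the VPN server via the physical
# gateway is essential: without it the encrypted outer packets would themselves
# match the default route and be sent back into the tunnel.
FULL_TUNNEL = [
    (net("0.0.0.0/0"),        VPN_GW, "tun0"),
    (net("192.168.1.0/24"),   None,   "eth0"),
    (net("10.1.10.0/24"),     None,   "tun0"),
    (net("10.0.0.0/8"),       VPN_GW, "tun0"),
    (net(VPN_SERVER + "/32"), LAN_GW, "eth0"),
]

def tunnel_is_loop_free(table: list, vpn_server: str) -> bool:
    """The outer (encrypted) packets to the VPN server must leave on a physical
    interface; if they would be routed into tun0, the tunnel eats its own traffic."""
    return route_for(vpn_server, table)[1] != "tun0"

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.10.50", "10.20.30.40", VPN_SERVER):
        print(dst, "split:", route_for(dst, SPLIT_TUNNEL), "full:", route_for(dst, FULL_TUNNEL))
    print("full tunnel loop-free:", tunnel_is_loop_free(FULL_TUNNEL, VPN_SERVER))
    print("without the host route:", tunnel_is_loop_free(FULL_TUNNEL[:-1], VPN_SERVER))
```

Real VPN clients install exactly these entries (compare `ip route` on Linux or `route print` on Windows after connecting); the host route for the server is what makes "use the virtual adapter for everything" work without cutting off the tunnel's own transport.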

There are a couple different types of connections that fall under the VPN umbrella. I’m not sure if they have proper names, since most people don’t differentiate, but I refer to them as “infrastructure” and “P2P”.

An infrastructure VPN is the more common type. You connect from the outside (WAN, internet, whatever you want to call it) to the remote router, and it routes you as if you are connected directly to the LAN. You are assigned an internal IP address, just as if you were physically plugged into the router with an ethernet cable. You can communicate with any device on the LAN on any port. You’re effectively “on the inside”, even though you might physically be on the other side of the country.

A P2P VPN is a little different. These are most often provided by a service like TeamViewer or LogMeIn’s Hamachi. It will only give you access to the machines connected to the P2P VPN, not to the other machines on their local network(s). The IP addresses are provided by the service, and have nothing to do with your or your peers’ physical network addresses. It’s an entirely separate virtual subnet and neither your nor your peers’ routers are involved. The “router” for this network is the service itself, though all it really does is set up the connection. None of the data on the virtual subnet passes through the service; it tunnels directly from your machine to the machine of your peer.

How/where the traffic is tunneled depends on the type of VPN and how it was set up. Most use 80 or 8080, as those are the least restricted by ISPs and most likely to work. Some corporate VPNs probably use other ports for various reasons.

Your “route to the internet” can either be through your actual internet connection, or through the VPN connection, depending on how you have things set up (assuming the VPN router allows it). If it helps, any VPN connection works through a network connection that, to your computer, is indistinguishable from a hardware connection. It’s like you have two network cards: one connected to your local LAN, the other connected to the remote LAN. It’s just that the remote connection is entirely virtual instead of an actual chip connected to a physical cable. I honestly don’t know what the default behavior is for your software (despite using VPNs regularly), but you can almost certainly choose which you want to use for internet connectivity. For example, if your local address is 192.168.1.5, and your VPN address is 10.1.10.20, you should be able to tell your browser to use the VPN gateway (presumably 10.1.10.1) for internet access. Note that you have to do this in the software itself; attempting to tell Windows to only use a virtual connection for internet will result in failure. I’ll let you figure out why :)

As for comparison to a proxy, you can use the VPN connection for internet access and that would effectively be a proxy. But the main purpose is to get you inside a remote network, either for security purposes or to access ports that would normally be blocked to the outside world.

If you know OSI, it basically is a tunnel/wrapper at layer 2 or 3 so that it looks like you’re plugged into a remote switch. That’s pretty much all it is. You may be over complicating it. Encryption can be added after the fact.

Edit

To answer the SOCKS/SSH proxy question: same thing, but it tunnels all layer 3 traffic, not just certain layer 4 ports.

https://www.youtube.com/watch?v=4BfL0UHrzDY
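The "tunnel/wrapper at layer 3" described above, as an added example that is not part of the thread: a toy tunnel that takes a complete inner IPv4 packet of any protocol (ICMP, UDP, TCP) from the virtual adapter, wraps it unchanged in an outer frame, and unwraps it at the far end. It also shows the "added after the fact" protection layer in its simplest form, an HMAC-SHA256 tag and a sequence number, so the receiver rejects tampered and replayed frames. Encryption is deliberately left out (the Python standard library has no cipher), so this tunnel authenticates but does not hide the inner packet; the frame layout, key and sample packets are constructed for the example and match no real VPN protocol.

```python
# Added example (not from the thread): a toy layer-3 tunnel. An inner IPv4 packet
# of any protocol is carried unchanged inside an outer frame that is what actually
# crosses the internet. Integrity and anti-replay are added with HMAC-SHA256 and a
# sequence number; encryption is omitted because the standard library has no
# cipher, so the outer bytes are authenticated, not confidential. Frame layout,
# key and addresses are constructed for this example, not any real protocol.
import hashlib
import hmac
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to every frame

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 when verifying a valid header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) plus payload: what the virtual adapter hands the VPN."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Read the inner header back; only the IPv4 layer is inspected, never the L4 ports."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": PROTO_NAMES.get(proto, str(proto)), "payload": pkt[ihl:total]}

class Tunnel:
    """One end of the tunnel. Both ends share `key`; the sequence number stops replays."""
    def __init__(self, key: bytes):
        self.key, self.send_seq, self.last_recv_seq = key, 0, -1

    def encapsulate(self, inner: bytes) -> bytes:
        self.send_seq += 1
        body = struct.pack("!I", self.send_seq) + inner
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag  # the outer frame; a real VPN carries this in UDP, TCP or ESP

    def decapsulate(self, frame: bytes) -> bytes:
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag: frame was tampered with or sent with another key")
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_recv_seq:
            raise ValueError("replayed frame")
        self.last_recv_seq = seq
        return body[4:]

# Constructed sample traffic; the L4 bytes are placeholders, only the IPv4 header matters here.
SAMPLE = [
    build_ipv4("10.1.10.20", "10.1.10.1", 1, b"icmp-echo-request"),
    build_ipv4("10.1.10.20", "10.1.10.53", 17, b"udp-dns-query"),
    build_ipv4("10.1.10.20", "10.1.10.80", 6, b"tcp-syn"),
]

def run_through_tunnel(packets: list) -> list:
    """Send each inner packet client -> server and report what the far adapter receives."""
    key = b"shared-secret-from-the-vpn-handshake"   # constructed; real VPNs derive a per-session key
    client, server = Tunnel(key), Tunnel(key)
    seen = []
    for pkt in packets:
        frame = client.encapsulate(pkt)             # all the internet ever sees
        inner = parse_ipv4(server.decapsulate(frame))
        seen.append((inner["proto"], inner["src"], inner["dst"]))
    return seen

def tamper_and_replay_rejected() -> tuple:
    """The two receiver checks: a flipped byte and a replayed frame both fail."""
    key = b"k" * 32
    client, server = Tunnel(key), Tunnel(key)
    frame = client.encapsulate(SAMPLE[0])
    server.decapsulate(frame)                        # first delivery succeeds
    tampered = frame[:8] + bytes([frame[8] ^ 0x01]) + frame[9:]
    def rejected(f: bytes) -> bool:
        try:
            server.decapsulate(f)
            return False
        except ValueError:
            return True
    return rejected(tampered), rejected(frame)

if __name__ == "__main__":
    print(run_through_tunnel(SAMPLE))
    print("tampered rejected, replay rejected:", tamper_and_replay_rejected())
```

The point to take from the run is that the tunnel never looks at ports: an ICMP echo, a UDP datagram and a TCP segment are all just opaque bytes after the inner IP header, which is why a VPN carries protocols a SOCKS proxy cannot.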

Hi, I will do my best to clarify what the VPN service is and its usages for you.
VPN stands for Virtual Private Network, which helps you to change your IP address and gives you another one from its network; it’s very good and more secure than a proxy server, which is also used to hide your IP address.
You can learn the difference between those two services for unblocking sites and surfing the web anonymously here: http://www.proxybreaking.com/en/proxy-vpn/.
How does it work?
There are many ways to utilize this service, like using one of the VPN service providers, setting up an L2TP VPN connection manually, or using the OpenVPN protocol provided by some VPN service providers to get a VPN connection which is more secure.
You can learn how to set up a VPN router here: http://www.bestcheapvpnservice.com/setup-vpn-routor/.
I hope that my answer helps!

This might be a little too ELI5 for your question (although it might indirectly help with #5), but think of a board meeting, where each board member represents a computer and the conversation they are having within that (private) room represents network traffic.

A VPN is then like having this guy (on a tablet) attending the meeting remotely, but for all intents and purposes being in the (private) room. In fact, if it existed, a solid hologram where he could get up and pat someone or leave the room would be more accurate - the tablet version is too restricted (although some VPNs probably are or can be configured to be restrictive). Aside from the speed issues because internet, you shouldn’t be able to tell the difference between working remotely via a VPN or physically within the network.

The implementation of how the conversation flows from the board room to that guy’s actual physical location varies between infrastructures and providers.

So would it be correct to say that there is a VPN “driver” which presents as a (virtual) network card to the OS, and any data sent/received over that network interface is encrypted and tunnelled to the other end, where there is some kind of virtual outlet network interface which is connected to the end network?

i.e. it is like a virtual ethernet card (vpn driver) and cable (encrypted vpn tunnel) from my machine, connected to the network.

I’m having trouble understanding what happens at the other end. The VPN server must be running on a specific machine. How are all the connected virtual interfaces mapped onto the network through that machine’s one or two physical network cards?

And am I right in thinking (based on the above) that there is no reason for a VPN to interfere with ports etc? Does it take other traffic than TCP?

Yes, there’s a driver on the OS that sits there as if it’s an ethernet card for all intents and purposes, the tunnel is equivalent to an ethernet cable, and the machine at the other end is acting as a router.

The VPN server can be a machine, or multiple machines, that sit there waiting for connections; they authenticate the users and sit there routing traffic to the right place. Sometimes they are physical VPN devices, or it can be a server configured as a VPN server. Think of the VPN server as if it’s your own router; you’ve just extended the cable a few hundred miles. VPNs won’t interfere with ports; they just pile traffic onto an encrypted tunnel between two TCP ports, and the VPN server decrypts and routes it all at the other end. It’s TCP/IP over TCP/IP.
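As an added example (not code from the thread), here is what the "router at the other end" does with the question asked earlier: many clients arrive over tunnel sessions, but they all have to leave through the server's one or two physical NICs. Two answers are shown as plain Python. Plain forwarding works when the rest of the LAN knows that the tunnel subnet lives behind the VPN server (a static route on the LAN router pointing at it). Source NAT works with no LAN changes: every client flow is rewritten to the server's own LAN address and a port of its own, with connection state so replies find their way back and unsolicited packets are dropped. All addresses, the pool, and the port range are constructed.

```python
# Added example (not from the thread): how a VPN server with one physical NIC
# gets traffic from many tunnel clients onto the LAN and back. Addresses, the
# tunnel pool and the NAT port range are constructed for illustration.
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")     # pool the VPN server hands to clients
CORP_LAN = ipaddress.ip_network("192.168.10.0/24")
SERVER_LAN_IP = "192.168.10.2"                        # the server's physical NIC

def egress_for(dst: str) -> str:
    """Plain forwarding decision on the server: tunnel clients are reached through
    their own session, LAN hosts directly on the physical NIC, anything else via
    the LAN's gateway. This needs no address rewriting, but the LAN must route
    TUNNEL_NET back to SERVER_LAN_IP or replies never arrive."""
    a = ipaddress.ip_address(dst)
    if a in TUNNEL_NET:
        return "tun:" + dst
    if a in CORP_LAN:
        return "eth0:direct"
    return "eth0:via-gateway"

class SourceNat:
    """Connection-tracking SNAT keyed on the flow 4-tuple, in the spirit of
    iptables MASQUERADE. Each client flow gets its own port on the server's LAN
    address; a reply is translated back only if it comes from the host and port
    the client originally talked to, so random inbound packets are dropped."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (client_ip, client_port, dst_ip, dst_port) -> nat_port
        self.back = {}   # nat_port -> (client_ip, client_port, dst_ip, dst_port)

    def outbound(self, pkt: dict) -> dict:
        """Packet arriving from the tunnel, heading for the LAN: rewrite source."""
        if ipaddress.ip_address(pkt["src"]) not in TUNNEL_NET:
            raise ValueError("source is not a tunnel address: spoofed packet dropped")
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out:
            nat_port = self.next_port
            self.next_port += 1
            self.out[key] = nat_port
            self.back[nat_port] = key
        return {**pkt, "src": self.public_ip, "sport": self.out[key]}

    def inbound(self, pkt: dict) -> dict:
        """Packet arriving on the LAN NIC for the server's address: restore destination."""
        state = self.back.get(pkt["dport"])
        if state is None or state[2] != pkt["src"] or state[3] != pkt["sport"]:
            raise LookupError("no matching flow: unsolicited inbound packet dropped")
        client_ip, client_port = state[0], state[1]
        return {**pkt, "dst": client_ip, "dport": client_port}

def demo() -> dict:
    """Two clients that both chose source port 5000 talk to the same LAN server;
    the NAT keeps them apart, maps the reply back, and drops a stray packet."""
    nat = SourceNat(SERVER_LAN_IP)
    a = nat.outbound({"src": "10.8.0.5", "sport": 5000, "dst": "192.168.10.50", "dport": 443})
    b = nat.outbound({"src": "10.8.0.6", "sport": 5000, "dst": "192.168.10.50", "dport": 443})
    reply = nat.inbound({"src": "192.168.10.50", "sport": 443,
                         "dst": SERVER_LAN_IP, "dport": a["sport"]})
    try:
        nat.inbound({"src": "192.168.10.99", "sport": 22, "dst": SERVER_LAN_IP, "dport": b["sport"]})
        stray_dropped = False
    except LookupError:
        stray_dropped = True
    return {"a_port": a["sport"], "b_port": b["sport"],
            "reply_to": (reply["dst"], reply["dport"]), "stray_dropped": stray_dropped}

if __name__ == "__main__":
    print(demo())
    for d in ("10.8.0.5", "192.168.10.50", "8.8.8.8"):
        print(d, "->", egress_for(d))
```

Which of the two a site uses is a design choice with a security consequence: with plain forwarding, LAN hosts see each client's real tunnel address and can filter per client; behind SNAT they only ever see the VPN server, so per-user policy has to be enforced on the server itself.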

Not so much a “driver” as a program, but yes, it will present itself as a virtual network card.

As for mapping, it’s important to remember there are A LOT of ports. VPNs might transit data using IPSec (using ports 51, 500, and 4500), SSL (ports 443, 465, 993, and 995), L2TP (port 1701), or PPTP (1723 and 47); they may use a combination, or they may roll their own.

The point is, once it reaches your computer, your VPN software recognizes that as valid data, says “oh hey, that’s VPN traffic”, and decrypts it as normal network data.

Ports themselves, correct, should not be interfered with. The reason is that ports are also tied to the IP address. For example, if my public-facing IP address is 10.11.221.123, and my VPN address is 11.212.21.11, I could theoretically run, say, two separate Minecraft servers: one bound to traffic on 10.11.221.123:25565 and one bound to 11.212.21.11:25565. The VPN’s traffic will be routed to my VPN’s router, which will then forward it to my VPN IP.

I’m so happy your name isn’t chavgap