What is a VPN? A BITOG Guide

OVERKILL

Seems the topic of VPNs has become quite common as of late, and there appears to be a significant amount of confusion regarding just what exactly a VPN is and what it can and cannot do. I've written this thread to hopefully provide a layman-geared breakdown of the topic. If there is something you don't feel is sufficiently simplified/comprehensible, then please let me know and I will attempt greater clarification.

VPN is an acronym that simply stands for Virtual Private Network. As the name implies, the nature of this private network is logical; it is a construct, not a physically private network, such as your home LAN. At its most basic, a VPN is simply an encrypted tunnel between two or more points where all traffic inside that link is concealed during traversal.

Historically, the purpose of a VPN was to provide remote access for employees to work resources, allowing the user's device(s) to securely tunnel into the company LAN and access resources located therein. These resources could be accessed via a Remote Desktop connection, using Citrix or some other medium, or even directly from the remote workstation in smaller deployments when what was being accessed consisted of simple print queues and SMB shares.

VPN connections come in two flavours: Hardware and Software.

Hardware: A physical appliance is deployed at the remote location to provide access to the resources. This is available all the time with no intervention required by the user. This is most common for branch offices but teleworker gateways are also a thing and reasonably popular. This device establishes the tunnel itself and maintains it. Traffic is directed across the tunnel per whatever policy is defined which could be a split-tunnel or full-tunnel setup.

Software: An integrated client or software package is used to create and maintain the tunnel. This may require user intervention (and typically does in most configurations), where the tunnel is only established when the user needs to access the remote resources. There have been myriad proprietary and standards-based commercial packages available over the years, many vendor-specific, like Cisco's IPSec VPN client, Juniper's Pulse Secure, OpenVPN, Cisco's AnyConnect SSL client, etc. Most OSes offer core support for standards-based VPN setups, like L2TP for example. These software solutions also offer full or split-tunnel capabilities. Browser-based solutions are now also available which function in a similar manner, where all browser traffic is funnelled over an encrypted link to a remote network.

While most hardware VPNs terminate on a corresponding piece of equipment on the other end of the link, like, say, a Cisco ASA or ISR, Juniper SSG, etc., software clients can terminate on those devices or on a software solution running on a server, like an OpenVPN install for example. The server software decrypts the traffic and forwards it on through its link(s), be it LAN or WAN destined.

Back when bandwidth was expensive, VPNs were very commonly of the split-tunnel variety, where only traffic destined to/from the remote LAN was transmitted over the encrypted link. This was done by way of a routing entry or entries, where only those specific subnets were assigned routes that pushed through the adapter interface IP assigned to the VPN. As bandwidth became cheaper, admins were more inclined, particularly if they were using software clients, toward full-tunnel setups so that all traffic to/from the remote client had to pass through the corporate firewall for inspection. This allowed the detection and filtering of malware, inappropriate websites, viruses, etc. These tasks could be offloaded to teleworker gateways and remote firewalls in a hardware deployment, however.

More recently, VPNs have gained popularity for concealing traffic from ISPs (Internet Service Providers) because people fear being penalized or having their browsing habits monetized. The main benefits of using a VPN outside of accessing work resources are:
- To facilitate location spoofing for services that filter content based on location, like Netflix
- To protect traffic when using public WiFi at Starbucks or a hotel
- For less-than-legal activities like torrenting where one may come under fire from the RIAA or one of the movie companies for illegal procurement of content.

While Paramount might have luck contacting your ISP and indicating that a specific IP in their block on April 5th was downloading one of their titles from the Pirate Bay, they are going to have much less of a chance of success getting cooperation from a VPN provider headquartered in the Netherlands and terminating your connection in Nigeria.

Because a VPN only encrypts the traffic traversing the link, it does not provide end-to-end security, unless the resource you are accessing is the VPN provider. This means that already encrypted content, like banking transactions for example, isn't further bolstered in security, and it also means that any plain-text data being transmitted still crosses multiple hops in its plain-text state once it exits the VPN. This could actually mean more, less secure hops than if the traffic didn't have its egress point relocated, depending on where the tunnel lands.

Say for example you were posting on BITOG pre-SSL days, so all traffic is unencrypted. We'll pretend the server is located in Washington at a Datacentre that put it squarely on the AT&T backbone.

Scenario 1, no VPN: Traffic goes from your computer, through your ISP to the AT&T network, total carrier count is 2, hop count is 7.
Scenario 2, with VPN: Traffic goes encrypted to Romania where it exits the VPN. It then gets routed through Skynet, then onto a provider out of Munich, through London where it gets onto Vodafone, which routes it across the pond to AT&T. Total carrier count is 5, hop count 40.

At any point post de-encapsulation that plain text content is sniffable as it traverses those 40 hops.

So already encrypted traffic doesn't benefit. Plain text traffic doesn't benefit unless you count DNS queries, which could be resolved at the VPN termination point, or forwarded on to a server operated by their provider, depending on the topology. This prevents your ISP from seeing the sites you are going to, but it doesn't prevent the VPN provider from seeing them or your DNS queries unless you are using a DNSCrypt mechanism inside the VPN and tunnelling those queries to a separate entity, which you could also just do without the VPN. In any case, the VPN provider sees the same level of detail your ISP would without the VPN, as does their provider.
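The split-tunnel versus full-tunnel distinction in the post above comes down to the client's route table. The following is an added example (not from the original post) that models longest-prefix-match route selection under both policies; interface names, subnets and the VPN server address are constructed assumptions. It also shows the host route a full tunnel needs so that the encrypted packets to the VPN server itself are not routed back into the tunnel.

```python
"""Route selection under split-tunnel and full-tunnel VPN policy.

Added example with constructed tables; 'eth0', 'tun0', the subnets and the
VPN server address are assumptions, not values from the original thread.
"""
import ipaddress


def next_hop(table, dst):
    """Return the interface of the most specific route that contains dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def make_table(routes):
    """Turn (cidr, interface) pairs into (network, interface) pairs."""
    return [(ipaddress.ip_network(cidr), iface) for cidr, iface in routes]


# Physical uplink: the local LAN plus a default route through the ISP.
BASE = [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")]

# Constructed (TEST-NET-3) address of the VPN gateway the client connects to.
VPN_SERVER = "203.0.113.10"

# Split tunnel: only the corporate subnets are routed into the tunnel;
# everything else still leaves via the ISP in the clear.
SPLIT_TUNNEL = make_table(BASE + [("10.0.0.0/8", "tun0"),
                                  ("172.16.0.0/12", "tun0")])

# Full tunnel: two /1 routes are more specific than the /0 default, so all
# Internet-bound traffic goes into the tunnel without deleting the default
# route (the OpenVPN 'redirect-gateway def1' approach). The /32 host route
# keeps the encrypted packets to the VPN server itself on the physical link.
FULL_TUNNEL = make_table(BASE + [("0.0.0.0/1", "tun0"),
                                 ("128.0.0.0/1", "tun0"),
                                 (VPN_SERVER + "/32", "eth0")])

# Same policy with the host route forgotten: the tunnel routes into itself.
BROKEN_FULL_TUNNEL = make_table(BASE + [("0.0.0.0/1", "tun0"),
                                        ("128.0.0.0/1", "tun0")])


def vpn_server_reachable(table, server=VPN_SERVER):
    """Sanity check: the VPN endpoint must be reached outside the tunnel."""
    return next_hop(table, server) != "tun0"


def egress_map(table, destinations):
    """Map each destination to the interface its packets leave on."""
    return {dst: next_hop(table, dst) for dst in destinations}


if __name__ == "__main__":
    # 198.51.100.7 is a constructed (TEST-NET-2) 'random Internet host'.
    probes = ["10.1.2.3", "198.51.100.7", "192.168.1.20", VPN_SERVER]
    print("split:", egress_map(SPLIT_TUNNEL, probes))
    print("full: ", egress_map(FULL_TUNNEL, probes))
    print("broken full tunnel reaches VPN server:",
          vpn_server_reachable(BROKEN_FULL_TUNNEL))
```

Note that under the full-tunnel table the local LAN /24 is still more specific than the /1 routes, so LAN traffic stays off the tunnel even though all Internet traffic is redirected.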
 
Thank you for posting
 
Overkill,

Thank you for taking the time to post this information!

I have intermittently been trying to get a better understanding of VPNs, how they work and, most importantly, whether I can actually be more private and secure on the www?

I have had the desire to at least frustrate the efforts of entities that would monetize my data or snoop into my activities online.

Your write-up is the most understandable and plain-English one that I have read thus far.

Do you think subscribing to a provider like ExpressVPN or such would be of any benefit?

I am reluctant to use public WiFi and just use my mobile data provider when away from home and avoid consuming video content while using mobile data services.

I try to avoid going to sketchy websites, clicking on links etc. I try to practice good hygiene when going online.

Do you have any recommendations for reading about how to be most private and secure online?

Thanks again for posting your write up.
 
Great write up. I used to be at a SNF chain where Site to Site VPNs and T1 MPLS circuits were everywhere. Even had one point where MPLS and backup Cable ISP went down, had a Verizon 3G PCMCIA/CardBus AirCard on a Windows XP laptop using Internet Connection Sharing into the WAN on a SonicWall with Aggressive Mode negotiation mode on and got a whole building running on 3G... man the memories.

Thankfully now, my entire campus is Fiber between buildings, Fiber ISP and Cable Backup WAN and my extent of VPN is using the NetExtender client when I want to remote it. Thank god.
 
Originally Posted by redhat
Great write up. I used to be at a SNF chain where Site to Site VPNs and T1 MPLS circuits were everywhere. Even had one point where MPLS and backup Cable ISP went down, had a Verizon 3G PCMCIA/CardBus AirCard on a Windows XP laptop using Internet Connection Sharing into the WAN on a SonicWall with Aggressive Mode negotiation mode on and got a whole building running on 3G... man the memories.

Thankfully now, my entire campus is Fiber between buildings, Fiber ISP and Cable Backup WAN and my extent of VPN is using the NetExtender client when I want to remote it. Thank god.


That's hilarious! I've had to jimmy-rig similar, including a link using 56K. So I feel your pain.

Cisco AnyConnect is my current go-to for access to most resources. Using SSL, it works anywhere, hence the name, which makes it an excellent option.
 
Originally Posted by frankbee3
Overkill,

Thank you for taking the time to post this information!

I have intermittently been trying to get a better understanding of VPNs, how they work and, most importantly, whether I can actually be more private and secure on the www?

I have had the desire to at least frustrate the efforts of entities that would monetize my data or snoop into my activities online.

Your write-up is the most understandable and plain-English one that I have read thus far.

Do you think subscribing to a provider like ExpressVPN or such would be of any benefit?

I am reluctant to use public WiFi and just use my mobile data provider when away from home and avoid consuming video content while using mobile data services.

I try to avoid going to sketchy websites, clicking on links etc. I try to practice good hygiene when going online.

Do you have any recommendations for reading about how to be most private and secure online?

Thanks again for posting your write up.



You are quite welcome!

Most stuff you can do is pretty easy. If you aren't trying to hide your traffic from your ISP, then a VPN for you doesn't make sense. I'd suggest using OpenDNS or similar as your DNS provider (it gives you some traffic filtering options, which are excellent, and blocks a lot of malware and similar) as well as a browser with Adblock Plus or uBlock. Alternatively, you could use Brave, which has a built-in blocker. Don't use Google for searching, use DuckDuckGo, and that should keep you reasonably private.
 
Good post. See my signature below, though it does not apply to you.

Examples of poor computer-geek instructions: if they are so smart, why can't they explain better???
1. your token has expired
2. step 1- launch your desktop client
3. software agreement includes Boot rom code
4. ecg watch app is now available in saudi arabia
 
Nice write-up OVERKILL ... thanks for the info, and thanks to others that contribute to this thread.

One thing that I'm not clear on is how regular https:// and a VPN differ in terms of the possible "packet sniffing" security of the data in the WiFi signal between the computer and modem/router when:

1) Using a https:// website on a secure WiFi network - with VPN vs without a VPN.

2) Using a non https:// website on a secure WiFi network - with VPN vs without a VPN.
 
Originally Posted by ZeeOSix
Nice write-up OVERKILL ... thanks for the info, and thanks to others that contribute to this thread.

One thing that I'm not clear on is how regular https:// and a VPN differ in terms of the possible "packet sniffing" security of the data in the WiFi signal between the computer and modem/router when:

1) Using a https:// website on a secure WiFi network - with VPN vs without a VPN.

2) Using a non https:// website on a secure WiFi network - with VPN vs without a VPN.


Simply put, HTTPS is end-to-end encryption; that is, all traffic between your computer and that remote site is encrypted. What doesn't take place inside that is name resolution, and thus the initial "handshake" that establishes the connection with the site.

Whether a network is secured or not doesn't change the ability to capture unencrypted traffic once a client has been authenticated. The encryption is between the client and the network to prevent the traffic from being sniffed from devices not participating on/authenticated with the network. Once a device is securely authenticated and allowed to participate, while the communication with the network is protected, traffic inside that network is not.

Client isolation is a feature that blocks wireless clients from seeing each other. Some access point/WLAN setups also have the ability to prevent wireless clients from talking to LAN clients as well, essentially siloing them. But a person cannot depend on client isolation, or any particular degree of it, being in play when on a network they don't own. This is where a VPN becomes useful, as it means that ALL interesting traffic (assuming a full-tunnel, not split-tunnel, setup) is encrypted before leaving the client device and only returns to its native state once it exits that tunnel. This also protects against DNS injection, hijacks, redirects and the like, because all name resolution happens through the tunnel, typically via a DNS provider you trust (in my case CIRA or OpenDNS).
 
I didn't want to start a new thread for my following comment, but got this message in Firefox 76.0 which is security related, so I'll just post it here. Any comments?

[Linked Image]
 
Originally Posted by OVERKILL
Originally Posted by frankbee3
Overkill,

Thank you for taking the time to post this information!

I have intermittently been trying to get a better understanding of VPNs, how they work and, most importantly, whether I can actually be more private and secure on the www?

I have had the desire to at least frustrate the efforts of entities that would monetize my data or snoop into my activities online.

Your write-up is the most understandable and plain-English one that I have read thus far.

Do you think subscribing to a provider like ExpressVPN or such would be of any benefit?

I am reluctant to use public WiFi and just use my mobile data provider when away from home and avoid consuming video content while using mobile data services.

I try to avoid going to sketchy websites, clicking on links etc. I try to practice good hygiene when going online.

Do you have any recommendations for reading about how to be most private and secure online?

Thanks again for posting your write up.



You are quite welcome!

Most stuff you can do is pretty easy. If you aren't trying to hide your traffic from your ISP, then a VPN for you doesn't make sense. I'd suggest using OpenDNS or similar as your DNS provider (it gives you some traffic filtering options, which are excellent, and blocks a lot of malware and similar) as well as a browser with Adblock Plus or uBlock. Alternatively, you could use Brave, which has a built-in blocker. Don't use Google for searching, use DuckDuckGo, and that should keep you reasonably private.


First a compliment to you as your explanation is first class. The only thing I disagree with in your posts are for my intended purposes which are some of yours as well.
For me, I do use DuckDuckGo ALL the time. I also have turned off Google's "location services" in any and every family member's Android device when possible.

Since you mention DuckDuckGo all the time, I feel (and maybe I am dead wrong) you are discounting VPNs as another source of privacy. I feel this may be doing a disservice to some in here.
More or less, you state that "If you aren't trying to hide your traffic from your ISP, then a VPN for you doesn't make sense."
Well, if you are one who wants privacy and one who does not want your information sold all over the internet or advertisers knowing your every want and desire, a VPN makes perfect sense. Using DuckDuckGo denies Google/advertisers from knowing your desires and purchases, but your ISP is just as bad, selling your information to advertisers. So why one and not the other, as again, the ISP is just as bad as Google.

Correct? This is my understanding. Your internet provider is one of the largest collectors of personal information, as much if not more than Google. Using a VPN denies them this. It also denies less scrupulous sites and/or people your location.
 
Originally Posted by alarmguy
Correct? This is my understanding. Your internet provider is one of the largest collectors of personal information, as much if not more than Google. Using a VPN denies them this. It also denies less scrupulous sites and/or people your location.


It's going to depend entirely on your ISP as to if they collect ANY data on you at all for the purposes of monetization, which is far more of a PITA when you don't have access to the ability to control advertising content like ads provided through the browser. My ISP doesn't participate in it at all, and neither does Rogers. In fact, I'd be surprised if there was a Canadian ISP that did.

For ads to be targeted the ISP would have to provide traffic profiles, most likely based on DNS queries, that's the easiest, tied to a given IP, which then an advertising partner would target on their end. This is far more complicated than how Google does it or Microsoft. If it uses DNS, this could be wholly mitigated by simply using OpenDNS for example.

ISPs aren't going to sniff socket traffic for the purposes of determining sites visited because of the performance impact it would have and the obscene amount of data generated that would have to be parsed in that process. That's why I'd expect that if it IS taking place, they are using DNS.

Regarding location, that's just a guess based on where a specific subnet is geographically homed, they aren't determining your street address. Knowing somebody is in Toronto or New York doesn't have any privacy implications, but does allow for a targeted ad to tell you that "singles available in your area! Click here to see all singles in Toronto".
 
Originally Posted by ZeeOSix
I didn't want to start a new thread for my following comment, but got this message in Firefox 76.0 which is security related, so I'll just post it here. Any comments?

[Linked Image]



Yes, they've started operating what is essentially a DNS proxy that sends queries to Cloudflare for resolution:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https

This is one of the advantages I noted a VPN could provide when using public WiFi, but when using a VPN, ALL traffic that's clear text is encrypted through to the VPN provider, where in this case it's only DNS queries made through Firefox that receive that treatment. So if you open your e-mail client, have Steam running, etc., those queries still occur through the servers obtained by your adapter through whomever the connection is provided by, unless overridden, and then they are still plain text.

That said, this service has the advantage of the DNS queries being encrypted end-to-end, so they'd never be in clear text, unlike a VPN that uses servers that are located outside of their service.

One potential disadvantage could be the limiting of the ability for AV software to intercept, and block, traffic from malicious sites, depending on how the service is configured. Something to keep in mind.

I expect we are going to see a serious push towards DNS being encrypted going forward, as more and more traffic is end-to-end encrypted.
 
Originally Posted by OVERKILL
Originally Posted by alarmguy
Correct? This is my understanding. Your internet provider is one of the largest collectors of personal information, as much if not more than Google. Using a VPN denies them this. It also denies less scrupulous sites and/or people your location.


It's going to depend entirely on your ISP as to if they collect ANY data on you at all for the purposes of monetization, which is far more of a PITA when you don't have access to the ability to control advertising content like ads provided through the browser. My ISP doesn't participate in it at all, and neither does Rogers. In fact, I'd be surprised if there was a Canadian ISP that did.

For ads to be targeted the ISP would have to provide traffic profiles, most likely based on DNS queries, that's the easiest, tied to a given IP, which then an advertising partner would target on their end. This is far more complicated than how Google does it or Microsoft. If it uses DNS, this could be wholly mitigated by simply using OpenDNS for example.

ISPs aren't going to sniff socket traffic for the purposes of determining sites visited because of the performance impact it would have and the obscene amount of data generated that would have to be parsed in that process. That's why I'd expect that if it IS taking place, they are using DNS.

Regarding location, that's just a guess based on where a specific subnet is geographically homed, they aren't determining your street address. Knowing somebody is in Toronto or New York doesn't have any privacy implications, but does allow for a targeted ad to tell you that "singles available in your area! Click here to see all singles in Toronto".


I don't disagree with you, except here in the USA I am almost positive data from ISPs is shared.
and ..
also there is certainly nothing at all wrong with using a VPN as an additional tool for security and privacy. I mean, we can all lay down our bodies to be overrun by companies building physiological profiles on us to sell to companies so they can sell us goods, or we can do everything reasonable to limit it.
I take all the reasonable steps.

It's early Sunday morning and I'm on my first cup of coffee with a thought I never thought about before until you posted this.
If someone picks up my SSID on the street do they or can they know my IP address?
 
Originally Posted by alarmguy
It's early Sunday morning and I'm on my first cup of coffee with a thought I never thought about before until you posted this.
If someone picks up my SSID on the street do they or can they know my IP address?


Nope, you are all good on that front.
 
Originally Posted by OVERKILL
Originally Posted by alarmguy
It's early Sunday morning and I'm on my first cup of coffee with a thought I never thought about before until you posted this.
If someone picks up my SSID on the street do they or can they know my IP address?


Nope, you are all good on that front.


It might depend on what kind of WiFi hacking tools they are using.
 
Originally Posted by ZeeOSix
Originally Posted by OVERKILL
Originally Posted by alarmguy
It's early Sunday morning and I'm on my first cup of coffee with a thought I never thought about before until you posted this.
If someone picks up my SSID on the street do they or can they know my IP address?


Nope, you are all good on that front.


It might depend on what kind of WiFi hacking tools they are using.


They'd have to be ON his WiFi to figure out the IP address.
 
Originally Posted by OVERKILL
Originally Posted by ZeeOSix
Originally Posted by OVERKILL
Originally Posted by alarmguy
It's early Sunday morning and I'm on my first cup of coffee with a thought I never thought about before until you posted this.
If someone picks up my SSID on the street do they or can they know my IP address?


Nope, you are all good on that front.


It might depend on what kind of WiFi hacking tools they are using.


They'd have to be ON his WiFi to figure out the IP address.


Can a sophisticated WiFi sniffer see the network's IP address at any time?

https://www.lifewire.com/definition-of-sniffer-817996
 
Originally Posted by OVERKILL
Originally Posted by ZeeOSix
Originally Posted by OVERKILL
Originally Posted by alarmguy
It's early Sunday morning and I'm on my first cup of coffee with a thought I never thought about before until you posted this.
If someone picks up my SSID on the street do they or can they know my IP address?


Nope, you are all good on that front.


It might depend on what kind of WiFi hacking tools they are using.


They'd have to be ON his WiFi to figure out the IP address.


Ok, cool.

Does anyone know why I asked this question????????

Simple, sometimes knowing an IP address can bring you pretty close to one's town, and using a VPN will make you look far away, actually make you look any place in the world you want to be.

Google maps EVERYONE'S SSID by state, town, street, and general house number. So I was wondering if someone with that information could obtain the IP address. I guess it's a silly question but ... well ... it was a thought, you know?
You know the Google mapping truck that drives all over the country all day long mapping streets; at the same time it is recording the SSIDs of all the WiFi networks to make Google Maps more accurate.
If you're on a street, between GPS and WiFi it can tell by SSID almost within feet where you are.
 