VPN – Why? What? How?

In this series of posts I will show how to use IPsec technology and VPNs to secure your data when roaming on public hotspots with your mobile devices, and then how to run your own VPN server or connect your home network so that some traffic is forwarded through the VPN and the rest through your ISP's network. This post introduces the basic VPN concepts.

Protecting your data with VPN technology

A few days ago I went with my son to a 5-team water-polo tournament (by the way, his team won all 4 of their matches :-)) and at the swimming pool there was an open hotspot: no password, no security. Many of my son’s mates and their parents just connected to it (laptops, iPhones, iPads, all species of smartphones and tablets) without a second thought. This could be fine for casual browsing, but even that exposes your tastes and habits in terms of the sites you visit. If you are sending email, filling in web forms over non-SSL connections, or you wish to keep your browsing private, you should take measures to do exactly that: protect your privacy. Actually the privacy of your connection really depends on where the traffic goes and whether it is in the clear or encrypted. Many email clients use SSL to protect the exchanges with the servers, but not all are correctly configured. Is your client using SSL connections? Are you sure? Did you check lately?

Network Diagram

[Figure: Typical Network]

The above is a very simple network, which could easily represent what you find in many open hotspots. There is usually an air segment which, in a public hotspot, is in the clear (no encryption: no WEP, no WPA, nothing), and even where it is encrypted many vulnerabilities have been discovered (WEP, being the oldest and weakest protocol, should not be considered anymore: see this Wikipedia article for some additional details).

So now you might be concerned that your traffic is sent in the clear and someone could intercept your data, discovering which servers you are connecting to and what the content of the transaction is. Mind you, even if you are using SSL, the snooper would still be able to observe and analyze your traffic patterns (who you are connecting to, what kind of transactions, and how much data you are transmitting). So how can we fix this? Well, with a VPN of course.

How VPN works

[Figure: VPN Working Principle]

In a networked environment (and very often even within the same computer) applications communicate with each other through the network stack. One application sends a packet composed of a source IP, a destination IP (sometimes port numbers), flags and a payload. No matter where the receiving application is (same computer or across the world), the networking software will take the proper decision and deliver (best effort) the packet to the other application.

Referring to the network diagram above, this might involve crossing unsecured network segments (an open WiFi hotspot, for example), and your data could fall prey to unscrupulous people.

If you adopt a VPN configuration (let’s assume the simplest one, with a software client running on your own computer) the packet, before leaving the computer, is handed over to the VPN client. The VPN client encrypts the whole packet (source IP, destination IP, flags and payload included). The VPN client also knows where in the world the VPN server is and has keys to authenticate to it, so it forwards the newly created packet to the VPN server.

This is also called tunneling because, to the sending computer, the VPN interface (the virtual interface where the packets are delivered) appears as a single logical hop to the VPN server, while the actual encrypted packet crosses several networks and routers.

The VPN server, once it receives the packet, decrypts it and is then able to discover the real destination. It replaces the source IP with its own (so the destination host will send traffic back to the VPN server) and creates a state table entry with the details needed to send back the returning traffic, which will also be encapsulated in an encrypted packet on its way back.
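The following is an added example (not code from the original post) that models the tunneling just described, end to end: the inner packet with its source IP, destination IP, ports, flags and payload; the client wrapping the whole thing in an encrypted outer packet addressed to the VPN server; the server decrypting it, rewriting the source address, recording a state table entry and forwarding; and the reply travelling back through the same state entry. It also shows what a snooper on the air segment sees in each case. It uses only the Python standard library; the tunnel cipher is a constructed encrypt-then-MAC scheme built from an HMAC-SHA256 keystream plus an HMAC tag, standing in for what a real VPN does with IPsec ESP or TLS and a cipher such as AES-GCM. All IP addresses, ports and packet contents are constructed sample values.

```python
"""Toy model of VPN tunneling (added example, not the original post's code).

Stdlib only. The tunnel cipher is a constructed encrypt-then-MAC scheme made
from an HMAC-SHA256 keystream plus an HMAC tag; a real VPN uses IPsec ESP or
TLS with a cipher such as AES-GCM. All addresses are constructed samples.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct

HEADER = struct.Struct("!4s4sHHH")  # src IP, dst IP, src port, dst port, flags
TUNNEL_PORT = 4500                  # UDP port used by IPsec NAT traversal


def build_packet(src, dst, sport, dport, flags, payload):
    """Serialize the simplified packet the post describes: IPs, ports, flags, payload."""
    return HEADER.pack(ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, sport, dport, flags) + payload


def parse_packet(raw):
    src, dst, sport, dport, flags = HEADER.unpack(raw[:HEADER.size])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "flags": flags, "payload": raw[HEADER.size:]}


# --- constructed tunnel cipher: encrypt-then-MAC, stdlib only ----------------
def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(keys, plaintext):
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(keys, sealed):
    enc_key, mac_key = keys
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet failed authentication")  # tampered or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- the two ends of the tunnel ----------------------------------------------
class VpnClient:
    def __init__(self, hotspot_ip, server_ip, keys):
        self.hotspot_ip, self.server_ip, self.keys = hotspot_ip, server_ip, keys

    def encapsulate(self, inner):
        """The whole inner packet, headers included, becomes the payload of an outer packet."""
        return build_packet(self.hotspot_ip, self.server_ip, TUNNEL_PORT, TUNNEL_PORT, 0,
                            seal(self.keys, inner))

    def decapsulate(self, outer):
        return unseal(self.keys, parse_packet(outer)["payload"])


class VpnServer:
    def __init__(self, public_ip, keys):
        self.public_ip, self.keys = public_ip, keys
        self.state = {}  # (remote IP, remote port, NAT port) -> (client IP, inner src IP, inner sport)
        self.next_nat_port = 40000

    def from_client(self, outer):
        o = parse_packet(outer)
        inner = parse_packet(unseal(self.keys, o["payload"]))
        nat_port, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
        self.state[(inner["dst"], inner["dport"], nat_port)] = (o["src"], inner["src"], inner["sport"])
        # Source rewritten to the server's own address so the reply comes back here.
        return build_packet(self.public_ip, inner["dst"], nat_port, inner["dport"],
                            inner["flags"], inner["payload"])

    def from_internet(self, raw):
        p = parse_packet(raw)
        client_ip, inner_src, inner_sport = self.state[(p["src"], p["sport"], p["dport"])]
        inner = build_packet(p["src"], inner_src, p["sport"], inner_sport, p["flags"], p["payload"])
        return build_packet(self.public_ip, client_ip, TUNNEL_PORT, TUNNEL_PORT, 0,
                            seal(self.keys, inner))


def observer_view(raw):
    """What a snooper on the air segment can read from one packet."""
    p = parse_packet(raw)
    return {"src": p["src"], "dst": p["dst"], "bytes": len(raw), "payload": p["payload"]}


def demo():
    keys = (secrets.token_bytes(32), secrets.token_bytes(32))  # agreed after authentication
    client = VpnClient("192.0.2.10", "198.51.100.5", keys)      # hotspot-assigned IP, VPN server IP
    server = VpnServer("198.51.100.5", keys)
    request = build_packet("192.0.2.10", "203.0.113.80", 51000, 80, 0x02, b"GET /mail HTTP/1.1")

    on_air = client.encapsulate(request)        # this is what crosses the open hotspot
    forwarded = server.from_client(on_air)      # this is what hits the Internet
    reply = build_packet("203.0.113.80", "198.51.100.5", 80, parse_packet(forwarded)["sport"],
                         0x10, b"HTTP/1.1 200 OK")
    back = client.decapsulate(server.from_internet(reply))
    return {"clear": observer_view(request), "tunneled": observer_view(on_air),
            "forwarded": parse_packet(forwarded), "reply": parse_packet(back)}


if __name__ == "__main__":
    for name, view in demo().items():
        print(name, view)
```

Running `demo()` shows the point of the earlier section: on the air segment the untunneled request exposes the real destination and the cleartext payload, while the tunneled packet exposes only the client's hotspot address, the VPN server's address and the packet length. On the far side the forwarded packet carries the server's own source address and a NAT port, which is the key the server later uses to find the state entry and route the reply back into the tunnel.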

Does this really improve security? After all, from the VPN server to the destination host the packet travels the Internet unencrypted and for all to see … In my opinion the security of your transaction is way better, since the packet will hit the Internet from the network of your VPN provider. Usually this is a secure data center with multi-Gigabit links. It is a bit more difficult to extract your data stream from there; additionally, you would have created geographical separation between you (in Europe, maybe) and your unencrypted data (your VPN provider could be in the USA or somewhere else). Also, your IP address will be that of your VPN provider’s server, and therefore you will appear to the destination host as coming from somewhere else. In fact a VPN is sometimes used to access sites that use IP geo-localization to customize their offering (or remove it altogether), or to access the uncensored Internet from censoring areas. Using a VPN anonymizes you to a certain degree (not to your VPN provider, which will happily surrender your access logs to the proper authority, and with the Patriot Act in force, an FBI badge is proper authority, no warrant needed).

Bottom line: a VPN is an instrument to secure your communication, anonymize you to a certain degree, and allow you to access your services when traveling in areas that would otherwise prevent you from accessing them (censorship, restrictive geo-localization, filtering firewalls). It is not an invisibility cloak for misdeeds that lets you remain unpunished. Use it wisely.

In a follow-up post I will show you how to select a VPN (what the key elements in the choice are) and how to configure a router to connect a network to a VPN server, so that all the traffic from the computers in the network (or selected traffic) can be encrypted or appear to come from a different part of the world.

About Fabio

Love of technology and flying have been the drivers of my life, more about me.