Virtual private network
The conventional VPN describes a virtual private (self-contained) communication network. Virtual in the sense that it is not a separate physical connection; instead, an existing communication network is used as the transport medium. The VPN is used to bind participants of the existing communication network to another network.
For example, an employee's computer can access the company network from home, just as if he were sitting in the middle of it. From the point of view of the VPN connection, the networks in between (his home network and the Internet) are reduced to the function of an extension cable that connects the computer (VPN partner) exclusively with the assigned network (VPN gateway). He now becomes part of this network and has direct access to it. The effect is comparable to plugging the computer's network cable into the network assigned via VPN.
This process works regardless of the physical topology and the network protocols used, even if the associated network is of a completely different type.
The resulting benefits of a VPN can, depending on the VPN protocol used, be supplemented by encryption, which enables tap-proof and manipulation-proof communication between the VPN partners. Establishing an encrypted (virtual) network over an unencrypted network can be an important criterion, and sometimes even the main reason for using a VPN.
Since 2002, the term SSL-VPN (also web-based VPN) has covered solutions that implement encrypted remote access to company applications and shared resources without binding the SSL-VPN partner to the company network. Here the network cable is not symbolically connected to another network; only secure access to certain services of the other network is made possible.
The "VPN" part of the name for these solutions is controversial, but common in the market. From a technical point of view, they are based either on a proxy mechanism (Thin Client SSL VPN) or on the fact that the desired corporate application is itself a web application (Clientless SSL VPN), which an SSL-VPN partner can access via a secure connection but without obtaining direct access to the corporate network. In addition, SSL-VPN also supports a VPN mode in the sense of conventional VPNs (Fat Client SSL VPN).
The network to which a VPN binds its participants is sometimes also called the assigned network. The assigned network can lead into a physical network, into which external devices are integrated with the help of VPN via a special (VPN) gateway ("end-to-site" VPN). The VPN partners become part of the assigned network and can now be addressed directly from there, practically as if they were right in the middle of it. Because of this illusion, one speaks of a virtual network with respect to the VPN partner.
The gateway can also point to a purely virtual network, which only consists of further VPN partners (“end-to-end” VPN).
In addition, there is the possibility of connecting two compatible networks that are adjacent to one and the same neighboring network (“site-to-site” -VPN), whereby the neighboring network in between can also be of a completely different type.
Mutually accessible networks
As soon as at least two separate networks are connected to one another via a device, they are mutually accessible networks. The connecting device enables communication between the networks and could, for example, be a (NAT) router or a gateway; in the case of purely virtual networks (which are embedded in another network), one of the participants can also assume this function.
For example, the connecting device can be a DSL router that connects a company network to the Internet. Thanks to this device, a workstation computer can also access websites. Access to the company network for those on the Internet remains restricted: in contrast to a participant connected directly to the company network, a participant connected to the Internet cannot simply access all of the company's network resources (such as file and printer shares). For this it would have to be bound to the company network. This is exactly what a VPN makes possible, whereby the access authorization can be restricted to certain participants.
In the classic VPN configuration, the connecting device plays a central role: VPN software is installed on it. The connecting device thus becomes, in addition to its previous function, a VPN gateway (also VPN dial-in node).
In the example illustration, Netz A could be a home network, Netz B the Internet, and Netz C a corporate network. If communication with the respective adjacent network is possible up to the VPN dial-in node, VPN works across several networks, so not only participants from Netz B can dial in, but also participants from networks further away.
VPN is a pure software product
The mutually accessible networks together consist of hardware (the devices themselves, plus cables) and software, which in turn is required by the devices in order to "tell" them what they should actually do.
VPN software is required in order to bind a participant from his original network to a network that can be reached from there. In the classic configuration it is installed on the one hand on the device that connects the networks and on the other hand on the participant to be integrated. VPN works without an additional cable having to be laid or anything else being added to the hardware. In terms of its concept, VPN is therefore a pure software product. However, that does not mean that VPN cannot be implemented with separate devices that are optimized for such a solution. There is hardware, so-called VPN appliances, based on a specially secured (hardened) operating system, in which, for example, a corresponding hardware design helps to accelerate parts of the (optional) encryption. Using special VPN devices can be a sensible measure. However, this is only one option, as VPN can also be implemented without these devices.
Referring to the example illustration, VPN client software is running on the device with Netzwerk-Anschluss A2, and this software assigns the device to Netz B. The former PC A2 thereby becomes the "Netz B" participant PC B7, our VPN partner.
This VPN partner now sends a message to, for example, PC B2. The message is handed for forwarding to the VPN-Adapter, which is part of the VPN client software. Figuratively, the adapter puts the message in an envelope (address = "PC B2", sender = "PC B7") and then hands the letter to Netzwerk-Anschluss A2. There the letter is put into another envelope (address = "Netzwerk-Anschluss A3" (VPN-Gateway), sender = "Netzwerk-Anschluss A2") and handed over to Netz A.
The trick is that the VPN packets can be addressed separately (outer envelope), regardless of their content and their original addressing (inner envelope), so that the letter can be sent in a form that is compatible with Netz A. From a technical point of view, the original network packets (inner letter) are packed into a VPN protocol for transport. This is why VPN is also called a tunnel.
Netzwerk-Anschluss A3 receives the letter and hands it over to the software "VPN-Gateway" running on that device. This software removes the outer envelope and forwards the inner letter on into the network to PC B2 (the addressee of the inner envelope).
PC B2 sends its answer back to PC B7. Netzwerk-Anschluss B6 intercepts the letter, because the VPN-Gateway recognizes that the address "PC B7" belongs to one of its VPN partners. The VPN-Gateway figuratively puts this letter, too, into a second envelope (address = "Netzwerk-Anschluss A2", sender = "Netzwerk-Anschluss A3") and directs it into Netz A. Netzwerk-Anschluss A2 takes the letter and hands it over to the VPN-Adapter, which removes the outer envelope and hands over the inner letter.
In very simplified terms, from the point of view of the VPN partner, Netz A has been reduced to the function of an extension cable that connects PC B7 directly to Netz B. For both communication partners, PC B2 and PC B7, it looks as if PC B7 were in the middle of Netz B and not in Netz A. They notice nothing of the mechanisms in between.
The resulting benefit of a VPN can, depending on the VPN protocol used, be supplemented by encryption, which ensures that the communication between PC B7 and Netz B cannot be viewed or manipulated by anyone in Netz A. This optional VPN encryption is part of the outer envelope. It therefore does not reach into Netz B, but ends (or, on the return route, begins) before it.
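The envelope mechanism just described, modelled as an added example (this is not code from the article): the figure's names PC B7, PC B2, Netzwerk-Anschluss A2/A3 and VPN-Gateway are reused, while the Packet, Envelope, VpnAdapter and VpnGateway classes and the partner check in the gateway are constructed here.

```python
"""Model of the "envelope" (encapsulation) mechanism described in the text.
Added illustration, not code from the article; the classes are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Inner letter: addressed with names of the assigned network (Netz B)."""
    dst: str
    src: str
    payload: str


@dataclass(frozen=True)
class Envelope:
    """Outer letter: addressed with names of the transport network (Netz A).
    The inner packet travels unchanged; Netz A only reads the outer header."""
    dst: str
    src: str
    inner: Packet


class VpnAdapter:
    """Client side: the device at Netzwerk-Anschluss A2 appears in Netz B as PC B7."""

    def __init__(self, inner_addr: str, outer_addr: str, gateway_addr: str) -> None:
        self.inner_addr = inner_addr      # name inside Netz B, e.g. "PC B7"
        self.outer_addr = outer_addr      # name inside Netz A, e.g. "Netzwerk-Anschluss A2"
        self.gateway_addr = gateway_addr  # Netz A address of the VPN gateway

    def send(self, dst: str, payload: str) -> Envelope:
        """Put the inner letter into an outer envelope addressed to the gateway."""
        inner = Packet(dst=dst, src=self.inner_addr, payload=payload)
        return Envelope(dst=self.gateway_addr, src=self.outer_addr, inner=inner)

    def receive(self, env: Envelope) -> Optional[Packet]:
        """Remove the outer envelope; drop anything not from our gateway or not for us."""
        if env.dst != self.outer_addr or env.src != self.gateway_addr:
            return None
        return env.inner


class VpnGateway:
    """Dial-in node: knows which Netz B names belong to VPN partners and at
    which Netz A address each partner is reachable."""

    def __init__(self, outer_addr: str, partners: Dict[str, str]) -> None:
        self.outer_addr = outer_addr
        self.partners = dict(partners)    # inner (Netz B) name -> outer (Netz A) address

    def from_transport_net(self, env: Envelope) -> Optional[Packet]:
        """Envelope arrives from Netz A: strip it and pass the inner letter into Netz B.
        The inner sender must match the registered partner, so a stranger in Netz A
        cannot drop letters into Netz B under a partner's name (constructed check)."""
        if env.dst != self.outer_addr or self.partners.get(env.inner.src) != env.src:
            return None
        return env.inner

    def from_assigned_net(self, pkt: Packet) -> Optional[Envelope]:
        """Packet seen in Netz B: intercept it only if the destination is a VPN partner."""
        partner_outer = self.partners.get(pkt.dst)
        if partner_outer is None:
            return None                   # ordinary Netz B traffic, not intercepted
        return Envelope(dst=partner_outer, src=self.outer_addr, inner=pkt)


def visible_in_transport_net(env: Envelope) -> Tuple[str, str, int]:
    """What a passive observer in Netz A still learns when the inner letter is
    encrypted: the two tunnel endpoints and the envelope size (the "milk glass
    tube" point made in the Limits section of this page)."""
    return env.dst, env.src, len(env.inner.payload)


def round_trip() -> Tuple[Optional[Packet], Optional[Packet]]:
    """PC B7 (really the device at Netzwerk-Anschluss A2) writes to PC B2 and
    gets the answer back. Returns (letter delivered into Netz B, letter received)."""
    adapter = VpnAdapter("PC B7", "Netzwerk-Anschluss A2", "Netzwerk-Anschluss A3")
    gateway = VpnGateway("Netzwerk-Anschluss A3", {"PC B7": "Netzwerk-Anschluss A2"})

    # Outbound: the adapter wraps, Netz A carries the outer envelope, the gateway unwraps.
    delivered = gateway.from_transport_net(adapter.send("PC B2", "hello"))

    # Return route: PC B2 answers PC B7; the gateway intercepts because PC B7 is
    # one of its partners, wraps the answer and sends it back into Netz A.
    env_back = gateway.from_assigned_net(Packet(dst="PC B7", src="PC B2", payload="world"))
    received = adapter.receive(env_back) if env_back is not None else None
    return delivered, received
```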
In a real environment, Netz B could for example be a company network and Netz A the Internet (in a greatly simplified representation here), via which a device directly connected to the Internet dials into the company via VPN. Alternatively, Netz A could also be the employee's private home network, in which case the Internet would lie between it and Netz B (denoted as "Punkt X" in the example figure). At this point there can be several networks in between, which the letter passes through thanks to the outer envelope before it arrives.
VPN works largely independently of the physical topology and the network protocols used, even if the assigned Netz B is of a completely different type. Since the actual network packets are packed into the VPN protocol, they (the inner letters, i.e. the "Netz B" network protocols) only have to be understood by the VPN partners, not by the intervening network components of Netz A. Those only need to understand the transport data of the outer envelope, i.e. know the network protocol used for the transport.
Compared to other types of tunnels in a TCP/IP network, the VPN tunnel is distinguished by the fact that it forwards all network packets independently of higher-level protocols (HTTP, FTP etc.). In this way it is possible to transport the data traffic of two network components practically unrestricted through another network, which is why even complete networks can be connected to one another across one or more neighboring networks (as labelled in the figure).
As soon as VPN-Gateway 1 recognizes that a message is addressed to a participant reachable through the tunnel (PC A2-...), it is symbolically put into the second envelope according to the mode of operation described above and sent to VPN-Gateway 2. If, on the other hand, VPN-Gateway 2 recognizes that a message is addressed to a participant reachable through the tunnel (PC A1-...), it sends it according to the same principle in the opposite direction.
In the example figure, there are two virtual networks in Netz A in addition to its usual participants. Each of these is a private (self-contained) network that follows its own rules, starting with the type of addressing and extending to the communication protocol used. Nevertheless, they share (at least partially) the same physical line and infrastructure, which is made possible, figuratively, by the second envelope according to the mode of operation described above.
In relation to the VPN-Partner, including the VPN-Gateway, one can say that VPN is an independent network encapsulated in another network.
This can refer to the entire network if it consists exclusively of VPN partners, as is the case with Netz B. However, it can also refer to only part of the communication path, as is the case with Netz C. There the VPN ends in its own physical network; when a participant connected directly to Netz C (e.g. C1) communicates with a "Netz C" VPN partner (e.g. C6), the encapsulation begins or ends (return route) here.
According to their origins, VPNs form such closed virtual networks within a public dial-up network. These include voice communication networks , X.25 , Frame Relay and ISDN , which thanks to this concept can be operated in parallel over one and the same physical infrastructure, the public switched network. They are physically (at least partially) embedded in the dial-up network above, but to the participants it looks as if each network has its own line.
Properties of a VPN
VPN forms its own logical network, which is embedded in a physical network and uses the addressing mechanisms customary there, but transports its own network packets in terms of data technology and thus works separately from the rest of this network. It enables communication between the VPN partners in it and the assigned network, is based on tunnel technology , can be configured individually, is customer-specific and is self-contained (therefore " private ").
Practical uses of a VPN
As soon as a computer establishes a VPN connection, the process is comparable to changing its network cable from its original network to the newly assigned network, with all the effects such as changed IP addresses and differences in routing .
For example, if the computer calls up a website, the request is now routed from the newly assigned network to the Internet. The request is therefore subject to the restrictions of the assigned network and no longer those of the original network. Journalists in countries where free access to the Internet is not possible, for example, use this to circumvent the access restrictions. The only requirement is that the computer can establish a connection to the VPN gateway from its original network . The VPN gateway is usually located in another country or a network with free internet access. It is said that the Internet requests (as well as all other network requests) are tunneled via VPN .
Another reason to tunnel Internet access is to protect privacy. For cell phones, notebooks, tablets and other devices, the data traffic can be easily read by third parties as soon as public access is used for internet access. Not all access can be set up encrypted via the direct route, and even if the user uses an encrypted connection for certain processes, the information about where he has established a connection remains visible. A VPN tunnel solves both problems, since (depending on the VPN protocol) all network packets up to the exit of the VPN tunnel can be encrypted . In addition, anyone who may be reading the data traffic of the public access can only see a connection to the VPN gateway. The actual destination remains hidden to him because he cannot see where the connection is being forwarded from there.
These are just two examples, which on the one hand show the benefits of changing networks and on the other hand address the benefits of a possible encryption. The resulting possible applications are diverse.
- Local networks of several branch offices can be connected to one another in a secure manner via the Internet (a so-called site-to-site connection).
- An employee's computer can gain secure access to the company network from home via VPN. To do this, he establishes a connection to the Internet. Then he starts a VPN software (the VPN client that virtually simulates the structure of the company network on the local computer). This establishes a connection to the company's VPN gateway via the Internet . After authentication, the employee has access to the company network - just as if he were sitting in the middle of it. This type of connection is called end-to-site . The procedure is also used to secure WLAN and other radio links.
- In contrast to end-to-site VPN, some manufacturers (for example at MSDN, at VoIP-Info.de, at tomsnetworking.de) use Mobile VPN as a name for a VPN that supports seamless roaming between, for example, GPRS, UMTS and WiFi. This is intended to enable a permanent network connection without constant re-dialing.
- It is also possible that the employee's computer is not connected via VPN to a remote physical company network but rather directly to a server. Here VPN is used for secure access to the server. This type of connection is called end-to-end. In this way it is also possible to set up a logically (but not physically) encapsulated virtual network that consists only of other VPN partners who have also connected to the server. The VPN partners can now communicate securely with one another.
- There is also the possibility of two servers talking to each other via VPN without the communication being visible to third parties (which corresponds to an end-to-end connection, which in such a case is sometimes called host-to-host).
FreeS/WAN and its successors, Openswan and strongSwan, also offer the option of so-called "opportunistic encryption": a tunnel is set up to every computer with which one's own computer exchanges data, provided that it provides a key via DNS.
- Similar to dialing into a company network from home, any client from the company network can also dial via VPN into a separate, specially secured network within the company: a private (data-encapsulated) network within the company network in which the clients use the same physical line up to the VPN gateway as all other clients in the network, with the difference that all VPN network packets can be transmitted in encrypted form up to the gateway.
- Computer games whose original infrastructure is no longer available over the Internet, but which have a LAN-based multiplayer mode, can continue to be played over the Internet using VPN. VPN solutions for this purpose are e.g. LogMeIn Hamachi and Tunngle.
- With the freely available game platform Voobly, which offers simple administration of multiplayer games (mainly Age of Empires II), the "Fast Proxy" can be avoided when using a VPN. This is especially useful for players who have NAT enabled in their local network.
Depending on the VPN protocol used, the network packets can usually be encrypted . Since this makes the connection tap-proof and tamper-proof, a connection to the VPN partner can be established through an insecure network without incurring an increased security risk. Alternatively, unsecured plain text connections can be established via VPN.
Inclusion of third-party computers in the VPN
Certain VPN connections are established using separately operated servers. This is used, among other things, to make the mutual accessibility of the subnetworks connected via VPN easy for the user, even with changing IP addresses. Even if the VPN connection is not in use, background programs installed with such VPN software may continuously exchange data with the externally operated server. Redirecting sensitive data through such a system requires an assessment of the additional risks for data security, e.g. regarding the location and trustworthiness of the service provider as well as the encryption method to be used.
Interaction with other security components
The software for establishing the VPN connection works independently of certain security settings of the device physically used to establish the connection. For example, software in the firewall settings of a router can be expressly excluded from being allowed to use Internet connections, but still establish the VPN connection.
Limits of the VPN
However, even encrypted packets reveal which VPN remote stations are involved in the communication, and the number and size of the data packets may, under certain circumstances, allow conclusions about the type of data. The analogy sometimes used, of a tunnel that cannot be seen into, is therefore misleading; a comparison with a milk glass (frosted glass) tube is more accurate. Even if a VPN can be set up quickly and easily with modern software, operating a VPN always requires a properly carried out risk assessment with regard to data security.
VPNs are based on the following underlying protocols:
- DMVPN for setting up IPsec-based VPNs.
- fastd, written by Matthias Schiffer, which operates as a Layer 2 or Layer 3 VPN with small resource requirements and is therefore well suited for embedded systems, in particular in mesh networks such as Freifunk.
- getVPN developed by the company Cisco to set up the IPsec tunnels practically automatically on all routers belonging to the network with the help of a central key server.
- IPsec is suitable for both site-to-site VPNs and end-to-site VPNs.
- PPPD (PPP daemon ) and SSH in combination can route all IP traffic through a tunnel . The solution is similar to PPTP without its security problems.
- PPTP (broken) and L2TP ( Layer 2 VPN protocols)
- SSTP Secure Socket Tunneling Protocol introduced by Microsoft in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an SSL 3.0 channel.
- TLS / SSL are mainly used for end-to-site VPNs.
- ViPNet is particularly suitable for end-to-end VPNs, but also allows end-to-site and site-to-site VPNs.
- SVR is suitable for site-to-site VPNs; the session-based concept was derived from the SBC.
Many modern operating systems contain components that can be used to set up a VPN. Linux has an IPsec implementation since Kernel 2.6, older kernels require the KLIPS-IPsec kernel module, which is provided by Openswan and strongSwan . Also BSD , Cisco IOS , z / OS , macOS and Windows are IPsec-capable.
The virtual network adapter of a VPN session
The VPN software used usually provides the entrance to the VPN tunnel as an additional virtual (not hardware) network adapter. In this way, from the point of view of the operating system and the application software, there is no difference between the VPN tunnel and a physically existing network. The virtual network adapter can be included in the routing in exactly the same way as the real network adapter and, just like this, can transport packets from all services.
- Closed tunnel
- The default route (standard gateway) can be changed to the VPN network adapter. This is often desirable because it ensures that all connections of the application software are actually routed via the VPN network adapter and thus into the VPN software, which encrypts them before they are then transferred from the computer via a hardware network adapter to the VPN remote station (VPN gateway / dial-in node). Internet requests are still possible, but no longer direct: they are now first routed into the assigned network (e.g. the company network). If the assigned network allows Internet access, the request is sent from there to the contacted Internet server. Depending on the type of Internet interface, the user may not even notice this difference (to him it looks as if he can still access the Internet directly).
- Split tunneling
- Difficulties arise if you only want to reach individual communication partners via the VPN tunnel (e.g. computer in a company network), but have to address other communication partners without VPN in parallel (printer or computer in your own LAN). Here you have to adapt the routing tables for reaching the company network and leave the default route on the network adapter in the hardware.
- If the VPN software switches the name server to be used to a name server in the VPN, the difficulty is that this server cannot resolve names outside the VPN. Here, too, manual configuration is necessary, by adding another name server from one's own LAN to the network adapter. However, this can lead to a so-called DNS leak, which makes it possible to identify the user from outside the network. This happens when the requests for name resolution are not first sent via the secure network but continue to be made via the unsecured network. In this case, despite the VPN connection, a party outside the network can record the entire request and thus read out the user's IP address. The problem can be rectified by assigning the network adapter a DNS server from the VPN network that has a higher priority than the DNS server of the local LAN.
- See also: split tunneling
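The closed tunnel, split tunneling and DNS-leak cases above, modelled as an added example with a small routing table (not code from the article): the interface names tun0 (VPN adapter) and eth0 (hardware adapter), the prefixes and the resolver addresses are constructed values from documentation ranges.

```python
"""Closed tunnel versus split tunneling, and the DNS-leak check, as a
routing-table model. Added illustration, not code from the article; the
topology below is constructed (RFC 5737 documentation prefixes)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, outgoing interface)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the rule the IP stack uses to choose the interface."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed topology: own LAN 192.0.2.0/24 on eth0, assigned (company)
# network 198.51.100.0/24 behind the VPN adapter tun0, VPN gateway reachable
# at the public address 203.0.113.10.
LAN = ipaddress.ip_network("192.0.2.0/24")
COMPANY = ipaddress.ip_network("198.51.100.0/24")
GATEWAY_PUBLIC = ipaddress.ip_network("203.0.113.10/32")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Closed tunnel: the default route is moved to tun0, so Internet requests are
# first carried into the assigned network. The gateway's own address keeps a
# host route via eth0, otherwise the tunnel's outer packets would be routed
# back into the tunnel itself.
CLOSED_TUNNEL: List[Route] = [
    (LAN, "eth0"),
    (GATEWAY_PUBLIC, "eth0"),
    (COMPANY, "tun0"),
    (DEFAULT, "tun0"),
]

# Split tunneling: only the company prefix is sent through tun0; the default
# route stays on the hardware adapter, so the local printer and the Internet
# are reached directly and without VPN protection.
SPLIT_TUNNEL: List[Route] = [
    (LAN, "eth0"),
    (COMPANY, "tun0"),
    (DEFAULT, "eth0"),
]


def dns_leaks(table: List[Route], resolvers: List[str]) -> List[str]:
    """Resolvers whose queries would leave through the hardware adapter.
    Each one is a leak candidate: an observer on the unsecured network then
    sees the names the user looks up, even though the VPN is connected."""
    return [r for r in resolvers if lookup(table, r) != "tun0"]


def vpn_resolver_preferred(table: List[Route], resolvers: List[str]) -> bool:
    """The fix described in the text: the VPN network's DNS server must have
    the higher priority, i.e. come first in the resolver list."""
    return bool(resolvers) and lookup(table, resolvers[0]) == "tun0"
```

Note that `dns_leaks` lists every resolver reachable outside the tunnel, not only the first, because some stub resolvers fall back to, or query in parallel, the lower-priority servers; a LAN resolver that stays configured is therefore a leak candidate even with a closed tunnel.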
Cons of a VPN
Using a VPN service means additional work, as all communication is encrypted. For this reason, the bandwidth is always a bit lower when using VPN. How big the difference in performance is mainly depends on the VPN service used and the distance from the provider.
Despite the use of VPN, the user cannot assume 100% anonymity. The VPN provider has the option of tracking all of the activities that take place on his server. There is also the risk of a data leak on the VPN server side. That is why the trustworthiness of the provider plays a major role, especially with sensitive data.
VPN on routers
With the increasing use of VPNs, many companies have begun to use VPN connectivity on routers for additional security and encryption of data transmission using various cryptographic techniques. Home users typically use VPNs on their routers to protect devices such as smart TVs or game consoles that are not supported by local VPN clients. Supported devices are not limited to those that can run a VPN client.
Many router manufacturers deliver routers with integrated VPN clients. Some use open source firmware like DD-WRT , OpenWRT, and Tomato to support additional protocols like OpenVPN .
SSL VPNs use the secure SSL or TLS protocol for the transmission of your data.
However, this does not apply to end-to-site VPNs. A so-called fat client SSL VPN (a fully comprehensive conventional VPN) can, for example, give a mobile computer access to a company network. This is a common VPN variant because it also works in environments in which an employee cannot set up an IPsec tunnel due to restrictions at a customer's site. As is usual with other conventional VPNs, it is also necessary here to install VPN client software on the computer that virtually simulates the assigned network (see VPN adapter). It is then possible to transfer the entire network traffic of the VPN partner via the encrypted SSL connection and thus to bind the PC to the remote network.
With all other SSL VPNs, the installation of the otherwise usual VPN client software is at least partially omitted.
A Thin Client SSL VPN only needs a plug-in (a kind of expansion module) for a web browser , whereby the browser is already pre-installed on the most common operating systems . The downloaded plug-in works on the client as a proxy and thus enables access to the corresponding network services from the remote network.
A clientless SSL VPN accesses the web pages of a company's web server via a browser without special software extensions. Remote access is only possible to the server's web applications. The company's web server can internally implement communication with other company applications and thus act as an interface to these applications. However, web access to them is often only possible to a limited extent if these applications are not themselves web-based.
- Joseph Davies, Elliot Lewis: Virtual Private Networks with Windows Server 2003. (Secure network connection with VPNs). Microsoft Press, Unterschleißheim 2004, ISBN 3-86063-962-5 ( specialist library ).
- Kai-Oliver Detken , Evren Eren: Extranet. VPN technology for building secure company networks. Addison-Wesley, Munich a. a. 2001, ISBN 3-8273-1674-X ( Datacom Academy ).
- Gerhard Lienemann: Virtual Private Networks. Structure and use. Vde-Verlag, Berlin a. a. 2002, ISBN 3-8007-2638-6 .
- Manfred Lipp: VPN - Virtual Private Networks. Construction and security. Completely revised and expanded edition. Addison-Wesley, Munich a. a. 2006, ISBN 3-8273-2252-9 ( net.com ).
- Ralf Spenneberg : VPN with Linux. Basics and application of virtual private networks with open source tools. 2nd fully updated edition. Addison-Wesley, Munich a. a. 2010, ISBN 978-3-8273-2515-0 ( Open Source Library )
- Daniel Bachfeld: VPN etiquette . In: c't , 07/06, p. 114
- Comparison of the most important anonymization tools for the Internet - Tor, JonDo, VPN and web proxies. July 31, 2013
- Risks in connection with virtual private networks (VPN) - information from the Reporting and Analysis Center for Information Assurance MELANI of the Swiss Federal Administration
- Paul Ferguson, Geoff Huston: What is a VPN? (PDF; 652 kB) April 1998
- tunneling protocols for VPN from tcp-ip-info.de
- Making way for the new VPN. In: Network World, December 23, 2002, Volume 19, No. 51, p. 64 (limited preview in Google Book Search).
- Example of using the term "VPN" in the sense of "Reverse Web Proxy": Cisco ASA: Clientless SSL VPN (WebVPN) on ASA Configuration Example. Retrieved on October 20, 2013: "Clientless SSL VPN [...] A remote client needs only an SSL-enabled web browser to access http or https-enabled web servers on the corporate LAN. [...] A good example of http access is the Outlook Web Access (OWA) client."
- Example of using the term "VPN" in the sense of "Reverse Web Proxy": Citrix Access Gateway: How to Configure Clientless VPN to Sharepoint Access. Retrieved on October 20, 2013: "Clientless mode VPN access to SharePoint provides a secure, feature-rich, and zero client footprint solution to accessing company resources." (Page no longer available; search in web archives.)
- Example of using the term “VPN” in the sense of “Reverse Web Proxy”: Check Point: Access Web Portal Check Point Remote Access Solutions . Retrieved October 20, 2013: “The Mobile Access Portal is a clientless SSL VPN solution. [...] The Mobile Access Portal supplies access to web-based corporate resources. "
- Choosing the right VPN technology , by Jürgen Hill, Computerwoche, November 2, 2007, archived on tecchannel.de
- End-to-Site VPNs from Virtual Private Networks - Worldwide LANs by Tobias Zimmer, 1999, teco.edu
- End-to-end VPNs from virtual private networks - worldwide LANs by Tobias Zimmer, 1999, teco.edu
- Site-to-Site VPNs from Virtual Private Networks - Worldwide LANs by Tobias Zimmer, 1999, teco.edu
- Secure data transmission despite the Internet - Virtual Private Networks by Marcel Binder, March 2008, on tomshardware.de
- VPN: virtual private network: Virtual private network. In: itwissen.info. April 8, 2012, accessed February 9, 2015 .
- Mobile VPN. In: msdn.microsoft.com. Retrieved February 9, 2015 .
- 3GSM: SafeNet with a new VPN client for mobile devices ( Memento from February 11, 2010 in the Internet Archive ) In: voip-info.de
- Götz Güttich: Test NetMotion Wireless Mobility XE 8.5: VPN without stuttering. In: tomsnetworking.de. June 26, 2009, accessed February 9, 2015 .
- Sudhanshu Chauhan, Nutan Kumar Panda: Hacking Web Intelligence: Open Source Intelligence and Web Reconnaissance Concepts and Techniques . Syngress, 2015, ISBN 978-0-12-801912-2 , pp. 167 ( limited preview in Google Book search).
- Mitch Tulloch: SSTP Makes Secure Remote Access Easier. In: biztechmagazine.com. January 22, 2008, accessed February 9, 2015 .
- Fixing the Internet Using Secure Vector Routing. In: 128 Technology. June 8, 2017, Retrieved February 10, 2020 (American English).
- Avoid DNS leak. In: spyoff.com. Retrieved February 4, 2016 .
- m whites: Complete guide to the advantages and disadvantages of VPNs. In: Medium. April 25, 2017. Retrieved February 5, 2019 .
- How VPNs Work. April 14, 2011, accessed February 7, 2019 .
- How to install a VPN on your router
- VPN. Retrieved February 7, 2019 .
- Daniel Bachfeld: VPN etiquette - VPN protocols and standards . c't . April 13, 2006. Retrieved March 7, 2011.