From the course: Learning VPN

How VPN works

- [Instructor] IP networking allows information to flow between networks, crossing from your local network to intermediate networks to the publicly available resources on the destination network. This is how regular online activity, like browsing the Web or checking your e-mail, works, but if we need to access resources on a protected network, where the hosts aren't exposed directly to the Internet, we need a different approach. A protected network, like your home or office network, by definition doesn't let traffic from the Internet access devices on the network without there already being an outgoing connection to the same host. This is due, in part, to firewall rules, but mostly due to the fact that devices on a protected network are usually operating in a local IP address space, which is not routable across the Internet. Most of the time it's a pretty bad idea to make protected resources directly accessible on the Internet, so to access these hosts, our traffic needs to come from the same protected network. To do this, we need to cheat a little bit and set up a connection that can travel across the Internet, through which we can send local traffic from our system to a remote system. That's done by setting up a connection between the local device and a device that's attached to the protected network, using software that allows the traffic to travel through that tunnel and act as though it's coming from within the protected network. This connection is a network connection, and as we'll soon see, it's a private network between virtual network interfaces, so it's a network that's virtual and private to those two endpoints, a virtual private network: it's a VPN.

I should note here that the private part of the virtual private network refers to the nature of the network. It's a private network between two hosts, rather than being a public network that other clients can join. Private here doesn't refer to data privacy or security, just to the topology of the virtual network. The other kind of privacy, the data security kind, is provided in different ways by different VPN protocols, as we'll see in a little bit. In fact, you can create a VPN that offers no actual data security, not that you'd ever really want to do that.

For now we'll focus on the network part of a VPN. VPNs work on the principles of routing or bridging, and encapsulation. When we need to send network packets from our computer to a remote system, off of our own network, our system uses a route to determine where to send those packets. Usually we'll only have one route, configured to send any packets not intended for clients on our same network to a router on the network, which handles sending the packets to their destination on other networks through other routers. While it works a little bit differently in practice, you can think of a VPN as plugging a network cable from a network adapter on your computer into the VPN server you're connecting to, but across the Internet. Luckily, we don't need actual cables that long. When clients connect to a VPN server, a new virtual network interface is configured on the client, and it's given an IP address by the VPN server. With Layer 3 VPNs, a new route is also added to the system, using this virtual adapter to route data to a virtual adapter on the VPN server. Another type of VPN uses Layer 2, and instead of routing data between network devices, it behaves as though the devices are physically connected to the same network, like the local and remote networks are bridged. We'll see more about how these layers work in a little bit.

The other component of a VPN that's important here is encapsulation, which describes the idea that information is wrapped up inside of other information. When it comes to VPNs, that usually means that network traffic that normally wouldn't be able to travel between two networks gets wrapped in packets that can be sent between networks. So on a client system, traffic sent to the local endpoint of the VPN tunnel gets wrapped up in a protocol that can be routed to another network, and those packets are then sent through the tunnel. On the other end, VPN software running on the server unwraps these packets and sets them free on the remote side's local network, and any traffic coming back to the client is wrapped up by the server, sent through the tunnel, and unwrapped on the client.

In this course, I'll use two virtual machines that share a protected network, like a corporate or academic network. One of these VMs has a public IP address and will act as a VPN server, which we'll connect to from my client here. The other VM is hosting a web page that's only visible to clients of that protected network, so it's not accessible from the Internet directly. We'll need to use a VPN to access it.
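The two mechanisms the instructor describes, a route that sends protected-network traffic to the virtual adapter and encapsulation of the resulting IP packets inside packets that can cross the Internet, can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from the course and does not model any particular VPN product. All addresses are constructed (RFC 5737 documentation ranges for the public side, 10.0.0.0/24 for the protected network, 10.8.0.0/24 for the tunnel), the UDP port number is an arbitrary choice, and the outer packet carries the inner one in the clear, which is exactly the "private in topology, not in data" distinction made above: nothing here encrypts anything.

```python
import ipaddress
import struct

UDP = 17
TUNNEL_PORT = 1194  # constructed: the UDP port both tunnel ends agree on (arbitrary here)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791). Returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 packet; reject it if the header checksum does not verify."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto,
            "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap a whole inner IP packet as the payload of an outer IP/UDP packet (unencrypted)."""
    udp = struct.pack("!HHHH", TUNNEL_PORT, TUNNEL_PORT, 8 + len(inner), 0)  # checksum 0: unused
    return build_ipv4(outer_src, outer_dst, UDP, udp + inner)


def decapsulate(outer: bytes) -> bytes:
    """Unwrap the outer IP/UDP packet and return the inner IP packet it carried."""
    o = parse_ipv4(outer)
    if o["proto"] != UDP:
        raise ValueError("outer packet is not UDP")
    _, dport, length, _ = struct.unpack("!HHHH", o["payload"][:8])
    if dport != TUNNEL_PORT:
        raise ValueError("not tunnel traffic")
    return o["payload"][8:length]


class RouteTable:
    """Longest-prefix-match route table: destination network -> outgoing interface."""

    def __init__(self):
        self.routes = []

    def add(self, cidr: str, iface: str) -> None:
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def lookup(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if addr in net]
        if not matches:
            raise ValueError("no route to %s" % dst)
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def vpn_round_trip() -> dict:
    """Route a packet for a protected host before and after a Layer 3 VPN comes up."""
    client_public, server_public = "203.0.113.10", "198.51.100.5"   # constructed public IPs
    tun_client, protected_host = "10.8.0.2", "10.0.0.10"            # tunnel-side and protected IPs

    table = RouteTable()
    table.add("0.0.0.0/0", "eth0")          # the usual single default route to the LAN router
    table.add("192.168.1.0/24", "eth0")     # the client's own local network
    route_before = table.lookup(protected_host)   # only the default route matches

    # VPN comes up: tun0 is given an address by the server and a route to the
    # protected network is added, so 10.0.0.10 is now sent through tun0.
    table.add("10.0.0.0/24", "tun0")
    route_after = table.lookup(protected_host)

    # Traffic handed to tun0 is a full IP packet from the tunnel address to the protected host.
    inner = build_ipv4(tun_client, protected_host, 6, b"GET / HTTP/1.0\r\n\r\n")
    outer = encapsulate(inner, client_public, server_public)   # client wraps it for the Internet
    delivered = decapsulate(outer)                             # server unwraps it onto the LAN
    return {"route_before": route_before,
            "route_after": route_after,
            "outer_src": parse_ipv4(outer)["src"],
            "outer_dst": parse_ipv4(outer)["dst"],
            "inner_dst": parse_ipv4(delivered)["dst"],
            "inner_intact": delivered == inner}


if __name__ == "__main__":
    for key, value in vpn_round_trip().items():
        print(key, value)
```

The point to notice is that the outer packet's addresses are the two public endpoints while the inner packet still carries the 10.x addresses that would never be routed across the Internet on their own; the server's unwrapped packet is byte-for-byte what the client handed to tun0. Anyone on the path can read that inner packet in this form, which is why real VPN protocols add encryption and authentication on top of the encapsulation shown here.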
