From the course: Learning VPN

Terms and basics

- [Instructor] Before we look specifically at VPN protocols, we need to understand a little more about the basic concepts that most VPNs rely on. VPNs can operate on two different layers of the network stack: layer two and layer three. So when we talk about different protocols, you'll see these mentioned. I won't go too far into the details here. If you want to learn more about the layers of the network stack, take a look at our networking courses. Briefly though, layer two is called the data link layer, and it handles the transmission of frames of data between devices. This includes Ethernet frames, the information containers that travel across Ethernet networks to carry information between devices. A VPN established at layer two is called a bridged VPN, and it makes the networks seem physically connected, as they might be over Ethernet. When a layer two connection is represented on a system, the virtual device is called a TAP. One step above layer two is layer three, which is called the network layer. This is where protocols like IP operate, with IP addresses and IP routes. Information here is transmitted in packets. A VPN established at layer three is called a routed VPN because it relies on IP routing to move packets between networks. A layer three virtual device is called a TUN, short for tunnel device. In a VPN, the transfer of data between networks is based on getting data from one place to another, from one point to another point, and this is made possible at the very core by PPP, or Point-to-Point Protocol. PPP sets up a connection between two hosts and creates a virtual network adapter at each end with IP addresses that represent each endpoint. This virtual network creates a connection that's used to carry traffic back and forth between hosts. PPP is used in many more applications than just VPN. Many ISPs use it to create a network link over media like phone lines to carry Ethernet frames between IP networks, but that's a topic for another course.
In many VPN protocols, PPP sets up the connection between hosts by providing the adapters and addresses through which traffic between networks is routed. VPNs also rely on a secure channel being established, and this is handled by key exchange. Different protocols approach this differently. Some rely on a pre-shared key, often abbreviated PSK, existing on the client and being used during the connection, and some protocols will set up and define keys when a connection is made. Both hosts involved in a connection negotiate back and forth to determine what security protocol to use, and then they agree on parameters and establish a secure channel. For many VPNs, this negotiation back and forth will include the generation of a session key, which is used to encrypt and decrypt data sent between the systems. For many systems that use this strategy, the result is what's called forward secrecy or perfect forward secrecy. What this means is that the current and subsequent sessions are encrypted with new keys generated at the beginning of each connection, so that if either the key for one session or message is leaked or the keys that are used to establish the identity of the client or server are leaked, those cannot be used to decrypt any past messages or sessions. So if someone recorded the encrypted session between you and the server and then was somehow able to capture a key from a later encrypted session, they wouldn't be able to use that later key to decrypt the previously recorded session. As we go forward in time, new keys maintain the secrecy of previous sessions. Some of the algorithms that some protocols use to set up this key exchange are fundamentally broken or compromised, but many are still considered secure. So when you set up a VPN server, be sure you're using one of the secure ones.
We're just about ready to explore protocols, but before we do, I want to make the point that going forward when I discuss ports that are used, those are the ports that need to be open on the server end of the connection. When a client connects to a server, it needs to connect to a specific port. The port that a connection comes from on the client side is less important. That's handled by the system. The important ones are the server ports, and they need to be opened up both on a host system and forwarded through firewalls between that system and the internet.
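The following is an added example, not part of the course, that shows in code the difference the instructor describes between a key derived only from a long-lived pre-shared key and a key from a fresh per-session exchange. It models two simplified schemes (both hypothetical, not any specific VPN protocol): in the first, the session key comes from the PSK plus two nonces sent in the clear, so a later PSK leak lets an eavesdropper decrypt a recorded session; in the second, each side generates a fresh X25519 key pair per session and the PSK only salts the derivation, so the PSK plus a private key captured from a later session recovers nothing from the recording. The X25519 ladder follows RFC 7748 but is illustrative only (not constant-time), the HMAC-counter stream cipher stands in for a real AEAD, and the PSK and payload are constructed sample values.

```python
# Added example: forward secrecy from an ephemeral exchange versus a static PSK-only key.
# Pure standard library. X25519 ladder per RFC 7748, for illustration only (not constant-time).
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: multiply the u-coordinate `u` by the clamped `scalar`."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the data-channel cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], ks))
    return bytes(out)


def psk_only_session(psk: bytes, plaintext: bytes) -> dict:
    """Scheme 1 (hypothetical): key = HMAC(PSK, nonces). Only the PSK is not on the wire."""
    nonce_c, nonce_s = secrets.token_bytes(16), secrets.token_bytes(16)
    key = hmac.new(psk, nonce_c + nonce_s, hashlib.sha256).digest()
    return {"nonce_c": nonce_c, "nonce_s": nonce_s, "ciphertext": keystream_xor(key, plaintext)}


def ephemeral_session(psk: bytes, plaintext: bytes) -> dict:
    """Scheme 2 (hypothetical): fresh X25519 pair per side per session; PSK only salts the KDF.
    The private scalars are discarded when this function returns."""
    priv_c, priv_s = secrets.token_bytes(32), secrets.token_bytes(32)
    pub_c, pub_s = x25519(priv_c, BASEPOINT), x25519(priv_s, BASEPOINT)
    shared_c, shared_s = x25519(priv_c, pub_s), x25519(priv_s, pub_c)
    assert shared_c == shared_s  # both ends of the tunnel agree on the same secret
    key = hmac.new(psk, shared_c + pub_c + pub_s, hashlib.sha256).digest()
    return {"pub_c": pub_c, "pub_s": pub_s, "ciphertext": keystream_xor(key, plaintext)}


def attacker_psk_only(leaked_psk: bytes, recording: dict) -> bytes:
    """Recorded transcript + PSK leaked later = the session key, and so the plaintext."""
    key = hmac.new(leaked_psk, recording["nonce_c"] + recording["nonce_s"], hashlib.sha256).digest()
    return keystream_xor(key, recording["ciphertext"])


def attacker_ephemeral(leaked_psk: bytes, leaked_later_priv: bytes, recording: dict) -> bytes:
    """Even with the PSK and a private key from a later session, the recorded session used
    different ephemeral scalars, so the derived key is wrong and the output is garbage."""
    guess = x25519(leaked_later_priv, recording["pub_s"])
    key = hmac.new(leaked_psk, guess + recording["pub_c"] + recording["pub_s"], hashlib.sha256).digest()
    return keystream_xor(key, recording["ciphertext"])


def demo() -> tuple:
    psk = b"constructed-pre-shared-key"  # constructed sample secret
    msg = b"GET /private HTTP/1.1"       # constructed sample tunnel payload
    rec_psk, rec_eph = psk_only_session(psk, msg), ephemeral_session(psk, msg)
    later_priv = secrets.token_bytes(32)  # a private key captured from some later session
    return (attacker_psk_only(psk, rec_psk) == msg, attacker_ephemeral(psk, later_priv, rec_eph) == msg)


if __name__ == "__main__":
    print(demo())  # (True, False): PSK-only recording recovered, ephemeral recording not
```

The PSK still matters in the second scheme: it authenticates the exchange so an active attacker cannot substitute their own public key. What it no longer does is let a recording be decrypted after the fact, which is the property the instructor calls forward secrecy, and it holds only if the ephemeral private keys are really discarded after each session.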