What exactly are VPN secure tunnels?

Most of us have used a VPN at least once—maybe to bypass website restrictions or securely access private company resources.

But how exactly do VPNs achieve this? In this article, we’ll dive into virtual private networks and explore:

  • Why do we need VPNs?
  • How do VPNs secure data?
  • How are VPN connections established?
  • How do VPN tunnels actually work?

Why do we need VPNs?

As we continue to transmit more sensitive information over the internet, we need a secure channel to protect this data from prying eyes. VPNs meet these needs in several ways:

  • Secure Access: To work remotely, employees must safely access private resources. Organizations need to bridge offices in different regions together.
  • Privacy and Anonymity: Users want to hide their IP address and encrypt their internet traffic to prevent eavesdropping by anyone.
  • Geo-Restrictions: Internet users want to access geographically restricted resources from any location.

How VPNs secure data

VPNs establish an encrypted connection between your device and a VPN server. This ensures that any data traveling between these two points is protected.

  • Encryption: VPNs use strong encryption such as AES (Advanced Encryption Standard) to scramble data before sending it over the internet. It ensures that only the VPN server can unscramble it.
  • Integrity: Message Authentication Codes (MACs), such as HMAC, verify that packets haven’t been altered during transmission.
  • Authentication: VPNs ensure that you are connected to the correct VPN server and that unauthorized clients can’t join the network. Methods include username/password, certificates, or multi-factor authentication.

How are VPN connections established?

A VPN first authenticates the user and the server, then creates a virtual network interface (e.g., tun0) and modifies the routing table so that traffic is directed through the secure tunnel.

Figure: VPN access server and the client's routing table

Let's take a deep dive into OpenVPN's steps:

  1. Connection Establishment: The client and server establish a TLS connection, over which they negotiate and exchange the ephemeral keys that encrypt the data channel.
  2. Authentication: The server authenticates the user via a certificate or username/password.
  3. Virtual network interface: The VPN software creates a TUN (or TAP) network interface (e.g., tun0 on Linux). The OS assigns this interface an IP address allocated by the server (for example, 10.0.0.3).
  4. Routing table: The VPN software modifies the system’s routing table so that traffic destined for certain networks (or all internet traffic) is routed through the virtual adapter.
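
As an added illustration (not part of the original article), the Go program below models step 4 with a longest-prefix-match routing table: a split tunnel where only the pushed 10.0.0.0/24 route uses tun0, and a full tunnel that mirrors OpenVPN's "redirect-gateway def1" behaviour. The interface names eth0 and tun0 and the route set are assumptions; 45.3.20.8 is the server address used in this article.

```go
package main

import (
	"fmt"
	"net"
)

type Route struct {
	Dest *net.IPNet // destination prefix
	Dev  string     // outgoing interface
}

// Lookup returns the interface of the most specific (longest-prefix) matching route,
// which is how the kernel decides whether a packet goes to tun0 or the physical NIC.
func Lookup(table []Route, dst net.IP) string {
	bestLen, bestDev := -1, ""
	for _, r := range table {
		if ones, _ := r.Dest.Mask.Size(); r.Dest.Contains(dst) && ones > bestLen {
			bestLen, bestDev = ones, r.Dev
		}
	}
	return bestDev // "" when no route matches
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SplitTunnel: only the pushed private network 10.0.0.0/24 goes through tun0; the default route stays on eth0.
func SplitTunnel() []Route {
	return []Route{{cidr("0.0.0.0/0"), "eth0"}, {cidr("10.0.0.0/24"), "tun0"}}
}

// FullTunnel mirrors "redirect-gateway def1": two /1 routes outrank the untouched default, and a
// /32 host route keeps the encapsulated UDP datagrams to the VPN server leaving via eth0, not looping.
func FullTunnel() []Route {
	return append(SplitTunnel(), Route{cidr("0.0.0.0/1"), "tun0"},
		Route{cidr("128.0.0.0/1"), "tun0"}, Route{cidr("45.3.20.8/32"), "eth0"})
}

func main() {
	for _, ip := range []string{"10.0.0.5", "8.8.8.8", "45.3.20.8"} {
		dst := net.ParseIP(ip)
		fmt.Printf("%-10s split=%s full=%s\n", ip, Lookup(SplitTunnel(), dst), Lookup(FullTunnel(), dst))
	}
}
```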

How do VPN tunnels work?

Once the VPN tunnel is established, all data is securely exchanged between the client and server using encryption. Let’s consider an OpenVPN setup with a TUN interface over UDP:

  1. Routing: When the client sends an IP packet to a resource (e.g., an internal server behind the VPN, 10.0.0.5), the OS checks the routing table and sends the packet to the corresponding TUN interface, which forwards it to the VPN program.
  2. Encryption and Encapsulation: The VPN program first encrypts the packet with the data channel key. The encrypted packet is then wrapped in a UDP header and sent to the VPN server’s public IP address (e.g., 45.3.20.8) over the internet.
  3. Decapsulation and Decryption: The OpenVPN server's OS receives the UDP packet and passes it to the OpenVPN program. The program decrypts the payload using the established data channel key and extracts the original IP packet.
  4. Forwarding: The server then forwards the original IP packet (with its private source and destination IPs) to the target resource through the local network.
  5. Reverse Path: Responses from the resource follow the opposite path: they arrive at the server, are routed to the server's TUN interface, and then encrypted and sent back to the client via the same data channel.
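
As an added example (not OpenVPN's own code), the Go program below walks a constructed IPv4 packet through steps 2 and 3: the client seals it with the data channel key and the server opens it. It uses AES-GCM, whose authentication tag takes the role this article assigns to HMAC, so a tampered or wrongly keyed datagram is rejected before any plaintext is released; the key, addresses and payload are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
)

// Packet builds a constructed IPv4 packet (20-byte header + payload) as the OS hands it to tun0; checksum left zero.
func Packet(src, dst net.IP, payload []byte) []byte {
	hdr := []byte{0x45, 0, 0, byte(20 + len(payload)), 0, 0, 0, 0, 64, 17, 0, 0}
	return append(append(append(hdr, src.To4()...), dst.To4()...), payload...)
}

// aead wraps the 16/24/32-byte data-channel key in AES-GCM, whose tag plays the HMAC's integrity role.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES's block size is always acceptable to GCM
	return gcm
}

// Seal is the client side of step 2: encrypt and authenticate the inner IP packet; nonce||ciphertext||tag is the UDP payload.
func Seal(key, inner []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh per packet; repeating a nonce under one key breaks GCM
	return gcm.Seal(nonce, nonce, inner, nil)
}

// Open is the server side of step 3: a wrong key or one flipped bit fails the check, so only an intact packet is released.
func Open(key, datagram []byte) ([]byte, error) {
	gcm := aead(key)
	if len(datagram) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("datagram too short")
	}
	return gcm.Open(nil, datagram[:gcm.NonceSize()], datagram[gcm.NonceSize():], nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed stand-in for the TLS-negotiated key
	inner := Packet(net.ParseIP("10.0.0.3"), net.ParseIP("10.0.0.5"), []byte("hi"))
	got, err := Open(key, Seal(key, inner)) // Seal's output is what travels to 45.3.20.8 inside UDP
	fmt.Println(err, net.IP(got[16:20]), string(got[20:]))
}
```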

Key Takeaways

  • Use cases: VPNs provide secure remote access, protect user privacy, and bypass geo-restrictions.
  • Security: Encryption (e.g., AES) keeps data confidential. Integrity checks (e.g., HMAC) ensure data remains unaltered. Authentication (e.g., certificates, MFA) prevents unauthorized access.
  • Connection: VPNs create a virtual network interface (e.g., tun0) and modify the routing table to direct traffic through the secure tunnel.
  • Tunnel: Client packets are encrypted and encapsulated, travel over public networks, then get decrypted on the server side before reaching the intended private network.

