Virtual Private Networks – The Basics

Virtual Private Networks (VPNs) can extend a local area network (LAN) over the Internet to remote networks and remote client machines. A VPN uses the Internet to route LAN traffic from one location to another by encapsulating the data inside encrypted IP packets. The encrypted packets are unreadable by intermediary Internet devices and can contain any kind of network communications – such as file and printer sharing, e-mail, remote procedure calls, and database access.

VPNs can be setup using server computers, firewalls or routers. Client access to the VPN can be made using client-side VPN software or by connecting to an ISP that supports the VPN protocol.

VPNs solve the problem of accessing private servers over the Internet through a combination of IP encapsulation, cryptographic authentication and data payload encryption.

IP Encapsulation

IP encapsulation provides a way to protect the data while in transit between the remote client and the private LAN. Computers outside the VPN should not be able to snoop on the traffic exchanged between the remote client and private server or be able to insert their own data into the communication stream. This is accomplished by creating what people refer to as a private and protected “tunnel” through the public Internet. When an IP packet contains another IP packet this is called IP encapsulation, and it provides a mechanism to refer to a host within a private network when a direct network connection may not exist. When this is combined with data encryption then we’ve effectively created our virtual tunnel.

Cryptographic Authentication

Cryptographic Authentication is used to securely validate the identity of the remote client so that the private LAN can determine what level of security should be applied to that user. VPNs use the authentication process to determine whether or not a remote user can participate in the encrypted tunnel, and for exchanging the public key that will subsequently be used for data encryption.

Data Payload Encryption

Data Payload Encryption uses a public key to encrypt the data field of the IP encapsulated packet. That is, data payload encryption is exactly like normal IP except that the data has been encrypted. It does not encrypt the header information, so details of the private network can be gleaned by analyzing the header information.

Advantages and Disadvantages

Compared to Wide Area Networks (WANs), VPNs offer some advantages but, also, present some disadvantages.

- cheaper than WANs
- easier to setup than WANs
- slower than WANs
- less reliable than WANs
- less secure than isolated WANs


Although there are a number of ways to configure a VPN here is an example of one scenario that is fairly common — an employee wishes to work from home and exchange data between their home machine and a private web server on the corporate network. There are two important processes here — the process of negotiating and building a VPN session, and the process of protecting and handling the data within an existing VPN connection. Here I’ll briefly describe the latter and leave the former as a potential topic for a future article.

Suppose we have the following:

(a) a VPN client with a public IP address of and a private IP address of (provided by the corporation’s DHCP server).

(b) a VPN server on the corporate network with two interfaces — a public interface to the Internet that uses and an interface to the private network with an IP of

(c) a web server on the corporate network with an IP address of

Prior to creating a VPN session the client host has one interface and a connection to the Internet through an ISP. The client machine can communicate with any host on the Internet but can not access the web server on the private network 192.168.0.X. After the VPN session has been created then the client host has 2 interfaces — the original interface to the Internet and a new VPN interface. The new VPN interface becomes the default gateway — that is, all packets will initially travel through the new interface. However, the VPN interface is not a physical network card — it doesn’t physically connect to anything. The VPN interface is used to encrypt and encapsulate packets that are subsequently sent as the payload of a new, outer packet. It is the outer packet that is sent out over the Internet (using the original interface) to the corporate VPN server.

The inner packet will use the client’s private IP of as the source IP address and the web server’s private IP of as the destination address. The VPN client encrypts the data field of the inner packet and this inner packet then becomes the payload of an outer packet. The outer packet uses the client’s public IP of as the source IP address and the public interface of the VPN server ( as the destination IP. The IP encapsulated packet is then sent to the ISP and out over the Internet.

When the IP encapsulated packet reaches the VPN server at the edge of the private network it will unwrap the inner packet and decrypt its data field. Since the VPN server also has an interface to the private network it will then be able to forward the inner packet to the destination web server. When data is sent from the web server back to the client then the process is reversed — that is, the VPN server handles the encryption/encapsulation and the VPN client is responsible for unwrapping/decoding.

Source by Steve Leytus