VPN: What is a VPN, what does it do?

VPNs are used for secure connections to a remote network, but they can also be used to bypass internet censorship by virtually connecting to a free zone.

What is a VPN?

A virtual private network (VPN) is a kind of connection that allows a remote client to connect to a distant local network in such a way that the client enjoys the same benefits as the nodes on that remote local area network. VPNs come in various types and uses, with various security and encryption methods, which are discussed below. VPNs can encapsulate traffic under the different protocols available. VPNs are used for secure connections to a remote network, but they can also be used to bypass internet censorship by virtually connecting to a geographical location where there is little or no internet censorship, so that traffic is routed from a censored country to an uncensored country, allowing free use of the internet just like a citizen of that country. The traffic in between is also encrypted, which obfuscates it from government- and ISP-enforced firewalls.

Types of VPN

There are various ways to categorize a VPN connection. VPNs date back to dial-up modems. Frame Relay was one such technique, allowing an organization to rent infrastructure from an ISP. Since it would be hard to buy and set up your own wires and infrastructure, companies used the infrastructure of the ISP. The ISP gave leased lines to companies, and in return a company could establish a virtual circuit on top of them, over which only its own people could communicate between different branches of the company located in different places, such as different cities. Over time, advances and research in the field have introduced new protocols and encryption methods, and with new internet infrastructure VPN functionality is far more flexible today.

Two of the main classifications for the VPN are as follows:

  • Site to Site VPN
  • Remote Access VPN

Further classification may be considered over protocol and encryption differences.

i. Site to Site VPN

The site to site VPN is a company to company or branch to branch secure access link. As the name suggests, a Site to Site VPN is a connection used to create a secure and separate link between two or more departments of a company located at different geographical locations. A Site to Site VPN is a large-scale implementation and usually involves the Internet service provider’s help to set up, as with the Frame Relay example discussed previously. This can also be termed a router to router VPN.

ii. Remote Access VPN

A Remote Access VPN is usually installed where an individual needs to access a company’s network. A remote-access VPN allows individual users to establish a secure connection with a remote computer network. The users can then access the system resources on that network securely, as if they were directly connected to that local area network.

In a remote access VPN, the first thing needed is the server that hosts all the clients that want access to the network. The VPN server holds all the necessary configuration and protocol information, including the encryption type that will be used. The client, on the other hand, needs ‘client configuration’ information and client software to initiate a connection to the remote server with the proper keys and configuration. If the encryption is symmetric, the connection will only be established when the key information for encryption matches on the other side. If the encryption is asymmetric, there must be some mechanism for key exchange prior to the start of the VPN connection. Once the key information is known, the client can initiate the connection between itself and the server.

A remote access VPN can also be used to anonymize one’s true IP address. Several companies offer paid VPN plans that provide anonymity and other security features. Because of surveillance by governments and intelligence agencies, many people opt for such paid VPN plans, which hide the user’s network traffic. A VPN can also provide security and reliability over a less secure network such as public Wi-Fi. A VPN service can also be used to access geographically restricted content or bypass internet censorship.

Various encryption techniques are used to secure the connection. Different encryption methods provide different levels of security, and the same goes for the VPN protocols. There are two main encryption techniques:

VPN Encryption

i. Symmetric Key Exchange

Symmetric key cryptography is the type where both parties share the same key to encode and decode a message. Getting the same key to both parties before secure communication can start is a little complicated, because you first have to devise a way that is secure enough to share the key between both parties before any encryption is in place.

Symmetric key algorithms are implemented as either block ciphers or stream ciphers. Popular examples include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, Kuznyechik, RC4, 3DES, Skipjack, Safer+/++ (Bluetooth), and IDEA.

ii. Asymmetric Key Exchange

In an asymmetric key algorithm, the two parties who need to communicate with each other have two different keys. It involves two types of key: a public key and a private key. The private key is kept secure and hidden, while the public key is shared.

RSA (Rivest, Shamir and Adleman) is a well-known cipher based on asymmetric key algorithms.

Data Integrity

For packet or data integrity in a VPN, a universal method known as hashing is used.

Hashing is a mechanism used for data integrity. Basically, it is a mechanism for checking for errors while a message is in transit. It can also recognize whether the message has been changed in the medium. A good hash is one that shows an avalanche effect if only one digit or symbol is changed: the smallest change in the input produces a completely different digest. Commonly used hash algorithms produce digests in the range of 128 to 512 bits in length. A digest is just a number calculated through a hashing algorithm.

The popular hashing algorithms are MD5, SHA-1, and SHA-2.

For VPNs, people can use SHA-512 (a child of SHA-2). It is considered a better option because it offers a broad spectrum of possible values, thus avoiding collisions. A hash does not provide data security; it only provides a message authentication technique. All the data that is passed through the VPN can then be verified to confirm that no change or error occurred during the transit of the message.
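The avalanche effect and the integrity check described above, as an added example that is not part of the original article. It goes one step beyond the text by comparing a bare SHA-512 digest with a keyed digest (HMAC-SHA-512), since anyone who alters a packet in transit can also recompute an unkeyed digest. The payloads, the key, and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (not from the article).
PAYLOAD = b"transfer 100 to account 42"
ALTERED = b"transfer 900 to account 66"
KEY = b"constructed-shared-secret"   # known only to the two tunnel endpoints
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes = 512 bits

def changed_bits(msg: bytes) -> int:
    """Flip one input bit and count how many of the 512 digest bits differ."""
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    a = hashlib.sha512(msg).digest()
    b = hashlib.sha512(flipped).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def seal_plain(payload: bytes) -> bytes:
    """Append an unkeyed SHA-512 digest: detects accidental corruption only."""
    return payload + hashlib.sha512(payload).digest()

def check_plain(packet: bytes) -> bool:
    payload, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha512(payload).digest(), digest)

def seal_keyed(key: bytes, payload: bytes) -> bytes:
    """Append HMAC-SHA-512: the tag depends on a key the sender and receiver share."""
    return payload + hmac.new(key, payload, hashlib.sha512).digest()

def check_keyed(key: bytes, packet: bytes) -> bool:
    payload, tag = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha512).digest(), tag)

def rewritten_in_transit(new_payload: bytes) -> bytes:
    """A packet changed on the path by someone without KEY, digest recomputed."""
    return new_payload + hashlib.sha512(new_payload).digest()

if __name__ == "__main__":
    print("digest bits changed by a 1-bit input change:", changed_bits(PAYLOAD))
    modified = rewritten_in_transit(ALTERED)
    print("unkeyed check accepts modified packet:", check_plain(modified))
    print("keyed check accepts modified packet:  ", check_keyed(KEY, modified))
    print("keyed check accepts genuine packet:   ",
          check_keyed(KEY, seal_keyed(KEY, PAYLOAD)))
```

Roughly half of the 512 digest bits change for a single flipped input bit, and only the keyed check rejects the modified packet.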

VPN Protocols

In a VPN, the entire data packet is placed within another packet before it is transported over the Internet. All VPN setups establish a tunnel effect: all the traffic of the computer is encapsulated under the specific VPN protocol, with encryption. As we know from networking, a data packet that is to travel to a different location passes through the series of layers of the TCP/IP stack. Each layer of the model adds a particular header and then encapsulates the actual data payload. The VPN protocol encapsulates the packet with encryption in between these steps, so when the packet leaves your computer it is encrypted with the VPN encryption.

[Figure: TCP/IP stack]

The tunnel interfaces are the two ends that have a VPN set up between them. The inner packet remains the same and is decapsulated at the receiving edge by first opening the VPN encapsulation. Decapsulating the VPN packet yields an encrypted payload, which is decrypted with the chosen method of encryption, after which the receiver can see the rest of the packet data. There are several VPN protocols that can be used to tunnel network traffic.
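The encapsulation and decapsulation steps described above, as an added example that is not part of the original article. The packet layout is a simplified ESP-style tunnel (outer IPv4 header, SPI, sequence number, encrypted inner packet, integrity tag); the keystream cipher is a stand-in for AES so the code runs with the standard library only, and all addresses, keys and function names are constructed.

```python
import hashlib, hmac, socket, struct

ESP_PROTO = 50  # IANA protocol number for IPsec ESP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def keystream_xor(key, nonce, data):
    """Stand-in cipher (NOT AES): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encapsulate(inner, enc_key, mac_key, spi, seq, src, dst):
    """Encrypt the whole inner packet, add a tag, prepend the outer header."""
    esp = struct.pack("!II", spi, seq)            # also the per-packet nonce
    body = esp + keystream_xor(enc_key, esp, inner)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()[:16]
    return ipv4_header(src, dst, ESP_PROTO, len(body) + 16) + body + tag

def decapsulate(outer, enc_key, mac_key):
    """Strip the outer header, verify the tag, then decrypt the inner packet."""
    body, tag = outer[20:-16], outer[-16:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return keystream_xor(enc_key, body[:8], body[8:])

def observer_view(packet):
    """What a device on the path can read: outer addresses and protocol."""
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9])

# Constructed sample: a private-network packet carried between two gateways.
DATA = b"GET /payroll HTTP/1.1\r\n"   # stands in for a TCP segment
INNER = ipv4_header("10.0.0.5", "10.0.1.20", 6, len(DATA)) + DATA
ENC_KEY, MAC_KEY = b"E" * 32, b"M" * 32
TUNNEL = encapsulate(INNER, ENC_KEY, MAC_KEY, spi=0x1001, seq=1,
                     src="198.51.100.7", dst="203.0.113.9")

if __name__ == "__main__":
    print("on the wire:", observer_view(TUNNEL))
    print("inner readable on the wire:", b"payroll" in TUNNEL)
    print("after decapsulation:", decapsulate(TUNNEL, ENC_KEY, MAC_KEY)[20:])
```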

PPTP (Point-to-Point Tunneling Protocol)

Advantages: Compatible with, and built into, all operating systems. It is easy to set up.

Disadvantages: Insecure, and there is speculation that it was made vulnerable by the US security agency known as the NSA. PPTP VPN traffic is easy to block since it uses a specific port.

L2TP/IPsec (Layer 2 Tunneling Protocol)

Advantages: Easy to set up and as fast as OpenVPN, or even faster. Available on all operating systems. This protocol allows multithreading for encryption processing.
Disadvantages: Hard to implement. It can also be blocked by restrictive firewalls. Limited number of ports.

SSTP (Secure Socket Tunneling Protocol)

Advantages: It is considered very secure. It can also bypass firewalls. Built-in support in Windows operating systems. It uses SSL 3.0 and can run on TCP/port 443.
Disadvantages: Proprietary. Only supported by Microsoft. Thought to be compromised by the NSA.

IKEv2 (Internet Key Exchange version 2)

Advantages: Fast and secure. Resilient to changing networks and able to maintain sessions. Good for mobile networks.
Disadvantages: Not natively supported on Linux systems, which also includes Android devices.

OpenVPN

Advantages: Open source, fast and secure. It offers a wide range of configuration options, including the use of TCP/port 443. It is popularly used in ‘unblock web’ VPN apps.

Disadvantages: It needs third-party software on some platforms.

Bypass Government Censorship

Living in Iran, China or other countries with strict internet censorship policies poses a great challenge to accessing learning materials through the usual places like Google and video sites like YouTube, as well as several news-related sites. Even if you set up a VPN, a government such as China’s performs deep packet inspection up to the internet layer (TCP/IP stack) and filters out any known VPN protocol traffic. As mentioned earlier, each packet has layers of information known as headers. When you encapsulate a data packet into a VPN packet, the VPN protocol attaches its own header and encloses the actual data payload inside. Thus it is quite easy to discover whether any VPN-related data is flowing through firewalls and routers.

Sometimes they just block a known port that is used to transfer VPN data packets, e.g. OpenVPN or IKEv2 packets. By blocking the port they effectively stop the company’s or individual’s VPN traffic.

Workaround for VPN ban

There is a workaround proven to bypass censorship and certain firewalls, one that makes VPN traffic difficult to stop: configuring your VPN server to pass all traffic through TCP/port 443. SSL (Secure Socket Layer) encryption uses TCP/port 443. And if you recall, all the websites that use the HTTPS protocol to serve web pages use TCP/port 443. For example, a bank site or an online shopping website like aliexpress.com or amazon.com uses HTTPS and thus works on SSL over TCP/port 443.

If a government were to block TCP/port 443, it would stop secure connections for other organizations as well, which would result in a tremendous loss of internet capabilities under current standards.

That is why all those VPN protocols that can talk over TCP/port 443 can successfully pass through any firewall like normal SSL web traffic. Unfortunately, communication is not possible if the IP address of your VPN server is explicitly blocked.

Benefits of Using a VPN

Data Security

A VPN has several benefits, and the most important is security. Encapsulation of data packets provides an extra layer of security, and with encryption the security and integrity of your communications increase greatly.

Traffic Isolation and access management

A VPN also provides ease of management, since it allocates a certain amount of your network to a specific portion. Your organization can decide which level of employee enjoys which level of access to the company’s network. This can help you prioritize some network resources and provide quality of service.

Reliability

A VPN offers reliability, since it creates a tunnel between the client’s end and the company network’s end. You can scale this model to any considerable size.

Anonymity

A VPN gives you the possibility of masking your real IP address from the services you use.

Access to blocked content

A VPN also gives you access to geographically restricted content that would otherwise be blocked in your country. You can potentially evade government censorship and restrictions imposed by your Internet service provider (ISP).

Summary

For people who want to avoid censorship, VPNs offer a great solution. But I would advise using a trusted VPN provider or making your own VPN server on one of the various cloud services, because having your own servers ensures security and reliability. Paid VPN services are best for staying anonymous.

If you want to make your own VPN, then for best security use the IKEv2 protocol with at least the AES block cipher set to run with a 256-bit key. You can also use the OpenVPN protocol for a similar level of security. If your connection is unable to establish communication and keeps dropping, that could indicate that your government or internet service provider is filtering out VPN traffic on conventional ports. OpenVPN works best over UDP; however, when trying to evade firewall filtering you need to use a port that blends in well with other seemingly normal traffic. One way is to use the SSL port, TCP/port 443. If you want to try this method, you can view these tutorials.