Virtual private network

Template:Short description Template:Redirect Template:Use dmy dates Template:Use American English

Virtual private network (VPN) is a network architecture for virtually extending a private network (i.e. any computer network which is not the public Internet) across one or multiple other networks which are either untrusted (as they are not controlled by the entity aiming to implement the VPN) or need to be isolated (thus making the lower network invisible or not directly usable).<ref name="NIST">Template:Cite web</ref>

A VPN can extend access to a private network to users who do not have direct access to it, such as an office network allowing secure access from off-site over the Internet.<ref name="Cisco">Template:Cite web</ref> This is achieved by creating a link between computing devices and computer networks by the use of network tunneling protocols.

It is possible to make a VPN secure to use on top of insecure communication medium (such as the public internet) by choosing a tunneling protocol that implements encryption. This kind of VPN implementation has the benefit of reduced costs and greater flexibility, with respect to dedicated communication lines, for remote workers.<ref>Template:Cite book</ref>

The term VPN is also used to refer to VPN services which sell access to their own private networks for internet access by connecting their customers using VPN tunneling protocols.

The goal of a virtual private network is to allow network hosts to exchange network messages across another network to access private content, as if they were part of the same network. This is done in a way that makes crossing the intermediate network transparent to network applications. Users of a network connectivity service may consider such an intermediate network to be untrusted, since it is controlled by a third-party, and might prefer a VPN implemented via protocols that protect the privacy of their communication.

In the case of a Provider-provisioned VPN, the goal is not to protect against untrusted networks, but to isolate parts of the provider's own network infrastructure in virtual segments, in ways that make the contents of each segment private with respect to the others. This situation makes many other tunneling protocols suitable for building PPVPNs, even with weak or no security features (like in VLAN).

How a VPN works depends on which technologies and protocols the VPN is built upon. A tunneling protocol is used to transfer the network messages from one side to the other. The goal is to take network messages from applications on one side of the tunnel and replay them on the other side. Applications do not need to be modified to let their messages pass through the VPN, because the virtual network or link is made available to the OS.

Applications that do implement tunneling or proxying features for themselves without making such features available as a network interface, are not to be considered VPN implementations but may achieve the same or similar end-user goal of exchanging private contents with a remote network.

Virtual private networks configurations can be classified depending on the purpose of the virtual extension, which makes different tunneling strategies appropriate for different topologies:

Remote access

A host-to-network configuration is analogous to joining one or more computers to a network to which they cannot be directly connected. This type of extension provides that computer access to local area network of a remote site, or any wider enterprise networks, such as an intranet. Each computer is in charge of activating its own tunnel towards the network it wants to join. The joined network is only aware of a single remote host for each tunnel. This may be employed for remote workers, or to enable people accessing their private home or company resources without exposing them on the public Internet. Remote access tunnels can be either on-demand or always-on. Because the remote host location is usually unknown to the central network until the former tries to reach it, proper implementations of this configuration require the remote host to initiate the communication towards the central network it is accessing.

Site-to-site

A site-to-site configuration connects two networks. This configuration expands a network across geographically disparate locations. Tunneling is only done between gateway devices located at each network location. These devices then make the tunnel available to other local network hosts that aim to reach any host on the other side. This is useful to keep sites connected to each other in a stable manner, like office networks to their headquarters or datacenter. In this case, any side may be configured to initiate the communication as long as it knows how to reach the other.

In the context of site-to-site configurations, the terms intranet and extranet are used to describe two different use cases.<ref>Template:Cite IETF</ref> An intranet site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas an extranet site-to-site VPN joins sites belonging to multiple organizations.

Typically, individuals interact with remote access VPNs, whereas businesses tend to make use of site-to-site connections for business-to-business, cloud computing, and branch office scenarios. However, these technologies are not mutually exclusive and, in a significantly complex business network, may be combined.

Apart from the general topology configuration, a VPN may also be characterized by:

• the tunneling protocol used to tunnel the traffic,
• the tunnel's termination point location, e.g., on the customer edge or network-provider edge,
• the security features provided,
• the OSI layer they present to the connecting network, such as Layer 2 link/circuit or Layer 3 network connectivity,
• the number of simultaneous allowed tunnels,
• the relationship between the actor implementing the VPN and the network infrastructure provider, and whether the former trusts the medium of the former or not

A variety of VPN technics exist to adapt to the above characteristics, each providing different network tunneling capabilities and different security model coverage or interpretation.

Operating systems vendors and developers do typically offer native support to a selection of VPN protocols. These are subject to change over the years, as some have been proven to be unsecure with respect to modern requirements and expectations, and others have emerged.

Desktop, smartphone and other end-user device operating systems usually support configuring remote access VPN from their graphical or command-line tools.<ref>Template:Cite web</ref><ref>Template:Cite web</ref><ref>Template:Cite web</ref> However, due to the variety of, often non standard, VPN protocols there exists many third-party applications that implement additional protocols not yet or no longer natively supported by the OS.

For instance, Android lacked native IPsec IKEv2 support until version 11,<ref>Template:Cite web</ref> and users needed to install third-party apps in order to connect that kind of VPN. Conversely, Windows does not natively support plain IPsec IKEv1 remote access native VPN configuration (commonly used by Cisco and Fritz!Box VPN solutions).

Network appliances, such as firewalls, do often include VPN gateway functionality for either remote access or site-to-site configurations. Their administration interfaces do often facilitate setting up virtual private networks with a selection of supported protocols which have been integrated for an easy out-of-box setup.

In some cases, like in the open source operating systems devoted to firewalls and network devices (like OpenWrt, IPFire, PfSense or OPNsense) it is possible to add support for additional VPN protocols by installing missing software components or third-party apps.

Similarly, it is possible to get additional VPN configurations working, even if the OS does not facilitate the setup of that particular configuration, by manually editing internal configurations of by modifying the open source code of the OS itself. For instance, pfSense does not support remote access VPN configurations through its user interface where the OS runs on the remote host, while provides comprehensive support for configuring it as the central VPN gateway of such remote-access configuration scenario.

Otherwise, commercial appliances with VPN features based on proprietary hardware/software platforms, usually support a consistent VPN protocol across their products but do not open up for customizations outside the use cases they intended to implement. This is often the case for appliances that rely on hardware acceleration of VPNs to provide higher throughput or support a larger amount of simultaneously connected users.

Whenever a VPN is intended to virtually extend a private network over a third-party untrusted medium, it is desirable that the chosen protocols match the following security model:

• confidentiality to prevent disclosure of private information or data sniffing, such that even if the network traffic is sniffed at the packet level (see network sniffer or deep packet inspection), an attacker would see only encrypted data, not the raw data
• message integrity to detect and reject any instances of tampering with transmitted messages, data packets are secured by tamper proofing via a message authentication code (MAC), which prevents the message from being altered or tampered without being rejected due to the MAC not matching with the altered data packet.

VPN are not intended to make connecting users anonymous or unidentifiable from the untrusted medium network provider perspective. If the VPN makes use of protocols that do provide those confidentiality features, their usage can increase user privacy by making the untrusted medium owner unable to access the private data exchanged across the VPN.

In order to prevent unauthorized users from accessing the VPN, most protocols can be implemented in ways that also enable authentication of connecting parties. This secures the joined remote network confidentiality, integrity and availability.

Tunnel endpoints can be authenticated in various ways during the VPN access initiation. Authentication can happen immediately on VPN initiation (e.g. by simple whitelisting of endpoint IP address), or very lately after actual tunnels are already active (e.g. with a web captive portal).

Remote-access VPNs, which are typically user-initiated, may use passwords, biometrics, two-factor authentication, or other cryptographic methods. People initiating this kind of VPN from unknown arbitrary network locations are also called "road-warriors". In such cases, it is not possible to use originating network properties (e.g. IP addresses) as secure authentication factors, and stronger methods are needed.

Site-to-site VPNs often use passwords (pre-shared keys) or digital certificates. Depending on the VPN protocol, they may store the key to allow the VPN tunnel to establish automatically, without intervention from the administrator.

A virtual private network is based on a tunneling protocol, and may be possibly combined with other network or application protocols providing extra capabilities and different security model coverage.

• Internet Protocol Security (IPsec) was initially developed by the Internet Engineering Task Force (IETF) for IPv6, and was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.Template:Ref RFC This standards-based security protocol is also widely used with IPv4. Its design meets most security goals: availability, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination. IPsec tunnels are set up by Internet Key Exchange (IKE) protocol. IPsec tunnels made with IKE version 1 (also known as IKEv1 tunnels, or often just "IPsec tunnels") can be used alone to provide VPN, but have been often combined to the Layer 2 Tunneling Protocol (L2TP). Their combination made possible to reuse existing L2TP-related implementations for more flexible authentication features (e.g. Xauth), desirable for remote-access configurations. IKE version 2, which was created by Microsoft and Cisco, can be used alone to provide IPsec VPN functionality. Its primary advantages are the native support for authenticating via the Extensible Authentication Protocol (EAP) and that the tunnel can be seamlessly restored when the IP address of the associated host is changing, which is typical of a roaming mobile device, whether on 3G or 4G LTE networks. IPsec is also often supported by network hardware accelerators,<ref>Template:Cite web</ref> which makes IPsec VPN desirable for low-power scenarios, like always-on remote access VPN configurations.<ref>Template:Cite web</ref><ref>Template:Cite web</ref>
• Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the OpenVPN project and SoftEther VPN project<ref>Template:Cite web</ref>) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through TLS. A VPN based on TLS can connect from locations where the usual TLS web navigation (HTTPS) is supported without special extra configurations,
• Datagram Transport Layer Security (DTLS) – used in Cisco AnyConnect VPN and in OpenConnect VPN<ref>Template:Cite web</ref> to solve the issues TLS has with tunneling over TCP (SSL/TLS are TCP-based, and tunneling TCP over TCP can lead to big delays and connection aborts<ref>Template:Cite web</ref>).
• Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
• Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL/TLS channel (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1).
• Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registered trademark "MPVPN".Template:Relevance inline<ref>Template:Cite web</ref>
• Secure Shell (SSH) VPN – OpenSSH offers VPN tunneling (distinct from port forwarding) to secureTemplate:Ambiguous remote connections to a network, inter-network links, and remote systems. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.<ref>Template:Cite web
• Template:Cite web
• Template:Cite web</ref> SSH is more often used to remotely connect to machines or networks instead of a site to site VPN connection.
• WireGuard is a protocol. In 2020, WireGuard support was added to both the Linux<ref>Template:Cite web</ref> and Android<ref>Template:Cite web</ref> kernels, opening it up to adoption by VPN providers. By default, WireGuard utilizes the Curve25519 protocol for key exchange and ChaCha20-Poly1305 for encryption and message authentication, but also includes the ability to pre-share a symmetric key between the client and server.<ref>Template:Cite journalTemplate:Dead linkTemplate:Cbignore
• Template:Cite journal</ref>
• OpenVPN is a free and open-source VPN protocol based on the TLS protocol. It supports perfect forward-secrecy, and most modern secure cipher suites, like AES, Serpent, TwoFish, etc. It is currentlyTemplate:Current event inline being developed and updated by OpenVPN Inc., a non-profit providing secure VPN technologies.
• Crypto IP Encapsulation (CIPE) is a free and open-source VPN implementation for tunneling IPv4 packets over UDP via encapsulation.<ref>Template:Cite book
• Template:Cite book</ref> CIPE was developed for Linux operating systems by Olaf Titz, with a Windows port implemented by Damion K. Wilson.<ref>Template:Cite web</ref> Development for CIPE ended in 2002.<ref>Template:Cite web
• Template:Cite web</ref>

Trusted VPNs do not use cryptographic tunneling; instead, they rely on the security of a single provider's network to protect the traffic.<ref>Template:Cite book </ref>

• Multiprotocol Label Switching (MPLS) often overlays VPNs, often with quality-of-service control over a trusted delivery network.
• L2TP<ref>Layer Two Tunneling Protocol "L2TP" Template:Webarchive, Template:IETF RFC, W. Townsley et al., August 1999</ref> which is a standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco's Layer 2 Forwarding (L2F)<ref>IP Based Virtual Private Networks Template:Webarchive, Template:IETF RFC, A. Valencia et al., May 1998</ref> (obsolete Template:As of) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).<ref>Point-to-Point Tunneling Protocol (PPTP) Template:Webarchive, Template:IETF RFC, K. Hamzeh et al., July 1999</ref>

From a security standpoint, a VPN must either trust the underlying delivery network or enforce security with a mechanism in the VPN itself. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.Template:Fact

Mobile virtual private networks are used in settings where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points without dropping the secure VPN session or losing application sessions.<ref name="Phifer">Phifer, Lisa. "Mobile VPN: Closing the Gap" Template:Webarchive, SearchMobileComputing.com, 16 July 2006. </ref> Mobile VPNs are widely used in public safety where they give law-enforcement officers access to applications such as computer-assisted dispatch and criminal databases,<ref>Willett, Andy. "Solving the Computing Challenges of Mobile Officers" Template:Webarchive, www.officer.com, May, 2006. </ref> and in other organizations with similar requirements such as field service management and healthcare.<ref name="Cheng">Cheng, Roger. "Lost Connections" Template:Webarchive, The Wall Street Journal, 11 December 2007. </ref>Template:Qn

A limitation of traditional VPNs is that they are point-to-point connections and do not tend to support broadcast domains; therefore, communication, software, and networking, which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported as on a local area network. Variants on VPN such as Virtual Private LAN Service (VPLS) and layer 2 tunneling protocols are designed to overcome this limitation.<ref>Template:Cite web</ref>

Template:Anchor

Template:Portal bar Template:Div col

• VPN service - list of VPN service providers
• Anonymizer
• Dynamic Multipoint Virtual Private Network
• Ethernet VPN
• Internet privacy
• Mediated VPN
• Opportunistic encryption
• Provider-provisioned VPN
• Split tunneling
• Virtual private server
• VPNLab

Template:Div col end

Template:Reflist

• Template:Cite journal

Template:VPN Template:Cryptographic software Template:Internet censorship circumvention technologies