VPN
A VPN (Virtual Private Network) is a secure, encrypted connection between a user and a private network over the public internet. It allows users to access network resources as if they were directly connected to a private network, while hiding their traffic from eavesdroppers.
Why Use a VPN
From a system design perspective, VPNs are used to:
- Secure data transmission over untrusted networks (like public Wi-Fi)
- Enable remote access to private corporate networks
- Protect sensitive services (e.g., internal APIs, databases)
- Mask IP addresses and protect user privacy
- Segment networks for better access control
How VPNs Work
| Component | Role |
|---|---|
| Client Device | The user's laptop/phone that connects to the VPN |
| VPN Server | The endpoint that authenticates, encrypts, and forwards traffic |
| Tunneling Protocol | Defines how data is encapsulated (e.g., OpenVPN, IPSec, WireGuard) |
| Encryption | Protects data inside the tunnel (e.g., AES-256) |
VPN Workflow
- VPN Client initiates a connection to the VPN Server.
- Authentication is performed (using username/password or digital certificates).
- A secure tunnel is established (using SSL/TLS or IPSec).
- All traffic from the client is encrypted and routed through the VPN server.
- The VPN server forwards the traffic to its destination (e.g., internal app, internet).
- Responses are encrypted back through the tunnel to the client.
VPN Types
| Type | Description |
|---|---|
| Remote Access VPN | Connects individual users to a private network from anywhere |
| Site-to-Site VPN | Connects entire networks (e.g., branch offices) across the internet |
| SSL VPN | Uses SSL/TLS, often through a browser |
| Split Tunneling | Some traffic goes through VPN; rest goes directly to the internet |
VPN Tunneling Protocols
| Protocol | Encryption | Use Case |
|---|---|---|
| OpenVPN | SSL/TLS | Very secure, widely used |
| IPSec | AES | Used in site-to-site VPNs |
| WireGuard | ChaCha20 | Modern, lightweight, fast |
| L2TP | None on its own (relies on IPSec) | Older; not secure unless paired with IPSec |
Example of VPN
Scenario: A company has internal tools (like admin.internal-corp.com) that should only be accessed by employees.
Problem: Remote employees need secure access to internal systems.
```
+--------------------+       Encrypted VPN Tunnel        +-----------------------+
|  Remote Employee   | <-------------------------------> |      VPN Server       |
|    (VPN Client)    |                                   | (Inside Corp Network) |
+--------------------+                                   +-----------+-----------+
                                                                     |
                                                                     v
                                                      +----------------------------+
                                                      | Internal Web App (Admin)   |
                                                      +----------------------------+
```
Steps
- Employee opens VPN client → connects to VPN server.
- VPN server authenticates the user using username + certificate.
- A secure tunnel is created.
- The employee accesses admin.internal-corp.com via internal IP.
- External users cannot access the internal service, even if they know the domain.
VPN Authentication Methods
| Method | Description |
|---|---|
| Username + Password | Basic auth, usually combined with MFA |
| Certificates | Client certificates issued by a CA |
| Token-based | Integrated with SSO providers like Okta, Azure |
| MFA (TOTP/SMS) | Adds a second factor on top of a password or certificate |
Network Security and VPN Integration
A VPN usually works alongside other system components:
- Firewall: Only allow traffic from VPN IPs to sensitive systems
- Access Control: Users get access based on roles after VPN login
- Monitoring/Logging: Track who accessed what and when
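As an added illustration of the split-tunneling type, the example scenario and the firewall/access-control/logging layers above (example code written for this page, not from the original), the snippet below models two gateway decisions: whether a destination is routed through the tunnel, and whether a request to an internal service is allowed only when it arrives from the VPN address pool and the user's role permits that service, with every decision logged. The VPN pool 10.8.0.0/24, the internal networks, the roles and the service names are assumed values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values: addresses the VPN server hands out to connected clients.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed values: address ranges that live inside the corporate network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Assumed role-based policy applied after a successful VPN login.
ROLE_SERVICES = {
    "admin": {"admin.internal-corp.com", "db.internal-corp.com"},
    "employee": {"wiki.internal-corp.com"},
}


@dataclass
class AccessLog:
    """Audit trail answering 'who accessed what and when' (timestamp omitted for brevity)."""
    entries: list = field(default_factory=list)


def route_via_vpn(dst_ip: str, split_tunnel: bool = True) -> bool:
    """Split tunneling sends only internal destinations through the tunnel;
    a full tunnel sends everything through it."""
    if not split_tunnel:
        return True
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_access(src_ip: str, user: str, role: str, service: str, log: AccessLog) -> bool:
    """Firewall + access-control decision for an internal service.
    Allowed only if the source is inside the VPN pool AND the role permits the service."""
    addr = ipaddress.ip_address(src_ip)
    if addr not in VPN_POOL:
        decision, reason = False, "source not in VPN pool"
    elif service not in ROLE_SERVICES.get(role, set()):
        decision, reason = False, "role not permitted for service"
    else:
        decision, reason = True, "ok"
    log.entries.append(
        f"user={user} role={role} src={src_ip} service={service} allow={decision} reason={reason}"
    )
    return decision
```

An external user who knows the hostname is refused before the role check runs, because the source address is outside the VPN pool; the log entry records which rule denied the request.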