Virtual Private Networks - The Basics

Published: 2007-07-31 13:15:43
Article by Steve Leytus

Virtual Private Networks (VPNs) extend a local area network (LAN) over the Internet to remote networks and remote client machines. A VPN uses the Internet to carry LAN traffic from one location to another by encapsulating the LAN packets inside IP packets whose payload is encrypted. The encrypted payload is unreadable by the intermediary Internet devices that forward it and can carry any kind of network communication - file and printer sharing, e-mail, remote procedure calls, database access and so on.

VPNs can be set up on server computers, firewalls or routers. Clients reach the VPN either through client-side VPN software or by connecting through an ISP that supports the VPN protocol on the customer's behalf.

VPNs solve the problem of accessing private servers over the Internet through a combination of IP encapsulation, cryptographic authentication and data payload encryption.

IP Encapsulation
IP encapsulation is the mechanism that carries traffic for the private LAN across the public Internet. When one IP packet is carried as the payload of another IP packet this is called IP encapsulation: the inner packet is addressed to a host on the private network while the outer packet is addressed to the VPN endpoint, so a private host can be reached even though no direct network connection to it exists. Encapsulation by itself protects nothing - anyone on the path could still read the inner packet or inject one of their own. Combined with encryption and authentication of the inner packet, however, computers outside the VPN can neither snoop on the traffic exchanged between the remote client and the private server nor insert their own data into the communication stream, and the result is the private, protected "tunnel" through the public Internet that people refer to.

Cryptographic Authentication
Cryptographic Authentication securely validates the identity of the remote client (and, with mutual authentication, of the VPN server as well) so that the private LAN can decide what that user is allowed to reach. VPNs use the authentication process to determine whether or not a remote user may participate in the encrypted tunnel at all, and the same handshake establishes the session keys that will subsequently protect the data. Public keys or certificates serve to prove identity and to agree on those keys; the traffic itself is then encrypted with a symmetric session key rather than with a public key.

Data Payload Encryption
Data Payload Encryption uses the session key agreed during authentication to encrypt the payload of the IP encapsulated packet. The outer packet is otherwise ordinary IP - only its payload has been encrypted. The outer header cannot be encrypted, because the routers in between need it to deliver the packet, so an observer on the path always learns the two public endpoint addresses and the size and timing of each packet. Whether the inner header is hidden as well depends on the design. If only the data field of the inner packet is encrypted, as in the walk-through below, the inner header travels in the clear inside the outer payload and details of the private network can be gleaned by analyzing it; if the entire inner packet is encrypted, the private addresses are hidden too.

Advantages and Disadvantages
Compared to dedicated Wide Area Networks (WANs) built on leased lines, VPNs offer some advantages but also present some disadvantages.

Advantages:
- cheaper than WANs
- easier to set up than WANs

Disadvantages:
- slower than WANs
- less reliable than WANs
- less secure than isolated WANs, because the traffic crosses a shared public network and the protection rests entirely on the cryptography and on the correct configuration of the two endpoints

Although there are a number of ways to configure a VPN, here is one scenario that is fairly common -- an employee wishes to work from home and exchange data between their home machine and a private web server on the corporate network. There are two important processes here -- negotiating and building the VPN session, and protecting and handling the data within an existing VPN connection. Here I'll briefly describe the latter and leave the former as a potential topic for a future article.

Suppose we have the following:
(a) a VPN client with a public IP address of and a private IP address of (provided by the corporation's DHCP server).
(b) a VPN server on the corporate network with two interfaces -- a public interface to the Internet that uses and an interface to the private network with an IP of
(c) a web server on the corporate network with an IP address of

Prior to creating a VPN session the client host has one interface and a connection to the Internet through an ISP. The client machine can communicate with any host on the Internet but cannot access the web server on the private network 192.168.0.X. After the VPN session has been created the client host has two interfaces -- the original interface to the Internet and a new VPN interface. The client's default route is changed to point at the new VPN interface, so all packets initially travel through it. The one exception is a host route for the VPN server's public address, which must keep using the original interface; otherwise the encapsulated packets would be fed back into the tunnel and never leave the machine. (In a split-tunnel configuration only traffic for 192.168.0.X is routed into the VPN and everything else goes to the Internet directly, which is convenient but exposes the client to both networks at once.) The VPN interface is not a physical network card -- it doesn't physically connect to anything. It is where packets are encrypted and encapsulated before being sent as the payload of a new, outer packet. It is the outer packet that is sent out over the Internet (using the original interface) to the corporate VPN server.

The inner packet will use the client's private IP of as the source IP address and the web server's private IP of as the destination address. The VPN client encrypts the data field of the inner packet and this inner packet then becomes the payload of an outer packet. The outer packet uses the client's public IP of as the source IP address and the public interface of the VPN server ( as the destination IP. The IP encapsulated packet is then sent to the ISP and out over the Internet.

When the IP encapsulated packet reaches the VPN server at the edge of the private network, the server first checks that the packet really came from an authenticated client and has not been altered or replayed in transit, and only then unwraps the inner packet and decrypts its data field. Since the VPN server also has an interface to the private network it can then forward the inner packet to the destination web server. When data is sent from the web server back to the client the process is reversed -- the VPN server handles the encryption/encapsulation and the VPN client is responsible for decapsulation/decryption. Note that with only the data field encrypted, the inner header, private addresses included, is readable by anyone who captures the outer packet; designs such as IPsec ESP in tunnel mode encrypt the whole inner packet to avoid this.
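To make the walk-through concrete, here is a small Python model of the tunnel. It is an added example, not code from the article or from NutsAboutNets: it builds the inner packet with private addresses, encrypts and authenticates it, wraps it in an outer header that carries only the public addresses, and shows the VPN server rejecting tampered and replayed packets. The addresses are constructed (RFC 5737 documentation ranges for the public side, RFC 1918 for the private side) because the article's own values are not on the page; the cipher is HMAC-SHA256 run in counter mode as a stand-in for a real suite such as IPsec ESP and is not fit for production; and the session keys are simply generated, since key negotiation is out of scope here. Unlike the description above, which encrypts only the data field of the inner packet, this version encrypts the entire inner packet, so the private addresses are not visible to an observer.

```python
# Toy IP-in-IP tunnel (added illustration). The HMAC-based stream cipher is
# NOT a production cipher; it stands in for a real suite such as IPsec ESP.
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed addresses (assumptions): RFC 5737 ranges for the public side,
# RFC 1918 for the private side. The article's own values are not on the page.
CLIENT_PUBLIC = "203.0.113.10"
CLIENT_PRIVATE = "192.168.0.50"
VPN_SERVER_PUBLIC = "198.51.100.1"
WEB_SERVER = "192.168.0.20"

IPPROTO_TCP = 6
IPPROTO_ESP = 50  # IPsec ESP's protocol number; here it only marks tunnel data
HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
SEQ_LEN, NONCE_LEN, TAG_LEN = 4, 8, 32

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header. Checksum left at zero; a real stack fills it in."""
    return HDR.pack(0x45, 0, HDR.size + payload_len, 0, 0, 64, proto, 0,
                    ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload): what any router on the path can read.
    For a tunnel packet that is the outer header and an opaque payload."""
    if len(pkt) < HDR.size or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _, _, total_len, _, _, _, proto, _, src, dst = HDR.unpack_from(pkt)
    if total_len != len(pkt):
        raise ValueError("length field does not match packet")
    return (str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)), proto, pkt[HDR.size:])

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy stream cipher for the example."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class TunnelEndpoint:
    """One end of the tunnel: the session keys from the authentication phase,
    an outbound sequence counter and the last accepted inbound sequence
    number, which gives a simple anti-replay check."""

    def __init__(self, enc_key, mac_key, local_public, peer_public):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.local_public, self.peer_public = local_public, peer_public
        self.seq_out = 0
        self.seq_in = 0

    def encapsulate(self, inner_packet):
        """Encrypt the whole inner packet (header included), authenticate
        seq||nonce||ciphertext, then prepend an outer header carrying only
        the two public addresses."""
        self.seq_out += 1
        nonce = os.urandom(NONCE_LEN)
        ct = xor(inner_packet, keystream(self.enc_key, nonce, len(inner_packet)))
        body = struct.pack("!I", self.seq_out) + nonce + ct
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return ipv4_header(self.local_public, self.peer_public, IPPROTO_ESP,
                           len(body) + TAG_LEN) + body + tag

    def decapsulate(self, outer_packet):
        """Verify before decrypting: a bad tag, a replayed sequence number or
        an unexpected peer means the packet is dropped, never forwarded."""
        src, dst, proto, payload = parse_ipv4(outer_packet)
        if (src, dst, proto) != (self.peer_public, self.local_public, IPPROTO_ESP):
            raise ValueError("not tunnel traffic from our peer")
        if len(payload) < SEQ_LEN + NONCE_LEN + HDR.size + TAG_LEN:
            raise ValueError("truncated tunnel packet")
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed")
        (seq,) = struct.unpack_from("!I", body)
        if seq <= self.seq_in:
            raise ValueError("replayed or reordered packet")
        self.seq_in = seq
        nonce, ct = body[SEQ_LEN:SEQ_LEN + NONCE_LEN], body[SEQ_LEN + NONCE_LEN:]
        inner = xor(ct, keystream(self.enc_key, nonce, len(ct)))
        parse_ipv4(inner)  # the decrypted payload must itself be a sane packet
        return inner

def make_pair():
    """Client and server sharing session keys. Key exchange is out of scope
    here, so the keys are simply generated (an assumption of the example)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    return (TunnelEndpoint(enc_key, mac_key, CLIENT_PUBLIC, VPN_SERVER_PUBLIC),
            TunnelEndpoint(enc_key, mac_key, VPN_SERVER_PUBLIC, CLIENT_PUBLIC))

def client_request():
    """Inner packet: private source and destination. The TCP segment is
    abbreviated to the HTTP bytes to keep the example short."""
    http = b"GET / HTTP/1.0\r\nHost: intranet\r\n\r\n"
    return ipv4_header(CLIENT_PRIVATE, WEB_SERVER, IPPROTO_TCP, len(http)) + http
```

Feeding the result of client.encapsulate to parse_ipv4 shows exactly what a router in between sees: the two public addresses, protocol 50 and a length. Only server.decapsulate, which holds the keys, recovers the inner packet with its private source and destination, and it refuses to do so for a packet whose tag does not verify or whose sequence number has already been accepted.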

Steve Leytus is a senior software engineer and develops applications for NutsAboutNets.com. For more information about low cost, PC-based diagnostic tools for installing, optimizing and trouble-shooting 802.11 (Wi-Fi) wireless networks please visit http://www.NutsAboutNets.com
