So what is a VPN? Maybe you’ve heard some of your tech-savvy friends or co-workers talk about a VPN. Perhaps you even use one and want to know a little bit about what a VPN is and how it works. (If you already know the basics and would like to know more about the algorithms and cryptography underlying VPNs, check out the links below.)
VPN is short for Virtual Private Network. Let’s unpack each of those terms, starting with the last word first. (Each of the following sections gives a very basic overview of one term, followed by a more in-depth explanation.)
Network (The “N” in VPN)
A network, in the context of computing, is a collection of devices which all share a membership in the same group. For example, all computers and related equipment in an office might comprise a network.
In the example of a company, different departments might exist within this one company, and each of these could be considered a subnetwork (in computer networking, this term is usually shortened to “subnet”). If the employees of this company needed to interact with employees from another company, they might link their networks, forming an inter-network. Inter-network can be shortened to “internet”, which, when capitalized, refers to the Internet most of us are familiar with. The Internet is an inter-network of thousands of distinct, connected computer networks and subnetworks.
Private (The “P” in VPN)
When we refer to a network being Private, we are often referring to a local segment of a network, sometimes called a Local Area Network (LAN). A network is usually kept private by setting it up behind a device called a firewall, which helps to protect the LAN from the public Internet.
To understand what a private network is, it might help to think of the difference between sending a report to a colleague at your office versus sending a report to a colleague in a remote office in another city. If you need to send a report to your work colleague in the same office, you might just address it to that person by name, and maybe by department. Anyone in your office would probably know how to get that report to “Julie in Accounting”, for example. But if you wanted to mail that report to “Eartha in Accounting” at your remote office, you’d need a different addressing scheme if you wanted someone to successfully deliver your report.
Similarly, computers that are part of a network will have an address. Addresses for devices on a network (called “IP addresses”) are made up of a series of digits that looks a bit like a phone number, except in the format “nnn.nnn.nnn.nnn”. So, for example, a well-known Google IP address is “18.104.22.168”. This address is a public address, the computer equivalent of a mailing address. So if you wanted to send a packet (in our post office metaphor, think of a packet as an envelope) to that address, any device that is properly connected to the Internet should know how to get it there.
There are certain IP address ranges, though, that are set aside and never used as a part of the public Internet. These are reserved, instead, for private use. If you’ve ever set up a home router, you’ve probably seen an example of this sort of private address (something like “192.168.0.1” or “192.168.1.1”). In the example above, “Julie in Accounting” would be the equivalent of a private address.
Virtual (The “V” in VPN)
Often a private network is physically self-contained. All devices that are part of the same network might be in the same geographical area (maybe a computer closet, a cabinet in a data center, or even an entire building, for example). It is possible, though, to create a private network between devices in separate areas, such as different rooms in a building, different buildings in a city, or even different locations around the globe. This is where the “virtual” part comes into play, via a process called “encapsulation”. Data on a virtual private network can be sent to another private destination by disguising it as ordinary public traffic. (This encapsulation process also often involves encryption to further protect the data.) You might also hear a VPN referred to as a “tunnel”. In a sense, private messages are being sent across a public network as though they were traversing a private tunnel within that public network.
Imagine that you work in a building whose security department is in the basement. You have just been transferred to security, and on your tour of the department, they show you that there is a tunnel leading to another section of the security department that is located in the basement of a nearby but separate building. This tunnel acts to link these two separate buildings so, from the point of view of someone who works in this security department, the whole security section is one unit (a “network”). And since only authorized security personnel are allowed in this department, it can be considered a private tunnel. This example, though, features a physical tunnel. How do you make that virtual?
Creating a “virtual” tunnel involves a form of encapsulation. In most cases, this means that private traffic, before leaving one portion of a private network, is encapsulated to look like ordinary traffic on the publicly accessible Internet. When it reaches the destination specified in its encapsulation data, it sheds that encapsulation and resumes its travel to its final destination on this separate portion of the private network. In our example with the security department, imagine that we open a new security office across town. It wouldn’t be practical to build a physical tunnel all the way across town, but we could use a delivery service to send private messages there, much as inter-office mail between geographically separate remote offices works. So, for example, we would place a report in an envelope addressed to “Burgess in Remote Security Services”, and then we could place that envelope in a larger package (encapsulating it) addressed to our remote security office with its full mailing address. We send the package via a courier to the remote office, and once it gets there, Frank the mail clerk opens the package (de-encapsulation), and he can then deliver the envelope to “Burgess in Remote Security Services” (private address). It could be said that we have “tunneled” this message through the courier service.
Also, since our department is concerned with security, we’d want to be sure that our message to Burgess isn’t tampered with or peeked at while it’s in transit. We might place a lock (which only we and our colleagues at the remote office could unlock) on the package before handing it over to the courier. The “lock” for traffic on a VPN would be an encryption algorithm. In VPN terminology, the device that handles the encapsulation and any encryption is called a “VPN gateway” or “VPN peer”. Not every VPN uses encryption, but it is prevalent whenever it’s important to keep data secure or private.
Putting It Together
Broadly speaking, a VPN keeps data traffic “within” a private network while it is sent over a public network. It is addressed so that it can be delivered over the Internet (encapsulation) and gets locked so no one can peek at the contents while it’s in transit (encryption).
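As an added example (not from the original article), the following Python sketch models the envelope-in-a-package idea end to end: an inner packet carrying private addresses is locked (encrypted) and sealed (tagged), wrapped in an outer packet addressed between the two gateways, and the receiving gateway checks the outer address and the seal before unwrapping it. The addresses, key and payload are constructed sample values, and the HMAC-SHA256 “lock” stands in for the standardized ciphers a real VPN would use.

```python
import hashlib, hmac, ipaddress, os, struct

# Pre-shared key known only to the two VPN gateways (constructed sample value).
GATEWAY_KEY = b"constructed-demo-key-not-for-real-use"

def build_packet(src, dst, payload):
    """Simplified packet: 4-byte source, 4-byte destination, 2-byte length, payload."""
    header = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return header + struct.pack("!H", len(payload)) + payload

def parse_packet(raw):
    src = str(ipaddress.IPv4Address(raw[0:4]))
    dst = str(ipaddress.IPv4Address(raw[4:8]))
    (length,) = struct.unpack("!H", raw[8:10])
    return src, dst, raw[10:10 + length]

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode stands in for the cipher a real VPN would use.
    blocks = [hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encapsulate(inner, gateway_src, gateway_dst, key):
    """Lock the envelope (encrypt), seal it (tag) and put it in a publicly addressed package."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(inner, keystream(key, nonce, len(inner))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return build_packet(gateway_src, gateway_dst, nonce + ct + tag)

def decapsulate(outer, my_public_ip, key):
    """Receiving gateway: check the outer address and the seal, then unwrap the inner packet."""
    _, dst, body = parse_packet(outer)
    if dst != my_public_ip:
        raise ValueError("package not addressed to this gateway")
    nonce, ct, tag = body[:16], body[16:-32], body[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("seal broken: package was tampered with in transit")
    inner = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return parse_packet(inner)

def tunnel_roundtrip(payload=b"quarterly report"):
    """Send a private-to-private packet through the tunnel; returns (outer addresses, delivered inner)."""
    # Inner addresses come from a private range; the outer ones are constructed placeholders for public addresses.
    inner = build_packet("10.1.0.5", "10.2.0.9", payload)
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20", GATEWAY_KEY)
    outer_src, outer_dst, _ = parse_packet(outer)
    return (outer_src, outer_dst), decapsulate(outer, "198.51.100.20", GATEWAY_KEY)
if __name__ == "__main__":
    print(tunnel_roundtrip())
```

A courier who only sees the outer packet learns the two gateway addresses and nothing about the inner ones or the report, and any change to the package in transit is rejected at the receiving gateway.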
Why Use a VPN?
The example above demonstrates one way VPNs are employed to maintain private communication over a public network. VPNs can also be used to offer a degree of privacy on a public network.
Ordinarily, your Internet Service Provider (ISP) assigns your connection a public address so that the sites and services you request online know how to send information back to you. This public address can be used to provide an approximate location for your Internet connection. It is also possible that anyone with the appropriate means can see the websites you are going to, as well as the content you are requesting (especially when you visit a website whose URL begins with “http:” and whose contents are sent unencrypted).
So another use of a VPN is to offer a degree of privacy from snooping. In this case, rather than having both ends of a tunnel linking two ends of a private network, it’s possible to have one end act as a public access point to the Internet. In this way, someone who directly connects to the Internet in Chicago can appear to be accessing it from New York, for example.
VPN encryption techniques involve some pretty complicated mathematics, but if you’d like to read a little more about these techniques, and don’t have the time to earn an advanced mathematics degree, check out these articles:
Part 1: Symmetrical Encryption Algorithms
Part 2: Public Key Cryptography
Part 3: Shared Key Exchange