tags : Networking, Security
Basics
From what I’ve read on the internet it seems like, it is hard to categorize VPN into different groups because it depends combination of topology, protocol, routing technique used etc and all of these can be mixed and matched. So it’s more like okay these are the things you have create the network you want out of it.
Protocols
There are a handful of protocols that can be used to create a VPN. Following are some common names. These can be mixed and matched with how you want the network to work like, eg. with any of these protocols you can decide whether to have full tunneling or split tunneling, this routing decision is not part of the protocol.
- PPTP: fast, lowest security, old outdated
- L2TP/IPsec: not fast as PPTP, better security but still bad, outdated
- IKEv2: faster than L2TP, more secure than L2TP, can be used with IPSec for encryption
- OpenVPN: low speed, secure than IKev2, supports forward secrecy
- SoftEther: lower speed than OpenVPN, secure than OpenVPN
- WireGuard
- IPsec: Internet Protocol Security (IPsec) was initially developed by the Internet Engineering Task Force (IETF) for IPv6
- Others. See wikipedia or something.
Routing
Tunnels
These are not functions of the protocol or the VPN software, more of a routing concern.
- Full tunnel: Route everything this machine does through the VPN. If you really want full tunnel, make sure to have some VPN failsafe mechanism, eg. If the VPN breaks down, because the connection is interrupted, traffic will be not send without the VPN.
- Split tunnel: Set of specific destinations will be routed through the VPN. You might want anything internet based goes out over their normal connection, can help in reducing VPN usage
Layer
- If we really consider VPN by its literal meaning than it can be L2 and L3. L2 because we can use VLANs which also will create a VPN in itself. But the more popular is usually L3 VLAN.
- Multi-protocol label switching (MPLS) functionality blurs the L2-L3 identity. Eg. Jio provides MPLS. MPLS is simply a protocol for tagging and label switching packets.
Network Protocol
- Wireguard operates on UDP
- VPN encapsulates other traffic. That means that applications which would normally require the delivery security of TCP will still be using TCP inside the tunnel. Applications which would normally use UDP will still use UDP inside the tunnel. (This is actually why VPN software typically operates over UDP).
- What happens on a dropped packet? As such the consequences of a dropped packet are exactly what they would be outside a VPN. In the case of TCP traffic (such as web traffic) , the packet will be requested for redelivery inside the tunnel. In the case of UDP traffic (VOIP, Video Streaming), youll probably not even notice it, due to the way video/sound is uncompressed, but maybe drop in quality.
- Worst case
control packets
for the VPN connection itself might be missed, in which case you might see your VPN connection drop. - For this minor inconsistency, though, you see a massive decrease in overhead, which leads to better speeds over the VPN.
- Why TCP Over TCP Is A Bad Idea
- Also see Wireguard over TLS
Anonymity
The most important thing to understand is that VPN is a security tool. It’s not an privacy/anonymity tool. It will not provide you anonymity. It does not make your Internet “private”. You can still be tracked through tracking cookies and device fingerprinting, traffic fingerprinting, CSS can be used to track you etc. Basically don’t use a VPN thinking it’ll provide you anonymity.
You turn on VPN meanwhile your OS, Adobe CC, Office, etc is busy phoning home with all kinds of fingerprintable if not personally identifiable data. Even Firefox phones home with tons of data at launch and exit with telemetry off. Things like simplewall (Windows) and Little Snitch (Mac) can help but again things will LEAK.
X-Forwarded-for
Your source IP address may not be hidden from the destination webserver depending of how the X-Forwarded-For
header is set. Eg. Cloudflare Warp is a free VPN for people who don’t want their ISP to see what kind of traffic is going in and out. It doesn’t hide your IP from the sites that you’re visiting, they are forwarded.
Torrenting
In Germany. Just a few seconds of uploading a somewhat popular movie or porn without a VPN will get you a C&D + fees letter. It’s mostly a scare letter and a small fee, you could possibly get away with.
Resources
- VPN Advice (November 2021 Edition) - IvyMike.dev
- Template:VPN - Wikipedia
- Mullvad on Tailscale: Privately browse the web · Tailscale
- Virtual private network - Wikipedia
- Long reads
- On the Security and Privacy Properties of Public WiFi
- An overview of browser privacy features
- How to hide your IP address : Thing to keep in mind while reading this is that online profiling is generally way more detailed than an IP.
- What you downloaded : This is not accurate though but it tells you how you can be tracked on the internet. It just scrapes public trackers. If you don’t use public trackers, you wont show up. But you get the point.