Really, you don’t. Actually, the entire concept of a “VPN” that most people know of isn’t even close to the actual definition. I refuse to call this one a rant, but know that this is me adding some facts.
A Virtual Private Network (VPN) is, put simply, a method of allowing a computer to appear as if it is connected to the receiving network directly. Where the actual traffic might cross multiple points of the internet, the end result is that the computer with the VPN active is now part of the network it’s VPN’d into.
For example, my network has a defined boundary: many things are visible internally, but only a very small subset of them have I chosen to expose to the internet. If I was out somewhere (a coffee shop, a friend’s house, visiting family), I would have no way of accessing those internal services, since I’m not on the network; I’m outside of it. If I enabled VPN services, then by connecting to them and presenting the right credentials to prove that it’s me, for all intents and purposes my computer is now on-network, and I’m capable of accessing everything as if I were at my bedroom desk again.
VPNs can also be used in what’s called site-to-site mode, say, for multiple branch locations of a business to be connected to the internal corporate network. Each one has a VPN connecting it to, say, the HQ. In this mode, an entire network is being connected to another network.
This is it. That’s all a VPN does.
VPNs usually (but do not have to) employ some form of encryption, to keep private network traffic… private. This can come in many forms, just like VPNs can come in many forms. VPN is not the name of a specific technology, but of a category of technologies all designed to provide the same results.
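To make “part of the network it’s VPN’d into” concrete, here is an added example (my own illustration, not code from the original post) of the one thing every VPN does: it takes a whole packet addressed to the private network and carries it as the payload of another packet addressed between the two tunnel endpoints. The far end unwraps it and routes the inner packet as if it had come from a local machine. I use plain IP-in-IP (protocol 4) because it is the simplest encapsulation to show in a few lines; real VPNs wrap the inner packet in IPsec ESP, WireGuard or TLS records instead, which is where the optional encryption mentioned above comes in. All addresses are constructed sample values.

```python
"""IPv4 header encode/decode and IP-in-IP encapsulation.

Added illustration (not from the original post): shows what a tunnel actually
does to a packet, plus the split-tunnel vs full-tunnel routing decision.
All addresses are made-up sample values from the documentation ranges.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4   # "IP in IP" (RFC 2003); real VPNs use ESP, UDP, TLS, ...


def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header; a header whose checksum does not verify is rejected."""
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a whole inner packet as the payload of an outer packet that is
    addressed between the two tunnel endpoints (VPN client and VPN server)."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """What the far endpoint does: strip the outer header, hand the inner packet to routing."""
    parsed = parse_ipv4(outer)
    if parsed["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return parsed["payload"]


def needs_tunnel(dst: str, tunneled_networks) -> bool:
    """Client-side routing decision. With only the remote LAN listed this is a
    split tunnel; with "0.0.0.0/0" listed, everything goes through the tunnel."""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in ipaddress.IPv4Network(net) for net in tunneled_networks)


def demo():
    # Constructed: laptop at a coffee shop, a server on the home LAN, and the
    # home router's public address, which is where the VPN endpoint lives.
    laptop_tunnel_ip, home_server = "10.8.0.2", "192.168.1.20"
    coffee_shop_ip, home_public_ip = "203.0.113.7", "198.51.100.9"
    inner = build_ipv4(laptop_tunnel_ip, home_server, 6, b"GET / HTTP/1.0\r\n\r\n")
    outer = encapsulate(inner, coffee_shop_ip, home_public_ip)
    seen_on_path = parse_ipv4(outer)                # what the coffee shop's router sees
    recovered = parse_ipv4(decapsulate(outer))      # what the home router delivers
    return seen_on_path, recovered


if __name__ == "__main__":
    on_path, recovered = demo()
    print("on-path sees:", on_path["src"], "->", on_path["dst"], "proto", on_path["proto"])
    print("home LAN gets:", recovered["src"], "->", recovered["dst"], recovered["payload"])
```

The two `parse_ipv4` results are the whole story: the coffee shop sees one address pair (laptop to home router) for every packet, while the home LAN sees traffic from a tunnel address to an internal server. Site-to-site is the same code with a router at each end instead of a laptop, and `needs_tunnel(dst, ["0.0.0.0/0"])` is the “tunnel everything” setting the commercial services ship with.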
Types of VPNs
- IPsec (Internet Protocol Security) can be used for VPN services, by encapsulating a standard IP packet inside the IPsec packet, where both IPsec endpoints essentially become routers. A common pairing is with the Layer 2 Tunneling Protocol (L2TP), which doesn’t provide any security (that’s IPsec’s job), but provides the tunneling framework that connections like this require.
- Standard SSL/TLS. Literally the same technology behind just about every webpage you visit, and also the most common type of VPN by far. There’s nothing special about this at all: it’s a standard TLS session, with the same strengths and the same vulnerabilities.
- SSH (which I’ll get to in another post), despite being named Secure SHell, can do so much more, including port forwarding, passing graphical desktop sessions, and, yes, a shell. The OpenSSH implementation does allow for someone to pass their network traffic through an active SSH connection, essentially creating an ad-hoc VPN.
- WireGuard (again, more later) is the name of a specific protocol. It is supported by both Linux and Android at the OS level, and has clients for other OSes like Mac and Windows.
What a VPN Is NOT
A VPN is not a magical tool that will bounce your traffic to some other country. That, my friends, is a secure proxy server. The services being offered everywhere, especially on YouTube by companies like NordVPN (and… any VPN really), are just fancy proxies. Take your traffic, ask some other computer to request it, then give you the response. The result? Everything traces back to that computer instead. That is the definition of a proxy. Not a VPN. The VPN part of this comes in the fact that by activating a VPN on whatever device you choose, it will configure itself to tunnel everything that you do. This tunnel’s endpoint, the network that you’ve joined, is one with a proxy in another country.
Why You Don’t Need One
The majority of our internet traffic is encrypted. Web surfing (HTTPS), email (IMAPS and SMTPS), just about everything is, in some way, passing through a security layer, and in 99% of cases, this is called TLS. While I’m not going to get into Transport Layer Security here, all you need to know for this is that TLS doesn’t care what you’re passing through it, but that it’s a widely used and tested method for establishing an encrypted link between two computers for a single connection session. Remember that the most common type of VPN is an SSL/TLS VPN… literally the same methods that are already in use. The best they’re doing is masking the connection setup and the actual address that you’re connecting to.
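Since “masking the connection setup” is the one thing a VPN adds on top of TLS, it’s worth seeing exactly what that setup gives away. Here is an added example (my own illustration, not code from the original post) that parses the very first TLS record a client sends, the ClientHello, which goes over the wire in plaintext. The builder exists only so the parser has something to run on offline; the hostname and cipher suites are constructed sample values. Everything the parser returns is what anyone on the path (the coffee shop, your ISP) can read without a key: the destination hostname (SNI), the TLS version and the cipher suites offered. The page content itself is not in there.

```python
"""Parse the plaintext metadata in a TLS ClientHello (version, cipher suites, SNI).

Added illustration (not from the original post): the builder only produces
offline input for the parser; the hostname is a constructed sample value.
"""
import os
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str, cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Minimal ClientHello record with an SNI extension (TLS 1.2 framing)."""
    name = hostname.encode("ascii")
    name_entry = struct.pack("!BH", 0, len(name)) + name            # type 0 = host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry       # ServerNameList
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303) + os.urandom(32)              # version, client random
            + b"\x00"                                               # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(ext: bytes):
    """ServerNameList: 2-byte length, then entries of type(1) + len(2) + name."""
    list_len = struct.unpack("!H", ext[:2])[0]
    pos = 2
    while pos + 3 <= 2 + list_len:
        ntype, nlen = struct.unpack("!BH", ext[pos:pos + 3])
        pos += 3
        if ntype == 0:
            return ext[pos:pos + nlen].decode("ascii")
        pos += nlen
    return None


def parse_client_hello(record: bytes) -> dict:
    """Return what an on-path observer can read without any key."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # skip the client random
    pos += 1 + body[pos]                            # skip the session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                            # skip compression methods
    sni = None
    if pos + 2 <= len(body):                        # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                sni = parse_sni(body[pos:pos + elen])
            pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("mail.example.com")))
```

This is the same field that firewalls and network monitoring tools key on to name the site behind an encrypted connection, so it is a good way to check for yourself what “metadata” means in practice. Encrypted Client Hello is the TLS extension designed to close this gap without a VPN, but it is not yet universal, so for now the SNI and the destination IP are the two things a tunnel actually hides from the local network.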
For those nerds in the crowd, I assume at least one person is going to mention how DNS is unencrypted. And ISPs have been caught in the past snooping on, and then forging, DNS responses to known queries. This is why DNSSEC and DNS-over-HTTPS exist. The former prevents forgeries by cryptographically signing each result, so that if anything has been tampered with relative to the real value, you’ll know; the latter is a way of using a normal secured web connection to send and receive DNS results so they can’t be spied upon. Neither is mainstream yet, though, and this is the one area where a “VPN” offers any form of improvement.
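To show how those two pieces fit together, here is an added example (my own illustration, not code from the original post) that builds a DNS query in wire format, wraps it the way DNS-over-HTTPS does (RFC 8484: the message goes base64url-encoded, without padding, in a `dns=` query parameter of an HTTPS GET), and then parses a response to read the AD (“authenticated data”) flag, which a DNSSEC-validating resolver sets when the signatures check out. The resolver URL is a hypothetical placeholder and the response bytes are constructed here rather than captured, so it runs offline; actually sending the GET over HTTPS is left out.

```python
"""DNS wire format, the DNS-over-HTTPS GET form, and the DNSSEC AD flag.

Added illustration (not from the original post). The resolver URL is a
placeholder and the sample response is constructed, not captured.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_AD = 0x0020   # "authenticated data", set by a validating resolver


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txn_id: int = 0, qtype: int = QTYPE_A) -> bytes:
    """Standard query with RD set. RFC 8484 recommends transaction id 0 so
    that identical queries produce identical, cacheable messages."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """DoH GET form: base64url without '=' padding in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def decode_name(msg: bytes, pos: int):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, jumped, end = [], False, pos
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = pos + 1
            return ".".join(labels), end
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return the header bits that matter for trust plus any A records."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                                # skip the echoed question
        _, pos = decode_name(msg, pos)
        pos += 4
    answers = []
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txn_id, "rcode": flags & 0xF,
            "authenticated": bool(flags & FLAG_AD), "answers": answers}


def build_sample_response(query: bytes, ip: str, ad: bool) -> bytes:
    """Constructed reply to `query` with one A record; the answer name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txn_id = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_AD if ad else 0)            # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dns.example.net/dns-query", q))   # hypothetical resolver
    print(parse_response(build_sample_response(q, "93.184.216.34", ad=True)))
```

The point of putting both in one example: the AD bit is just one bit in a response, so if that response arrives over plain UDP from your ISP’s resolver, the same party that can forge the answer can set the bit. It only means something when you either validate the signatures yourself or talk to a resolver you trust over a channel (DoH, or DNS-over-TLS) that the on-path party cannot rewrite. That combination is what a “VPN” is standing in for in this one case.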
But why don’t you need one? Nobody cares about your traffic. The everyday script kiddie definitely can’t break TLS, and also definitely has not properly set up everything so that they can sit in the middle and watch your traffic, unencrypted. The people that can are more of the government agency types, say you get placed on a watchlist somewhere and they’re checking your every move… in which case, a VPN is just not going to help. In the end, as they’re presented, they either do nothing or not enough.
The One Reason Why You Should
Since VPN is now synonymous with a cross-country proxy, it’s possible for region-locked content to be accessed by changing the effective location of your network traffic. Besides this though, I can’t see a reason why anyone would need a VPN.