Virtual Private Networks (VPNs) may have a somewhat seedy reputation, but there are plenty of legitimate reasons to consider using one. And besides, no one needs an excuse to keep their internet browsing history secret. We all have a right to privacy online. But how does a VPN protect you anyway? And how specifically does a VPN work? It’s not magic, it’s cryptography. Let’s go over the basics of how a VPN works before diving deeper.
How it Works
A VPN protects your privacy by creating a secure “tunnel” across the Internet between you and your Internet destination. This tunnel is created by first authenticating your client (a PC, tablet, or smartphone) with a VPN server. The server, which you can run yourself with programs such as OpenVPN, then uses one of several encryption protocols to make sure that everything sent between you and websites and Internet services can’t be monitored. It does this by creating an encrypted tunnel, which is like putting a package into a box and then sending it to someone. Nobody can see what’s inside the box until it’s opened/decrypted.
These VPN protocols run as a lightweight server program. VPN providers run multiple VPN servers on virtual machines (VMs) or containers. This enables them to serve tens of thousands of clients from their data centers without spending a fortune on servers. You normally can’t choose which protocol to use within the VPN software itself, but you can certainly choose a VPN that offers one of the more secure protocols.
The main VPN protocols are:
- Point-to-Point Tunneling Protocol (PPTP): While popular, I can’t recommend this Microsoft-created protocol. It’s fast, but that’s because it has no built-in security to speak of. Typically, PPTP is paired with the Microsoft Point-to-Point Encryption (MPPE) protocol to create a “secure” VPN. I say “secure,” because most PPTP/MPPE implementations have been crackable since 2012. It may be easy to deploy and fast, but without real security neither of its virtues makes it worth using.
- Layer 2 Tunneling Protocol (L2TP): Microsoft, working in concert with Cisco, did better the second time around. L2TP itself has no security. It simply creates a virtual tunnel which prevents trivial hacking on public Wi-Fi and the like, but it’s mindlessly simple to pop open if someone really wants to see what you’re up to. That’s good, but not good enough. Typically it’s combined with IPsec to make a relatively secure connection.
- Internet Protocol Security (IPsec): This Internet Engineering Task Force (IETF) standard encrypts network traffic at a low level. IPsec is used by many vendors, such as Cisco, Juniper, and Microsoft, and by open-source projects, like Openswan, as the foundation for VPNs. It’s secure and works well enough.
- Secure Socket Layer VPN (SSL VPN) aka Secure Socket Tunneling Protocol (SSTP): This method uses the same protocols that websites use to secure themselves, SSL and its successor Transport Layer Security (TLS). This is also an acceptable solution.
- Secure Shell (SSH): SSH, as all the sysadmins out there know, is typically used to secure remote terminal sessions. You can use it as a VPN when you combine it with a SOCKS proxy. It’s difficult to do though. For example, you must configure every application you use (web browser, email client, Skype, etc.) to use your SOCKS proxy. Once set up, it works well.
- OpenVPN: This popular open-source encryption program combines an SSL VPN for session authentication and IPSec Encapsulating Security Payload (ESP) over User Datagram Protocol (UDP) for a secure data transfer.
- Chameleon: This is a proprietary add-on to the open-source OpenVPN program. It’s available as part of Golden Frog’s VyprVPN. The company claims that by scrambling OpenVPN packet metadata, your communications can’t be recognized by deep packet inspection (DPI). This should make it harder for Internet-censoring countries, such as China, to block its traffic. Chameleon relies on OpenVPN’s 256-bit IPsec ESP protocol for its underlying data encryption.
One question you might have is, “Can’t your ISP tell what you’re up to even if you are using a VPN?” The answer is not really. Your ISP can tell that you’re using a VPN, but they can’t see where you’re going or what you’re doing within it since all your traffic is encrypted.
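To make the “box inside a box” picture and the ISP question concrete, here is a small Python model of tunnel encapsulation. It is an added example, not code from the article or from any VPN product: the client wraps an inner packet (real destination plus data) in an authenticated, encrypted payload and addresses the outer packet to the VPN server; an on-path observer only ever sees the outer header and a length. The cipher is a deliberately simple demonstration construction (an HMAC-SHA256 keystream plus an HMAC tag, stdlib only), not a real VPN protocol, and the IP addresses are constructed documentation-range values. It also shows the check every real tunnel performs: a packet whose ciphertext was altered in transit fails authentication and is dropped.

```python
"""Toy VPN tunnel: what an on-path observer (the ISP) can and cannot see.

Added example, not code from the original article. The cipher below is a
demonstration construction (HMAC-SHA256 keystream + HMAC tag), NOT a real
VPN protocol; real tunnels use a vetted AEAD negotiated during authentication.
"""
import hashlib
import hmac
import json
import os

CLIENT_IP = "192.0.2.10"        # constructed (documentation range)
VPN_SERVER_IP = "198.51.100.5"  # constructed: the VPN server
DEST_IP = "203.0.113.80"        # constructed: the website you actually visit


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from key + nonce (counter mode over HMAC)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything altered."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication (tampered or wrong key)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encapsulate(keys: tuple, inner: dict) -> dict:
    """Client side: the inner packet (real destination + data) becomes opaque payload
    of an outer packet addressed to the VPN server."""
    enc_key, mac_key = keys
    return {"src": CLIENT_IP, "dst": VPN_SERVER_IP, "proto": "udp/1194",
            "payload": seal(enc_key, mac_key, json.dumps(inner).encode())}


def decapsulate(keys: tuple, outer: dict) -> dict:
    """Server side: authenticate, decrypt, and recover the inner packet."""
    enc_key, mac_key = keys
    return json.loads(open_(enc_key, mac_key, outer["payload"]))


def observer_view(outer: dict) -> dict:
    """What the ISP sees on the wire: outer header and payload length, nothing else."""
    return {"src": outer["src"], "dst": outer["dst"],
            "proto": outer["proto"], "len": len(outer["payload"])}


def demo():
    keys = (os.urandom(32), os.urandom(32))   # in reality derived from the auth handshake
    inner = {"dst": DEST_IP, "port": 443, "data": "GET / HTTP/1.1"}
    outer = encapsulate(keys, inner)
    seen = observer_view(outer)               # ISP's view: VPN server, not DEST_IP
    recovered = decapsulate(keys, outer)      # server's view: the real destination
    # Tamper with one ciphertext bit in transit: the server must reject the packet.
    tampered = dict(outer)
    p = bytearray(outer["payload"])
    p[20] ^= 1
    tampered["payload"] = bytes(p)
    try:
        decapsulate(keys, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return seen, recovered, rejected


if __name__ == "__main__":
    seen, recovered, rejected = demo()
    print("observer sees:", seen)
    print("server recovers:", recovered)
    print("tampered packet rejected:", rejected)
```

The point to take from `observer_view` is that the outer header still names the VPN server, which is exactly why your ISP can tell you are using a VPN without learning where the inner traffic goes.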
Finally, if you want to make life harder for any snoopy, bored ISP staffers, stop using your ISP’s Domain Name Servers (DNS). I recommend switching your DNS to Google Public DNS or Cisco’s OpenDNS. Also, the better VPN services provide their own DNS and make it easy for you to switch. Technical details aside, if you value your privacy, you need to use a VPN. Just be aware, as I said at the beginning, that they’re not magic. Encryption protocols can be broken, a cut-rate VPN may not properly protect your traffic, and some VPNs are over-subscribed so your connection speed could be significantly impaired.
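Switching to a non-ISP resolver only helps if the DNS queries actually travel inside the tunnel. The following Python example, added here and not taken from the article or any VPN client, shows the check a practitioner would run: parse the configured nameservers, do a longest-prefix route lookup the way the kernel does, and flag any resolver whose traffic would leave via the ISP interface rather than the tunnel. The routing table and `resolv.conf` contents are constructed samples (the split `0.0.0.0/1` and `128.0.0.0/1` routes mimic how OpenVPN-style clients redirect the default gateway), and the interface names `tun0`/`eth0` are assumptions.

```python
"""DNS leak check: does each configured resolver route through the VPN tunnel?

Added example, not from the original article. ROUTES and RESOLV_CONF are
constructed samples; interface names tun0 (VPN) and eth0 (ISP link) are assumed.
"""
import ipaddress

# Constructed: routes as a VPN client typically has them after connecting.
# Format: (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route via the ISP
    ("0.0.0.0/1", "tun0"),        # redirect-gateway halves: more specific than /0,
    ("128.0.0.0/1", "tun0"),      # so everything goes into the tunnel ...
    ("198.51.100.5/32", "eth0"),  # ... except the VPN server itself (constructed IP)
    ("192.168.1.0/24", "eth0"),   # home LAN stays local
]

RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.168.1.1
nameserver 10.8.0.1
nameserver 8.8.8.8
"""


def parse_nameservers(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def route_for(ip: str, routes: list):
    """Longest-prefix match: the most specific matching route wins, as in the kernel."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def dns_leak_report(resolv_text: str, routes: list, tunnel_iface: str = "tun0"):
    """Map each resolver to its outgoing interface and list those bypassing the tunnel."""
    report = {ns: route_for(ns, routes) for ns in parse_nameservers(resolv_text)}
    leaking = [ns for ns, iface in report.items() if iface != tunnel_iface]
    return report, leaking


if __name__ == "__main__":
    report, leaking = dns_leak_report(RESOLV_CONF, ROUTES)
    for ns, iface in report.items():
        print(f"{ns:15} -> {iface}")
    print("resolvers bypassing the tunnel:", leaking or "none")
```

In the sample, the home router (`192.168.1.1`) is flagged: it is reached over the LAN and forwards queries to the ISP's resolvers, so every hostname you visit still reaches the ISP even though the rest of your traffic is tunnelled. The VPN provider's own resolver (`10.8.0.1`) and a public resolver reached through the tunnel do not leak.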