VPN (virtual private network)

Contributor(s): John Burke

A virtual private network (VPN) is programming that creates a safe, encrypted connection.  Typically, it is used over a less secure network, such as the public internet. It uses tunneling protocols to encrypt data at the sending end, and decrypt it at the receiving end.  The originating and receiving network addresses are also encrypted to provide better security for online activities.

It can also be used to provide remote employees, gig economy freelance workers and business travelers with access to software applications hosted on proprietary networks. To gain access to a restricted resource through a VPN, the user must be authorized to use the virtual private network app.  They must provide one or more authentication factors.  These can be passwords, security tokens or biometric data.

Content Continues Below

VPN apps are often used to protect data transmissions on mobile devices.  They can also be used to visit web sites that are restricted by location. However, secure access through a mobile VPN should not be confused with private browsing. Private browsing does not involve encryption; it is simply an optional browser setting that prevents identifiable user data from being collected.

How a VPN works

At its most basic level, VPN tunneling creates a point-to-point connection that cannot be accessed by unauthorized users. To actually create the tunnel, the endpoint device needs to be running a VPN client (software application) locally or in the cloud. The client runs in the background.  It is not noticeable to the end user, unless there are performance issues.

The performance can be affected by many factors, like speed of users' internet connections, the protocol types an internet provider may use, and the type of encryption it uses. In the enterprise, performance can also be affected by poor quality of service (QoS) outside the control of an organization's information technology (IT) department.

VPN protocols

VPN protocols ensure an appropriate level of security to connected systems, when the underlying network infrastructure alone cannot provide it. There are several different protocols used to secure and encrypt users and corporate data. They include:

  • IP security (IPsec)
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  • Point-To-Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)
  • OpenVPN

Types of VPNs

Network administrators have several options when it comes to deploying a VPN. They include:

Remote access VPN

Remote access clients connect to a VPN gateway server on the organization's network. The gateway requires the device to authenticate its identity before granting access to internal network resources. This type usually relies on either IP Security (IPsec) or Secure Sockets Layer (SSL) to secure the connection.

Site-to-site VPN

In contrast, a site-to-site VPN uses a gateway device to connect an entire network in one location to a network in another location. End-node devices in the remote location do not need VPN clients because the gateway handles the connection. Most site-to-site VPNs connecting over the internet use IPsec. It is also common for them to use carrier MPLS clouds rather than the public internet as the transport for site-to-site VPNs. Here, too, it is possible to have either Layer 3 connectivity (MPLS IP VPN) or Layer 2 (virtual private LAN service) running across the base transport.

Mobile VPN

In a mobile VPN, the server still sits at the edge of the company network, enabling secure tunneled access by authenticated, authorized clients. Mobile VPN tunnels are not tied to physical IP addresses, however. Instead, each tunnel is bound to a logical IP address. That logical IP address sticks to the mobile device no matter where it may roam. An effective mobile VPN provides continuous service to users, and can switch across access technologies and multiple public and private networks.

Hardware VPN

Hardware VPNs offer a number of advantages over strictly software-based. In addition to enhanced security, hardware VPNs can provide load balancing for large client loads. Administration is managed through a Web browser interface. A hardware VPN is more expensive than software-based. Because of the cost, hardware VPNs are more viable for larger businesses. Several vendors, including Irish vendor InvizBox, offer devices that can function as hardware VPNs.

VPN appliance

VPN appliance, also known as a VPN gateway appliance, is a network device with enhanced security features. Also known as an SSL (Secure Sockets Layer) VPN appliance, it is a router that provides protection, authorizationauthentication and encryption for VPNs.

Dynamic multipoint virtual private network (DMVPN)

A dynamic multipoint virtual private network (DMVPN) exchanges data between sites without needing to pass through an organization's headquarter VPN server or router. A DMVPN creates a mesh VPN service that runs on VPN routers and firewall concentrators.  Each remote site has a router configured to connect to the company’s headquarters device (hub), providing access to the resources available. When two spokes are required to exchange data between each other -- for a VoIP telephone call, for example -- the spoke will contact the hub, obtain the needed information about the other end, and create a dynamic IPsec VPN tunnel directly between them.

VPN Reconnect

VPN Reconnect is a feature of Windows 7 and Windows Server 2008 R2 that allows a virtual private network connection to remain open during a brief lapse of Internet service. Usually, when a computing device using a VPN connection drops its Internet connection, the end user has to manually reconnect. Reconnect keeps the tunnel open for a configurable amount of time.  So, when Internet service is restored, the VPN connection is automatically restored as well. The feature was designed to improve usability for mobile employees.

Security limitations of a virtual private network explained

Any device that accesses an isolated network through a VPN presents a risk of bringing malware to that network environment.  That is, unless there’s a requirement in the VPN connection process to assess the state of the connecting device. Without an inspection to determine whether the connecting device complies with an organization's security policies, attackers with stolen credentials can access network resources, including switches and routers.

Security experts recommend that network administrators consider adding software-defined perimeter (SDP) components to their VPN protection infrastructure in order to reduce potential attack surfaces. The addition of SDP programming gives medium and large organizations the ability to use a zero trust model for access to both on-premises and cloud network environments.

VPN Kill Switches

A kill switch is a last-resort security feature in some VPN products.  If the VPN connection is disrupted, the kill switch will automatically disconnect the device from the internet.  This way, there is no chance of IP address exposure. 

There are two types of kill switches:

  • Active kill switch protocols prevent devices from connecting to unsafe networks when the device is connected to the VPN. Apart from server disruptions, it is disabled when not connected to the VPN. 
  • Passive kill switch protocols are more secure. They keep the device from connecting to non-VPN connections even while disconnected from the VPN server.
This was last updated in June 2020

Continue Reading About VPN (virtual private network)

Dig Deeper on Network Access Control

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

SSL is the best, it is beast.
No, we are not using any VPN services.
Does your organization use SSL VPN or IPsec VPN?
Yes, we're using SSL to secure websites.
Both are good.
If I'm using a L2TP for my VPN and it doesn't allow me to remotely access some of my Server service for instance call server. What could be the problem?
Yes, we're using VPN. Our small business is using Astrill since the app is user-friendly. It also has a lot of options which allows us to tweak different settings, too. I would recommend it to users and businesses, whether they know much about PCs or not, as the app is very flexible. We didn't have any problems with it so far.
If I'm using a L2TP for my VPN and it doesn't allow me to remotely access some of my Server service for instance call server. What could be the problem?
Why are SSTP/SSL and IPSec still the standard? Isn't OpenVPN way more safe. I read somewhere that both SSTP and IPSec are questionable in terms of security. I think I read somewhere that Edward Snowden said that IPSec was compromised by the NSA/the government.
I'm using SaturnVPN. They will accept bitcoin which is great for staying anonymous. They provide many servers from different locations.
Yes, I have been using VPN applications for a long time, I used different ones.
At the moment I like the new application VeePN the most, I recommend it
I use a VeePN and it is great, absolutely satisfies me. Secure and fast, the best choice for me!!
Hey, Thanks for informing us about VPN Reconnect. I had no idea it even existed!
where can i use ru vpn like in what countries

Hey, thanks for this article , it is very informative to us .
Thanks for sharing the article. I found it very informative.
VPN is still a valid support for the network infrastructure but these latest year the MPLS Technology is taking the place of the first.
In particular MPLS allows to use a unique firewall disposed in the main office.
what are the steeps that a network administrator follows while configuring a secure VPN from an android phone to a certain university?
Does your organization use SSL VPN or IPsec VPN???

File Extensions and File Formats

Powered by: