A Virtual Private Network (VPN) is an encrypted connection between two or more peers (devices).

The two main types of VPN provide secure connections using IPSec or SSL/TLS.

IPSec protocols work at the Network & Transport layer (layer 3) of the OSI model where as SSL VPNs work at the application level (7).

IPSec

IPSec is a group of protocols that set up secure tunnels across insecure networks. It provides:

  • end to end encryption, protecting the contents of the data so only the peers (devices, client & server) involved can read the data and
  • authenticates the source of the packets

At a high level IPSec is a collection of protocols connecting two or more secure networks across the public internet.

This is useful for cases when you want to secure traffic like connecting to infrastructure in public clouds, ie AWS or Azure, or connecting infrastructure that is geographically separated that belongs to the same business and share information/data.

IPSec referes to interesting traffic which is traffic that matches specific rules. They can take the form of traffic type, network prefixes among other attributes. The payload of the data being transmitted is irrelevant to the classification of interesting traffic, the rules define what is interesting.

The logical abstraction of this end to end encryption which verifies the sender is referred to as a Virtual Private Network (VPN) tunnel. To instantiate this tunnel there is the process of VPN Negotiation; this happens over two phases.

VPN negotiations

IPSec has two phases:

  1. set up a secure encrypted channel which allows phase 2 negotiations
  2. agree a set of parameters that define what traffic can use the tunnel along with how to encrypt, decrypt and authenticate the traffic

For communication to happen over an IPSec VPN tunnel, phase 1 must happen before phase 2.

After the payload has been delivered or operation complete, the phase 2 tunnel can be torn down and the phase 1 tunnel remains.

Phase 1 is independent and decoupled of phase 2, but 2 is dependent and loosely coupled on 1; a new phase 2 tunnel and so new state can reuse phase 1. Retaining Phase 1 speeds up communication later as the intensive component is already in place.

The parameters include VPN modes & encryption methods.

VPN Modes & Encryption Methods

Symmetric vs Asymmetric Encryption

Symmetric encryption and decryption are faster and less resource intensive than asymmetric, that is it’s quicker for both peers to encrypt and decrypt data using the same key rather than asymmetric algorithms that use different keys.

Ideally we want both peers to have the same symmetric key, but how do you share the key without bad actors intercepting and exploiting it? Answer: Diffie-Hellman key exchange.

Transport vs Tunnel mode

In transport mode, only the payload of the packet is encrypted, not the source or desination addresses. If the authentication header is used, the IP addresses cannot be modified by network address translation, as this always invalidates the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers.

In tunnel mode the whole packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).

Tunnel mode supports NAT traversal.

Phase 1: Internet Key Exchange, set up a secure encrypted channel

  1. Agree on the Internet Key Exchange (IKE) version to use (IKEv1 or IKEv2). Each device can use IKEv1 or IKEv2. The IKE version for both devices must match.
  2. Prove identity through pre-shared keys or certificates.
  3. Devices identify each other through IP address, domain name, domain information, or an X500 name.
  4. Genereate the same symmetric key for each peer which is used to encrypt data via a Diffie-Hellman key exchange:
    • Each peer (device, think communication going left to right) creates a private key along with a corresponding public key.
    • Public keys are exchanged over the internet to the opposing peer.
    • Each side generates the same symmetric Diffie-Hellman key which will be used to encrypt and decrypt packets by each peer.
  5. Parameters and information are encrypted using the common key and shared. This two way communication allows agreements to be made in Phase 2.

Phase 2: Create an IPSec Security Association

  1. Using the symmetric Diffie-Hellman Key created on both sides by each peer to encrypt and exchange information to agree on how, when and what can be sent.
  2. Symmetric key encrypts agreements and other material which is sent between peers. This lets the other peer know which cypher suits they support and what encryption methods can be used.
  3. Second peer chooses the best encryption method that they both support.
  4. The symmetric IPSec key is used to encrypt and decrypt data.
  5. Security addociation pairs are created; these are used to transfer data bidirectionally in the VPN tunnel.

Route vs Policy Based VPNs

The difference is how they match interesting traffic.

Policy based IPSec VPNs

  • use a set of rules to match traffic with a pair of assosciations
  • different rules match different security settings
  • often used in dynamic routing

Each policy has a security association pair and a unique IPSec key for different types of traffic. They are more complex to configure being more granular but this can mean there is less exposure risk should a key be discovered when compared with a route based VPM.

Route based VPN

  • target matching using a prefix. Sends traffic to a specific CIDR range over the VPN.
  • single pair of security associations for each network prefix.
  • all traffic types between those networks use the same pair of security associations.
  • provides less functionality but is simpler to set up.

A single pair of security associations are created using a single IPSec Key. This phase 2 tunnel runs over the phase 1 tunnel and handles traffic in both directions, with understanding of the route followed e.g A -> B & B-> A.

Route based are useful for a large pool of connections where the CIDR range rarely changes.

VPN Services: Is my traffic secret?

There are two main components when people are concerned with secrecy:

  • The destination network or address you are connecting to.
  • Encrypting and hiding the information being transmitted.

Even though you may have encrypted the information, to route your traffic to the right destination you still require DNS resolution. Routers must understand where to send your request to ie how do I reach dewberry.dev?

Through DNS resoltion there is a lookup from root, top level domain to authoritative nameserver which provides the IP address of dewberry.dev.

If you want to hide all traffic, the VPN used should use their own DNS servers to reduce exposing the intended destination and source to other parties which could be shared or sold.

If you use a VPN service like NordVPN, they use their own DNS servers for that added secrecy however you are relying on them not passing this information on or experiencing data breaches where it may be stolen and potentially sold to other interested parties.

It is difficult to hide all information using a VPN, unless you maintain your own DNS servers and create your own IPSec VPN tunnel (which isn’t feasible for most!).