What Is a Virtual Private Network (VPN)?

A virtual private network (VPN) carries a user’s traffic across a public or shared network while keeping it separate from the rest of that network’s traffic. VPNs come in both hardware and software versions.

Virtual Private Network Basics

VPNs are primarily used for remote access to a private network. For example, employees at a branch office could use a VPN to connect to the main office’s internal network. Alternatively, a remote worker, perhaps working from home, may need to connect to the company’s intranet or to restricted applications.

The majority of these virtual networks use encryption to provide a secure connection. In a software VPN, the client on the user’s device encrypts the connection request it sends to the associated VPN server. Once the connection is established, each request for information is encrypted on the user’s device and sent to the VPN server. The VPN server decrypts the request and retrieves the information over the internet. It then encrypts the information and returns it to the client software, which decrypts it.
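The request and response flow just described, as an added example that is not from the original article: a simulated tunnel in Go in which both ends share one AES-256-GCM key (assumed to be pre-shared here; a real VPN negotiates it with IKEv2 or TLS) and a caller-supplied `fetch` function stands in for the public internet.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewTunnelCipher builds the tunnel AEAD from a 32-byte (AES-256) key assumed pre-shared.
func NewTunnelCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key length other than 16/24/32
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one packet; a fresh random nonce is prepended.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the GCM tag and decrypts; any modified packet is rejected.
func Open(aead cipher.AEAD, packet []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(packet) < n+aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	return aead.Open(nil, packet[:n], packet[n:], nil)
}

// RoundTrip plays both ends of the tunnel; fetch stands in for the internet.
func RoundTrip(aead cipher.AEAD, request []byte, fetch func([]byte) []byte) ([]byte, error) {
	packet, err := Seal(aead, request) // client: only ciphertext leaves the device
	if err != nil {
		return nil, err
	}
	req, err := Open(aead, packet) // VPN server: recovers the request
	if err != nil {
		return nil, err
	}
	reply, err := Seal(aead, fetch(req)) // VPN server: fetches in clear, re-encrypts
	if err != nil {
		return nil, err
	}
	return Open(aead, reply) // client: decrypts the returned information
}
```

Anything on the path between client and server sees only the sealed packets, and a packet altered in transit fails the tag check in `Open` instead of being decrypted.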

A hardware version is a standalone device that runs all of the needed networking functions, such as encryption, itself. In addition, hardware VPNs often come with additional built-in data security features.

VPN Protocols

There are many different protocols that can be used for VPNs. What follows is a brief summary of four common protocols.

Layer 2 Tunneling Protocol (L2TP) does not offer encryption itself and must be paired with another protocol. Combined with IPsec, for example, the resulting L2TP/IPsec is much more secure than L2TP alone, because IPsec handles the encryption and authentication: L2TP locates the endpoints and sets up a layer 2 tunnel, and IPsec protects the packets that pass through it.

OpenVPN is an open source protocol and VPN service. It uses 256-bit Advanced Encryption Standard (AES) encryption and the 160-bit SHA-1 hash algorithm.

Secure Socket Tunneling Protocol (SSTP) is fully integrated with several Microsoft operating systems (OSs) because it is proprietary to Microsoft. It uses a 2048-bit SSL/TLS certificate for authentication and 256-bit keys for encryption.

Internet Key Exchange version 2 (IKEv2) is distinctive in that it focuses on establishing a secure key exchange session. It is commonly used with IPsec, which handles the encryption and authentication. Other capabilities include re-establishing a link after a temporary loss of connectivity and moving a connection across network types, such as from Wi-Fi to mobile broadband.

Software VPNs

Software VPNs use a software client on a user’s device to connect to a VPN server. In the remote access use case, the client can connect a branch office to a server in the main office, or connect a remote worker to any office that runs a server. The server can alternatively be cloud-based and hosted by a service provider.

This diagram shows how a remote worker can use an encrypted tunnel over the internet to access a private network via a VPN server. Source: OpenVPN

A VPN client may already be built into the device’s OS, which removes the need for a client from a third-party provider. With a built-in client, the user in most cases enters the type of VPN connection, the server address, and the account name, then authenticates with their credentials, and the connection is established.

Hardware VPNs

A hardware VPN is set up by placing a hardware-based device in a server rack and then having an IT professional configure it. These standalone devices have processors dedicated to running all necessary functions. In some cases, they can run additional security functions.

This hardware-based form of secure network connection saw considerable use in the early 2000s and has since waned in popularity. It rose because computers at the time were not powerful enough to run a VPN program alongside other applications.

As devices gained processing power, they could multitask and run a software VPN alongside other programs. Because hardware VPNs involve vendor lock-in and considerable capital expenditure (capex), the operating-expenditure (opex) model of the software alternative became more attractive to organizations.

Vendors that still offer hardware-based VPNs include Fortinet and Cisco. Fortinet doesn’t have hardware that is strictly dedicated to VPNs; instead, the FortiGate next-generation firewall (NGFW) product line is VPN-enabled. Cisco’s AnyConnect was a mainstay of hardware VPNs, though it now includes a mobility client, and the devices the VPN runs on can be software-based.

VPN routers are a more recent form of hardware VPN. Instead of running a separate VPN instance for each employee at an office, such a router establishes one secure connection and funnels all employee traffic through it.

Virtual Private Networks: Key Takeaways

  1. Virtual private networks are a security tool that creates a secure connection between the user’s device and the desired private network by using encryption.
  2. Common virtual private network protocols include Layer 2 Tunneling Protocol, IPsec, OpenVPN, Secure Socket Tunneling Protocol, and Internet Key Exchange version 2.
  3. Software-based virtual private networks create a secure connection between a software client on a user’s device and a virtual private network server.
  4. Hardware-based virtual private networks are standalone devices, present at an office, that create encrypted tunnels between themselves and users.

Updated September 2020 by Ashley Wiesner