Host-to-network VPNs are commonly used by organisations to allow off-site users secure access to an office network over the internet.[2][3] Site-to-site VPNs connect two networks, such as an office network and a datacenter.Provider-provisioned VPNs isolate parts of the provider's own network infrastructure in virtual segments, in ways that make the contents of each segment private with respect to the others. Individuals also use VPNs to encrypt andanonymize theirnetwork traffic, withVPN services selling access to their own private networks.
VPNs can enhance usage privacy by making an ISP unable to access the private data exchanged across the VPN. Throughencryption, VPNs enhanceconfidentiality and reduce the risk of successfuldata sniffing attacks.
Arepeater is an electronic device that receives a networksignal, cleans it of unnecessary noise and regenerates it. The signal isretransmitted at a higher power level, or to the other side of obstruction so that the signal can cover longer distances without degradation.
An Ethernet repeater with multiple ports is known as anEthernet hub. In addition to reconditioning and distributing network signals, a hub assists with collision detection and fault isolation for the network. Hubs and repeaters in LANs have been largely obsoleted by modern network switches.
Unlike hubs, which forward communication to all ports,network switches forward frames only to the ports involved in the communication. Switches normally have numerous ports, facilitating a star topology for devices, and for cascading additional switches.Network bridges are analogous to a two-port switch.
Bridges and switches operate at thedata link layer of theOSI model and bridge traffic between two or morenetwork segments to form a single local network. Both are devices that forwardframes of data betweenports based on the destination MAC address in each frame.Network segmentation through bridging and switching helps break down a large, congested network into an aggregation of smaller, more efficient networks.
Arouter is an internetworking device that forwards packets between networks by processing the addressing or routing information included in the packet.
Modems (modulator-demodulator) are used to connect network nodes via wire not originally designed for digital network traffic, or for wireless.
In aprotocol stack, often constructed per theOSI model, communications functions are divided into protocol layers, where each layer leverages the services of the layer below it until the lowest layer controls the hardware that sends information across the media. The use of protocol layering is ubiquitous across the field of computer networking. An important example of a protocol stack isHTTP, theWorld Wide Web protocol. HTTP runs overTCP overIP, the Internet protocols, which in turn run overIEEE 802.11, the Wi-Fi protocol. This stack is used between awireless router and a personal computer when accessing the web.
Most modern computer networks use protocols based onpacket-mode transmission. Anetwork packet is a formatted unit ofdata carried by apacket-switched network. Packets consist of two types of data: control information and user data (payload). The control information provides data the network needs to deliver the user data, for example, source and destinationnetwork addresses,error detection codes, and sequencing information. Typically, control information is found inpacket headers andtrailers, withpayload data in between.
TheInternet protocol suite, also called TCP/IP, is the foundation of all modern networking and the defining set of protocols for the Internet. It offers connection-less and connection-oriented services over an inherently unreliable network traversed by datagram transmission using Internet protocol (IP). At its core, the protocol suite defines the addressing, identification, and routing specifications forInternet Protocol Version 4 (IPv4) and forIPv6, the next generation of the protocol with a much enlarged addressing capability.[6]
Split tunneling allows a user to access distinctsecurity domains at the same time, using the same or different network connections.[7] This connection state is usually facilitated through the simultaneous use of a LANnetwork interface controller (NIC), radio NIC,Wireless LAN NIC, and virtual private network client software application. Split tunneling is most commonly configured via the use of a remote-access VPN client, which allows the user to simultaneously connect to a nearbywireless network, resources on an off-sitecorporate network, as well as websites over the internet.
Not every VPN allows split tunneling.[8][9][10] Advantages of split tunneling include alleviatingbottlenecks, conservingbandwidth (as internet traffic does not have to pass through the VPN server), and enabling a user to not have to continually connect and disconnect when remotely accessing resources..[citation needed] Disadvantages includeDNS leaks and potentially bypassing gateway-level security that might be in place within the company infrastructure.[11]Internet service providers often use split tunneling to that implement forDNS hijacking purposes.
Ahost-to-network configuration is analogous to joining one or more computers to a network to which they cannot be directly connected. This type of extension provides computer access to alocal area network of a remote site, or any wider enterprise networks, such as anintranet. Each computer is in charge of activating its own tunnel towards the network it wants to join. The joined network is only aware of a single remote host for each tunnel. This may be employed forremote workers, or to enable people accessing their private home or company resources without exposing them on the public Internet.[citation needed]
Asite-to-site configuration connects two networks. This configuration expands a network across geographically disparate locations. Tunneling is only done between gateway devices located at each network location. These devices then make the tunnel available to other local network hosts that aim to reach any host on the other side. This is useful to keep sites connected to each other in a stable manner, like office networks to their headquarters or datacenter. In this case, any side may be configured to initiate the communication as long as it knows how to reach the other. In the context of site-to-site configurations, the termsintranet andextranet are used to describe two different use cases.[12] Anintranet site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas anextranet site-to-site VPN joins sites belonging to multiple organizations.[citation needed]
Trusted VPNs do not use cryptographic tunneling; instead, they rely on the security of a single provider's network to protect the traffic.[14]Multiprotocol Label Switching (MPLS) often overlays trusted VPNs, often with quality-of-service control over a trusted delivery network. A secure VPN either trusts the underlying delivery network or enforces security with an internal mechanism. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.[citation needed]
Mobile virtual private networks are used in settings where an endpoint of the VPN is not fixed to a singleIP address, but instead roams across various networks such as data networks from cellular carriers or between multipleWi-Fi access points without dropping the secure VPN session or losing application sessions.[15] Mobile VPNs are widely used inpublic safety where they give law-enforcement officers access to applications such ascomputer-assisted dispatch and criminal databases,[16] and in other organizations with similar requirements such asfield service management and healthcare.[17][need quotation to verify]
DMVPN provides the capability for creating adynamic-mesh VPN network without having to statically pre-configure all possible tunnel end-point peers, such asIPsec andISAKMP peers.[20] DMVPN is initially configured to build ahub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes are dynamically built on demand without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks.[citation needed]
In practice, MPLS is mainly used to forwardIPprotocol data units andVirtual Private LAN Service Ethernet traffic. Major applications of MPLS are telecommunications traffic engineering andMPLS VPN. MPLS works in conjunction with theInternet Protocol (IP) and its routing protocols, usuallyinterior gateway protocols (IGPs) and supports the creation of dynamic, transparent virtual networks with support for traffic engineering, the ability to transport layer VPNs with overlapping address spaces, and for layer-2pseudowires that are capable of transporting a variety of transport payloads (IPv4,IPv6, ATM, Frame Relay, etc.).[24][25]
Virtual Private LAN Service (VPLS) is a virtual private network technology that provides Ethernet-based multipoint-to-multipoint communication overIP orMPLS networks. It allows geographically dispersed sites to share an Ethernetbroadcast domain by connecting sites (including both servers and clients) throughpseudowires.[26] The technologies that can be used as pseudo-wire can beEthernet over MPLS,L2TPv3 or evenGRE. There are twoIETF standards-trackRFCs (RFC 4761 and RFC 4762) describing VPLS establishment. In contrast to L2TPv3, which allows onlypoint-to-pointOSI layer 2 tunnels, VPLS allows any-to-any (multipoint) connectivity.[27][28]
Aprovider-provisioned VPN (PPVPN) is a virtual private network (VPN) implemented by a connectivity service provider or large enterprise on a network they operate on their own, as opposed to a "customer-provisioned VPN" where the VPN is implemented by the customer who acquires the connectivity service on top of the technical specificities of the provider.
Internet Protocol Security (IPsec) is a standards-based security protocol, initially developed by theInternet Engineering Task Force (IETF) forIPv6, and was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.[29] It is also widely used withIPv4.
The design of IPSec meets most security goals:availability, integrity, and confidentiality. IPsec uses encryption,encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination. IPsec is also often supported by network hardware accelerators,[30] which makes IPsec VPN desirable for low-power scenarios, like always-on remote access VPN configurations.[31][32]
IPsec tunnels are set up by theInternet Key Exchange (IKE) protocol. IPsec tunnels made with IKE version 1 (also known as IKEv1 tunnels, or often just "IPsec tunnels") can be used alone to provide VPN but are often combined with theLayer 2 Tunneling Protocol (L2TP) to reuse existing L2TP-related implementations for more flexible authentication features (e.g.Xauth).
IKE version 2, which was created by Microsoft and Cisco, can be used alone to provide IPsec VPN functionality. Its primary advantages are the native support for authenticating via theExtensible Authentication Protocol (EAP) and that the tunnel can be seamlessly restored when the IP address of the associated host is changing, which is typical of a roaming mobile device, whether on3G or4GLTE networks.
Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in theOpenVPN project andSoftEther VPN project[33]) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through TLS. A VPN based on TLS can connect from locations where the usual TLS web navigation (HTTPS) is supported without requiring additional configuration.
OpenSSH offers VPN tunneling (distinct fromport forwarding) to secure[ambiguous] remote connections to a network, inter-network links, and remote systems. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.[34] SSH is more often used to remotely connect to machines or networks instead of a site to site VPN connection.
WireGuard is a protocol. In 2020, WireGuard support was added to both the Linux[35] and Android[36] kernels, opening it up to adoption by VPN providers. By default, WireGuard utilizes theCurve25519 protocol forkey exchange andChaCha20-Poly1305 for encryption and message authentication, but also includes the ability to pre-share asymmetric key between the client and server.[37]
Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registeredtrademark "MPVPN".[relevant?][40]
Crypto IP Encapsulation (CIPE) is a free and open-source VPN implementation for tunnelingIPv4 packets overUDP viaencapsulation.[41] CIPE was developed forLinux operating systems by Olaf Titz, with aWindowsport implemented by Damion K. Wilson.[42] Development for CIPE ended in 2002.[43]
Desktop, smartphone and other end-user device operating systems usually support configuring remote access VPN from theirgraphical orcommand-line tools.[47][48][49] However, due to the variety of, often non standard, VPN protocols, there exist many third-party applications that implement additional protocols not yet or no longer natively supported by the OS. For instance,Android lacked nativeIPsec IKEv2 support until version 11,[50] and users needed to install third-party apps in order to connect that kind of VPN. Conversely, Windows does not natively support plain IPsec IKEv1 remote access native VPN configuration (commonly used byCisco andFritz!Box VPN solutions).
Network appliances, such as firewalls, often include VPN gateway functionality for either remote access or site-to-site configurations. Their administration interfaces often facilitate setting up virtual private networks with a selection of supported protocols. In some cases, like in the open source operating systems devoted to firewalls and network devices (likeOpenWrt,IPFire,PfSense orOPNsense), it is possible to add support for additional VPN protocols by installing missing software components or third-party apps.[citation needed]
Commercial appliances with VPN features based on proprietary hardware or software platforms usually support a consistent VPN protocol across their products, but do not allow customizations outside the use cases they implement. This is often the case for appliances that rely on hardware acceleration of VPNs to provide higher throughput or support a larger number of simultaneously connected users.[citation needed]
^Cisco Systems, Inc. (2004).Internetworking Technologies Handbook. Networking Technology Series (4 ed.). Cisco Press. p. 233.ISBN978-1-58705-119-7. Retrieved15 February 2013.[...] VPNs using dedicated circuits, such as Frame Relay [...] are sometimes calledtrusted VPNs, because customers trust that the network facilities operated by the service providers will not be compromised.
^E. Jankiewicz; J. Loughney; T. Narten (December 2011).IPv6 Node Requirements.Internet Engineering Task Force.doi:10.17487/RFC6434.ISSN2070-1721.RFC6434.Obsolete. p. 17. Obsoleted byRFC 8504. ObsoletesRFC 4294.Previously, IPv6 mandated implementation of IPsec and recommended the key management approach of IKE. This document updates that recommendation by making support of the IPsec Architecture RFC4301 a SHOULD for all IPv6 nodes.
Benjamin Dowling, and Kenneth G. Paterson (12 June 2018). "A cryptographic analysis of the WireGuard protocol".International Conference on Applied Cryptography and Network Security.ISBN978-3-319-93386-3.
^"OpenConnect".Archived from the original on 29 June 2022. Retrieved8 April 2013.OpenConnect is a client for Cisco's AnyConnect SSL VPN [...] OpenConnect is not officially supported by, or associated in any way with, Cisco Systems. It just happens to interoperate with their equipment.
^Titz, Olaf (20 December 2011)."CIPE - Crypto IP Encapsulation".CIPE - Crypto IP Encapsulation.Archived from the original on 18 May 2022. Retrieved8 September 2022.
