Secure Communication -- VPNs

Core Network Security Concepts

Authentication: Verifying the identity of the party you are communicating with.
Integrity: Ensuring data has not been altered in transit.
Confidentiality: Preventing unauthorized parties from reading transmitted data.
Spoofing: Forging protocol messages or packet fields to impersonate another system.
Routing attacks: Manipulating routing information to redirect or intercept traffic.

TLS (Transport Layer Security): A protocol that provides authenticated, encrypted, integrity-protected communication between applications.
TLS handshake: The setup phase, where peers authenticate, negotiate algorithms, and establish symmetric keys.
Cipher suite: A defined set of algorithms for key exchange, encryption, and integrity in a TLS or VPN session.
Diffie–Hellman key exchange: A method for establishing a shared secret over an untrusted channel.
Certificate Authority (CA): A trusted entity that signs certificates to bind identities to public keys.
AEAD: Authenticated encryption that provides confidentiality and integrity in one operation.
AES-GCM: An AEAD mode that provides fast authenticated encryption using AES.
ChaCha20-Poly1305: An AEAD construction using the ChaCha20 stream cipher and Poly1305 MAC.
Client authentication (TLS): Optional mechanism where the server verifies the client via a certificate.
TLS limitations: TLS only protects individual application connections and does not secure entire networks.

Virtual Private Network (VPN): A secure tunnel that protects all traffic between networks or hosts.
Tunneling: Encapsulating an IP packet inside another packet to send it across an untrusted network.
Private network: An internal network that is isolated from the public Internet.
Encryption (VPN): Protecting tunneled traffic so outsiders cannot read it.
Integrity protection (VPN): Detecting changes to tunneled packets using message authentication codes.
Authentication (VPN): Ensuring that each endpoint of the tunnel is the legitimate peer.
Tunnel mode: VPN mode that encapsulates the entire original IP packet.
Transport mode: VPN mode that protects only the transport-layer payload of an IP packet.
Site-to-site VPN: A tunnel that securely connects two networks through their gateways.
Remote-access VPN: A tunnel connecting an individual device to a network.
Privacy VPN: A commercial VPN service that relays a user’s Internet traffic through the provider.
Split tunneling: Routing only corporate-destined traffic through a VPN while sending other traffic directly.

IPsec: A suite of protocols that secure IP traffic at the network layer.
Authentication Header (AH): Provides integrity and authentication for IP packets but no encryption.
Encapsulating Security Payload (ESP): Provides encryption, authentication, and integrity for tunneled packets.
NAT traversal issues: IPsec can conflict with NAT devices because it uses non-TCP/UDP protocol numbers.

OpenVPN: A user-space VPN protocol that uses TLS for key exchange and authentication.
TUN interface: A virtual network interface used to send and receive IP packets via a VPN process.
Control channel (OpenVPN): TLS-protected channel that handles authentication and key negotiation.
Data channel (OpenVPN): The encrypted tunnel that carries actual VPN traffic using symmetric keys.
Pre-shared key authentication: A simpler authentication mechanism using a shared secret.
Certificate-based authentication: Authentication using X.509 certificates and private keys.

WireGuard: A modern, minimal VPN protocol using a fixed suite of cryptographic algorithms.
ChaCha20 (WireGuard): WireGuard’s default symmetric encryption algorithm.
Poly1305: The MAC algorithm WireGuard uses for message authentication.
BLAKE2s: A fast hash used for key derivation inside WireGuard.
Public-key identities: Each WireGuard computer is identified solely by its public key. The system never reveals its private key.
Key rotation: WireGuard regenerates session keys frequently to limit exposure.
Minimal codebase: A small implementation designed for clarity and formal verification.

Endpoint compromise: A VPN cannot protect a device that is already infected with malware.
Provider visibility: VPN providers or corporate gateways can see unencrypted traffic exiting the tunnel.
Metadata exposure: Even encrypted tunnels reveal timing and size information.
Traffic analysis: Observers can infer behavior from encrypted packet patterns.
False sense of security: VPN users may assume they are protected from threats that VPNs do not address.

Encryption overhead: CPU cost of encrypting traffic, usually small on modern hardware.
Encapsulation overhead: Extra header bytes added when wrapping packets inside the VPN tunnel.
Routing/latency overhead: Longer paths through remote gateways increase round-trip time.
Gateway bottlenecks: VPN servers may become performance bottlenecks for large organizations.