
VPN Overview and Selection  SecureOffice  xoops  29-Nov-2020 17:40  0  2775 reads


1        What Are Virtual Private Networks

Virtual private network (VPN) is a technology that creates private encrypted connections over a less secure network, such as the internet. VPN technology was developed to allow remote users and branch offices to securely access corporate applications and other resources. To ensure safety, data travels through secure (encrypted) tunnels and VPN users must use authentication methods including passwords, tokens and other identification methods to gain access to the VPN.

Due to its complexity, much has been written about VPN. SecureOffice attempts to simplify and make VPN (and all functionality) as "user friendly" as possible.

A typical VPN connection is shown below. What happens with your connection stays with your connection. Completely private. Snoops hate privacy and, if allowed, will outlaw VPN as they failed with encryption (for all but themselves).

Figure 1: VPN Connection

For SecureOffice client VPN, "Your Device" is SecureOffice which can be configured to provide a VPN connection via WiFi or a dedicated ethernet port for all connected clients.

For SecureOffice server VPN (remote access), "Your Device" is a remote cellphone, PC or other device connected to the internet with a VPN tunnel to the "VPN Server" which is SecureOffice. Clients have full remote access to SecureOffice and all resources, as if you were at home, connected locally.

SecureOffice can simultaneously be a VPN client (providing VPN connections via Wifi, dedicated ethernet ports) and VPN server (providing secure remote access).

1.1    Benefits Of VPN

There are many reasons why people choose to use VPN. These belong, for the most part, to the categories: privacy, security and freedom on the internet. This section explains the value of using VPN.

Using a VPN has many advantages. A quick summary:

  • IP addresses are hidden, and the user becomes anonymous.
  • Data traffic is encrypted, which allows securely connecting using public WiFi hotspots or corporate networks without the boss "snooping".
  • Geographic restrictions can be bypassed, allowing access to restricted streaming services in other jurisdictions such as Netflix.
  • Users can download information securely and anonymously, unknown to censors and others concerned with enforcing the "legality" of what you are "allowed" to know / view.
  • Government or any censorship (information control) is bypassed.
  • It is possible to save money while shopping online in lower cost / tax jurisdictions.

1.1.1      IP Address Is Hidden

Because communications use the IP address of the VPN server, which hides the user's own IP address, users become anonymous on the internet. The IP address is a unique number which allows people to be identified on the internet, and it allows others to track our online behavior step-by-step. With the use of a new, incognito IP address, it is no longer possible for governments, hackers or the websites that we visit to link us to our personal identity (unless we log in using our real identity). The observed IP address (the address of the VPN server) is no longer linked to us. Determining users' real IP addresses requires "legal" action.

1.1.2      Encrypted Data Traffic

A safe internet connection: VPN encrypts the data traffic. This prevents hackers and other malicious parties from intercepting our data, including identity theft and the capture of login credentials and sites visited. This allows users to safely connect using otherwise insecure public WiFi hotspots (or a work network), which may, for nefarious purposes, be collecting user data.

1.1.3      Bypass Geographic Restrictions

With a VPN it is possible to connect to a server in a different country and to therefore allow all the data traffic to pass through this other country and fool servers (such as NetFlix / Hulu) into believing you are a local client. This allows certain blocked websites, streaming services, VoIP services and social media to become accessible. To do so it is necessary to make a connection with a VPN server in a country or with a VPN service that has not been restricted. VPN providers and streaming service providers are in a continuous state of war, with streaming service providers identifying and blocking VPN providers and VPN providers finding ways to bypass this. In practice, this means that any VPN connection may need to be occasionally reconfigured to use the latest workarounds / servers to access streaming services in other jurisdictions.

1.1.4      Anonymously Browse And Download Safely

Because the IP address is hidden and the connection encrypted, it is no longer possible to know what is being downloaded through the secured VPN connection, and by whom. When sensitive or important files are being downloaded (say, for work), nobody has insight into this information. Privacy and anonymity are achieved.

1.1.5      Bypass Government Censorship

Some countries, such as China have firewalled the entire internet to "protect" their subjects from being "influenced" by "unapproved" information (a futile attempt to keep people stupid and uninformed). A VPN connection allows these restrictions to be bypassed.

In countries where the government regulates the internet, most often not all websites are available. This is how totalitarian regimes make a habit of silencing critical media outlets by blocking them in a country. These restrictions can be bypassed like all other geographical restrictions using VPN. VPN is therefore a crucial tool in the war for information / press freedom.

1.1.6      Save Money Online

Prices for shopping online often differ based on the country someone is shopping from. When visiting an internet vendor using a connection within England, prices can sometimes be drastically more expensive for the exact same product or service versus shopping from another country. A VPN connection allows the user to connect using VPN servers from around the world. This causes websites to consider users as visitors from the country where the VPN server is located, thus allowing the user to profit from the best international prices and rates.

In addition, vendors in most jurisdictions are legally obligated to collect sales taxes from local, but not external "subjects".

1.2    VPN Selection Criteria

Be very careful when selecting a commercial VPN provider, some of which keep logs and identity information. Many VPN users have received copyright violation notices and some have been charged for inadvertently downloading material or stumbling on "unapproved" websites. For example, Canada has "modernized" their copyright act to "legally" obligate ISPs and VPN providers to log user activities discussed here, effectively killing the "honest" business case for VPN providers in Canada. If it is your intent to not take this risk, it is crucial that you select a commercial VPN provider with a "no log" policy in a jurisdiction that respects information freedom. Because of the chilling effect of these "laws", many VPN providers lie to their customers regarding their privacy policies. You have been warned.

Some VPN users, because of computer or VPN misconfiguration / bugs, are subject to DNS leaks, where it is possible to determine the real IP address (and, therefore, user identity) of a user computer. A brief explanation of DNS leaks and how they originate is discussed here. As part of VPN provider research, it is suggested to subscribe to free (or refund-if-not-satisfied) trials, which many providers offer, and perform an internet based DNS leak test prior to committing to any VPN service contract. Note that VPN client devices (and not SecureOffice) may be the cause of the DNS leak. Tips for fixing this are available at the previous leak test link.

Using VPN to access personal services such as email and banking where real identity is known allows these service providers to link your VPN IP address to you, defeating the privacy purpose of VPN, especially if these service providers collect and provide (and may be "legally" bound to do so) information to "big brother / sister". It may be necessary for travellers to use VPN (with a connection to their home jurisdiction) to access their services when travelling, since personal service providers such as banks use the geographic location of clients as part of their defense from being hacked.

It is a SecureOffice requirement that the VPN provider support OpenVpn, as most do. Some also provide OpenVpn configuration files for OpenWrt routers such as SecureOffice.

Another requirement (if you want to avoid the minor expense of subscribing to the custom SecureOffice package / script repository) is that the chosen VPN provider support TAP devices (discussed below), to allow bridging to SecureOffice WiFi and ethernet ports to provide secure internet connections to clients.

It is possible, using custom VPN scripts ($, discussed later) to use a TUN device and custom routing to mimic bridging from a TAP interface to a network device such as WiFi or ethernet port.

2        VPN Connection Types

SecureOffice recommends using OpenVpn for all VPN applications.

It is possible to configure SecureOffice to use older, less secure VPN protocols such as PPTP, L2TP / IPsec and SSTP, compared here. To configure SecureOffice to use alternate VPN protocols is beyond the scope of this document. Users wishing to do so will have to consult the OpenWrt Wiki, and / or, do some internet research.

A VPN connection is basically a virtual network adapter, which can be used (with some minor limitations) the same as any other network adapter. To create a VPN connection is a two-step process. First create the VPN network adapter connection. Second, configure network, DNS, routing and firewall to use the connection.

SecureOffice instructions are provided to configure OpenVpn and PPTP VPN connections. Wireguard VPN (much faster) is on the development / documentation roadmap.

2.1    OpenVPN

2.1.1      TUN Versus TAP Network Adapters

There are two types of OpenVPN adapters: TAP and TUN. Which one to use depends on the application and the nature of the data to be transported.

From the OpenVPN Wiki (absolutely necessary knowledge to understand how the advanced VPN scripts provided by SecureOffice work):

TAP benefits:

  • behaves like a real network adapter (except it is a virtual network adapter)
  • can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc)
  • Works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
  • Can be used in bridges

TAP drawbacks:

  • causes much more broadcast traffic overhead on the VPN tunnel
  • adds the overhead of Ethernet headers on all packets transported over the VPN tunnel
  • scales poorly

TUN benefits:

  • Lower traffic overhead, transports only traffic which is destined for the VPN client
  • Transports only layer 3 IP packets

TUN drawbacks:

  • Broadcast traffic is not normally transported.
  • Can only transport IPv4 (OpenVPN 2.4, used by SecureOffice, adds IPv6)
  • Cannot be used in bridges. This means: use TAP (or custom VPN scripts) if you are configuring a VPN WiFi hotspot or wish to bridge VPN to a real ethernet port.

2.1.2      Commercial VPN Providers And TAP

From the perspective of most VPN service providers, client requirements are best met using TUN devices. Providing connections using TAP adapters is considered a minor, niche market, not worthy of servicing. They are correct in this, although many, while they are harvesting new customers, will incorrectly allege they support TAP (practical experience). It is the opinion of the SecureOffice team that attempting to find a VPN provider that correctly supports TAP is a waste of time. Best to use their mainstream (and far better supported) TUN offerings.

The only use of TAP from commercial VPN providers in SecureOffice is to easily create bridged VPN connections over WiFi (or any network adapter) without using (paying for access to) the custom VPN scripts. There are no other advantages, including performance.

Given the difficulty of determining in advance whether a VPN service supports TAP adapters, the best approach is to "try it".

To do so:

  • create a working connection using TUN ("dev tunX" in config)
  • change to TAP adapter ("dev tapX" in VPN config) and restart the connection
  • the connection may appear to be working, but there may be DNS and other hard-to-debug, impossible-to-fix problems.
  • Check the OpenVpn log file. If the VPN provider (or specific server) does not support TAP, the OpenVpn logfile will contain an entry like "WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'".
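The TAP test above, as an added shell example that is not part of SecureOffice's own scripts: it rewrites a copy of the working TUN client config to TAP and scans an OpenVPN log for the dev-type warning. The config and log file paths are assumed arguments; restarting OpenVPN (on OpenWrt, /etc/init.d/openvpn) and capturing its log (logread) are left to the caller.

```shell
#!/bin/sh
# Added example, not SecureOffice's scripts. Assumptions: the caller passes
# the config file and the OpenVPN log file; restart and log capture are done
# outside this script.

# Write a TAP copy of a TUN config ("dev tunX" -> "dev tapX", index kept),
# so the known-good TUN config stays untouched for rolling back.
make_tap_config() {
    src="$1"; dst="$2"
    sed -E 's/^(dev[[:space:]]+)tun([0-9]*)[[:space:]]*$/\1tap\2/' "$src" > "$dst"
}

# Report the device type a config asks for: tun, tap, the raw value, or none.
# Only the "dev" directive is inspected, not "dev-type" or "dev-node".
config_dev_type() {
    awk '$1 == "dev" { found = 1
                       if ($2 ~ /^tun/) print "tun"
                       else if ($2 ~ /^tap/) print "tap"
                       else print $2 }
         END { if (!found) print "none" }' "$1"
}

# Look for the warning quoted on the page. Returns 0 (and prints the verdict)
# when the remote negotiated TUN against our TAP, 1 when no mismatch was seen.
tap_rejected() {
    if grep -q "'dev-type' is used inconsistently" "$1" \
       && grep -q "remote='dev-type tun'" "$1"; then
        echo "TAP not supported by this server: remote negotiated dev-type tun"
        return 0
    fi
    echo "no dev-type mismatch in log (TAP may work; still test DNS and routing)"
    return 1
}
```

A clean log does not prove TAP works, which is why the page's step about DNS and other hard-to-debug problems still applies.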

If TAP is not supported, and you really need bridging functionality (dedicated VPN WiFi or ethernet port), several options exist:

  • Create a support request for the VPN provider to support or fix their TAP implementation. Good luck.
  • Change VPN service providers until you find one that does support TAP. Please report your success and config by sending a message (Contact Us) with subject "VPN providers"
  • Subscribe ($) to the custom SecureOffice package / script repository for access to advanced VPN scripts which achieve VPN bridging functionality using TUN devices.
  • Use a less secure PPTP connection.
  • Figure out how to do it yourself.

2.1.3      VPN Providers Supporting TAP

TODO: Create list. None identified yet.

2.2    PPTP, L2TP / IPsec And SSTP

Most commercial VPN providers as well as SecureOffice / OpenWrt support these older, less secure VPN protocols. Instructions are provided for configuring SecureOffice as a PPTP client, providing faster, but less secure connections for users connected to the internet via SecureOffice.
