- Oct 23, 2012
A virtual private network is a secure tunnel between two or more computers on the internet, allowing them to access each other as if on a local network. In the past, VPNs were mainly used by companies to securely link remote branches together or connect roaming employees to the office network, but today they're an important service for consumers too, protecting them from attacks when they connect to public wireless networks. Given their importance, here's what you need to know about VPNs:
VPNs are good for your privacy and security
Open wireless networks pose a serious risk to users, because attackers sitting on the same networks can use various techniques to sniff web traffic and even hijack accounts on websites that don't use the HTTPS security protocol. In addition, some Wi-Fi network operators intentionally inject ads into web traffic, and these could lead to unwanted tracking.
In some regions of the world, governments track users who visit certain websites in order to discover their political affiliations and identify dissidents -- practices that threaten free speech and human rights.
By using a VPN connection, all of your traffic can be securely routed through a server located somewhere else in the world. This protects your computer from local tracking and hacking attempts and even hides your real Internet Protocol address from the websites and services you access.
Not all VPNs are created equal
There are different VPN technologies with varied encryption strengths. For example, the Point-to-Point Tunneling Protocol (PPTP) is fast, but much less secure than other protocols such as IPSec or OpenVPN, which uses SSL/TLS (Secure Sockets Layer/Transport Layer Security). Furthermore, with TLS-based VPNs the type of encryption algorithm and key length used is also important.
While OpenVPN supports many combinations of ciphers, key exchange protocols and hashing algorithms, the most common implementation offered by VPN service providers for OpenVPN connections is AES encryption with RSA key exchange and SHA signatures. The recommended settings are AES-256 encryption with an RSA key that's at least 2048 bits long and the SHA-2 (SHA-256) cryptographic hash function, instead of SHA-1.
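As an added example (not the article's own code, nor OpenVPN's), here is a small Python checker that reads an OpenVPN client configuration and flags cipher and hash settings weaker than the recommendations above; the two sample configs and the hostname are constructed placeholders, and the check relies on the standard OpenVPN `cipher`, `auth` and `tls-version-min` directives.

```python
"""Constructed sample configs (placeholder hostname), not a real provider's file."""
WEAK_CONFIG = """\
client
dev tun
remote vpn.example.test 1194
cipher BF-CBC    # OpenVPN's historical default cipher
auth SHA1        # OpenVPN's default HMAC digest
<ca>
-----BEGIN CERTIFICATE-----
...placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

STRONG_CONFIG = """\
client
dev tun
remote vpn.example.test 1194
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
"""

RECOMMENDED_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}
RECOMMENDED_AUTH = {"SHA256", "SHA384", "SHA512"}

def parse_directives(config):
    """Map top-level directives to arguments; inline <ca>/<cert>/<key> blocks are skipped."""
    directives, in_block = {}, False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if line.startswith("<"):                  # <ca> opens a block, </ca> closes it
            in_block = not line.startswith("</")
        elif line and not in_block:
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def audit(config):
    """Return findings that violate the article's advice; an empty list means it passes."""
    d = parse_directives(config)
    findings = []
    for key, allowed, label in (("cipher", RECOMMENDED_CIPHERS, "AES-256"),
                                ("auth", RECOMMENDED_AUTH, "SHA-2")):
        value = d.get(key, "").upper()
        if value not in allowed:
            findings.append("%s %s is not %s" % (key, value or "(unset)", label))
    if "tls-version-min" not in d:                # otherwise older TLS versions can be negotiated
        findings.append("tls-version-min unset: older TLS versions can be negotiated")
    return findings
```

The RSA key length is not in the config but in the CA certificate; `openssl x509 -in ca.crt -noout -text` shows it under "Public-Key".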
It's worth noting that VPNs introduce overhead, so the stronger the encryption is, the bigger the impact will be on the connection speed. The choice of VPN technology and encryption strength should be made on a case-by-case basis, depending on what kind of data will be passed through it.
The security needs of corporations are different than those of most consumers, who typically only need to protect themselves against opportunistic traffic snooping attacks -- unless they're concerned about mass surveillance by the U.S. National Security Agency and similar intelligence agencies, in which case very strong encryption is needed.
VPNs can bypass geoblocking and firewalls
Consumers also use VPNs to access online content that's not available in their region, although this depends on how well the content owners enforce restrictions. VPN service providers usually run servers in many countries around the world and allow users to easily switch between them. For example, users might connect through a U.K.-based server to access restricted BBC content or through a U.S.-based server to access Netflix content that's not available in their region.
Users in countries like China or Turkey, where the governments regularly block access to certain websites for political reasons, commonly use VPNs to bypass those restrictions.
Free vs. paid
While companies set up their own VPNs using special network appliances, consumers have a wide selection of commercial and free VPN services to choose from. Free VPN offerings usually display ads, have a more limited selection of servers, and the connection speeds are slower because those servers are overcrowded. However, for the occasional user this just might be enough.
Another downside of free VPN servers, though, is that it's more likely that the IP addresses they use will be blocked or filtered on various websites: free VPN services are commonly abused by hackers, spammers and other ill-intentioned users.
Commercial VPN services work on a subscription-based model and differentiate themselves by an absence of download speed throttling or data limits. Some of them also pride themselves on not keeping any logs that could be used to identify users.
A few antivirus vendors also offer VPN services, and these could serve as a middle ground between free and the more expensive commercial solutions, as users could get better deals if they also have antivirus licenses from those vendors. Also, these VPN solutions already ship with reasonably secure settings, so users don't have to worry about configuring them themselves.
Beware the local laws
When deploying VPNs internationally, make sure you check the local laws and regulations, because VPNs may be restricted there. Notably, China earlier this year issued VPN regulations that are vague, but can be interpreted to mean that VPNs are illegal. The rules may be aimed at consumers trying to reach banned Web sites, but they might also be applied to businesses connecting to branches elsewhere. There have been proposals in Russia as well to ban VPNs, but so far they haven't gone anywhere. The bottom line is to check the laws in whatever countries will host a node of a VPN to make sure it's legal and whether there are rules that could undermine privacy.
Build your own
Finally, there's the option to run your own VPN server at home so you can tunnel back and access services and devices on your home network from anywhere. This is a much better option than exposing those services directly to the internet, which is how hundreds of thousands of internet-of-things devices have recently been compromised and used to launch distributed denial-of-service attacks.
The general rule is that the fewer ports are opened in your router, the better. You should disable UPnP (Universal Plug and Play) so that your poorly designed IP camera, for example, doesn't punch a hole through your firewall and become available to the whole world.
Some consumer routers have built-in VPN server functionality these days, so you don't even have to set up a separate dedicated VPN server inside your network. If your router doesn't have this sort of feature, a cheap mini computer like a Raspberry Pi can do this job just fine.