How Do VPNs Really Work

You learn pretty quickly when you get into tech that the moment your computer hits the internet you have lost your privacy. There are numerous reasons why you would want to remain somewhat anonymous while surfing the net, but for me personally, I really don’t like how big tech sells my data for profit and gives me f$@k all back in return.

The VPN is often explained as this magical encrypted tunnel that “protects” your identity. While it does protect you to a degree, there is still some level of exposure. Most of the hype comes from people selling their software or affiliates who are getting money from pumping the product. The general image VPNs have is a little misleading, and we will explore this in this article.

On my team, I am in no way, shape or form the computer networking guy. That said, I can explain networks and VPNs to another engineer without talking out of my butt. I’ve also included a less technical explanation lower down in this article.

Just before we dive in, I want to share the VPN software that I’ve been using for some time. For anyone of any technical level, you can get started in about 3 minutes and protect 5 devices with the lowest plan. There is no pressure to buy this but it’s well worth at least knowing the options for staying safe online.

Every day since 2017 I’ve used ExpressVPN. For home browsing, privacy at work and streaming from my home TV, ExpressVPN is easy to use and has a generous plan for the everyday use case.
I know I’m safe when using ExpressVPN on the World Wide Web.


To understand how a VPN works, here is a simple example using an HTTP server.

Let’s say you want to connect to Google (e.g. IP 1.2.3.4) on port 80, and let us assume your source IP is 6.6.6.6.

This is really your public router IP and not your private laptop IP, so I’m going to skip NAT to simplify this explanation.

[Diagram: How do VPNs work, overview 1]

Normally, with no VPN, your client sends a SYN segment to port 80. That segment goes into an IP packet with destination IP 1.2.3.4 and source IP 6.6.6.6, and Google replies directly to you with a SYN/ACK in a packet with destination IP 6.6.6.6 and source IP 1.2.3.4, and so the exchange goes on. The diagram makes the flow a lot easier to follow.

Your Internet Service Provider sees the IP packets you are sending back and forth to 1.2.3.4. They can choose to deep-inspect them and see the content. They (the ISP and pretty much anyone in between) can do that in the case of plaintext HTTP (port 80), but not really with HTTPS (port 443).

Now say you deploy a UDP-based VPN and you use a VPN server on IP 3.3.3.3. The client still produces the SYN IP packet with destination 1.2.3.4 and source IP 6.6.6.6, but then the VPN client captures that IP packet, encrypts it and puts it in a new UDP datagram along with VPN info. That UDP datagram goes into a new IP packet whose destination IP is 3.3.3.3 and whose source IP is 6.6.6.6.

So you are protected from 90% of the internet, but there’s the 10% of people who know how to inspect and see what’s actually happening with your web browsing. Let’s carry on.

[Diagram: VPNs work like this, overview 2]

That outer IP packet is what leaves your NIC. Your ISP sees you going to 3.3.3.3 and not to 1.2.3.4, because the original packet is encrypted and encapsulated inside that outer IP packet. The VPN server receives the IP packet, unpacks and decrypts it (complex logic: it must find the right key, etc.), and then sees, aha, this guy wants to go to 1.2.3.4. It creates a brand new IP packet (or reuses the buffer for zero-copy), changing the source IP to its own 3.3.3.3, so the SYN reaches Google.

Google replies to 3.3.3.3 with a SYN/ACK. The VPN server, which knows that this packet must go to you (6.6.6.6), creates a new IP packet with its source IP as 3.3.3.3 and destination IP 6.6.6.6 and puts the SYN/ACK in it.

[Diagram: How VPNs communicate, part 3]

How does the VPN server know that this packet needs to go to 6.6.6.6? There might be many other clients who sent packets through the VPN to 1.2.3.4. That is why the VPN keeps a table of who is connected to what.

The IP address alone might not be enough to do the lookup, so the VPN might also use the source port to identify the connection. And in some rare cases, if two clients used the same source port, the VPN might have to change the source port too and not just the IP address.
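The whole exchange above, from the client wrapping its SYN in a UDP datagram to the server's connection table handing the SYN/ACK back to the right client, as an added simulation that is not part of the original article and not the code of any real VPN product. The addresses 6.6.6.6, 3.3.3.3 and 1.2.3.4 are the article's; the UDP ports, the second client 7.7.7.7, the session keys and the "encrypt-then-MAC over an HMAC keystream" cipher are constructed stand-ins (a real VPN uses an AEAD such as AES-GCM or ChaCha20-Poly1305). It goes one step beyond the text by having two clients pick the same source port, so the server has to rewrite the port, and by dropping a reply that no client asked for.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed addresses from the article's walkthrough; the two UDP ports are assumptions.
CLIENT_IP, VPN_IP, GOOGLE_IP = "6.6.6.6", "3.3.3.3", "1.2.3.4"
VPN_UDP_PORT, CLIENT_UDP_PORT = 1194, 50000

@dataclass(frozen=True)
class Packet:
    """Minimal model of one IP packet plus its transport header."""
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    sport: int
    dport: int
    payload: bytes   # for TCP we just carry the flag name, e.g. b"SYN"

def serialize(p: Packet) -> bytes:
    return f"{p.src}|{p.dst}|{p.proto}|{p.sport}|{p.dport}|".encode() + p.payload

def deserialize(raw: bytes) -> Packet:
    src, dst, proto, sport, dport, payload = raw.split(b"|", 5)
    return Packet(src.decode(), dst.decode(), proto.decode(), int(sport), int(dport), payload)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode), a stand-in for the AEAD a real VPN uses;
    # it only shows that the inner packet is opaque to anyone without the session key.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: tampered datagram or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def client_encapsulate(key: bytes, inner: Packet) -> Packet:
    """VPN client: the original SYN packet becomes the encrypted payload of a UDP datagram to 3.3.3.3."""
    return Packet(inner.src, VPN_IP, "UDP", CLIENT_UDP_PORT, VPN_UDP_PORT, encrypt(key, serialize(inner)))

class VpnServer:
    def __init__(self) -> None:
        self.sessions: Dict[str, bytes] = {}  # client ip -> session key (set up out of band here)
        # (public sport, remote ip, remote port) -> (client ip, client's original sport)
        self.table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.next_port = 60000  # pool drawn from when two clients pick the same source port

    def outbound(self, outer: Packet) -> Packet:
        """Decrypt the tunnelled packet, record who sent it, rewrite the source to 3.3.3.3."""
        inner = deserialize(decrypt(self.sessions[outer.src], outer.payload))
        public_sport, slot = inner.sport, (inner.sport, inner.dst, inner.dport)
        while slot in self.table and self.table[slot] != (outer.src, inner.sport):
            public_sport, self.next_port = self.next_port, self.next_port + 1  # collision: new port
            slot = (public_sport, inner.dst, inner.dport)
        self.table[slot] = (outer.src, inner.sport)
        return replace(inner, src=VPN_IP, sport=public_sport)

    def inbound(self, reply: Packet) -> Optional[Packet]:
        """Map Google's SYN/ACK back to the right client; drop it if no client asked for it."""
        entry = self.table.get((reply.dport, reply.src, reply.sport))
        if entry is None:
            return None
        client_ip, original_sport = entry
        inner = replace(reply, dst=client_ip, dport=original_sport)
        return Packet(VPN_IP, client_ip, "UDP", VPN_UDP_PORT, CLIENT_UDP_PORT,
                      encrypt(self.sessions[client_ip], serialize(inner)))

def run_walkthrough() -> dict:
    """Two clients both use TCP source port 40000 towards 1.2.3.4:80 through the same VPN."""
    server = VpnServer()
    server.sessions = {CLIENT_IP: os.urandom(32), "7.7.7.7": os.urandom(32)}  # constructed 2nd client
    result = {}
    for ip, key in server.sessions.items():
        syn = Packet(ip, GOOGLE_IP, "TCP", 40000, 80, b"SYN")
        outer = client_encapsulate(key, syn)   # what leaves the client's NIC
        to_google = server.outbound(outer)     # what Google actually receives
        reply = Packet(GOOGLE_IP, VPN_IP, "TCP", 80, to_google.sport, b"SYN/ACK")
        delivered = deserialize(decrypt(key, server.inbound(reply).payload))
        result[ip] = {"isp_sees": (outer.dst, outer.proto, outer.dport),
                      "google_sees": (to_google.src, to_google.sport),
                      "client_gets": (delivered.dst, delivered.dport, delivered.payload)}
    stray = Packet(GOOGLE_IP, VPN_IP, "TCP", 80, 12345, b"SYN/ACK")  # nobody asked for this one
    result["unsolicited_dropped"] = server.inbound(stray) is None
    return result
```

Running `run_walkthrough()` shows the three viewpoints the article walks through: the ISP only sees a UDP datagram to 3.3.3.3, Google only sees 3.3.3.3 (with the second client's port rewritten to 60000 because 40000 was already taken towards the same destination), and each client gets its SYN/ACK back with its own address and original port restored. The table lookup is keyed on the public port together with the remote address and port, which is what lets the server tell two clients apart even when both chose the same source port.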

If this is way too technical then let’s look at it this way:

Imagine you’re sending a letter to a friend, but you want to make sure that no one can read it while it’s on its way. You decide to put the letter inside a special envelope with a lock and send it through a secret tunnel.

Now, let’s relate this to the online world:

  1. Regular Internet Connection:
  • Your internet connection is like sending a postcard – anyone can see what you’re doing.
  2. VPN (Virtual Private Network):
  • The VPN is like that special envelope and secret tunnel for your internet connection.
  • When you connect to the internet through a VPN, it creates a secure, encrypted tunnel for your data to travel through.
  • This means that even if someone tries to peek at your internet activities, all they see is the encrypted information.
  3. Benefits of Using a VPN:
  • Privacy: Just like your letter is private inside the envelope, your online activities are private from prying eyes.
  • Security: The encryption adds a layer of protection, making it harder for hackers or snoopers to intercept your data.
  • Access: VPNs also let you pretend you’re in a different location. It’s like saying your letter is coming from a different post office. This can be useful for accessing content that might be restricted in your actual location.
  4. Choosing a VPN:
  • There are different VPN services, just like there are different kinds of envelopes. Some are more secure than others, so it’s essential to pick a trustworthy one.

Remember, while a VPN adds a layer of security and privacy, it’s not a magic shield. It’s always a good idea to follow other best practices for online safety, like using strong passwords and being cautious about the websites you visit.

So in summary, the VPN does not terminate the TCP connection; it simply passes the SYN all the way through, so you get an end-to-end TCP connection between you and Google, but through this encrypted tunnel.

Remember that the same thing happens when you use TLS: the TLS ClientHello is forwarded all the way to Google through the VPN just like any other packet. That is why you still get end-to-end encryption, and the VPN cannot really read HTTPS traffic either. It also means that yes, you take the hit of double encryption and decryption when using a VPN.

Why UDP and not TCP for the VPN? You can use TCP, but you might get a TCP meltdown as the two congestion-control algorithms (outer and inner TCP connection) fight each other. With UDP it is easy to retransmit only the lost packets and have simpler retry logic without all the complexity of TCP.

Keep in mind that this is just one implementation; you can build your own VPN protocol to achieve the same result. Sending some love to this guy for his perspective on how VPNs work. I borrowed your images, sorry dude, but thanks, and here’s a link.
