VPNs and Secure Tunneling: Protecting Data in Transit (Part 5)

Creating Trust in Untrusted Networks

The internet is a public highway. Every packet you send travels through routers, ISPs, and infrastructure you don’t control. Coffee shop WiFi? Hostile territory. Hotel networks? Assume they’re compromised.

Virtual Private Networks (VPNs) create encrypted, authenticated tunnels through these untrusted networks, giving data in transit confidentiality and integrity and giving each endpoint assurance of who is on the other end.


What is a VPN?

A VPN extends a private network across a public network, allowing users to send and receive data as if they were directly connected to the private network.

Core Properties

  1. Encryption: Data is unreadable to eavesdroppers.
  2. Authentication: Verify the identity of both endpoints.
  3. Integrity: Detect any tampering of data.
  4. Tunneling: Encapsulate private traffic in public packets.

VPN Use Cases

1. Remote Access VPN

Connect remote workers to corporate network.

[Remote User] →→→ [VPN Tunnel] →→→ [Corporate Network]
     (Home/Coffee Shop)      (Encrypted)         (Private Resources)

2. Site-to-Site VPN

Connect two office locations permanently.

[Office A] ←→ [VPN Tunnel] ←→ [Office B]
  10.0.0.0/8                      172.16.0.0/12

3. Privacy/Anonymity

Hide your source IP from the sites you visit, and hide traffic contents and destinations from your ISP. This does not remove the trust problem; it moves it to the VPN provider, who now sees exactly what the ISP used to see.

[User] → [VPN Provider] → [Internet]
         (Your traffic appears    (Websites see VPN
          encrypted to ISP)        server's IP)

VPN Protocols

IPsec (Internet Protocol Security)

Industry standard for site-to-site and enterprise VPNs.

Components:

  • IKE (Internet Key Exchange): Authenticates the peers (pre-shared key or certificates) and negotiates the security associations and their keys. IKEv2 is what you should be running today.
  • ESP (Encapsulating Security Payload): Encrypts and authenticates data. IP protocol 50, or carried in UDP 4500 when NAT traversal is in use.
  • AH (Authentication Header): Authentication only, no confidentiality. Rarely used, and it does not survive NAT because it authenticates the outer IP header.

Modes:

  • Transport Mode: Only the payload is protected; the original IP header stays in the clear (host-to-host).
  • Tunnel Mode: The entire original packet is encrypted and wrapped in a new IP header (gateway-to-gateway), so internal addresses are hidden from the path.

Original IP Packet:
[IP Header][TCP Header][Data]

IPsec Tunnel Mode (ESP):
[New IP Header][ESP Header][Original IP Header][TCP Header][Data][ESP Trailer][ICV]
                           |<------------------ Encrypted ------------------>|
               |<---------------------- Authenticated ---------------------->|

The ESP header (SPI and sequence number) is authenticated but not encrypted, so the receiver can find the right SA and reject replays before decrypting. The trailer holds padding and the next-header field; the ICV is the integrity tag.

SSL/TLS VPN

VPN carried inside TLS, normally on TCP 443, so it passes through most firewalls and proxies. Many products add a DTLS (UDP) data path once the TLS session is up, because TCP-in-TCP tunnelling performs poorly on lossy links.

Types:

  • Portal-based: Access web apps through browser.
  • Tunnel-based: Full network access via client.

Examples: Cisco AnyConnect, Pulse Secure, GlobalProtect.

OpenVPN

Open-source SSL-based VPN. Highly configurable.

# Server configuration (server.conf)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Encrypt and authenticate the TLS control channel; unauthenticated packets are dropped early
tls-crypt ta.key
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
# Full tunnel: clients send all traffic through the VPN
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# OpenVPN 2.5+: negotiate AEAD ciphers for the data channel ("cipher" is the legacy directive)
data-ciphers AES-256-GCM:CHACHA20-POLY1305
# HMAC for the control channel (AEAD data ciphers carry their own tag)
auth SHA256
keepalive 10 120
persist-key
persist-tun
# Drop privileges after the interface and keys are set up
user nobody
group nogroup

# Client configuration (client.ovpn)
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
# Refuse any server certificate that lacks the TLS server role: without this, any
# client certificate from the same CA can impersonate the server (MITM)
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256

WireGuard

Modern, minimal VPN protocol. Faster and simpler than OpenVPN/IPsec.

Advantages:

  • About 4,000 lines of kernel code, against the hundreds of thousands in OpenVPN plus its TLS library or a full IPsec stack, so there is far less to audit.
  • Built into the Linux kernel (since 5.6).
  • Fixed, modern cryptography (Noise handshake, Curve25519, ChaCha20-Poly1305, BLAKE2s). There is no cipher negotiation, so there is nothing to downgrade.
  • Roaming support: a peer is identified by its public key, not its address, so a phone that changes networks keeps its tunnel.

# WireGuard server configuration
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
# Cryptokey routing: only packets with this source IP are accepted from this peer,
# and only packets for this destination are sent to it
AllowedIPs = 10.0.0.2/32

# WireGuard client configuration
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = vpn.example.com:51820
# 0.0.0.0/0 is a full tunnel; 10.0.0.0/24 here would give a split tunnel
AllowedIPs = 0.0.0.0/0
# Keeps the NAT mapping alive for a client behind NAT; omit on the server
PersistentKeepalive = 25

# Bring up WireGuard interface
wg-quick up wg0

# Check status: latest handshake and transfer counters per peer
wg show
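What "wg genkey | wg pubkey" actually computes, as an added example that is not part of the original post or of the WireGuard project's code: a private key is 32 random bytes clamped as RFC 7748 requires, and the public key is X25519 of that scalar against the base point 9. The Montgomery ladder below is the RFC 7748 reference algorithm written in plain Python; it is slow and not constant-time, so it is for understanding the key format, not for generating keys you will deploy. The RFC 7748 test vectors used in the usage note are real; the key names are illustrative.

```python
# Added example (not the original post's or WireGuard's code): what
# "wg genkey | wg pubkey" does, in pure Python. Illustrative only: the ladder
# is not constant-time, so do not use it to produce real keys.
import base64
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def clamp(k: bytes) -> bytes:
    """RFC 7748 scalar clamping; wg genkey applies exactly this to its 32 random bytes."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519(scalar, u) per RFC 7748 section 5 (Montgomery ladder)."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_genkey() -> str:
    """Equivalent of `wg genkey`: base64 of 32 clamped random bytes."""
    return base64.b64encode(clamp(os.urandom(32))).decode()


def wg_pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: X25519 of the private scalar against the base point."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """Static-static DH: both peers get the same 32 bytes. WireGuard mixes this
    and the per-handshake ephemeral DHs into its Noise key schedule."""
    return x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))


if __name__ == "__main__":
    server_priv, client_priv = wg_genkey(), wg_genkey()
    server_pub, client_pub = wg_pubkey(server_priv), wg_pubkey(client_priv)
    print("PrivateKey =", server_priv)
    print("PublicKey  =", server_pub)
    assert shared_secret(server_priv, client_pub) == shared_secret(client_priv, server_pub)
```

Feeding RFC 7748's published test scalar 77076d0a...92c2a to x25519 with the base point yields the published public key 8520f009...b4e6a, which is the check that the ladder is right. The practical lesson is in the last line of the block: a peer's public key is the only identity WireGuard has, so the [Peer] PublicKey lines in the configs above are the access-control list, and whoever holds a private key is that peer.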

VPN Architecture Patterns

Hub-and-Spoke

All traffic flows through central hub.

        [Branch A]
             ↓
[Branch B] ← [HQ Hub] → [Branch C]
             ↓
        [Branch D]

Pros: Centralized control, easier monitoring. Cons: Hub is bottleneck and single point of failure.

Full Mesh

Every site connects to every other site.

[A] ←→ [B]
 ↕  ╲ ╱  ↕
 ↕   ╳   ↕
 ↕  ╱ ╲  ↕
[C] ←→ [D]

Pros: Optimal routing, no single point of failure. Cons: Complex, $n(n-1)/2$ tunnels needed.

Split Tunnel vs. Full Tunnel

Split Tunnel:

  • Only corporate traffic goes through VPN.
  • Internet traffic goes direct.
  • Better performance, but the endpoint sits on the untrusted network and the corporate network at the same time, so it can bridge the two, and its internet traffic is neither inspected nor logged.

Full Tunnel:

  • ALL traffic goes through VPN.
  • All egress passes the corporate security stack, at the cost of latency and VPN bandwidth.
  • Usually mandated where policy requires every packet to be inspected. Note that the local LAN typically stays reachable unless the client blocks it.
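How a full tunnel takes over the default route without deleting it, as an added example that is not from the original post: OpenVPN's redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 over the tunnel (two /1 routes beat the /0 default by longest-prefix match) plus a /32 host route that keeps the encrypted packets to the VPN server on the physical path, so they do not loop into the tunnel. The model below reproduces that table; the addresses, interface names and the "eth0 via ..." next-hop strings are constructed for the demo.

```python
# Added example, not from the original post: a longest-prefix-match model of
# the client's routing table showing what split and full tunnel do to a packet.
# Addresses, interface names and next-hop strings are constructed for the demo.
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop)], as the kernel does it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Physical network before the VPN comes up: home LAN plus default route.
BASE = [
    ("192.168.1.0/24", "eth0"),
    ("0.0.0.0/0", "eth0 via 192.168.1.1"),
]


def split_tunnel(table, corp_nets, tun="tun0"):
    """Only the pushed corporate prefixes ride the tunnel (OpenVPN: push "route ...")."""
    return table + [(net, tun) for net in corp_nets]


def full_tunnel(table, vpn_server, tun="tun0"):
    """redirect-gateway def1 as OpenVPN installs it. wg-quick reaches the same
    result for AllowedIPs = 0.0.0.0/0 with policy routing instead of /1 routes."""
    return table + [
        (f"{vpn_server}/32", "eth0 via 192.168.1.1"),  # encrypted packets stay outside
        ("0.0.0.0/1", tun),
        ("128.0.0.0/1", tun),
    ]


def leaks(table, destinations, tun="tun0"):
    """Destinations whose packets would bypass the tunnel."""
    return [d for d in destinations if lookup(table, d) != tun]


if __name__ == "__main__":
    targets = ["10.1.2.3", "93.184.216.34", "192.168.1.50"]
    split = split_tunnel(BASE, ["10.0.0.0/8"])
    full = full_tunnel(BASE, "203.0.113.5")
    print("split tunnel leaks:", leaks(split, targets))  # internet and LAN go direct
    print("full tunnel leaks: ", leaks(full, targets))   # LAN still direct: /24 beats /1
    print("VPN server itself: ", lookup(full, "203.0.113.5"))
```

Two things the model makes visible: the /32 host route is why a full tunnel works at all, and the LAN /24 is why "full tunnel" does not mean "isolated from the coffee-shop network". A client that wants the latter has to add a firewall rule (or wg-quick's default policy-routing setup) on top of the routes.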

VPN Security Considerations

1. Authentication

  • Certificates (or WireGuard static keys): Strongest; the cost is lifecycle work, i.e. issuance, rotation and revocation.
  • Username/Password: Easy to deploy, and the credential most often phished or password-sprayed.
  • MFA: Always enable for remote access; it is the control that blunts credential theft.

2. Encryption Strength

  • AES-256-GCM: Current standard (AEAD, hardware-accelerated on most CPUs).
  • ChaCha20-Poly1305: AEAD alternative that stays fast without AES instructions (mobile, embedded).
  • Avoid: DES, 3DES, RC4, Blowfish, MD5 or SHA-1 HMACs, and 1024-bit-class DH (IKE groups 1, 2 and 5).
  • Prefer AEAD modes; with CBC ciphers you depend on a separate HMAC being configured and applied correctly.

3. Perfect Forward Secrecy (PFS)

Each session derives its keys from an ephemeral Diffie-Hellman exchange, so a later compromise of the long-term key, or of one session's keys, does not expose other sessions. IPsec: enable PFS on the child (Phase 2) SAs. OpenVPN: the TLS handshake is ephemeral, and reneg-sec sets how often it rekeys. WireGuard: a fresh handshake every two minutes.

4. Kill Switch

If the tunnel drops, block everything except the tunnel itself: a firewall policy that allows traffic leaving over the tunnel interface and the encrypted packets to the VPN endpoint, and drops the rest. Without it the client silently falls back to the untrusted network, which is exactly what full tunnel was meant to prevent.

5. DNS Leak Prevention

Ensure DNS queries go through the tunnel's resolver, not the ISP's or the one handed out by the local network's DHCP. OpenVPN on Windows: push "block-outside-dns". wg-quick: the DNS = line sets the resolver while the tunnel is up. Verify by capturing port 53 on the physical interface while connected: it should stay silent.
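A way to turn the checklist above into something mechanical, as an added example that is not part of the original post: a small linter for OpenVPN client configs that flags weak data-channel ciphers, weak HMACs, a missing remote-cert-tls server (the MITM gap), an unprotected control channel, password-only authentication and no TLS floor. It is run against two constructed configs: one written in the pre-2.4 style the OpenVPN section above warns about and the same client hardened. The directive names are real OpenVPN options; the finding codes and sample file contents are my own.

```python
# Added example, not from the original post: a linter for OpenVPN client
# configs covering the points in the list above. The two sample configs are
# constructed for the demo; finding codes are this example's own vocabulary.

# Data-channel ciphers and HMACs from the DES/3DES/Blowfish/SHA-1 era.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "NONE"}
WEAK_HMACS = {"NONE", "MD5", "SHA1"}


def parse_ovpn(text):
    """Return [(directive, [args]), ...]; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive, args))
    return entries


def lint_ovpn(text):
    """Return a sorted list of finding codes; an empty list means clean."""
    cfg = parse_ovpn(text)
    present = {directive for directive, _ in cfg}
    findings = set()

    for directive, args in cfg:
        if directive == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            findings.add("weak-cipher")
        if directive == "data-ciphers" and args:
            if any(c.upper() in WEAK_CIPHERS for c in args[0].split(":")):
                findings.add("weak-cipher")
        if directive == "auth" and args and args[0].upper() in WEAK_HMACS:
            findings.add("weak-hmac")

    # Without a server-role check, any certificate signed by the same CA
    # (for example a stolen client certificate) can impersonate the server.
    if "remote-cert-tls" not in present and "verify-x509-name" not in present:
        findings.add("no-server-cert-check")
    # tls-auth/tls-crypt keep unauthenticated packets away from the TLS stack.
    if not present & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.add("unprotected-control-channel")
    # Password-only authentication: no client certificate or PKCS#12 bundle.
    if "auth-user-pass" in present and not present & {"cert", "pkcs12"}:
        findings.add("password-only-auth")
    if "tls-version-min" not in present:
        findings.add("no-tls-min-version")
    return sorted(findings)


# Constructed sample 1: a client config in the pre-2.4 style.
WEAK_CLIENT = """
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
auth-user-pass
cipher BF-CBC
auth SHA1
"""

# Constructed sample 2: the same client hardened.
STRONG_CLIENT = """
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
"""

if __name__ == "__main__":
    print("weak:  ", lint_ovpn(WEAK_CLIENT))
    print("strong:", lint_ovpn(STRONG_CLIENT))  # []
```

The weak sample produces six findings; the hardened one produces none. Dropping the linter into a pre-commit hook for the repository that holds your .ovpn profiles is cheap, and it catches the one-line omission (remote-cert-tls server) that turns a working tunnel into one any stolen client certificate can impersonate.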


VPN Attack Vectors

1. Credential Theft

Stolen VPN credentials = network access from a source that looks legitimate. Phishing and password spraying against the VPN login page are routine.

Defense: MFA, certificate-based auth, and alerting on logins from new locations or impossible travel.

2. VPN Vulnerabilities

VPN appliances are reachable from the whole internet by design, and the critical bugs found in them (Pulse Secure, Fortinet and others) have typically been exploitable before authentication, on the login or management endpoint.

Defense: Patch immediately, monitor vendor advisories, keep the admin interface off the internet, and review appliance logs for signs of exploitation after each advisory.

3. Man-in-the-Middle

Intercepting the key exchange, or presenting a certificate the client will accept: with a weak client configuration, any certificate from the same CA will do.

Defense: Mutual authentication and certificate pinning; in OpenVPN, remote-cert-tls server and verify-x509-name. WireGuard peers are pinned to each other's static public keys, so there is no CA to subvert.

4. Traffic Analysis

Even encrypted, metadata (packet timing, sizes, counts and the endpoint addresses) leaks information, enough to fingerprint which site or application is in use.

Defense: Padding, traffic shaping. These raise the attacker's cost rather than remove the leak.
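A toy website-fingerprinting classifier, as an added example that is not from the original post, to make the leak and the defence concrete. Each trace is the sequence of packet sizes an observer on the ISP side records for one page load; the three traces are constructed for the demo (real traces are noisier and real classifiers are statistical, but the information being used is the same). Padding every packet to a fixed cell hides the sizes; it does not hide the packet count, and timing is not modelled at all.

```python
# Added example, not from the original post: what an encrypted tunnel still
# reveals, and what fixed-size padding buys. Traces are constructed for the demo.
TRACES = {
    "login.example": [517, 1450, 1450, 220, 90, 1450, 340],
    "bank.example":  [517, 1450, 1450, 220, 90, 1450, 355],  # differs in one size only
    "news.example":  [517, 1450, 1450, 1450, 1450, 1450, 1450, 1450, 800],
}


def pad_trace(sizes, cell=1500):
    """Pad every packet up to the next multiple of `cell` bytes (fixed-size cells)."""
    return [((s + cell - 1) // cell) * cell for s in sizes]


def classify(observed, db, padder=lambda sizes: sizes):
    """Sites whose trace, after the same padding the defender applies, matches the
    observed trace exactly. More than one hit means the defence is doing its job."""
    target = tuple(padder(observed))
    return sorted(site for site, trace in db.items() if tuple(padder(trace)) == target)


if __name__ == "__main__":
    seen = TRACES["bank.example"]
    print("no padding:  ", classify(seen, TRACES))                    # ['bank.example']
    print("cell padding:", classify(seen, TRACES, padder=pad_trace))  # bank and login collide
    print("news, padded:", classify(TRACES["news.example"], TRACES, padder=pad_trace))  # count leaks
```

With padding, bank.example and login.example become indistinguishable because they have the same packet count; news.example is still identified from its nine packets alone. That is the honest summary of padding as a defence: it removes one feature, not the channel.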


Zero Trust: Beyond VPN

Traditional VPNs assume: “Once inside the network, you’re trusted.”

Zero Trust assumes: “Never trust, always verify.”

Zero Trust Network Access (ZTNA)

  • Per-application access, not network access.
  • Continuous authentication.
  • Device posture checks.
  • Identity-based policies.

Solutions: Cloudflare Access, Zscaler, BeyondCorp.

Traditional VPN:
[User] → [VPN] → [Full Network Access]

ZTNA:
[User] → [Identity Provider] → [Policy Engine] → [Specific App Only]

Setting Up a WireGuard VPN (Lab)

Server Setup (Ubuntu)

# Install WireGuard
apt update && apt install -y wireguard

# Generate keys. The umask keeps the private key from ever being world-readable.
umask 077
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key

# Configure interface. eth0 is assumed to be the internet-facing NIC; adjust to yours.
# The unquoted EOF lets $(cat ...) expand, so the key is written into the file.
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.0.0.1/24
PrivateKey = $(cat /etc/wireguard/private.key)
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Paste the client's public key here, or add it later with "wg set" (see client setup)
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
EOF
chmod 600 /etc/wireguard/wg0.conf

# Enable IP forwarding (persistently, and right now)
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf && sysctl -p

# Start WireGuard now and at boot. If a host firewall is present, allow UDP 51820.
systemctl enable --now wg-quick@wg0

Client Setup

# Generate client keys
umask 077
wg genkey | tee client_private.key | wg pubkey > client_public.key

# Create client config (server_ip is the server's public address)
cat > client.conf << EOF
[Interface]
PrivateKey = $(cat client_private.key)
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = server_ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

# On the server: register the client's public key without editing wg0.conf by hand,
# then persist the running configuration back to the file
# wg set wg0 peer "$(cat client_public.key)" allowed-ips 10.0.0.2/32
# wg-quick save wg0

# Verify from the client once it is up: the handshake timestamp should be recent
# wg show wg0 latest-handshakes

Summary

  • VPNs create encrypted tunnels through untrusted networks.
  • IPsec for enterprise, OpenVPN for flexibility, WireGuard for speed.
  • Full tunnel for security, split tunnel for performance.
  • Zero Trust (ZTNA) is replacing traditional VPN access models.

This concludes the Computer Networks & Security series. We’ve journeyed from the OSI model through subnetting, firewalls, IDS/IPS, and now VPNs. Understanding these fundamentals is essential for any security professional.

Tharunaditya’s Security Note: A VPN protects your traffic in transit, but it doesn’t make you anonymous. The VPN provider can still see your traffic. Choose wisely, or run your own.
