VPN
VPN clients and VPN providers/services are super useful tools that I lean on all the time.
I wrote this page to help friends and family understand what they are, how they work, when and why to use them, and what the pitfalls of VPNs are.
Short and simplified:
- VPNs re-route all your internet traffic to a remote server over an encrypted connection
- This can be useful to make sure everything coming out of your computer is encrypted so the local network and anyone along the path to the remote server cannot see what you’re doing; only that you’re connected to this server.
- The value of this has fallen because websites use HTTPS and DNS can now be configured to be encrypted by default.
- By moving all your traffic to the remote server with a VPN, you shift your trust to whoever runs that remote server, because now they can see everything you’re doing.
- Unless you’re connected through something like a travel router, it’s impossible to be 100% sure everything is going over the VPN (if that matters to you; it probably doesn’t).
- VPNs and similar tools are extremely useful for managing servers and limiting who can talk to them.
What is a VPN?
For most people, a VPN is a tool used to access the internet via someone else’s computer/server, and from that computer’s location.
There are lots of misunderstandings about how much privacy VPNs give you and whom they protect you from.
From a technical perspective, using a VPN service (with either its own software or an open-source client) only hides the content of your internet usage from whoever is providing the internet connection. VPNs shift the trust from your internet provider to the VPN provider. So if you want to protect or hide your activity on principle, then who you shift that trust to matters.
If you just want to appear to be coming from another country, then it matters a lot less. You’ll likely only care whether the servers you’re connected to work for accessing the services you want to use.
The best way to think of a VPN is as a giant digital ethernet cable: when you connect via a VPN, your computer configures itself to send internet traffic over this virtual/digital cable.
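The “virtual cable” shows up on your computer as a routing-table entry: the default route (everything not destined for the local network) points at the tunnel interface. The summary above also notes that it is hard to be sure everything really goes over the VPN. The script below is an added example of mine, not code from the original post; it parses the output of `ip -4 route show` on Linux (a constructed sample table is embedded, with a stale route added as a deliberate leak), reports which interface carries the effective default route, and lists any public destinations that would still leave through a physical interface. The tunnel interface name prefixes and the VPN endpoint address are assumptions, and it only inspects the main routing table, not `ip rule` policy routing.

```python
"""Check a Linux routing table for traffic that would bypass a VPN tunnel.

Parses the output of `ip -4 route show` (a constructed sample is embedded
below) and reports whether the effective default route points at a tunnel
interface, and which non-internal destinations would still leave through a
physical interface. Policy routing (`ip rule`, as used by wg-quick) is not
inspected; this only covers the main table.
"""
import ipaddress
import subprocess
from dataclasses import dataclass

# Interface name prefixes treated as VPN tunnels (assumption; adjust as needed).
TUNNEL_PREFIXES = ("wg", "tun", "tap", "utun", "ppp")

# Address ranges that never leave the local network, so they are not leaks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "100.64.0.0/10",
)]

# Constructed sample: a full tunnel on wg0, the LAN uplink on eth0, a host
# route that lets the VPN endpoint itself bypass the tunnel (expected), and
# a stale /24 route to a public network via eth0 (a leak).
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev wg0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
198.51.100.0/24 via 192.168.1.1 dev eth0
"""


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    metric: int

    @property
    def is_tunnel(self) -> bool:
        return self.dev.startswith(TUNNEL_PREFIXES)

    @property
    def is_internal(self) -> bool:
        return any(self.dst.subnet_of(net) for net in INTERNAL_NETS)


def parse_routes(text: str) -> list[Route]:
    """Parse `ip route` lines into Route objects; lines without `dev` are skipped."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "dev" not in tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        dev = tokens[tokens.index("dev") + 1]
        metric = int(tokens[tokens.index("metric") + 1]) if "metric" in tokens else 0
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes


def effective_default(routes: list[Route]):
    """The route that catches 'everything else': an OpenVPN-style 0.0.0.0/1 +
    128.0.0.0/1 pair beats a plain default; otherwise the lowest-metric default."""
    halves = {str(r.dst): r for r in routes if r.dst.prefixlen == 1}
    if {"0.0.0.0/1", "128.0.0.0/1"} <= set(halves):
        return halves["0.0.0.0/1"]
    defaults = [r for r in routes if r.dst.prefixlen == 0]
    return min(defaults, key=lambda r: r.metric) if defaults else None


def find_leaks(routes: list[Route], vpn_endpoint: str) -> list[Route]:
    """More-specific routes to non-internal destinations that leave through a
    non-tunnel interface, other than the route to the VPN server itself."""
    endpoint = ipaddress.ip_address(vpn_endpoint)
    return [r for r in routes
            if r.dst.prefixlen > 0 and not r.is_tunnel and not r.is_internal
            and endpoint not in r.dst]


def check(text: str, vpn_endpoint: str) -> dict:
    """Summarise a routing table: which device the default goes to and any leaks."""
    routes = parse_routes(text)
    default = effective_default(routes)
    return {
        "default_dev": default.dev if default else None,
        "default_via_tunnel": bool(default and default.is_tunnel),
        "leaks": [str(r.dst) for r in find_leaks(routes, vpn_endpoint)],
    }


if __name__ == "__main__":
    # Use the live table when `ip` is available, otherwise the constructed sample.
    try:
        table = subprocess.run(["ip", "-4", "route", "show"],
                               capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        table = SAMPLE_ROUTES
    print(check(table, "203.0.113.10"))  # endpoint address is an assumption
```

On the sample table this reports the default going out of `wg0` and flags `198.51.100.0/24` as a leak, because that route is more specific than the default and points at `eth0`. The route to the VPN server itself is expected to bypass the tunnel, which is why the endpoint is passed in and excluded.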
Why VPNs?
Inside your private network there is a limited number of devices with visibility into the packets flowing through it and what they contain. Usually only your router (or combined router+modem) has this access, you are in control of it, and you can replace it fairly easily. On the open internet, however, there are many routers and switches making up the connections, and inspecting packets is an important part of security, ad profiling, and intelligence gathering on the web.
Besides that, because of cell phones and similar devices, we are constantly moving around. While before we could maybe use IP addresses for security, that’s no longer good enough, because our IPs change constantly as we switch networks or cell towers.
Plus, putting things like web servers on the internet without something like IP address blocking means anyone can attempt to access them, brute-force passwords, flood them until they fail (DoS/DDoS), or exploit them to get access to the underlying system (SQL injection, RCE, etc.). Software has bugs, and using firewalls to prevent access in the first place makes it much easier to secure without needing to thoroughly scrutinize every piece of software.
VPNs use encryption to let us securely send data to and from our private networks over possibly hostile public networks. They also act as a way to authenticate and authorize access to services in our private networks from anywhere, without needing to open those services up to everyone.
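Here is what “firewall plus VPN” looks like in practice on a Linux server, as an added example (my ruleset, not anything from the original post): an nftables configuration that lets the WireGuard tunnel be established from anywhere, but only lets connections that arrive through the tunnel interface reach SSH and the web server. Public-internet attempts at those ports never reach the software at all, which is the “prevent access in the first place” point above. The interface name `wg0`, the tunnel subnet `10.8.0.0/24`, and the UDP port `51820` are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: expose SSH and the web server only to peers that arrive over
# the VPN. Interface, subnet and port values are assumptions; adjust to match
# your own WireGuard configuration.
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep replies to our own outbound connections and loopback working.
        ct state established,related accept
        iif "lo" accept

        # The tunnel itself must be reachable from the public internet,
        # otherwise nobody can connect. WireGuard silently ignores packets
        # that do not authenticate, so this exposes very little.
        udp dport 51820 accept

        # Only traffic that has already come through the tunnel (and so has
        # authenticated to WireGuard) may reach management and web services.
        iifname "wg0" ip saddr 10.8.0.0/24 tcp dport { 22, 80, 443 } accept

        # Rate-limited ping so basic diagnostics still work.
        icmp type echo-request limit rate 5/second accept

        # Everything else falls through to the chain policy (drop). Log a
        # sample so scanning and brute-force attempts show up in monitoring.
        limit rate 10/minute log prefix "nft-drop: "
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the useful test afterwards is that port 22 and 443 are unreachable from the public address but reachable from a peer’s `10.8.0.x` address over the tunnel.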
Zero Trust Networking (No VPNs)
VPNs can be annoying sometimes; part of that is that they need to be configured and updated, and they sometimes lead to a false sense of security. Just because something is behind a VPN doesn’t mean the computer connected to it couldn’t be compromised and give attackers access. That’s why you’ll still need things like HTTPS/TLS and passwords for things inside your private network.
Zero Trust Networking is the idea that we should use VPNs where they make sense, but still act as if the servers were public. In this paradigm even private networks are treated as public, and servers use cryptography to authenticate and authorize every other computer talking to them. This can be kind of overwhelming to set up and maintain.
Thankfully there are tools out there like Tailscale which provide solid building blocks for creating a true Virtual Private Network of all your devices from anywhere. Installing and authenticating Tailscale on every device lets that device join your network and use Tailscale to figure out the best path between each device. Tailscale piggybacks on the security of things like Google or Microsoft accounts for authenticating users and then uses WireGuard to secure the traffic between devices. Tailscale manages regularly expiring devices, rotating their encryption keys, and deploying ACL rules to each device to control who can access what, even inside the virtual network they are authenticated into.
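To make the “who can access what, even inside the virtual network” part concrete, here is an added example of a Tailscale ACL policy, written by me for this page rather than taken from the original post or from Tailscale’s documentation. The `acls` list is default-deny: any connection not matched by a rule is refused by the receiving device. This policy lets only members of an admin group reach SSH on tagged servers, while every member of the tailnet can reach the web service on those servers. The group, tag and e-mail address are placeholders.

```json
{
  "groups": {
    "group:admins": ["alice@example.com"]
  },
  "tagOwners": {
    "tag:server": ["group:admins"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["tag:server:22"]
    },
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:server:443"]
    }
  ]
}
```

The important design point is that nothing grants access by IP address or by “being on the network”: identity comes from the login provider, the device’s WireGuard key is tied to that identity, and the rule is enforced on the server itself, which is exactly the zero-trust stance described above.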
VPN Services
Tailscale is not a VPN service. It provides infrastructure for securing and managing private networks, but a VPN service typically means a service that lets you access the internet via a VPN, hiding your traffic from the company providing your internet connection (for example Comcast/Xfinity, AT&T, or T-Mobile).
They let you access public servers on the internet, but over their connections, so it looks like you’re wherever their servers are. It also means only the VPN service can see what you’re doing, because everything between your computer and the VPN service is encrypted.
If the VPN service does not log which connections were made by you, or meant for you, then if someone later watches the traffic coming out of the VPN service’s servers it would be very difficult to attribute it to you. This is what makes VPN services attractive for privacy reasons, but it is also why they make great targets.
It’s difficult-to-impossible to know whether a provider is actually not logging, and also not accidentally logging in some other way.