Module 15: VPNs & Tunneling
VPNs (Virtual Private Networks) create secure, encrypted connections over public networks. This module covers VPN types, tunneling protocols, and real-world implementations.
Estimated Time: 3-4 hours
Difficulty: Intermediate
Prerequisites: Module 7 (Security basics), Module 10 (NAT)
15.1 What is a VPN?
A VPN extends a private network across a public network, allowing users to send and receive data as if connected to the private network directly.
Without VPN
┌─────────────────┐ ┌─────────────────┐
│ Remote Worker │ │ Company Network │
│ (Coffee Shop) │ │ │
│ │ ───INSECURE───► │ Internal Apps │
│ Public WiFi │ (can be │ Can't access! │
│ (untrusted) │ intercepted) │ │
└─────────────────┘ └─────────────────┘
With VPN
┌─────────────────┐ ┌─────────────────┐
│ Remote Worker │ Encrypted │ Company Network │
│ (Coffee Shop) │ Tunnel │ │
│ │ ════════════════► │ Internal Apps │
│ VPN Client │ (secure) │ Full access! │
│ │ │ VPN Gateway │
└─────────────────┘ └─────────────────┘
15.2 VPN Types
Remote Access VPN
Individual users connect to a corporate network.
┌──────────────┐
│ Employee A │──┐
│ (Home) │ │ ┌─────────────────┐
└──────────────┘ │ │ │
├───►│ VPN Gateway │──► Corporate Network
┌──────────────┐ │ │ │
│ Employee B │──┘ └─────────────────┘
│ (Hotel) │
└──────────────┘
Use Cases:
Work from home
Traveling employees
Contractors accessing internal systems
Site-to-Site VPN
Connects two networks together permanently.
┌─────────────────────┐ ┌─────────────────────┐
│ HQ Office │ │ Branch Office │
│ New York │ │ London │
│ │ │ │
│ ┌─────────────┐ │ │ ┌─────────────┐ │
│ │ VPN Gateway │◄══╪═════════╪══►│ VPN Gateway │ │
│ └─────────────┘ │ Always │ └─────────────┘ │
│ │ On │ │
│ 192.168.1.0/24 │ │ 192.168.2.0/24 │
└─────────────────────┘ └─────────────────────┘
Use Cases:
Connect branch offices
Connect on-premises to cloud (AWS VPN)
Merge networks after acquisition
Client-to-Site vs Site-to-Site
Aspect       Client-to-Site       Site-to-Site
Initiator    Individual user      Network device
Connection   On-demand            Permanent
Software     VPN client needed    Router/firewall config
Scale        Per user             Per network
15.3 Tunneling Protocols
IPsec (Internet Protocol Security)
Industry standard for site-to-site VPNs.
Two Modes:
TRANSPORT MODE (host-to-host):
┌────────────────────────────────────────┐
│ Original IP Header │ IPsec │ Payload │
└────────────────────────────────────────┘
(encrypted)
TUNNEL MODE (gateway-to-gateway):
┌──────────────────────────────────────────────────┐
│ New IP Header │ IPsec │ Original IP │ Payload │
└──────────────────────────────────────────────────┘
(entire original packet encrypted)
IPsec Components:
Component                             Purpose
IKE (Internet Key Exchange)           Negotiates security parameters, establishes the SA
ESP (Encapsulating Security Payload)  Encryption + authentication
AH (Authentication Header)            Authentication only (no encryption)
SA (Security Association)             Set of security parameters for the connection
IPsec Phases:
Phase 1 (IKE SA):
- Authentication (pre-shared key or certificates)
- Establish secure channel for Phase 2
Phase 2 (IPsec SA):
- Negotiate encryption algorithms
- Establish tunnel for data
OpenVPN
Open-source, widely used for remote access.
Characteristics:
Uses OpenSSL library
TCP or UDP (UDP preferred)
Port 1194 by default (can use 443 to bypass firewalls)
Certificate-based authentication
┌─────────────────────────────────────────────────┐
│ OpenVPN Architecture │
├─────────────────────────────────────────────────┤
│ │
│ Client Server │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ .ovpn file │ │ server.conf │ │
│ │ client.crt │ TLS/SSL │ server.crt │ │
│ │ client.key │◄────────────►│ server.key │ │
│ │ ca.crt │ │ ca.crt │ │
│ └─────────────┘ └─────────────┘ │
│ │
└─────────────────────────────────────────────────┘
WireGuard
Modern, fast, simple VPN protocol.
Advantages:
~4,000 lines of code (vs 100,000+ for OpenVPN)
Built into Linux kernel
Faster than IPsec and OpenVPN
Uses modern cryptography (Curve25519, ChaCha20)
# WireGuard configuration example
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0 # Route all traffic through VPN
SSL/TLS VPN
VPN over HTTPS, which works through any firewall.
Types:
Portal VPN: Browser-based access to web apps
Tunnel VPN: Full network access (like OpenVPN)
Advantage: Uses port 443 (HTTPS), which is almost never blocked.
Protocol Comparison
Protocol     Speed      Security  Firewall Bypass             Complexity
IPsec        Fast       High      Poor (uses UDP 500, 4500)   Complex
OpenVPN      Medium     High      Good (can use TCP 443)      Medium
WireGuard    Very Fast  High      Medium (UDP only)           Simple
SSTP         Medium     High      Excellent (TCP 443)         Medium
L2TP/IPsec   Medium     Medium    Poor                        Medium
PPTP         Fast       Broken    Good                        Simple
Never use PPTP. Its encryption has been broken and traffic can be decrypted.
15.4 Split Tunneling
Full Tunnel
All traffic goes through VPN.
Your Device
│
▼
┌─────────┐ ┌──────────────┐
│ VPN │───────►│ VPN Server │──► google.com
│ Client │ │ │──► company.com
└─────────┘ │ │──► netflix.com
└──────────────┘
ALL traffic encrypted
Pros: Maximum security, all traffic protected
Cons: Slower, uses company bandwidth for everything
Split Tunnel
Only specific traffic goes through VPN.
Your Device
│
├───────────────────────────────────► google.com (direct)
│ netflix.com (direct)
▼
┌─────────┐ ┌──────────────┐
│ VPN │───────►│ VPN Server │──► company.com (VPN)
│ Client │ │ │
└─────────┘ └──────────────┘
Configuration Example (WireGuard):
# Full tunnel - route everything
AllowedIPs = 0.0.0.0/0
# Split tunnel - only company network
AllowedIPs = 10.0.0.0/8, 192.168.1.0/24
Pros: Faster, saves bandwidth
Cons: Non-VPN traffic is unprotected
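As an added example (not part of the module), here is a small Python model of how WireGuard's AllowedIPs decides which destinations enter the tunnel, using the two configurations shown above plus a dual-stack variant; it also shows that an IPv4-only full tunnel (0.0.0.0/0 without ::/0) leaves IPv6 traffic on the direct path. The target addresses are constructed from documentation ranges.

```python
from ipaddress import ip_address, ip_network

def parse_allowed_ips(value):
    """Turn an AllowedIPs value such as "10.0.0.0/8, 192.168.1.0/24" into networks."""
    return [ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]

def route_via_tunnel(dest, allowed):
    """True if dest falls inside any AllowedIPs prefix of the same IP version.

    wg-quick installs a route for every prefix listed in AllowedIPs, so a
    destination outside all of them leaves the host unencrypted.
    """
    addr = ip_address(dest)
    return any(addr in net for net in allowed if net.version == addr.version)

def check_split_tunnel(allowed_value, targets):
    """Map each target to "tunnel" or "direct" (the 15.8 'are the target routes included?' check)."""
    nets = parse_allowed_ips(allowed_value)
    return {t: ("tunnel" if route_via_tunnel(t, nets) else "direct") for t in targets}

# The two configurations from the module, plus a dual-stack full tunnel.
FULL_TUNNEL_V4 = "0.0.0.0/0"
FULL_TUNNEL_DUAL = "0.0.0.0/0, ::/0"
SPLIT_TUNNEL = "10.0.0.0/8, 192.168.1.0/24"

# Constructed sample destinations (documentation ranges): an internal server,
# a host on a second office subnet that is not in the split list,
# a public IPv4 site and a public IPv6 site.
TARGETS = ["10.0.1.25", "192.168.2.10", "203.0.113.7", "2001:db8::1"]

if __name__ == "__main__":
    for name, cfg in (("full v4", FULL_TUNNEL_V4), ("full dual", FULL_TUNNEL_DUAL), ("split", SPLIT_TUNNEL)):
        print(f"{name:10} {check_split_tunnel(cfg, TARGETS)}")
```

Running it shows 192.168.2.10 going direct under the split configuration (the /24 is not listed) and 2001:db8::1 going direct under 0.0.0.0/0 alone, both being common causes of the "connected but can't reach resources" and DNS/IPv6 leak problems.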
15.5 VPN in the Cloud
AWS Site-to-Site VPN
Connect on-premises network to AWS VPC.
┌─────────────────────────────────────────────────────────────┐
│ AWS │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ VPC │ │
│ │ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Private │ │ Virtual │ │ │
│ │ │ Subnet │ │ Private │ │ │
│ │ │ 10.0.1.0/24 │ │ Gateway │ │ │
│ │ └─────────────┘ └──────┬──────┘ │ │
│ │ │ │ │
│ └──────────────────────────────────┼───────────────────┘ │
│ │ │
└─────────────────────────────────────┼────────────────────────┘
│ VPN Connection
│ (IPsec tunnels)
│
┌─────────────────────────────────────┼────────────────────────┐
│ On-Premises │ │
│ ┌─────────────────┴──────────────┐ │
│ │ Customer Gateway │ │
│ │ (Your router/firewall) │ │
│ └────────────────────────────────┘ │
│ │
│ 192.168.1.0/24 │
└──────────────────────────────────────────────────────────────┘
Components:
Virtual Private Gateway (VGW): AWS-side endpoint
Customer Gateway (CGW): Your side endpoint
VPN Connection: Two IPsec tunnels (for redundancy)
AWS Client VPN
For remote access to AWS resources.
┌────────────────────────────────────────────────────────────┐
│ AWS │
│ ┌───────────────────────────────────────────────────┐ │
│ │ VPC │ │
│ │ │ │
│ │ ┌────────────────────┐ ┌────────────────┐ │ │
│ │ │ Client VPN │ │ Subnet │ │ │
│ │ │ Endpoint │───►│ Resources │ │ │
│ │ │ │ │ │ │ │
│ │ └─────────┬──────────┘ └────────────────┘ │ │
│ │ │ │ │
│ └─────────────┼─────────────────────────────────────┘ │
│ │ │
└────────────────┼────────────────────────────────────────────┘
│
┌────────────┴────────────┐
│ │
┌───┴────┐ ┌─────┴────┐
│ Remote │ │ Remote │
│ User 1 │ │ User 2 │
└────────┘ └──────────┘
15.6 VPN Security Considerations
Authentication Methods
Method                  Security  Complexity
Pre-Shared Key (PSK)    Medium    Simple
Certificates (PKI)      High      Complex
Username/Password       Medium    Simple
Multi-Factor (MFA)      High      Medium
Best Practices
Use Strong Encryption: AES-256 or ChaCha20. Avoid 3DES, DES, or anything “export grade.”
Enable MFA: Add a second factor for VPN authentication.
Certificate Auth: Use certificates instead of pre-shared keys for better security.
Limit Access: Use split tunneling wisely and apply least privilege.
15.7 Other Tunneling Methods
SSH Tunneling
Create encrypted tunnels using SSH.
# Local port forwarding
# Access remote_host:3306 via localhost:3306
ssh -L 3306:remote_host:3306 user@bastion
# Remote port forwarding
# Expose local:8080 on remote:8080
ssh -R 8080:localhost:8080 user@remote
# Dynamic (SOCKS proxy)
ssh -D 1080 user@server
# Configure browser to use localhost:1080 as SOCKS proxy
Use Cases:
Access database behind firewall
Quick temporary secure access
Bypass network restrictions
GRE (Generic Routing Encapsulation)
Encapsulates a variety of network-layer protocols inside virtual point-to-point links.
┌──────────────────────────────────────────────────────┐
│ Outer IP │ GRE Header │ Inner IP │ Original Payload │
└──────────────────────────────────────────────────────┘
Note: GRE provides no encryption. Often combined with IPsec.
VXLAN (Virtual Extensible LAN)
Overlay network for data centers. Extends L2 network over L3.
┌───────────────────────────────────────────────────────────────┐
│ Outer IP │ UDP │ VXLAN │ Inner Ethernet │ Inner IP │ Payload │
└───────────────────────────────────────────────────────────────┘
Use Case: Connect VMs/containers across different physical networks as if on same L2 network.
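Added example, not from the module: Python that builds and parses the GRE and VXLAN headers drawn in the two diagrams above (RFC 2784 and RFC 7348 layouts, without the optional GRE checksum), then checks that the inner frame is carried byte-for-byte, which is the substance of the "no encryption" note. The inner frame is constructed.

```python
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: VNI field is valid
GRE_PROTO_IPV4 = 0x0800        # GRE protocol type: inner packet is IPv4
GRE_PROTO_ETHERNET = 0x6558    # GRE protocol type: Transparent Ethernet Bridging

def vxlan_encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8) + inner_frame

def vxlan_decap(udp_payload):
    """Validate the header and return (vni, inner_frame)."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; not a VXLAN packet")
    return (word1 >> 8) & 0xFFFFFF, udp_payload[8:]

def gre_encap(proto, inner_packet):
    """Prepend the basic 4-byte GRE header (RFC 2784, no checksum): C|Reserved0|Ver, Protocol Type."""
    return struct.pack("!HH", 0, proto) + inner_packet

def gre_decap(ip_payload):
    """Return (protocol_type, inner_packet), skipping the optional checksum field if present."""
    if len(ip_payload) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", ip_payload[:4])
    if flags_ver & 0x7:
        raise ValueError("unsupported GRE version")
    hdr_len = 4 + (4 if flags_ver & 0x8000 else 0)   # C bit set => Checksum + Reserved1 follow
    return proto, ip_payload[hdr_len:]

def inner_is_readable(encapsulated, marker, decap):
    """Neither GRE nor VXLAN encrypts: the inner bytes are visible to anyone on the path."""
    return marker in decap(encapsulated)[1]

# Constructed sample inner frame: 14-byte dummy Ethernet header plus an application request.
INNER = b"\x00" * 14 + b"GET /payroll HTTP/1.1\r\n"

if __name__ == "__main__":
    frame = vxlan_encap(5001, INNER)
    print("VXLAN header:", frame[:8].hex(), "VNI:", vxlan_decap(frame)[0])
    print("inner readable over VXLAN:", inner_is_readable(frame, b"payroll", vxlan_decap))
    print("inner readable over GRE:", inner_is_readable(gre_encap(GRE_PROTO_ETHERNET, INNER), b"payroll", gre_decap))
```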
15.8 Troubleshooting VPN Issues
Can't connect to VPN
# 1. Check if VPN port is reachable
nc -zv vpn.example.com 1194
# 2. Check firewall rules
sudo iptables -L -n
# 3. Verify credentials/certificates
# Check certificate expiry
openssl x509 -in client.crt -noout -dates
# 4. Check VPN logs
# OpenVPN: /var/log/openvpn.log
# WireGuard: sudo wg show
Connected but can't reach resources
# 1. Check if tunnel is up (tun0 for OpenVPN; a WireGuard interface is usually named after its config, e.g. wg0)
ip addr show tun0
# 2. Check routing
ip route | grep tun0
# 3. Ping VPN gateway
ping 10.0.0.1
# 4. Check DNS
nslookup internal-server.company.com
# 5. Verify split tunnel config
# Are the target routes included?
15.9 Key Takeaways
VPN = Secure Tunnel: Encrypts traffic over untrusted networks.
Choose the Right Protocol: WireGuard for speed, OpenVPN for compatibility, IPsec for site-to-site.
Split Tunnel Carefully: Balance security vs. performance based on use case.
Never Use PPTP: It’s broken. Use modern protocols only.
Next Module
Module 16: Real-World Networking Scenarios. Walk through complete networking scenarios from request to response.