A VPN extends a private network across a public network, allowing users to send and receive data as if connected to the private network directly. The analogy is a sealed, private tunnel through a public highway. Cars (packets) entering the tunnel are visible to everyone on the highway — but no one can see what is inside the tunnel or tamper with its contents. When a car exits the tunnel on the other end, it is on the private road (network) as if it had always been there.
Industry standard for site-to-site VPNs.Two Modes:
TRANSPORT MODE (host-to-host):┌────────────────────────────────────────┐│ Original IP Header │ IPsec │ Payload │└────────────────────────────────────────┘ (encrypted)TUNNEL MODE (gateway-to-gateway):┌──────────────────────────────────────────────────┐│ New IP Header │ IPsec │ Original IP │ Payload │└──────────────────────────────────────────────────┘ (entire original packet encrypted)
IPsec Components:
Component
Purpose
IKE (Internet Key Exchange)
Negotiates security parameters, establishes SA
ESP (Encapsulating Security Payload)
Encryption + authentication
AH (Authentication Header)
Authentication only (no encryption)
SA (Security Association)
Set of security parameters for the connection
IPsec Phases:Think of the two phases like establishing diplomatic relations. Phase 1 is the countries agreeing on which language to speak and verifying each other’s credentials (authentication). Phase 2 is negotiating the actual terms of the treaty (encryption parameters for the data tunnel). If Phase 1 fails, Phase 2 never starts.
Phase 1 (IKE SA):- Authentication (pre-shared key or certificates)- Establish secure channel for Phase 2Phase 2 (IPsec SA):- Negotiate encryption algorithms- Establish tunnel for data
Modern, fast, simple VPN protocol. WireGuard has rapidly become the preferred choice for new VPN deployments due to its simplicity and performance.Advantages:
~4,000 lines of code (vs 100,000+ for OpenVPN) — a smaller codebase means fewer bugs and a smaller attack surface. The entire codebase is auditable by a single person.
Built into the Linux kernel (since 5.6) — no user-space daemons needed, which means better performance.
Faster than IPsec and OpenVPN in most benchmarks — lower latency and higher throughput due to its minimal, efficient design.
Uses modern cryptography only (Curve25519, ChaCha20, Poly1305, BLAKE2s) — no cipher negotiation, which eliminates downgrade attacks. The trade-off is that if any of these algorithms are ever broken, WireGuard must be updated (crypto agility is deliberately sacrificed for simplicity).
# Full tunnel - route everythingAllowedIPs = 0.0.0.0/0# Split tunnel - only company networkAllowedIPs = 10.0.0.0/8, 192.168.1.0/24
Pros: Faster, saves bandwidth
Cons: Non-VPN traffic is unprotected
Practical scenario — when split tunneling goes wrong: An employee uses split tunnel VPN so personal browsing goes direct. But their company laptop also runs a local database GUI that connects to the corporate database over VPN. One day, malware on a website infects their machine via the direct (unprotected) path. Because the VPN tunnel is active, the malware can now reach the corporate database. This is the fundamental trade-off: split tunneling saves bandwidth but creates a bridge between the untrusted internet and the trusted corporate network. Mitigate this with endpoint security (antivirus, host firewall) and network segmentation that limits what VPN clients can access.
# Local port forwarding# Access remote_host:3306 via localhost:3306ssh -L 3306:remote_host:3306 user@bastion# Remote port forwarding # Expose local:8080 on remote:8080ssh -R 8080:localhost:8080 user@remote# Dynamic (SOCKS proxy)ssh -D 1080 user@server# Configure browser to use localhost:1080 as SOCKS proxy
Encapsulates various network layer protocols inside point-to-point links.
┌──────────────────────────────────────────────────────┐│ Outer IP │ GRE Header │ Inner IP │ Original Payload │└──────────────────────────────────────────────────────┘
Note: GRE provides no encryption. Often combined with IPsec.
# 1. Check if VPN port is reachablenc -zv vpn.example.com 1194# 2. Check firewall rulessudo iptables -L -n# 3. Verify credentials/certificates# Check certificate expiryopenssl x509 -in client.crt -noout -dates# 4. Check VPN logs# OpenVPN: /var/log/openvpn.log# WireGuard: sudo wg show
Connected but can't reach resources
# 1. Check if tunnel is upip addr show tun0# 2. Check routingip route | grep tun0# 3. Ping VPN gatewayping 10.0.0.1# 4. Check DNSnslookup internal-server.company.com# 5. Verify split tunnel config# Are the target routes included?
Slow VPN performance
# 1. Test without VPN as baselinespeedtest-cli# 2. Test with VPNspeedtest-cli# 3. Check MTU issuesping -M do -s 1400 target# 4. Try TCP vs UDP (OpenVPN)# UDP is usually faster# 5. Change VPN server location# Closer server = lower latency
