CampusFlow
Virtual Private Network

VPN

Learn how VPNs protect privacy through tunneling, encryption, and anonymity on untrusted networks.

What is a VPN?

A Virtual Private Network (VPN) creates a secure, encrypted connection between your device and a remote server operated by a VPN provider. All internet traffic is routed through this encrypted tunnel, protecting your data from eavesdropping, censorship, and tracking.

Tunneling

Data packets are encapsulated within VPN protocol packets, creating a tunnel that hides original packet headers.

Encryption

All data is encrypted using ciphers such as AES-256, making it unreadable to anyone intercepting the traffic.

Anonymity

Your real IP address is replaced by the VPN server's IP, masking your identity and location online.

Types of VPN

Remote Access VPN

Connects individual users to a private network over the internet. Ideal for remote employees accessing corporate resources from home or travel.

Site-to-Site VPN

Connects entire networks to each other (e.g., branch office to headquarters). Used for linking geographically separated offices.

Client-based VPN

Requires dedicated VPN client software installed on the user's device. Provides granular control and strong authentication.

SSL VPN

Operates over HTTPS using SSL/TLS. No client software needed — accessible via web browser. Ideal for quick, temporary access.

VPN Protocols Comparison

| Protocol | Security | Speed | Port |
|---|---|---|---|
| PPTP | Weak (128-bit MPPE) | Fast | TCP 1723 |
| L2TP/IPsec | Strong (AES-256 + IPsec) | Moderate | UDP 500, 4500 |
| OpenVPN | Very Strong (AES-256-GCM) | Fast | UDP 1194 / TCP 443 |
| WireGuard | Strong (ChaCha20-Poly1305) | Very Fast | UDP 51820 |
| SSTP | Strong (AES-256 over SSL) | Fast | TCP 443 |

How VPN Works

The data flow when using a VPN:

1. Client Initiation

Your device connects to the VPN server and authenticates using credentials or certificates.

2. Encryption

Data is encrypted on your device using strong cryptographic algorithms before leaving.

3. Tunneling

Encrypted data is wrapped in a VPN protocol (e.g., OpenVPN, WireGuard) and sent through a secure tunnel.

4. Decryption

The VPN server decrypts the incoming data packets and forwards them to the destination.

5. Server Response

Response from the target server travels back through the encrypted tunnel to your device.

IPsec Components

IPsec (Internet Protocol Security) is a suite of protocols used to secure IP communications through authentication and encryption.

ESP (Encapsulating Security Payload)

Provides confidentiality, data integrity, and authentication. Encrypts the entire IP packet payload.

AH (Authentication Header)

Provides data integrity and authentication but no encryption. Protects against replay attacks.

IKE (Internet Key Exchange)

Manages key exchange and SA (Security Association) negotiation. Uses UDP port 500.

When to Use a VPN

Remote Work

Securely access corporate resources from home, cafes, or co-working spaces.

Geo-Spoofing

Access region-restricted content by appearing to connect from a different country.

Privacy Protection

Hide your IP address and browsing activity from ISPs, advertisers, and trackers.

Public Wi-Fi Security

Encrypt all traffic when using untrusted public Wi-Fi networks in hotels or airports.

VPN Best Practices

Use OpenVPN or WireGuard — avoid PPTP and L2TP/IPsec without proper configuration
Enable a kill switch to block traffic if the VPN connection drops
Use strong authentication: certificates plus passwords or MFA
Regularly update VPN client software and server firmware
Avoid free VPN services — they may log or sell your data
Configure DNS leak protection to prevent DNS queries from bypassing the VPN
Use split tunneling selectively to route only sensitive traffic through the VPN
Monitor VPN gateway logs for unusual connection attempts
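
The split tunneling and DNS leak items above can be checked from a client configuration before it is deployed. The following is an added example, not part of the original page: it reads a constructed wg-quick style WireGuard config (the addresses, the placeholder key and the function names are assumptions) and reports whether the tunnel is full or split and which configured DNS resolvers would be reached outside the tunnel.

```python
import ipaddress

# Constructed wg-quick style client config; key and addresses are placeholders.
SPLIT_CONF = """
[Interface]
Address = 10.8.0.2/32
DNS = 192.0.2.53

[Peer]
PublicKey = <placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""
# Same client as a full tunnel with the resolver moved inside the VPN.
FULL_CONF = (SPLIT_CONF.replace("10.0.0.0/8, 172.16.0.0/12", "0.0.0.0/0")
             .replace("192.0.2.53", "10.8.0.1"))


def parse(conf):
    """Return (allowed networks, DNS resolver addresses) from the config."""
    allowed, dns = [], []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key.strip() == "AllowedIPs":
            allowed += [ipaddress.ip_network(v, strict=False) for v in items]
        elif key.strip() == "DNS":
            for v in items:
                try:
                    dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass  # search domains are not resolver addresses
    return allowed, dns


def via_tunnel(addr, allowed):
    """True if traffic to addr is routed into the VPN tunnel."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)


def audit(conf):
    """Summarise tunnel mode and resolvers that bypass the tunnel."""
    allowed, dns = parse(conf)
    full = any(net.prefixlen == 0 for net in allowed)
    leaks = [str(d) for d in dns if not via_tunnel(d, allowed)]
    return {"mode": "full" if full else "split", "dns_outside_tunnel": leaks}
```

A config that lists only `0.0.0.0/0` covers IPv4 alone, so IPv6 destinations are still reported by `via_tunnel` as going direct.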

Interview Questions

Q1: What is a VPN and how does it work?

A: A VPN (Virtual Private Network) creates an encrypted tunnel between a client and a server, protecting data in transit. It encapsulates and encrypts all traffic, hiding the user's IP address and ensuring privacy and security over untrusted networks.

Q2: What is the difference between symmetric and asymmetric encryption in VPNs?

A: Symmetric encryption (e.g., AES) uses a single shared key for both encryption and decryption — fast but requires secure key exchange. Asymmetric encryption (e.g., RSA) uses a public/private key pair for secure key exchange and authentication without pre-sharing secrets.

Q3: Explain IPsec and its components.

A: IPsec is a protocol suite for securing IP communications. It uses ESP (Encapsulating Security Payload) for encryption and authentication, AH (Authentication Header) for integrity without encryption, and IKE (Internet Key Exchange) to negotiate keys and Security Associations.

Q4: What is the difference between split tunneling and full tunneling?

A: Full tunneling routes all device traffic through the VPN. Split tunneling routes only specific traffic (e.g., corporate network) through the VPN while allowing other traffic (e.g., web browsing) to go directly. Split tunneling reduces the bandwidth used on the VPN but may expose non-VPN traffic.

Q5: What are the advantages of WireGuard over OpenVPN?

A: WireGuard has a minimal codebase (~4,000 lines vs ~600,000), runs in the Linux kernel, uses modern cryptography (ChaCha20, Curve25519), connects faster with fewer round trips, and is simpler to configure. OpenVPN is more mature, runs in userspace, and supports more advanced configurations.