VPN is a generic term used to describe a communication network that uses any combination of technologies to secure a connection tunnelled through an otherwise unsecured or untrusted network.
Instead of using a dedicated connection, such as a leased line, a "virtual" connection is made between geographically dispersed users and networks over a shared or public network, like the Internet.
Data is transmitted as if it were passing through private connections.
VPN transmits data by means of tunnelling.
Before a packet is transmitted, it is encapsulated in a new packet, with a new header.
This header provides routing information so that it can traverse a shared or public network, before it reaches its tunnel endpoint.
This logical path that the encapsulated packets travel through is called a tunnel. When each packet reaches the
tunnel endpoint, it is decapsulated and forwarded to its final destination.
Both tunnel endpoints need to support the same tunnelling protocol. Tunnelling protocols operate at either OSI (Open Systems Interconnection) layer two (the data-link layer) or layer three (the network layer).
The most commonly used tunnelling protocols are IPsec, L2TP, PPTP and SSL.
A packet with a private, non-routable IP address can be sent inside a packet with a globally unique IP address, thereby extending a private network over the Internet.
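The encapsulation and decapsulation steps described above, as an added example that is not part of the original text: a private-addressed IPv4 packet is wrapped in a new outer IPv4 header (IP-in-IP, protocol number 4, assumed here as the tunnelling mechanism; no encryption is applied at this stage) and the receiving tunnel endpoint validates and strips that header. All addresses and the payload are constructed sample values.

```python
import socket
import struct

IPPROTO_IPIP = 4  # "IP in IP" protocol number carried in the outer header


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: prepend a routable outer header; the inner packet becomes the payload."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(outer_packet: bytes, expected_dst: str) -> bytes:
    """Tunnel exit: check the outer header is intact and for us, then return the inner packet."""
    if len(outer_packet) < 20 or outer_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer_packet[0] & 0x0F) * 4
    hdr = outer_packet[:ihl]
    if checksum(hdr) != 0:
        raise ValueError("outer header checksum mismatch")
    total_len, proto = struct.unpack("!H", hdr[2:4])[0], hdr[9]
    if proto != IPPROTO_IPIP or socket.inet_ntoa(hdr[16:20]) != expected_dst:
        raise ValueError("packet is not addressed to this tunnel endpoint")
    return outer_packet[ihl:total_len]


def demo() -> tuple:
    """Build a private-LAN packet and tunnel it between two public (documentation-range) addresses."""
    payload = b"hello from the private LAN"  # constructed stand-in for a transport-layer payload
    inner = ipv4_header("10.0.0.5", "192.168.1.10", 17, len(payload)) + payload
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.2")
    return inner, outer
```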
VPN uses encryption to provide data confidentiality. Once connected, the VPN uses the tunnelling mechanism described above to encapsulate encrypted data in a secure tunnel, with headers that remain readable in the clear so that the packets can cross a public network.
Packets passed over a public network in this way are unreadable without the proper decryption keys, thus ensuring that data is not disclosed or changed in any way during transmission.
VPN can also provide a data integrity check. This is typically performed using a message digest to ensure that the data has not been tampered with during transmission.
By default, VPN does not provide or enforce strong user authentication. Users can enter a simple username and password to gain access to an internal private network from home or via other insecure networks.
Nevertheless, VPN does support add-on authentication mechanisms, such as smart cards, tokens and RADIUS.