VPN is a generic term used to describe a communication network that uses any combination of technologies to secure a connection tunnelled through an otherwise unsecured or untrusted network.
Instead of using a dedicated connection, such as leased line, a "virtual" connection is made between geographically dispersed users and networks over a shared or public network, like the Internet.
Data is transmitted as if it were passing through private connections.
VPN transmits data by means of tunnelling.
Before a packet is transmitted, it is encapsulated in a new packet, with a new header.
This header provides routing information so that it can traverse a shared or public network, before it reaches its tunnel endpoint.
This logical path that the encapsulated packets travel through is called a tunnel.
When each packet reaches the tunnel endpoint, it is decapsulated and forwarded to its final destination.
Both tunnel endpoints need to support the same tunnelling protocol. Tunnelling protocols operate at either OSI (Open System Interconnection) layer two (the data-link layer) or layer three (the network layer).
The most commonly used tunnelling protocols are IPsec, L2TP, PPTP and SSL.
A packet with a private non-routable IP address can be sent inside a packet with globally unique IP address, thereby extending a private network over the Internet.
VPN uses encryption to provide data confidentiality. Once connected, the VPN uses the tunnelling mechanism described above to encapsulate encrypted data into a secure tunnel, with openly readable headers that can cross a public network.
Packets passed over a public network in this way are unreadable without the proper decryption keys, thus ensuring that data is not disclosed or changed in any way during transmission.
VPN can also provide a data integrity check. This is typically performed using a message digest to ensure that the data has not been tampered with during transmission.
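The encapsulation described above (a packet with a private address wrapped in an outer header carrying public addresses) together with the confidentiality and integrity checks described here, as an added Python example that is not part of the original text. It builds plain IPv4 headers (IP-in-IP, protocol number 4), encrypts the inner packet with an HMAC-SHA256 keystream in counter mode (an illustrative stand-in for the ciphers a real IPsec tunnel negotiates), appends a truncated HMAC tag as the message digest, and shows that a packet modified in transit is rejected at the tunnel endpoint while the outer header stays readable by routers on the public network. All addresses, keys and the payload are constructed sample values.

```python
"""Added example, not from the original text: a minimal tunnel endpoint.
Outer IPv4 header is sent in the clear; the inner packet is encrypted and
protected by an HMAC tag. Keys/addresses below are constructed samples."""
import hashlib
import hmac
import ipaddress
import os
import struct

TAG_LEN = 16        # truncated HMAC-SHA256 tag appended to the ciphertext
NONCE_LEN = 8       # per-packet nonce sent in the clear before the ciphertext
IPPROTO_IPIP = 4    # outer header: "an IP packet is inside" (IP-in-IP)
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header; 0 when the header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header without options, checksum filled in, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Fields a router or tunnel endpoint needs; rejects a corrupted header."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[20:total_len]}


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (illustrative only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner: bytes, enc_key: bytes, mac_key: bytes,
                outer_src: str, outer_dst: str, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC the inner packet and wrap it in a public outer header."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ciphertext = xor_bytes(inner, keystream(enc_key, nonce, len(inner)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, nonce + ciphertext + tag)


def decapsulate(outer: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Tunnel endpoint: verify the tag first, only then decrypt the inner packet."""
    fields = parse_ipv4(outer)
    if fields["proto"] != IPPROTO_IPIP or len(fields["payload"]) < NONCE_LEN + TAG_LEN:
        raise ValueError("not a tunnelled packet")
    body = fields["payload"]
    nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def demo() -> dict:
    """Round trip plus a tampered copy; returns what each party can observe."""
    enc_key, mac_key = b"K" * 32, b"M" * 32   # constructed; real keys are negotiated
    inner = build_ipv4("10.0.0.5", "10.0.1.9", IPPROTO_UDP, b"hello from the branch office")
    outer = encapsulate(inner, enc_key, mac_key, "203.0.113.10", "198.51.100.20")
    seen = parse_ipv4(outer)                   # what a public-network router sees
    recovered = decapsulate(outer, enc_key, mac_key)
    idx = 20 + NONCE_LEN                       # first ciphertext byte
    tampered = outer[:idx] + bytes([outer[idx] ^ 0x01]) + outer[idx + 1:]
    try:
        decapsulate(tampered, enc_key, mac_key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"outer_src": seen["src"], "outer_dst": seen["dst"],
            "outer_proto": seen["proto"], "inner_hidden": inner not in outer,
            "recovered_ok": recovered == inner, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Only the outer addresses (203.0.113.10 to 198.51.100.20) are visible on the public network; the private 10.0.0.0/8 addresses and the payload travel inside the ciphertext. The tag is checked before any decryption, which is the order an IPsec ESP implementation uses as well.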
By default, VPN does not provide or enforce strong user authentication. Users can enter a simple username and password to gain access to an internal private network from home or via other insecure networks. Nevertheless, VPN does support add-on authentication mechanisms, such as smart cards, tokens and RADIUS.