What is VPN, anyway?

I’ve been using it on my work laptop to connect from home. What is it?

I’m probably going to say stuff that makes our more technical people grind their teeth, but here’s what I understand from a “not a networks person” point of view.

VPN stands for Virtual Private Network; it’s any program that lets you create a remote, secure connection to a network which is not limited to the program itself. The security permissions you get are the same as if you were physically on site. It is also what the connection itself is called. The security of the connection is based on codification: you have to use the correct program and settings because what those are defining is which codification to use, so the other end of the “tunnel” can decode things correctly.

Counterexample: when you go to your bank’s webpage, the site has an https connection; it’s remote and secure but, because it is limited to that specific program/page, it is not a VPN.

To add some more to her response…

The VPN software on your machine looks like another network card. It is as if you had plugged in an extra network card that happens to have a super long cable that reaches to the office. Once connected to VPN, if you use standard means to check your IP address, you will usually see more than one network adapter, and more than one IP address.

While you are attached to the VPN network it appears as if you are at a branch office, not at home. When I go to any shopping website (e.g. BestBuy) on my work laptop I am usually given a New York City zipcode by default because work is in NY and they see a machine in NY.

You cannot see things on your home network (without special fiddling), since you are “in the office”. For most road warriors this manifests itself as not being able to print on your home network printer.

Your home network cannot see your traffic; for me this means that my “Eero” router with built-in ad blocking cannot block ads that come on my work computer.

This is how it was described to me in layman’s terms: it’s like having a personal anonymous mailman.

Rather than your packages going to a distribution center to be disseminated across the globe, you send all of your packages, locked in a secure box that only your personal mailman can open, to a single location and your personal mailman handles all of your traffic, coming and going. Other people along the way can look at your locked box, but they can’t open it. This person could be in another country, or he could be sitting in the desk across the hall from you; the point is, to anyone looking, packages you send out don’t appear to come from you, they appear to come from him, and he collects all of the packages intended for you and forwards them directly to you.

This is the best way to explain it to a non-technical person.

That reminds me: when I was in a position of monitoring network use in a public school district, I subscribed to numerous “new proxies” mailing lists. It’s amazing how many web-based proxies claim to be VPNs.

First of all: I’m pretty technical (I used to work in network security) and Nava’s explanation looks fine to me; no gnashing of teeth for me. Minor7flat5’s supplemental response is great as well…VPN software is a lot like a really long ethernet cable.

Secondly, DCnDC’s description, while valid, highlights something confusing about the term “VPN”: VPN software is used to provide two very different services.

The “classic” virtual private network is a way to connect to a network remotely and in a secure manner; this is what the OP asked about and what Nava described. NorthernPiper’s VPN software allows his/her work laptop to act as though it were on the office network by passing all traffic for the work network through an encrypted tunnel. That way, NorthernPiper’s machine can “see” internal servers via the encrypted tunnel, but no one else can decrypt the traffic between NP’s laptop and the office. You can also connect two offices this way; that’s called a “site-to-site VPN.”

The second use of the term “VPN” is part of what people are calling a “VPN service.” (One popular VPN service company, for example, is NordVPN). Despite the name, a VPN service doesn’t connect a remote computer to a particular network like an office network. Rather, a VPN service uses the same software to encrypt all the internet traffic between a user’s computer and the VPN service. The user’s traffic then appears to come from the VPN service’s data center and not the user’s public IP address (which is provided by their ISP).

People use VPN services to hide traffic from their ISPs and to get access to location-restricted content. Some people don’t want their ISPs to see that they’re downloading copyrighted content via BitTorrent, for example. Or a British expat may want to stream the BBC even though she’s living in the US. The BBC won’t stream some content to IP addresses outside the UK, so she could use a VPN service in the UK to make the BBC think her request for streaming is coming from within Great Britain. Other people worry that their ISPs are sending information about their internet browsing habits to advertisers, government agencies and things like that, and a VPN service makes all of one’s internet traffic look like a stream of gibberish between the user’s modem and their VPN service provider. Political activists in oppressive countries have good reason to use a VPN service.

Although VPN services and “classic” VPNs use the same software to set up encrypted tunnels, their goals are very different. The “classic” version, which the OP is asking about, lets a remote computer act as though it’s on an internal network. The VPN service concept would better be described as an encrypted proxy. But it’s easy to use the same VPN client software one would use to connect to a corporate network to create the encrypted proxy tunnel that VPN services offer, so the VPN acronym gets applied to both.

I get the impression that some people think it’s more secure to use, say, their bank’s web site when connected to a VPN service. This isn’t really true. The bank’s web site uses an encrypted HTTPS connection (ably described by Nava) and it’s very difficult for a third party to break that encryption and get access to your bank account. A VPN service runs the bank’s encrypted connection through an encrypted tunnel, so some people assume that a third party would have to decrypt both the VPN and the HTTPS encryption. That’s true for traffic between your public IP and your VPN service provider, but once the traffic leaves your VPN service provider, it’s singly encrypted and running over the regular internet to your bank. So a third party hell-bent on seeing traffic between you and your bank would find a way to sniff traffic between your VPN service provider and your bank. If you’re really worried about security for things like online banking and looking at your health records, you’d be better served by paying close attention to HTTPS/TLS certificate validity and not installing sketchy software than by paying for a VPN service.

Yeah, DougK…I totally agree that web proxies are often called VPNs. And as I said above, VPN services are really just proxies that encrypt all traffic, not just web browsing traffic. End users are confused because the terms are ambiguous.

I’ll add that a properly configured and useful VPN tool does not automatically mean you lose sight of your local (ie home) network. A trivial VPN implementation might do so, but you should be able to set things up so that only traffic that needs to get to the target network goes over the VPN interface. This can get a little tricky in some setups, so it isn’t universal. The idea that the VPN looks like an extra network card isn’t just a great way of explaining how it looks, it can actually be exactly how the operating system and networking system on your machine perceive the VPN. Which is why more careful setup can allow all your other networking to continue to work.
That said, a VPN might provide an unwelcome conduit into the target network. So there are advantages to making the machine connecting unable to see other networks during this period. But such a setup is only a band-aid on a much wider problem.
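The “extra network card” picture and the full-tunnel versus split-tunnel distinction in the posts above can be made concrete with a small route-selection model. This is an added example, not code from the thread; the interface names (eth0, tun0), prefixes, metrics and the assumed “block local network” behaviour of the full-tunnel client are constructed for illustration.

```python
# Added example, not from the thread: a toy route-selection model of the
# "extra network card" view. Interface names, prefixes and metrics are
# constructed assumptions; real clients differ in how they install routes.
from ipaddress import ip_address, ip_network


def select_interface(routes, destination):
    """Longest-prefix match, then lowest metric; None if no route matches."""
    dst = ip_address(destination)
    best = None
    for prefix, iface, metric in routes:
        net = ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)  # more specific wins, then lower metric
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


# Constructed addresses: home LAN 192.168.1.0/24 on eth0, office 10.0.0.0/8
# behind tun0, VPN server reachable at 198.51.100.10 through the ISP.
VPN_SERVER = "198.51.100.10/32"

# Full tunnel ("you are in the office"): the client installs a default route
# via tun0 with a better metric than the ISP's, keeps a host route so the VPN
# server itself stays reachable, and (assumed "block local network" setting)
# sends the home LAN into the tunnel too, which is why the home printer vanishes.
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0", 100),
    ("0.0.0.0/0", "tun0", 10),
    (VPN_SERVER, "eth0", 1),
    ("192.168.1.0/24", "tun0", 10),
]

# Split tunnel: only office prefixes go via tun0; LAN and internet stay local.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0", 100),
    ("192.168.1.0/24", "eth0", 1),
    ("10.0.0.0/8", "tun0", 10),
]

if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(label, {d: select_interface(table, d)
                      for d in ("192.168.1.50", "10.20.0.5", "203.0.113.7")})
```

With the full-tunnel table the home printer at 192.168.1.50 is routed into tun0 and is unreachable, while with the split table it stays on eth0 but the laptop is now bridging two networks, which is the convenience/risk trade-off the posts describe.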

Where I work, this split tunneling is forbidden by policy when connecting work computers to home networks. Which causes problems when people want to print work documents at home.

I can imagine. Personally, if I were admining the work system I would have every PC locked down, and make it impossible for anyone to even think about enabling the extra routing. There would be penalties involving hot coals and branding irons for anyone transgressing. Second offences would involve removal of selected body parts.
In reality, it isn’t easy to keep this stuff under control. It is the modern equivalent to people who used to connect a modem to their office phone when they went home.

Same here…my parenthetical note in “You cannot see things on your home network (without special fiddling),” refers to split tunneling, but many road warriors are forbidden from using split tunneling.

I certainly would like the convenience of a split network but I am not allowed to use this configuration.

If the non-technical person knows what a network card is?

Thanks for the comments, everyone. I think I’m getting it.

So when I turn my work laptop on, it connects to my home network ISP? And then I click on the app that turns on the VPN log-on, and it asks me for my password. That still must be via my home ISP, right?

Then I type in my password, and then it makes the connection to my work network?

So from that point on, any traffic I send will be coming from my work ISP, not my home ISP?

That’s the idea, yes. The important bit is that the “super long network cable” that minor7 mentioned is actually an encrypted connection between your computer and the office network, using your home ISP. That’s the “virtual” in “virtual private network.”

So the computer connects to the office via my home ISP, but from that point on traffic goes on the work ISP?

The traffic goes from your computer, through an encrypted channel via your ISP, to the office, to the office’s ISP.

Moderator Note

While there are legitimate uses for this type of VPN, the most common uses for it are IP hiding for illegal file sharing, ban evasion, spamming, trolling, and other bad uses. Discussions of this aspect of VPNs are forbidden here.

I’ve been burned in the past by people engaging in rules lawyering and other tactics like implying things that they’ve been told they can’t discuss instead of saying them outright, so unfortunately I have to be fairly strict when enforcing this one.

Torrenting, which was also mentioned, is also a forbidden topic here.

Let’s have no more discussion about anything related to this aspect of VPNs, or anything else that violates copyrights or is otherwise illegal in this thread.

I’m assuming you understand that the basic way computers “talk” is that they send out packets on the network to other computers and the other computers reply by sending network packets back (it gets horribly more complex than that, but let’s start there).

What a VPN does is you make a “network” of sorts out of software. Instead of your computer sending out packets to other computers, your computer sends the packets to the VPN server in your office, and then the VPN server in your office sends out the packets to other computers.

Let’s say for example that you want to read the Straight Dope. Normally, your web browser would send a network packet to the Straight Dope server that says “give me your web page” and the SDMB server sends back a packet with the web page (again, it’s much more complicated than that).

If you have a VPN connected, your browser creates a “give me your web page” packet. That packet gets wrapped up in a special VPN packet that gets sent through your internet provider, over the internet, to your office’s VPN server. The VPN server unpacks the packet, and sends out the “give me your web page” packet from its own network. The SDMB server then sends the reply to your office’s network, where the VPN server takes the reply packet, puts it in a special VPN packet, and sends it back to your computer. Your computer unpacks the VPN packet and then reads the SDMB reply packet as if it were a normal network packet.

So from your browser’s point of view, all it did was send out a request to read the SDMB and it got a reply. It doesn’t really know or care that a VPN actually shuttled the packets all the way to your office before sending them out on the internet and then took the reply and sent it back to your PC.

Many offices, like the one I work for, have local networks set up that can’t be easily accessed from the internet. The only way to access them is to use a VPN.

If you had your PC in the office, and you had an app that read data from another computer, which for this example we’ll call Fred’s computer, your PC would just send a packet to Fred’s computer to read it, and Fred’s computer would send a packet back to you. When you are at home, you try to send a packet to Fred’s computer, and your office is set up so that Fred’s computer can’t be accessed from the internet, so your PC can’t find it. But when you have the PC connected, it sends the packet to Fred’s computer, and that packet gets sent to the VPN server in your office and gets transmitted out on your office network, where Fred’s computer is. Now it looks to your computer as if you are physically connected to the office network, so your PC can find Fred’s computer and you can send packets to it and receive packets from it. But you aren’t physically connected. It’s the VPN client on your PC and the VPN server in your office that are shuttling the packets back and forth between your computer and the office network.

Make sense?
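The wrap/unwrap step described above (browser packet wrapped in a VPN packet, unpacked at the office, reply re-wrapped) can be modelled in a few dozen lines. This is an added example, not code from the thread: the cipher is a deliberately tiny HMAC-SHA256 keystream with an HMAC tag so it runs on the standard library alone (a real VPN uses a vetted AEAD such as AES-GCM), and all addresses and the shared key are constructed.

```python
# Added example, not from the thread: the wrap/unwrap a VPN client and server
# perform on every packet. Toy HMAC-based cipher, stdlib only; real VPNs use a
# vetted AEAD. All addresses are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 12, 32


@dataclass
class Packet:
    src: str        # the header fields every router on the path can read
    dst: str
    payload: bytes  # everything else

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(_subkey(key, b"enc"), nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encapsulate(key, inner, tunnel_src, tunnel_dst):
    """VPN client: the whole inner packet, headers included, becomes opaque payload."""
    nonce = os.urandom(NONCE_LEN)
    plain = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return Packet(tunnel_src, tunnel_dst, nonce + body + tag)

def decapsulate(key, outer):
    """VPN server: verify the tag before touching anything, then recover the inner packet."""
    nonce, body = outer.payload[:NONCE_LEN], outer.payload[NONCE_LEN:-TAG_LEN]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(outer.payload[-TAG_LEN:], expected):
        raise ValueError("tunnel packet failed authentication; dropped")
    plain = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    src, dst, payload = plain.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)

def isp_view(outer):
    """What someone watching the home-to-office link learns from one tunnel packet."""
    return {"from": outer.src, "to": outer.dst, "length": len(outer.payload),
            "sees_http": b"HTTP" in outer.payload}
```

The observer on the ISP path sees only the outer addresses (home to office) and the packet size; the real destination and the request are inside the locked box, and a modified box is rejected before it is opened.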

Oh; I apologize. Frankly, it hadn’t occurred to me that this subject might be off-limits. A previous poster had described the subject in a way that I thought was conflating the two uses of the term. I was only trying to distinguish two concepts that go by very similar names.

I absolutely wasn’t trying to skirt the rules; I was sincerely ignorant of this one. I won’t mention the subject again.