VPN clients allow you to connect to a predesignated list of secure tunneling servers offered by a VPN service. This list of servers forms the VPN network for the VPN company. In short, How VPN works is by connecting you to a server on this VPN network from the client software. However, VPNs are fascinating networks with complex structures and mechanisms. Knowing a little more about how a VPN client connects to its network and how it works thereafter is a valuable and interesting piece of information.
There are many VPN clients out there. Some are developed by VPN protocol developers themselves while a few are developed by VPN service providers. OpenVPN is one such protocol where the developers also created a client for your use. Third party VPN software do not restrict themselves to a single protocol. Hence, you will find them allowing features like protocol switching, selecting server locations, auto-connect and kill switches. Before you decide on a protocol, it is advisable to compare VPN protocols and choose the one that suits your needs.
What Is a VPN Connection?
When you connect to a website, your computer sends a request to the website. This request has to travel through the ISP and various other servers in transit. In such a case, the ISP knows exactly which website you are requesting access to.
Compared to that, how VPN works is slightly different. VPN clients encrypt the requests that go out of your device. Once you connect to a secure VPN network, it acts as your ISP would normally. Also, it gives you a VPN server IP address that is different from your actual IP, and the website you are visiting sees this VPN server IP address. Congratulations, you have successfully anonymized yourself!
Anyone monitoring your Internet usage will be able to see the IP address of the VPN server and anyone trying to identify you will have to get connection logs from the VPN service. Moreover, good VPN providers also share the same IP among multiple users. This provides even more ambiguity and anonymity.
How VPN Works to Establish a Secure Connection?
A good VPN service carries out three steps to connect to a server securely and exchange data.
- Secure your packets: This task is of prime importance. A good VPN service should be able to protect your packets from programs that sniff and read internet traffic. This is achieved through strong encryption. Anything above 256-bits of encryption with a secure block cipher is good.
- Protect the integrity of your packets: Your packets should be what the visiting websites are serving to you. There should not be any alteration of the same packets that a Man in the Middle can create. This calls for a good integrity check, and is achieved by strong data authentication techniques, like with SHA2.
- Verify incoming packets: The VPN service should be able to ensure that you are receiving authentic data, and for this, it needs a key. This key should be established securely between your computer and the server and this is where key exchange becomes an important part of establishing a VPN connection.
Achieving all the above points is mandatory for a good VPN client and technically, all these steps are critical parts of how VPN works as a client-server system. A VPN client should connect to a VPN network securely using effective authentication, encryption, key exchange and reauthentication methods. In addition to these, some VPN services also provide additional scrambling through Obfsproxy.
OpenVPN Client-Server Communication Steps
Out of all the VPN protocols in existence today, OpenVPN is the most popular and widely used protocol. In addition, OpenVPN has an SSL-based architecture. Hence, it is more difficult to block than the other protocols and readily available for use on all Operating Systems.
How VPN works when using OpenVPN protocol is slightly different. An OpenVPN client establishes a secure connection in two steps.
- Session authentication and key exchange with SSL/TLS
- Secure Tunneling with ESP
Session authentication is a critical step in establishing a secure connection to any server of any sort, VPN or not. As part of session authentication, the client and server establish an HMAC with Blowfish encryption and SHA1 hashing authentication. This is done over an unsecured network by public key exchange with X.509 PKI. This image simplifies key exchanges with a paint mixing example.
Once the HMAC authentication is setup between the client and the server, the entire IP packet is signed with HMAC and sent out over a UDP tunnel adding the actual packet inside an Encapsulating Security Protocol or ESP. This is where OpenVPN borrows from IPSec without using IPSec itself, as IPSec can be blocked easily.
As you can see above, the connection packets are significantly different between a normal connection to your ISP and a VPN connection. The Encapsulating Security Protocol (ESP) is a hardened packet encapsulation method used by many commercial and enterprise VPN providers with or without L2TP/IPSec. OpenVPN uses ESP without using IPSec.
Once the VPN tunnel is established, OpenVPN uses this same tunnel stream for further periodic reauthorizations and key exchanges. The key exchange and reauthorization period allows using both the old and new keys in overlap for a short period, making this frequent key exchange quite seamless and robust. Hence, you will not notice any packet drops or slowness when your traffic starts using a new key.
OpenVPN allows portability and platform independence. Hence, it has seen some serious worldwide usage, contribution and development efforts in recent years.
We all like things that work at the push of a button. However, to get a taste of the grand scale of how a VPN client work, is a different joy altogether.
This post might not tell you what VPN to choose or what protocol to choose, but it will make you go "I know what is happening behind the scenes" the next time you fire up your VPN client.
Here is the security architecture of OpenVPN for some further reading.