Skip to content
My Docs

Vpn Virtual Private Networks

Category: Network Security
Type: Network Concepts
Generated on: 2025-07-10 09:04:48
For: Network Engineering, Administration & Technical Interviews

VPN (Virtual Private Network) - Cheatsheet

Section titled “VPN (Virtual Private Network) - Cheatsheet”

What is it?

A VPN creates a secure, encrypted connection over a less secure network, like the internet. It essentially extends a private network across a public network.

Why is it important?

  • Security: Protects data from eavesdropping and tampering.

  • Privacy: Hides your IP address and location.

  • Access Control: Allows access to resources on a private network from a remote location.

  • Circumvention: Bypasses geo-restrictions and censorship.

  • Tunneling: Encapsulating data packets within other packets to create a secure tunnel.

  • Encryption: Converting data into an unreadable format (ciphertext) using an algorithm and key.

  • Authentication: Verifying the identity of the VPN client and server.

  • IPsec (Internet Protocol Security): Suite of protocols for secure IP communications.

  • SSL/TLS (Secure Sockets Layer/Transport Layer Security): Cryptographic protocols for secure communication. Commonly used with VPNs like OpenVPN.

  • VPN Client: Software on the user’s device that establishes the VPN connection.

  • VPN Server: Server that hosts the VPN connection and provides access to the private network.

  • Split Tunneling: Routing only specific traffic through the VPN, while other traffic uses the regular internet connection.

  • Full Tunneling: Routing all traffic through the VPN.

  • IKE (Internet Key Exchange): Protocol used to establish a secure channel for IPsec.

  • Remote Access VPN: Allows individual users to connect to a private network remotely.

  • Site-to-Site VPN: Connects two or more private networks together.

Simplified Step-by-Step Example (Remote Access VPN):

  1. Client Initiation: The VPN client on the user’s device initiates a connection to the VPN server.
  2. Authentication: The client authenticates to the server (e.g., username/password, certificate).
  3. Key Exchange: A secure channel is established using a protocol like IKE or SSL/TLS. Encryption keys are negotiated.
  4. Tunnel Creation: A secure tunnel is created between the client and server.
  5. Data Encapsulation: Data packets from the client are encrypted and encapsulated within new IP packets with the VPN server’s IP address as the destination.
  6. Data Transmission: The encapsulated packets are sent over the internet to the VPN server.
  7. Decapsulation and Decryption: The VPN server decapsulates the packets, decrypts the data, and forwards it to the destination on the private network.
  8. Return Traffic: Traffic from the private network to the client is encrypted and encapsulated by the VPN server and sent to the client.
  9. Client Decryption: The client decrypts the received data.

ASCII Diagram:

[User Device] --(Internet)-- [VPN Server] --(Private Network)-- [Resource]
     |                     |                    |
     |  Encrypted Tunnel   |  Internal Network  |
     |                     |                    |
 [VPN Client]            [VPN Gateway]

Detailed Explanation:

  1. Connection Request: User starts VPN client.
  2. Handshake:
    • Client and server negotiate security parameters (encryption algorithms, key exchange method).
    • Authentication happens (user credentials, certificates).
  3. Tunnel Establishment: A secure tunnel is created. All data sent through this tunnel is encrypted.
  4. Data Transmission: The VPN client encrypts all data and sends it to the VPN server. The VPN server decrypts the data and forwards it to its destination as if it originated from the VPN server itself. Responses are encrypted by the VPN server and sent back to the client.
  5. Session Maintenance: The VPN maintains the secure connection, re-keying as needed to ensure security.

Here’s a breakdown of common VPN protocols:

ProtocolEncryptionAuthenticationPort(s)ProsCons
IPsecAES, 3DESCertificates, PSK500 (IKE), 4500 (NAT-T)Highly secure, widely supported, stable.Can be complex to configure, sometimes blocked by firewalls (NAT Traversal issues).
OpenVPNAES, BlowfishCertificates, Username/Password1194 (UDP/TCP)Open-source, highly configurable, good security, can run over TCP or UDP.Can be slower than other protocols, requires client software.
WireGuardChaCha20Cryptokey Routing51820 (UDP)Modern, fast, lightweight, easy to configure (compared to IPsec).Relatively new, still under development (though considered very stable now).
L2TP/IPsecAES, 3DESCertificates, PSK1701 (L2TP), 500, 4500 (IPsec)Widely supported (natively on many OSes), combines L2TP and IPsec for security.Can be slower than IPsec alone, relies on IPsec for encryption, potential security concerns with L2TP itself.
SSTPSSL/TLSCertificates, Username/Password443 (TCP)Difficult to block (uses HTTPS), good for bypassing firewalls.Can be slower due to TCP overhead, relies on SSL/TLS for security.

IPsec Protocol Suite:

  • AH (Authentication Header): Provides data integrity and authentication.
  • ESP (Encapsulating Security Payload): Provides confidentiality (encryption), data integrity, and authentication.
  • IKE (Internet Key Exchange): Establishes a secure channel for exchanging keys.

OpenVPN Protocol (simplified message flow):

  1. Client Connects: Client initiates a TCP or UDP connection to the server.
  2. TLS Handshake: Client and server perform a TLS handshake to establish a secure control channel. This involves certificate exchange and key agreement.
  3. Data Channel Establishment: A data channel is established using the negotiated encryption algorithm.
  4. Data Transfer: Encrypted data is exchanged between client and server through the data channel.
  5. Connection Maintenance: The connection is kept alive through keepalive packets.

  • Remote Workers: Employees connecting to the corporate network from home.

  • Bypassing Geo-Restrictions: Accessing content that is blocked in your region.

  • Secure Online Banking: Protecting financial transactions from eavesdropping.

  • Protecting Public Wi-Fi: Encrypting traffic when using unsecured public Wi-Fi hotspots.

  • Connecting Branch Offices: Establishing a secure connection between two geographically separated offices (Site-to-Site VPN).

  • Secure Cloud Access: VPNs are often used to securely access cloud resources, ensuring data confidentiality and integrity.

  • Connection Problems:

    • Firewall blocking VPN traffic: Ensure that the necessary ports are open on the firewall (e.g., UDP 500, 4500 for IPsec).
    • Incorrect VPN configuration: Double-check the VPN server address, username, password, and encryption settings.
    • Network connectivity issues: Verify that the client device has a working internet connection.
    • MTU issues: Large MTU values can cause fragmentation and connection problems. Try reducing the MTU.

  • Slow VPN Speed:

    • Server distance: Choose a VPN server that is geographically closer to your location.
    • Server load: The VPN server might be overloaded with too many users.
    • Encryption overhead: Higher encryption levels can slow down the connection.
    • Network congestion: General internet congestion can affect VPN speeds.

  • DNS Leaks:

    • The VPN client might not be properly configured to use the VPN server’s DNS servers. Use a DNS leak test to verify.

  • IP Address Leaks:

    • Ensure that all traffic is routed through the VPN tunnel.

  • VPN Blocking:

    • Some services actively block VPN connections. Try using a different VPN protocol or server.

  • Authentication Failures:

    • Double-check username/password. If using certificates, verify the certificate is valid and properly installed.

Troubleshooting Commands (Linux):

  • ping <vpn_server_ip>: Check basic connectivity to the VPN server.
  • traceroute <vpn_server_ip>: Trace the route to the VPN server.
  • tcpdump -i <interface> port <vpn_port>: Capture network traffic on the VPN port to analyze communication issues. Replace <interface> with your network interface (e.g., eth0, wlan0) and <vpn_port> with the VPN protocol’s port (e.g., 500 for IKE).
  • ip route: View the routing table to confirm that traffic is being routed through the VPN tunnel.
  • ifconfig or ip addr: Check the VPN interface (e.g., tun0) to verify the assigned IP address.

OpenVPN Client Configuration (example .ovpn file):

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-client
verb 3
cipher AES-256-CBC

Explanation:

  • client: Specifies that this is a client configuration.
  • dev tun: Use a TUN device for the VPN tunnel.
  • proto udp: Use UDP protocol.
  • remote vpn.example.com 1194: VPN server address and port.
  • ca ca.crt: Path to the CA certificate.
  • cert client.crt: Path to the client certificate.
  • key client.key: Path to the client private key.
  • cipher AES-256-CBC: Encryption algorithm.

IPsec (StrongSwan) Configuration (example ipsec.conf):

conn myvpn
        type=tunnel
        auto=add
        left=<client_public_ip>
        leftid=@client.example.com
        right=<vpn_server_public_ip>
        rightid=@server.example.com
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        keyexchange=ikev2
        leftauth=eap
        rightauth=pubkey
        eap_identity=%identity
        leftsourceip=%config
        rightsubnet=10.10.10.0/24
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=120s

Explanation:

  • left: Client IP address.
  • leftid: Client identifier.
  • right: VPN server IP address.
  • rightid: Server identifier.
  • ike: IKE encryption and hashing algorithms.
  • esp: ESP encryption and hashing algorithms.
  • leftauth: Client authentication method (EAP in this case).
  • rightauth: Server authentication method (public key).
  • rightsubnet: Subnet on the VPN server’s network that the client can access.

Example Linux command to bring up the IPsec connection:

Terminal window
sudo ipsec start
sudo ipsec up myvpn

WireGuard Configuration (example wg0.conf - client):

[Interface]
PrivateKey = <client private key>
Address = 10.6.0.2/24
DNS = 1.1.1.1


[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server public IP>:51820
PersistentKeepalive = 25

Explanation:

  • PrivateKey: The client’s private key.
  • Address: The IP address assigned to the client on the WireGuard network.
  • DNS: DNS server to use.
  • PublicKey: The server’s public key.
  • AllowedIPs: Specifies which IP addresses should be routed through the tunnel. 0.0.0.0/0 means all traffic.
  • Endpoint: The server’s public IP address and port.
  • PersistentKeepalive: Sends keepalive packets to maintain the connection.

Example Linux commands to bring up the WireGuard interface:

Terminal window
sudo wg-quick up wg0

  • What is a VPN and how does it work?

    • A VPN creates a secure, encrypted connection over a public network. It works by encapsulating data packets within new packets and encrypting the data. The VPN client establishes a connection with the VPN server, authenticates, and then creates a secure tunnel. All traffic is then routed through this tunnel, protecting it from eavesdropping.

  • What are the different types of VPN protocols?

    • IPsec, OpenVPN, WireGuard, L2TP/IPsec, SSTP. (Explain the pros/cons of each, as outlined above).

  • What is the difference between split tunneling and full tunneling?

    • Split tunneling: Only specific traffic is routed through the VPN. This can improve performance for non-sensitive traffic.
    • Full tunneling: All traffic is routed through the VPN. This provides maximum security and privacy but can impact performance.

  • What are the security benefits of using a VPN?

    • Encryption of data, hiding your IP address, preventing DNS leaks, bypassing geo-restrictions.

  • What are some common issues with VPNs and how can they be resolved?

    • Connection problems (firewall, incorrect configuration), slow speeds (server distance, encryption overhead), DNS leaks (configure VPN client to use VPN server’s DNS).

  • Explain the difference between IPsec in Tunnel Mode and Transport Mode.

    • Tunnel Mode: The entire original IP packet is encapsulated and encrypted, with a new IP header added for routing through the VPN. This provides greater security and is used for VPN gateways connecting networks.
    • Transport Mode: Only the payload of the IP packet is encrypted, and the original IP header is used. This provides less overhead but also less security, as the source and destination IPs are still visible. Less commonly used for VPNs.

  • How does IKE work in IPsec?

    • IKE (Internet Key Exchange) is a protocol used to establish a secure channel for negotiating security associations (SAs) in IPsec. It handles authentication, key exchange, and security parameter negotiation. It is a critical part of setting up a secure IPsec connection.

  • What is a DNS leak and how can you prevent it?

    • A DNS leak occurs when DNS requests are sent to your ISP’s DNS servers instead of the VPN server’s DNS servers, potentially revealing your browsing activity. You can prevent it by configuring your VPN client to use the VPN server’s DNS servers, disabling IPv6 (if not needed), and using a DNS leak test to verify.

  • Describe a scenario where you would use a site-to-site VPN.

    • Connecting two geographically separate offices to allow secure communication and resource sharing between the networks. For example, connecting the headquarters network to a branch office network.

  • Tor (The Onion Router): Another anonymity network, offering multiple layers of encryption and routing. Slower than a VPN but provides stronger anonymity.

  • Proxy Servers: Act as intermediaries between your device and the internet, but typically do not provide encryption like VPNs.

  • Firewalls: Network security devices that control network traffic based on predefined rules.

  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Monitor network traffic for malicious activity and take action to prevent or mitigate threats.

  • Network Address Translation (NAT): Translates private IP addresses to public IP addresses. Can sometimes interfere with VPN connections.

  • Cryptography: The science of encrypting and decrypting data. Fundamental to VPN security.

  • Network Security Audits: Assessing the security of a network, including VPN configurations, to identify vulnerabilities.

  • Zero Trust Network Access (ZTNA): A security framework that assumes no user or device is trusted by default and requires continuous verification before granting access to resources. Can be seen as a more advanced evolution of VPNs for some use cases.

This cheatsheet provides a comprehensive overview of VPNs, covering key concepts, practical examples, and troubleshooting tips. It should be a valuable resource for students and professionals alike. Remember to always prioritize security best practices when configuring and using VPNs.