
VPN (Virtual Private Network)

vpn encryption remote-access tunneling
Plain English

A VPN creates a private, encrypted tunnel through the public internet. Think of it as a sealed envelope for all your internet traffic. Without a VPN, anyone on the same network (coffee shop Wi-Fi, hotel, ISP) can potentially see what sites you visit. With a VPN, all they see is encrypted data going to one address. In business, VPNs let remote employees securely access internal company resources as if they were in the office.

Technical Definition

A Virtual Private Network (VPN) extends a private network across a public network, enabling devices to send and receive data as though they were directly connected to the private network. VPNs provide confidentiality (encryption), integrity (tamper detection), and authentication.

VPN types:

  • Remote access: a single device connects to a corporate network (road warrior scenario). Protocols: WireGuard, OpenVPN, IKEv2/IPsec, SSL VPN (Cisco AnyConnect, Palo Alto GlobalProtect).
  • Site-to-site: connects two networks (branch office to headquarters). Runs on routers/firewalls. Protocols: IPsec, GRE over IPsec, DMVPN.
  • Consumer VPN: routes user traffic through a third-party server to mask the user's IP address and encrypt traffic that would otherwise be visible to the ISP. It has a different threat model from an enterprise VPN.

Common protocols:

Protocol       Layer   Speed      Security
WireGuard      L3      Excellent  Modern (ChaCha20, Curve25519)
OpenVPN        L3-L4   Good       Mature (OpenSSL, TLS-based)
IPsec (IKEv2)  L3      Good       Enterprise standard
L2TP/IPsec     L2      Moderate   Legacy, avoid if possible

WireGuard (recommended for new deployments): uses Curve25519 for key exchange, ChaCha20 for encryption, Poly1305 for authentication, and BLAKE2s for hashing. Only ~4,000 lines of code (vs. 100,000+ for OpenVPN), making it easier to audit. Built into the Linux kernel since 5.6.

Split tunneling routes only corporate-destined traffic through the VPN, while all other traffic goes directly to the internet. This reduces latency and bandwidth usage but creates a potential security gap, because the direct traffic is outside the VPN's protection.

WireGuard VPN configuration

# Generate key pair (umask 077 first so the private key file is readable only by its owner)
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey

# Server config: /etc/wireguard/wg0.conf
# Forwarding between wg0 and eth0 also requires IP forwarding (sysctl net.ipv4.ip_forward=1)
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32

# Start the tunnel
$ sudo wg-quick up wg0
$ sudo wg show
interface: wg0
  public key: <key>
  listening port: 51820
peer: <client-key>
  endpoint: 203.0.113.50:54321
  allowed ips: 10.0.0.2/32
  latest handshake: 12 seconds ago
  transfer: 4.52 MiB received, 1.83 MiB sent
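
The AllowedIPs line above is what WireGuard calls cryptokey routing: a destination is sent into the tunnel only if it falls within some peer's AllowedIPs, which is also how a client config becomes split- or full-tunnel as described in the split tunneling paragraph. As an added example (not code from the original entry or from the WireGuard project), this Python script parses the [Peer] sections of a wg0.conf, performs the longest-prefix lookup, and flags a full-tunnel config; the sample config is constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed client config for this example (not from a real deployment).
SAMPLE_CONF = """
[Interface]
Address = 10.0.0.2/32
PrivateKey = <client-private-key>
[Peer]
# corporate gateway: split tunnel, only two internal prefixes enter the VPN
PublicKey = <server-public-key>
Endpoint = 203.0.113.1:51820
AllowedIPs = 10.0.0.0/24, 192.168.10.0/24
"""

def parse_peers(conf: str) -> list[dict]:
    """Return each [Peer] section as a dict, with AllowedIPs parsed to ip_network objects."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                  # section header
            cur = {"AllowedIPs": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
            continue
        if cur is None or "=" not in line:        # [Interface] keys are not needed here
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "AllowedIPs":
            cur["AllowedIPs"] += [ipaddress.ip_network(v.strip(), strict=False)
                                  for v in value.split(",") if v.strip()]
        else:
            cur[key] = value
    return peers

def route_lookup(peers: list[dict], dst: str) -> Optional[str]:
    """Cryptokey routing: longest-prefix match over all peers' AllowedIPs; None = bypasses tunnel."""
    addr, best = ipaddress.ip_address(dst), None
    for p in peers:
        for net in p["AllowedIPs"]:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, p.get("PublicKey"))
    return best[1] if best else None

def is_full_tunnel(peers: list[dict]) -> bool:
    """True when some peer claims all of IPv4 or IPv6 (0.0.0.0/0 or ::/0)."""
    return any(net.prefixlen == 0 for p in peers for net in p["AllowedIPs"])
```

With the sample config, 10.0.0.7 and 192.168.10.5 resolve to the gateway peer while 8.8.8.8 returns None, i.e. it leaves the host directly, which is exactly the gap split tunneling opens.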

In the Wild

VPNs are essential for remote work, connecting branch offices, and protecting traffic on untrusted networks. Enterprise environments typically require VPN for accessing internal tools, databases, and admin panels. WireGuard has rapidly displaced OpenVPN as the preferred protocol for new deployments due to its simplicity, speed, and small attack surface. In homelab setups, WireGuard is commonly used to access home network resources remotely. Consumer VPN services (NordVPN, Mullvad, ProtonVPN) are useful for privacy from ISP monitoring and accessing geo-restricted content, but they shift trust from the ISP to the VPN provider. The “zero trust” movement (BeyondCorp, Cloudflare Access, Tailscale) is gradually replacing traditional VPNs with identity-aware proxies that authenticate every request individually rather than granting network-level access.