How does a VPN work at a more technical level?

Every time I try googling it I get simplistic explanations of how a VPN works. Is there a slightly more technical guide that talks through how traffic is routed and encrypted?

I’m very new to the concept as a whole so any information would be helpful - thanks!

It’s really pretty simple.

Traffic comes in to a device, matches some criteria, and is encapsulated in another protocol. Once encapsulated, your traffic can be routed across a third-party network.

For instance, if you have 192.168.0.0/24 at one site and 192.168.1.0/24 at another site, you can’t route those IPs across the Internet. So, your edge device will instead encapsulate that traffic inside another protocol (ESP, GRE, VXLAN, whatever) and then the intervening networks are just routing traffic between your two edge devices.

That’s really all there is to it. At the end of the day, all you’re doing is encapsulating some data inside another protocol for the purposes of sending it across a third-party network or networks.

This is Cisco-specific, but the concepts still apply. Also just an FYI, Cisco has great technical documentation if you ever want to know how something works.

If you’re thinking VPN in the SSL/L2/L3 VPN sense, (OpenVPN, Cisco, Palo Alto, Microsoft, etc.) then it’s basically just an encrypted tunnel from one point to another that transits unicast over IP like any other unicast packet. Sometimes it uses TCP for transport, sometimes UDP, depending on the configuration. The end nodes (the “VPN server” and “VPN client”) do the encryption and decryption and key negotiation, and usually even the route additions are automated when connecting. In a client/server setup, the server (usually a firewall) will route anything to the client’s IP over the VPN connection to that client, and the client will route one or more subnets (usually RFC1918 “private IPs” if it’s a corporate setup) to the VPN server to connect to resources available on that network behind the VPN server. In what’s colloquially called a “point-to-point VPN” (they’re all point-to-point, technically) the two endpoints (usually two firewalls) will route one or more subnets to one another. This is how remote offices connect back to a home office over a VPN connection. These types of VPN connections are routed over the public Internet like any other traffic, with no provider intervention.

There’s a more broad definition of “VPN” that includes things like EVPN, VPWS, etc., and those are usually just called that because of the connotation it brings. It’s used as a marketing term, basically. Those “VPNs” may be secured, they may not, but they usually also include some services from a service provider that enable that type of connection to work.

Here’s a simpler explanation.

Imagine you have the British and Canadian Postal systems. The Canadian postal system can move (route) parcels (packets) anywhere within Canadian provinces (branch/hq locations).

Same thing within the UK. Each country has its own routing system (RFC 1918 IP space).

However, if you want to ship from Toronto, Canada to London, England, you have to send your parcel (packet) through either a plane (IPsec VPN) or a boat (GRE VPN).

The parcel (packet) still has the source-destination mailing address on the envelope (frame), but the envelope (frame) has been wrapped inside a shipping container (GRE frame) or an airmail cart (IPSec frame).

The only real part where this analogy falls down is that there is almost always only 1 frame in each VPN frame, never dozens of parcels.

But basically, when the Canadian parcel system determines it’s unable to deliver the parcel because it needs to go to the UK, it’s sent to a routing location (international airport) which makes the decision to send it through international mail (wrap it in a VPN packet) and send it on a plane headed to the UK (put it in a VPN packet destined to the other organization or branch).

When the packet arrives in the UK (VPN terminator receives a VPN packet), the shipping container is opened (packet is de-encapsulated) and the package inside (the frame inside) is routed normally.

Basically the encapsulated traffic is routed through the computer’s internal routing table into the VPN’s virtual network adapter. It will handle the encryption and decryption and then route the actual packets up the network stack. Same process for sending. This article might be useful to you: http://www.rawbytes.com/virtual-private-networks-in-depth-technical-details

I really like the way you explain this! For those who are a little more visual, building on this great post: it’s like you have a mail service in your building for different cubicles (your local subnet). The building mail person knows how to route the papers through the building. Then the company expands and has two locations across the country. So any mail that needs to go between buildings gets put in a box (encapsulation) with the two real addresses for the buildings (Internet-routable IPs). Then the mail guy at the other building unwraps the box and delivers all the mail to the cubicles! And for encryption, maybe they have some secret way of signing the box, so if the box has an off signature they know it’s a fake and they throw it away instead of opening it.
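As an added illustration of the encapsulation step from the first answer (192.168.0.0/24 and 192.168.1.0/24 behind two edge devices) and the "signed box" check in the comment above, here is example code that is not from any poster in the thread. The header layout, the documentation-range edge addresses and the pre-shared key are constructed stand-ins, not wire-compatible GRE or ESP.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed topology: the two RFC 1918 sites from the thread, each behind an edge
# device with a public address (documentation ranges, not real hosts).
TUNNEL_ROUTES = {
    ipaddress.ip_network("192.168.0.0/24"): "203.0.113.10",   # site A edge
    ipaddress.ip_network("192.168.1.0/24"): "198.51.100.20",  # site B edge
}
PSK = b"constructed-pre-shared-key"  # assumed to be shared by both edges
OUTER_FMT = "!4s4sH"                 # outer src edge, outer dst edge, inner length
OUTER_LEN = struct.calcsize(OUTER_FMT)
TAG_LEN = hashlib.sha256().digest_size

def lookup_edge(inner_dst):
    """The 'matches some criteria' step: which remote edge owns inner_dst?"""
    addr = ipaddress.ip_address(inner_dst)
    for net, edge in TUNNEL_ROUTES.items():
        if addr in net:
            return edge
    return None  # no tunnel route: the packet is forwarded normally

def encapsulate(inner, local_edge, remote_edge):
    """Wrap the inner frame in an outer header and sign header + payload."""
    outer = struct.pack(OUTER_FMT, ipaddress.IPv4Address(local_edge).packed,
                        ipaddress.IPv4Address(remote_edge).packed, len(inner))
    tag = hmac.new(PSK, outer + inner, hashlib.sha256).digest()
    return outer + tag + inner

def decapsulate(packet, my_edge):
    """Return (peer edge, inner frame), or None if the packet must be dropped."""
    if len(packet) < OUTER_LEN + TAG_LEN:
        return None  # truncated: cannot even read the headers
    outer = packet[:OUTER_LEN]
    tag = packet[OUTER_LEN:OUTER_LEN + TAG_LEN]
    inner = packet[OUTER_LEN + TAG_LEN:]
    src, dst, length = struct.unpack(OUTER_FMT, outer)
    if ipaddress.IPv4Address(dst) != ipaddress.IPv4Address(my_edge):
        return None  # not addressed to this tunnel endpoint
    expected = hmac.new(PSK, outer + inner, hashlib.sha256).digest()
    if len(inner) != length or not hmac.compare_digest(tag, expected):
        return None  # bad signature: throw the box away without opening it
    return str(ipaddress.IPv4Address(src)), inner

def site_to_site(inner, inner_dst, local_edge):
    """Edge A's forwarding decision followed by edge B receiving the result."""
    remote = lookup_edge(inner_dst)
    if remote is None or remote == local_edge:
        return None  # local delivery, nothing to tunnel
    return decapsulate(encapsulate(inner, local_edge, remote), remote)
```

Real IPsec adds encryption and anti-replay sequence numbers on top of this integrity check; the intervening networks still only ever see the outer header.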

Conveying information to someone is really an art. This cannot get simpler than this. You should try teaching someday.