How does a VPN protect you?

A reliable virtual private network (VPN) is critical for ensuring that remote workers can access internal company resources without putting sensitive data at risk. In this article, we’ll discuss what VPNs are and how they protect your organization’s infrastructure, along with some common VPN protocols and strategies for choosing the best VPN for your needs.

Written by Arnav Tripathy

Since many organizations have adopted remote working, virtual private networks (VPNs) have been increasingly deployed for employees to connect to their organization’s infrastructure remotely. VPNs are an essential tool in protecting the organization’s assets; they ensure that your enterprise network offers a private, safe, and standardized way for employees to connect from home while also keeping them safe as end users.

A VPN encrypts the connections between your organization’s private networks and an employee’s device (or the connection between two private networks), thus providing protection from manipulator-in-the-middle attacks. VPNs also provide isolation to internal networks to prevent their exposure to the public internet. Additionally, VPNs help to secure all data flowing into an organization’s internal network, safeguarding it from external threats.

Types of VPN

There are two main VPN types: remote access VPN and site-to-site VPN. While they’re classified as different types, they accomplish the same outcome — the connection to the network is encrypted and protected.

Remote access VPNs

Remote access VPNs connect your device to a private network to access its resources directly by creating an encrypted tunnel to the destination network. As an enterprise administrator, you can provide a configuration file that the employee imports into a VPN desktop client. The traffic from the computer flows directly to the enterprise’s infrastructure without traversing the unsecured internet.

In this way, organizations that have employees working remotely can avoid exposing their servers to an unprotected internet connection while those employees connect to the internal servers. This protects the organization from distributed denial of service (DDoS) attacks and alleviates the need for an additional DoS protection tool, as unauthorized traffic never makes it to the server.

This also protects employee data from being sniffed by malicious public Wi-Fi networks, as the connection to the VPN is encrypted. With the widespread adoption of work-from-home policies, these types of VPNs are vital for added protection, flexibility, and compliance.

Remote access for consumer use

Beyond their widespread use in complex corporate network architectures, remote access VPNs are also used for privacy reasons. These types of VPNs are known as consumer VPNs. A consumer VPN can pass your web traffic through a different geographic region where the VPN provider has set up a network infrastructure presence. The virtual network now acts as a proxy between your device and the website or resource you’re trying to reach, which masks your original IP from those servers. You’re now a part of the virtual network established by the VPN provider, and the traffic to external websites would seem to originate from the region the consumer chose.

One major benefit of using a consumer VPN is that you can remotely access content that might not be available in your region. While it does also provide encryption and other privacy benefits, many end users are primarily motivated by this region-exclusive content. Examples of consumer VPNs include TurboVPN, ExpressVPN, and NordVPN.

Site-to-site VPNs

Site-to-site VPNs act as a connection between two or more remote networks. These are usually adopted by enterprises wanting to connect their office branches in different locations securely over the internet.

Enterprises also make use of site-to-site VPNs in multicloud infrastructure setups. Unlike remote access VPNs, users don’t have to use a desktop application to access resources in the remote network because the connection is permanent. For example, Tailscale offers organizations the opportunity to set up site-to-site VPN connections with the help of subnet routers.

Types of VPN protocols

There are many types of VPN protocols, which usually focus on data transfer speed and encryption types. In this section, we’ll take a closer look at five common VPN protocols.

OpenVPN

OpenVPN is the most well-known VPN protocol. It uses Secure Sockets Layer (SSL) to transmit data, which ensures data security during transit. It can run on both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). OpenVPN on TCP focuses on the data arriving correctly, while UDP focuses on ensuring faster data transmission. OpenVPN is open source with an active community of maintainers, which translates to more quickly addressed issues and security vulnerabilities.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is one of the earliest VPN protocols to be developed. PPTP is extremely easy to set up with minimal knowledge and is, by default, still in use by older devices.

Due to its age, PPTP lacks the sophistication necessary for modern security protocols and is vulnerable to exploits. However, since PPTP is very easy to set up, it’s still commonly used among hobbyist and small-scale VPN setups.

L2TP/IPsec

L2TP/IPsec is a combination of two protocols where Layer 2 Tunneling Protocol (L2TP) ensures the tunneling between networks and IPsec (Internet Protocol Security) ensures the traffic is encrypted and secured. It’s reportedly one of the slowest protocols in data transmission, which means it’s not a common choice among VPN providers currently on the market.

SSTP

Secure Socket Tunneling Protocol (SSTP) is a VPN protocol created by Microsoft. This makes it a good choice for Windows machines, which dominate the market in terms of desktop end users. The downside is that the protocol is not open source, making it harder to audit and secure. Since Microsoft originally developed it as a remote access VPN, it doesn’t support site-to-site VPN communication. Nevertheless, it’s fast and secure, making it an excellent challenger to other protocols.

IKEv2

Internet Key Exchange version 2 (IKEv2) is a VPN protocol created jointly by Microsoft and Cisco. It is commonly paired with IPsec, which provides the encryption for the tunnel that IKEv2 negotiates. IKEv2 works especially well on mobile devices. It’s the successor to IKEv1, with the primary improvements being more stability and broader support of encryption algorithms.

WireGuard

WireGuard® is an entirely open source VPN protocol that’s only recently emerged. It was designed to achieve high-speed transmission and to be easy to set up. By using the latest encryption methods, WireGuard can arguably be considered more secure than other VPN protocols, and it’s also received widespread acclaim for its relative simplicity and stability. The WireGuard team keeps the software exceptionally well updated, and they aim to make it the gold standard of VPN protocols.

Tailscale VPN not only incorporates WireGuard but also extends its capabilities. For example, Tailscale offers MagicDNS, which makes it easier to reach other devices on your network. Tailscale also adds an ACL layer on top of WireGuard to further control network traffic. Tailscale ACLs allow you to express rules for everything in a single place with users, groups, and tags, which are easier to maintain than a list of which device pairs may communicate.
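As an added example (not from the article or from Tailscale’s own documentation), here is what such a single-place policy looks like in the HuJSON format that Tailscale’s admin console accepts. The email addresses, group names, tag names and ports are placeholders. Rules are allow-only: a connection that matches no rule is denied, so the file also serves as an inventory of every permitted path on the network.

```json
{
  // Added example policy; identities, tags and ports are placeholders.
  "groups": {
    "group:eng": ["alice@example.com", "bob@example.com"],
    "group:it":  ["carol@example.com"]
  },
  // Who may apply each tag to a device (tags replace per-device rules).
  "tagOwners": {
    "tag:ci":      ["group:eng"],
    "tag:prod-db": ["group:it"]
  },
  "acls": [
    // Engineers may reach the CI runners on SSH and HTTPS only.
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:ci:22,443"]},
    // Only IT may reach the production database port.
    {"action": "accept", "src": ["group:it"],  "dst": ["tag:prod-db:5432"]},
    // Every user may reach their own devices on any port.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]}
  ]
}
```

Because the rules name groups and tags rather than devices, adding a new CI runner means tagging it with `tag:ci`, not editing the policy; removing an engineer means editing one group entry, which revokes every path that group granted.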

How VPN measures can protect you

Reputable VPNs employ many safety measures to keep your privacy intact. While these measures can be different from VPN to VPN, some standard ones are as follows.

Kill switch feature

Most modern VPNs include a kill switch feature. If a user accidentally loses connection to the VPN, the VPN client automatically blocks the device’s internet access. This feature prevents users from accidentally leaking their real IP address, thus compromising their privacy.

A kill switch continuously monitors the connections between the VPN server and the device, and the moment it detects issues with your VPN connection, it will disable internet access. A kill switch is an optional feature and can be disabled if needed. Because it’s pivotal in preserving your security, experts recommend that users keep it enabled.

Dynamic IP address

A VPN provides a masked IP address that can be static or dynamic. In the case of a static address, the IP assigned to you will not change, whereas in the case of a dynamic address, the VPN continuously and randomly changes your IP address. Dynamic IP addresses make it very hard to track your online activity and add a nice layer of security and anonymity.

Split tunneling

You may not necessarily want to send all your internet traffic through a VPN. Split tunneling lets you choose what traffic you want to pass through a VPN. This can help reduce bandwidth costs and increase speeds when a VPN is not needed, in addition to making the user experience better without having to continually connect and disconnect.

On an organizational level, if you disable split tunneling and force all of a device’s network traffic to pass through your network infrastructure before hitting the internet, you gain the benefit of all of your normal security tools analyzing a user’s web traffic. This could prevent your employees from clicking malicious links and downloading malware in the first place.
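The kill switch and the full-tunnel versus split-tunnel choice described in the two sections above can both be expressed in a single WireGuard client configuration. The following is an added example for wg-quick(8), not a configuration from the article or from Tailscale; the keys, addresses and endpoint are placeholders. The kill-switch rule is the one documented in the wg-quick man page and relies on the firewall mark wg-quick sets up only when `AllowedIPs` covers all traffic.

```ini
# wg0.conf for wg-quick(8). Added example; keys, addresses and endpoint are placeholders.
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
DNS = 10.8.0.1
# Kill switch: while wg0 is up, reject any outbound packet that is not leaving
# through the tunnel and does not carry the tunnel's fwmark, except traffic to
# local addresses. If the tunnel drops, nothing falls back to the bare uplink.
# Only meaningful with the full-tunnel AllowedIPs below, because wg-quick
# installs the fwmark routing only when AllowedIPs covers 0.0.0.0/0 or ::/0.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# Full tunnel: all IPv4 traffic goes through the VPN, so the organization's
# own security tools see every packet (the "disable split tunneling" case).
AllowedIPs = 0.0.0.0/0
# Split tunnel alternative: only the corporate range goes through the VPN and
# everything else uses the local internet connection. Replace the line above
# with this one and drop the kill-switch PostUp/PreDown lines, which would
# otherwise block the local traffic you intended to exclude.
# AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 25
```

Two checks are worth doing after bringing the interface up: confirm that `AllowedIPs` also includes `::/0` (with a matching `ip6tables` rule) if the device has IPv6 connectivity, since an IPv4-only full tunnel still leaks IPv6; and with the tunnel deliberately stopped (`wg-quick down wg0` removes the rules, so instead block the endpoint or disconnect the uplink), verify that ordinary traffic is rejected rather than silently routed over the bare interface.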

Strong AES encryption

AES 256-bit encryption is one of the most secure encryption algorithms approved by the United States National Security Agency (NSA) for top-secret information. Most VPN providers have adopted AES 256. AES 256-bit encryption ensures that the communication between you and your VPN is protected from everyone, including government agencies and malicious hackers.

Top-notch protocols

High-quality VPN providers compete to implement the latest protocols to entice more of the market share of corporations seeking to protect their networks. When choosing a VPN for your organization, you should look for some reputable protocols such as WireGuard and IKEv2, which ensure high speeds and the best encryption available for security purposes. As mentioned, Tailscale uses WireGuard, building on the functionality of the protocol to deliver faster, more secure services to corporate clients.

Selecting a VPN provider

Organizations and individual end users alike must exercise caution while choosing a VPN client. Despite their assurances, many VPN clients log data or are careless with the data they’ve collected. With this in mind, let’s take a look at the most common threats of a rogue VPN disguised as a genuine provider.

Logging policies

An unverified VPN may log all of your browsing data, which can be harmful if anonymity and privacy are the top priorities for your organization. The best way to ensure your VPN is adhering to their stated logging policies is to check for audits. Some VPN providers submit to voluntary verification of their logging as a way to prove their claims. Additionally, some VPNs have proven adherence to logging policies through documented court proceedings.

VPN providers incur large, recurrent costs to maintain their product. You should avoid free or cheap VPN providers as they’re more likely to be recouping maintenance costs by profiting from your data. Time and again, reports have shown that many VPN providers are not honest about their data collection, use, and storage.

Data leaks

The security and privacy that VPNs promise are only possible when VPN developers use the necessary standards and protocols. VPNs that adhere to stated logging policies have less vulnerable data to expose. However, most VPNs have experienced at least minor incursions at one point or another. Configuration mistakes and developer errors can lead to information leaking.

Hackers are always looking for sensitive personally identifiable information (PII) to sell on dark web forums. Providers who carelessly or purposely mishandle personal data cause significant harm to their users.

Bad privacy policies

Some VPNs aim to collect as much PII as possible. Carefully reviewing a VPN provider’s privacy policy regarding data collection is essential before using their product. Users more often than not blindly accept privacy policies, leading to a severe invasion of privacy without the users even realizing it. Even commercial VPN developers have been caught selling user data and reselling bandwidth.

You should especially pay attention to policies surrounding the collection of connection logs, IP address logs, and traffic logs. These logs often contain sensitive data and browsing history and can connect individuals to accounts. This can impact individual and corporate VPN users as some work-from-home and traveling employees could be accessing sensitive company data that should not be exposed.

Malware infection

Individual consumers choosing a free or less reputable VPN put themselves at risk of malware infection. Since VPN clients are generally apps you install on your mobile device or PC, they may be malware disguised as a VPN provider. They could easily be spyware or a ransomware-infected application designed to spread through networks and cause cyberattacks. You must be careful when choosing a VPN because hackers can lure you into installing the application through attractive deals. It’s best to avoid unknown and unverified VPN providers as you can’t be certain they have pure intentions.

Using PPTP

PPTP is a popular choice for small and medium-sized enterprises, especially in a Windows environment (because Microsoft developed it). However, as we covered earlier, it’s plagued with security vulnerabilities. PPTP has outdated encryption algorithms like RSA and RC4 that use 128-bit encryption, an issue that’s still not resolved.

Premium providers therefore tend to acknowledge that PPTP is not a suitable solution and steer clear of it. However, you should know that some VPN providers falsely claim to use a secure protocol when in fact they use PPTP, as it’s easier to set up and use. One way to determine if PPTP is being used is by sniffing the traffic when connected to the VPN. If you see connections from TCP port 1723, there’s a good chance that it is.
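The port-1723 check above can be scripted so that it runs against the connection table of your own machine while the VPN client is connected. The following is an added example, not code from the article or from any VPN vendor; the sample connection records are constructed. It flags the two things that identify PPTP on the wire: the TCP control channel on port 1723 and the GRE data channel (IP protocol 47, which has no ports), so a provider whose client still speaks PPTP shows up even when its marketing says otherwise.

```python
"""Flag PPTP indicators in observed connections. Added example; sample data is constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PPTP_CONTROL_PORT = 1723   # PPTP control connection (TCP)
GRE_PROTOCOL_NAME = "gre"  # PPTP carries tunnelled data in GRE (IP protocol 47)


@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int]    # None for GRE, which has no port numbers


def pptp_reason(flow: Flow) -> Optional[str]:
    """Return why a flow looks like PPTP, or None if it does not."""
    if flow.proto == "tcp" and flow.dport == PPTP_CONTROL_PORT:
        return "TCP/1723 (PPTP control channel)"
    if flow.proto == GRE_PROTOCOL_NAME:
        return "GRE (PPTP data channel, IP protocol 47)"
    return None


def find_pptp_indicators(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Collect every flow that carries a PPTP indicator together with its reason."""
    return [(f, r) for f in flows if (r := pptp_reason(f))]


def parse_ss_line(line: str) -> Optional[Flow]:
    """Parse one line of `ss -tn` output (State Recv-Q Send-Q Local Peer) into a TCP Flow.

    Returns None for lines that do not have the expected five columns (e.g. the header).
    """
    parts = line.split()
    if len(parts) < 5 or ":" not in parts[3] or ":" not in parts[4]:
        return None
    src_host, _ = parts[3].rsplit(":", 1)
    dst_host, dst_port = parts[4].rsplit(":", 1)
    return Flow("tcp", src_host, dst_host, int(dst_port))


def vpn_session_uses_pptp(flows: Iterable[Flow]) -> bool:
    """True if any observed flow carries a PPTP indicator."""
    return bool(find_pptp_indicators(flows))


# Constructed sample: one WireGuard session (UDP/51820) alongside a PPTP session.
SAMPLE_FLOWS = [
    Flow("udp", "192.0.2.10", "198.51.100.5", 51820),
    Flow("tcp", "192.0.2.10", "203.0.113.7", 1723),
    Flow("gre", "192.0.2.10", "203.0.113.7", None),
    Flow("tcp", "192.0.2.10", "203.0.113.7", 443),
]

# Constructed `ss -tn` lines, as they would appear while connected to the VPN.
SAMPLE_SS_OUTPUT = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:54321 203.0.113.7:1723
ESTAB 0 0 192.0.2.10:54322 203.0.113.9:443
"""


def flows_from_ss(text: str) -> List[Flow]:
    """Turn a block of `ss -tn` output into Flow records, skipping the header."""
    return [f for f in (parse_ss_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for flow, reason in find_pptp_indicators(SAMPLE_FLOWS + flows_from_ss(SAMPLE_SS_OUTPUT)):
        print(f"{flow.proto.upper():3} {flow.src} -> {flow.dst}: {reason}")
```

Note that `ss` only shows TCP and UDP sockets, so the GRE data channel is visible only in a packet capture; the TCP/1723 control connection is the indicator you will see from the socket table alone. A client whose only VPN-related traffic is UDP/51820 (WireGuard) or UDP/500 and UDP/4500 (IKEv2/IPsec) returns no indicators.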

IP address as exit node

From a consumer’s perspective, VPNs are very useful for masking your IP address. VPNs use an exit node, where the node’s IP becomes your new IP address. Some VPN providers randomly pick another user’s IP address and use it as an exit node for your IP. This can be catastrophic if the IP address is implicated in cybercrime activity and traced back to you. Malicious VPN providers might actually use their users’ IP addresses from a pool of IPs to hide their dubious activities.

How Tailscale protects you

Tailscale VPN is designed to make your devices accessible from any part of the world effortlessly and securely from any network connection, even public Wi-Fi. In addition to offering all the security measures previously mentioned, some other Tailscale features are worth highlighting.

WireGuard’s Noise protocol encryption

WireGuard is based on the Noise protocol framework, which is highly secure and flexible. The Noise framework has almost zero built-in protocol negotiation, reducing the risk of a downgrade attack where an attacker forces the victim to use a downgraded protocol version. This makes Tailscale a very reliable VPN in terms of security and encryption.

Daily login key rotation

Tailscale can use your existing authentication provider to protect Secure Shell Protocol (SSH) connections. SSH helps in establishing shell access to your servers in an encrypted fashion with the help of SSH keys.

Tailscale automatically helps rotate your SSH keys as frequently as every hour by making you reauthenticate to the client. Additionally, Tailscale makes it very easy to revoke SSH access to a machine.
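As an added example (not from the article or from Tailscale’s documentation), this is how periodic reauthentication for SSH is expressed in the same HuJSON policy file that holds the network ACLs: an `ssh` rule in `check` mode requires the user to reauthenticate with the identity provider, and `checkPeriod` sets how long that reauthentication is valid. The group, tag and one-hour period are placeholders; the assumption here is that check mode is the mechanism behind the hourly reauthentication the text describes.

```json
{
  // Added example; group and tag names are placeholders.
  "groups":    {"group:eng": ["alice@example.com"]},
  "tagOwners": {"tag:ci": ["group:eng"]},
  "acls": [
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:ci:22"]}
  ],
  "ssh": [
    {
      // "check" forces a fresh login with the identity provider before the
      // SSH session is allowed; "accept" would skip that step.
      "action": "check",
      "checkPeriod": "1h",
      "src":   ["group:eng"],
      "dst":   ["tag:ci"],
      // Only non-root accounts on the target may be used.
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Revoking access is then a policy edit rather than a key hunt: removing a user from `group:eng` ends both the network path to port 22 and the SSH rule that authorized the login, with no per-host `authorized_keys` file to clean up.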

Low latency and guaranteed privacy

Tailscale users experience extremely low latency due to its decentralized tunneling of VPN connections. This means your remote workers will experience high speeds no matter what part of the world they might be connecting from.

Also, Tailscale ensures that no traffic ever touches its servers by acting as an overlay network, where it only routes traffic between devices running Tailscale. This means reliable privacy and top speeds are always ensured for Tailscale users.

Tailscale also logs data from both ends of the connection to ensure that the network traffic is not tampered with. This verifies the integrity of the web traffic and also helps in detecting manipulator-in-the-middle attacks between the user and the VPN endpoints.

Conclusion

In this article, you learned about VPNs, their protocols, and how they protect your organization from hackers and ensure privacy through end-to-end encryption. You also learned about the dangers of using unverified VPNs, as well as how Tailscale’s VPN can protect you and your end users.

You should carefully evaluate a VPN before implementing it as part of your organization’s network security. Tailscale is currently one of the most secure and accessible VPN solutions for enterprises looking to secure their networks. You can learn more in Tailscale’s documentation, and download Tailscale to get started.

Get started with Tailscale today.

Frequently Asked Questions

While organizations are looking to ensure their employees access their networks securely without compromising sensitive corporate data, remote workers are ultimately the end users who may have specific concerns around what a VPN can do for them. Here are some questions they might have.

Can you be tracked if you use a VPN?

In theory, no. Good VPNs mask your actual IP address and geolocation from the websites you visit. Even your ISP cannot see your traffic because it’s encrypted between the VPN servers and your system.

However, the same thing cannot be said for free VPNs. Because they need a way to make a profit, they usually do it by selling your VPN data consisting of things like logs, cookies of websites visited, or credentials. This exposes you to being tracked and can compromise the privacy of your data. Investing in a quality VPN is essential to ensure your activity isn’t being tracked.

Should I leave my VPN switched on all the time?

It depends on your online activity. If online privacy is the top concern, yes. However, if you use a VPN only for a particular activity, like online streaming or connecting to your enterprise’s infrastructure, it’s generally not required. VPN applications can drain your device’s battery and can cause a lag in your internet connection when compared to directly connecting to the internet.

Can a VPN stop websites from collecting data?

A VPN can protect you from websites that collect the passive data of visiting users. This data includes IP address and geolocation. However, a VPN cannot protect your information if you voluntarily provide your data to a website, like filling out a form with personal details.