How Does VPN Work? |

Earlier than leaping into the Community Extension framework, it is advisable know a little bit of principle about VPN and networking generally. If you’re already acquainted with networking and VPN, be happy to skip this text. If you’re not, this text has a fast overview/refresher on the community protocols, it outlines the issue that VPN is aimed to unravel, after which analyzes one of many present VPN protocols.


There are not any stipulations for going by this text, however the normal data of the networking protocols goes to be a plus. This text makes heavy use of Wireshark. If you’re not acquainted with this instrument, I’d recommend putting in it (it’s free), and inspecting one or two pattern captures.

Networking #

What occurs while you open your browser and sort in a URL? Let’s open Wireshark and discover out.

DNS, HTTP (Utility Layer) #

First, the browser must ship a DNS request to resolve an IP handle for the given area title, for instance

The Area Title System (DNS) is the phonebook of the Web. People entry info by domains, comparable to or Browsers work together by IP addresses. DNS interprets domains to IP addresses1.

A browser has to know an IP handle to ship requests to How was it capable of ship the requests to the DNS server? Usually, an IP handle (or addresses) of the DNS server is supplied to the pc by DHCP when connecting to the router.

Now that the browser has an IP handle, it is able to begin sending HTTP requests to (

Let’s now spend an excessive amount of time speaking in regards to the software layer protocols. I’m assuming you might be already acquainted with HTTP and DNS. The rationale I used these two examples is that HTTP usually works on prime of TCP2, and DNS on prime of UDP3.

If you wish to be taught extra, MDN has a fantastic part on HTTP, and Cloudflare – on DNS. If you wish to dig a bit deeper, I’d suggest studying RFCs. You could find the checklist of HTTP and DNS RFCs on the respective wiki pages.

UDP, TCP (Transport Layer) #

HTTP and DNS remedy particular application-level issues. However when a pc receives a message, how does it know which software to ship it to? That is the place transport layer protocols, comparable to Consumer Datagram Protocol (UDP) and Transmission Management Protocol (TCP), are available.

READ:  How to Setup & Use a VPN on Samsung Smart TV [Tested Guide]

When a server is began, it usually creates a socket, an inside endpoint addressable utilizing a mix of an IP handle and a port quantity (a 16-bit unsigned integer starting from 0 to 65535), and begins listening for messages arriving on this socket.

When a browser must ship a message, it additionally wants a socket and creates one utilizing one of many system APIs.

On Apple platforms, there may be a wide range of APIs for working with ports/sockets, starting from the Unix sockets, CFSocket wrapper and to just lately launched Community framework.

Transport layer protocols, comparable to TCP and UDP, switch knowledge utilizing protocol knowledge items. For TCP, the PDU is a phase, and a datagram for UDP. Each protocols use a header discipline for recording the supply and vacation spot port quantity.

The DNS messages are usually despatched utilizing UDP (different choices exist, even together with issues like DNS over HTTPS). The UDP datagram header is extraordinarily. easy When a system must ship a DNS message, it takes the message (the protocol of the message is irrelevant, for DNS it’s simply uncooked bytes), and prepends 4 bytes of the UDP datagram header. If we return to our browser instance, here’s what the UDP header seems like:

Wireshark capture: DNS packet

The supply port is 63802, which is the port that the browser reserved for itself, and the vacation spot port is 53, which is likely one of the well-known ports.

Clearly, UDP and TCP are fully completely different. TCP protocol has its personal phase construction. TCP is connection-oriented, it supplies dependable, ordered, and error-checked supply of a stream of octets. UDP, however, makes use of a easy connectionless communication mannequin, it’s very minimalistic.

IP (Web Layer) #

Within the earlier part, we established {that a} socket is addressable utilizing a mix of an IP handle and a port quantity. We all know what the port is for. However there are not any IP addresses to be present in UDP/TCP headers. To know which pc to ship the messages to, you want an IP handle and IP protocol. Let’s get again to our Wireshark seize to see what info an IP header comprises.

Wireshark capture: IP packet

All the info that you simply noticed captured utilizing Wireshark was recorded from my en0 community interface (WiFi).

Community interface is a degree of connection between the pc and the community. A pc can have a number of community interfaces: Wi-Fi, Ethernet, and so forth.

There are bodily community interfaces, comparable to en0 (which is your WiFi module on macOS). You may checklist all of these utilizing networksetup -listallhardwareports command. Every bodily interface has an related Ethernet Handle and a {hardware} gadget, for instance:

After which there are digital community interfaces, comparable to lo0 (a loopback interface which pc makes use of to speak with itself) and utun (that are usually utilized by VPN, extra on this later). You should utilize ifconfig to see all the community interfaces, together with each bodily and digital.

All the info that you simply noticed from the captures on this part can be seen to my ISP and to any servers between me and the vacation spot. They noticed all my DNS queries, they noticed my IP handle, and in case of HTTP (unencrypted), they noticed all my HTTP communications too4. Utilizing this info anybody can determine and monitor me. And these are the sorts of issues that VPN is designed to unravel.

READ:  Can VPN protect users from cyber-attacks?


What’s VPN (Digital Non-public Community)? Initially, VPN was designed to ascertain safe connections between a pc and a protected or non-public company community, utilizing an in any other case insecure public community. This usually concerned “making” a pc a part of the non-public community in order that the computer systems inside the community might handle it.

Lately, VPNs additionally blown up in reputation within the shopper market as a solution to keep safe and nameless when logging on, and in addition having fun with unrestricted community entry by hiding the supply of the visitors. Enterprise and private VPN are usually very completely different merchandise. I’m going to focus totally on private VPN on this collection, because it includes barely much less complexity to cope with.

How Does It Works? #

The important thing concept behind VPN is surprisingly easy:

  • Take all the IP packets5 coming from the system
  • Encrypt them
  • Encapsulated encrypted knowledge blobs within the VPN packets
  • Ship the VPN packets to the VPN server (over UDP/TCP)

The IP packets find yourself being wrapped in one other IP packets, a networking model of a Russian nesting doll.

VPN, nesting protocols

This can be a easy concept, but it achieves all of our targets. The unique IP packets are absolutely encrypted. You may see neither the applying, nor even the web layer contents (IP addresses). The one factor ISP or different observers are going to see is a few blob of encrypted knowledge going between a VPN shopper and a VPN server.

READ:  UltraVPN Review - Should You Consider This VPN?

Now, how do you implement one thing like this? That is what I’m going to cowl within the upcoming articles. It’ll contain direct IP packets manipulations, encryption, digital community interfaces, and extra. Thrilling stuff!

Instance: OpenVPN #

The concept behind VPN is easy, but designing and implementing a protocol is much from simple. Earlier than designing a VPN protocol of our personal, it’s price exploring an present VPN protocol, comparable to OpenVPN.

The outline of the protocol is surprisingly brief and easy. As a primary step, the shopper establishes the session with the server and exchanges cryptographic info.

When the session is prepared, the shopper and the server must change cryptographic knowledge to agree on a key. The change, known as the “handshake” in TLS6.

I’m not going to enter element relating to the TLS change. The Wireshark session solely reveals the primary messages of the TLS “handshake”. Your complete handshake requires a number of round-trips. The purpose is that after a number of management messages, the shopper and the server are able to encrypt and ship messages to the server, no matter which model of TLS and which encryption mannequin was used. And that is what P_DATA_V1 message kind is for – knowledge channel packet containing precise tunnel knowledge ciphertext.

Wireshark capture: OpenVPN sending data

And this wraps up an outline of OpenVPN. There is no such thing as a want to completely perceive it, however the huge image is obvious. The principle takeaways are:

  • OpenVPN is a binary protocol that has a number of message sorts: management (P_CONTROL_V1), acknowledgment (P_ACK_V1), and knowledge (P_DATA_V1).
  • Earlier than a shopper and a server can begin exchanging knowledge (P_DATA_V1), they should set up a session and change cryptographic info.
  • The messages are despatched over UDP7. The management messages (P_CONTROL_V1) have a supply assure and require acknowledgment (P_ACK_V1). The info messages (P_DATA_V1) don’t require an acknowledgment and don’t have a supply assure, the underlying protocol of the unique messages is answerable for offering the wanted ensures.

That is sufficient info to start out engaged on our toy VPN protocol.