Case Study 02 - VPN
VPN - Virtual Private Network
If there is one hot topic in Brazil (as of the date of this post), it is VPN. There has been a dispute between Elon Musk’s X and the Supreme Court of Brazil, and VPN became a central topic because it was the preferred method to bypass the geoblocking of X inside Brazil, allowing users to keep using the platform even after the ban. But what is a VPN in the first place? Is it only used to bypass censored content? How does it actually work?
What
A VPN, or Virtual Private Network, is a network technology that allows two or more endpoints, or even entire remote networks (Site-to-Site VPN), to communicate across the internet in a secure manner. This kind of virtualisation has many advantages: once the networks or devices are connected, they behave as if they were in the same private network.
One analogy: suppose your Wi-Fi cannot reach some specific site or service, and you ask your neighbour to let you use their Wi-Fi so you can reach that content through their connection. After connecting to their network, your device is no longer using your ISP [1] or your network, but your neighbour’s ISP and IP address. Your restrictions no longer apply, because you switched the path you take to the internet and how the internet’s services and sites “see” you (your IP address and ISP).
Another analogy is wanting two separate endpoints, in totally different networks and physical places, to join the same virtual network. A VPN can do that too, bringing both devices together across the internet in a secure way. Back in the day we would use Hamachi, for example, to play a LAN (local area network) game over the internet when the game did not support internet play, or when you did not have a fixed public IP address to host the server yourself and play directly with your friends. Today we have other, quite good I may add, alternatives to Hamachi like ZeroTier or Tailscale. Both do the same thing as Hamachi and, in some features, go beyond it. Tailscale, for example, has plans that also support business use cases with many organization-oriented features, but its free version is just as good as ZeroTier for bringing two devices together in one virtual network. Both are wonderful solutions for this kind of usage, be it for games or productivity in general.
Why
So why would you use a VPN in the first place? What are its advantages besides bypassing geoblocking and censored content? Let’s see some VPN use cases:
Privacy and Anonymity
VPNs can be used to hide your real IP address: since you are forwarding your packets to another network and, from inside that network, accessing the resource (a website, for example), you are not giving your real IP to that website.
It also encrypts all data in transit until it reaches the remote VPN network, which in turn contacts the resource you want, so your ISP does not know what you are accessing or doing on the internet.
Another advantage is that a VPN hides your real location in much the same way it hides your IP. Your true location remains hidden, and the only location the destination resource sees is that of the VPN network directly accessing it.
Productivity and collaboration
Here is where VPN truly shines on the corporate side. Organizations often have many branch offices that need to share intranet content with other remote offices without making it public or “discoverable” by people outside the organization. A VPN, especially in the site-to-site configuration (explained below), can make a huge difference for productivity and collaboration. For organizations with employees working from home, VPN proved to be a great solution to keep collaboration and productivity going during the 2020 COVID-19 pandemic, and VPN usage increased compared to before COVID-19.
Besides corporations, it is also useful for remote access to your own assets in a remote network for personal stuff, say backups, or for playing games with friends who cannot host a private service behind their ISP. A fixed public IP, or a one-to-one mapping to a single IP, is about gone by now; it is rare to have an IP for yourself because of the shortage of IPv4 addresses in favour of IPv6 (see also the CGNAT technique deployed by ISPs for more on this topic).
Network encryption and Security
VPNs also have the advantage of being encrypted, which improves security on networks that are less secure or not trusted at all. An example is a public Wi-Fi network you connect your devices to for internet access: since that Wi-Fi is not yours and is beyond your control, an actor could use it to launch many kinds of attacks, such as MITM [2] attacks, Wi-Fi eavesdropping, fake hotspots, session hijacking and so on. Using a VPN on a public network encrypts all your traffic, and even if the attacker captures the data it is useless to them, since it is all encrypted anyway. So a VPN can greatly increase security on a less secure network.
Bypass geoblocked content
Some sites or services have content that cannot be “normally” accessed by a device whose IP is located in a region with this kind of restriction. Using a VPN, on the other hand, you can change the country your IP is located in by redirecting your traffic to a server in another country, and so you can access this content as if you were from that country.
This use of VPN is commonly aimed at streaming services that block some movies or series in a specific country, for example.
Bypass censorship
Finally, the one currently trending in all the news. This use of VPN is to bypass ISP- or government-imposed censorship of a specific service or site. It works just like geoblocking bypass: the VPN user switches to a VPN server in another country that does not have this kind of block, and since the data traffic is encrypted, the ISP or the government cannot know what is being accessed or what the user is doing.
China, for example, has an extremely sophisticated firewall (the Great Firewall of China) over its cyberspace. Nobody accesses anything without it being monitored by this firewall; it can detect VPN traffic and, since that traffic is encrypted, it simply blocks VPN traffic altogether. This is far beyond what is currently happening in Brazil, where the block is against access to one specific service.
Since nothing is 100% secure, there are ways to bypass even this kind of control, but it requires advanced knowledge of how DNS poisoning [3], IP blocking, URL filtering [4], DPI (deep packet inspection) [5] and keyword filtering actually work in this kind of firewall.
Enhanced protection against ads, tracking and malware
Using a VPN can also provide protection against ads and malware, since the device resolves DNS and fetches content through a “proxy” server. That server can block ads, tracking mechanisms and even malware that is known to it, through its DNS lookups.
Not every VPN has this feature, but it is perfectly possible to have. Commercial ones like NordVPN, ProtonVPN and ExpressVPN all have tracker/ad blocking and malware protection technology in place.
Corporate VPNs can have this kind of protection too, using a mix of technologies and techniques like DNS filtering, URL filtering, DPI, NGFWs [6], endpoint security solutions and/or web proxy servers.
How
Now that we have seen why we would want a VPN and its use cases, let’s see how it actually works.
First, there are two common configurations in which VPNs are seen today:
Remote-Access
This is the typical way to use VPNs: how you would use one bought from a VPN provider, when you want to access your computer on your job’s network, or when you have a remote job and the company sets up a VPN connection to its network. Basically, your PC and a remote server process the packets and establish a connection between the two of them. Your router, for example, does not even know what is happening between you and the remote service (even though it forwards the packets through the internet), because your device and the remote service communicate securely and encrypted. Other devices on your network are also unaware of this virtual network; only your device, which made the connection and authenticated through the VPN to the remote service, is in the same network as it.
It is possible to have other devices in this VPN network if it is configured to allow them to “speak” with each other. If not, it will be just like commercial VPN usage: purely using the provider’s infrastructure to hide your location and real IP address.
Site-to-Site
Here, on the other hand, it is not your device that establishes the connection with the remote network’s service; it is the router or firewall of the network that does all the heavy lifting. Your device does not even know that the other remote network is not in the same physical place, and that its packets have to be tunnelled through the router or firewall to another remote router across the entire internet until they reach their destination.
This approach is used a lot by companies with branch offices or regional offices in other places. It makes it possible for devices of the same company to collaborate and consume content that would otherwise be out of reach of their network; with the site-to-site technique it looks like it is local to the same big corporate network. Nevertheless, some things might not work properly, like broadcast or multicast packets. Say you have a print server or file server in that remote network: it will not be “automatically” found by devices in the other remote network and would need to be configured manually to be used. Even that can be configured to fit each organization’s needs, for a company of any size.
To sum it up, a VPN in site-to-site configuration can greatly reduce operational costs, improve productivity, simplify network topology and also provide global networking opportunities.
VPN properties
Just like any other technology, a VPN has some very important properties that make reliable and secure data communication between these virtual networks and their clients possible. Some of the overall properties of VPN technologies are:
Data confidentiality
Like any other secure data transmission, it is imperative to have good encryption so the data cannot be read on its way to its destination. There are many protocols that use different types of encryption algorithms to protect the tunnelled data; the most used is AES-256, since it is the standard nowadays.
There are also other encryption algorithms that can help VPNs be more “lightweight” and faster, and having a good range of encryption options is a very good security practice. Since we are talking about networks, being fast, optimized and secure is the sweet spot here.
ChaCha20 is one option: faster than AES, and a stream cipher. Very suitable for devices that do not have much computational power.
Camellia is also an alternative to AES. It offers the same key sizes as AES (128, 192 and 256 bits). It is pretty similar to AES in terms of performance and security, but still not as used in VPN encryption as AES itself.
DH (Diffie-Hellman) is not used to actually encrypt the data, like AES, but to do the key exchange for the symmetric ciphers that in turn encrypt the data. So it is known as an asymmetric algorithm and works in conjunction with the symmetric ciphers, specifically in the key-exchange phase, as in the IPsec or OpenVPN protocols that use it.
RSA (Rivest-Shamir-Adleman) is also an asymmetric encryption algorithm used in key exchange, just like DH. It comes in 1024, 2048 and 4096-bit key sizes.
ECC (Elliptic Curve Cryptography) is another asymmetric approach, but faster and more “compact” than RSA: it uses smaller key sizes (a 256-bit key can provide security similar to 3072-bit RSA, for example) and is a good alternative for devices without much computational power, like IoT.
Last but not least, the Serpent cipher, which competed for the standard we know today as AES. It is also very secure, has stood the test of time and comes in 128, 192 and 256-bit key sizes. Just like AES it is a symmetric block cipher, but since its purpose was a greater security margin over performance it is slower than AES, and since many optimizations inside CPU hardware benefit the AES S-box and its simplicity, AES has the performance advantage in this case.
Data Integrity
Data integrity is also a crucial property for any type of VPN: it assures that the data arrives at its destination without being tampered with or corrupted in transit. Just like confidentiality, it increases the trustworthiness of the transmission between source and destination, making reliable communication between the two parties possible.
As with other protocols and secure communication technologies, integrity and confidentiality work together to give good overall security to the communication. Confidentiality alone helps against MITM attacks, but integrity alongside confidentiality is where the two properties shine together. A perfect example of this is the algorithm known as HMAC (Hash-based Message Authentication Code) used alongside AES or other cryptographic ciphers.
Before sending the data, one can encrypt it with a cipher like AES and then apply an HMAC to the ciphertext. Assuming the data is D and the functions to encrypt and to compute the HMAC are C() and H(), respectively, one could implement this kind of strong transmission security like this:
[ C(D) + H(C(D)) ] -> send to destination
After the message arrives, the destination first recalculates the HMAC over the received ciphertext with the function dH() and compares it with the tag it received, in this case H(C(D)). If it matches, it proceeds to decrypt the data with the function dC(), assuming both parties have already exchanged the key for this. This is known as Encrypt-then-MAC (EtM), and it would be done like this on the destination side:
Received message: C(D) + H(C(D))
IF H(C(D)) == dH(C(D)):        -- recompute the HMAC over the received ciphertext and compare it with the received tag
    plaintext D = dC(C(D), key to decrypt)
ELSE:
    warn("Something is off here!")   -- tampered or corrupted in transit: do not decrypt
The EtM technique is well known today and is the most secure way to get reliable integrity and confidentiality in data transmission, not only in the VPN use case. There are other ways to combine the two properties, MAC-then-Encrypt (MtE) and Encrypt-and-MAC (E&M), and, like everything in the world, there is a trade-off between them. It can be summarized as follows:
- EtM
  - Security against manipulation of the ciphertext: one cannot alter the ciphertext without the destination knowing, because the HMAC is recalculated and checked on the receiving end.
  - Since the HMAC and the ciphertext are sent together, the two artifacts are independent: the destination does not need to do anything to the ciphertext (like decrypting it) before checking its integrity.
  - The HMAC does not leak anything about the plaintext (assuming the encryption algorithm is safe).
  - Used in IPsec, TLS 1.2 and other protocols.
  - Trickier to implement and more complex than the others.
- MtE
  - The HMAC also does not leak any information about the plaintext.
  - Simpler to implement than EtM.
  - No integrity for the ciphertext: you have to decrypt it before checking the HMAC on the plaintext, so you are basically “trusting” that the ciphertext was not tampered with.
  - Vulnerable to padding oracle or other side-channel attacks if the encryption algorithm is not safe or good enough.
  - Older protocols used this method, but not anymore.
- E&M
  - The easiest of the three to implement.
  - Vulnerable to padding oracle and other side-channel attacks too.
  - The HMAC can leak plaintext information.
  - No integrity for the ciphertext.
  - Much less commonly used because of the vulnerabilities this technique has.
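As an added example (not code from the original post), the following Go program, using only the standard library, shows two pieces described above working together: an X25519 key agreement standing in for the DH/ECDH key-exchange phase from the confidentiality section, and the C(D) + H(C(D)) Encrypt-then-MAC format with AES-256-CTR and HMAC-SHA256, including the receiver’s verify-before-decrypt check and what happens when a byte is altered in transit. The names party, etmSeal and etmOpen, and the SHA-256-with-label key derivation, are this example’s own choices.

```go
package main

// Added example, not from the original post: X25519 key agreement followed by an
// Encrypt-then-MAC (EtM) message format, AES-256-CTR + HMAC-SHA256.
// Go standard library only; the names below are this example's own.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// party is one side of the key exchange (the role DH/ECDH plays in IPsec or OpenVPN).
type party struct{ priv *ecdh.PrivateKey }

func newParty() (*party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &party{priv: priv}, nil
}

// public returns the 32-byte public key, which is safe to send over the wire.
func (p *party) public() []byte { return p.priv.PublicKey().Bytes() }

// sessionKeys combines our private key with the peer's public key into a shared
// secret, then derives two independent keys from it: one for AES, one for HMAC.
// Hashing with a label is a simplified KDF for this example (assumption);
// real protocols use HKDF or similar.
func (p *party) sessionKeys(peerPub []byte) (encKey, macKey []byte, err error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	e := sha256.Sum256(append([]byte("enc|"), secret...))
	m := sha256.Sum256(append([]byte("mac|"), secret...))
	return e[:], m[:], nil
}

// etmSeal builds C(D) + H(C(D)): encrypt first, then MAC the ciphertext.
// Wire format: [16-byte IV][ciphertext][32-byte HMAC tag].
func etmSeal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize+len(plaintext))
	copy(body, iv)
	cipher.NewCTR(block, iv).XORKeyStream(body[aes.BlockSize:], plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body) // the tag covers IV and ciphertext, never the plaintext
	return mac.Sum(body), nil
}

// etmOpen is the destination side: verify the tag first (constant-time compare)
// and only then touch the ciphertext. A bad tag means tampering or a wrong key.
func etmOpen(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("HMAC mismatch: message altered in transit or keys differ")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	plaintext := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(plaintext, ct)
	return plaintext, nil
}

func main() {
	alice, _ := newParty()
	bob, _ := newParty()
	aEnc, aMac, _ := alice.sessionKeys(bob.public())
	bEnc, bMac, _ := bob.sessionKeys(alice.public())
	msg, _ := etmSeal(aEnc, aMac, []byte("inner packet"))
	pt, err := etmOpen(bEnc, bMac, msg)
	fmt.Printf("bob decrypted %q (err=%v)\n", pt, err)
	msg[aes.BlockSize] ^= 0x01 // flip one bit of the first ciphertext byte on the wire
	_, err = etmOpen(bEnc, bMac, msg)
	fmt.Println("after tampering:", err)
}
```

The receiver never calls the cipher on data whose tag failed, which is exactly the property the MtE and E&M columns above lack; hmac.Equal is used instead of a plain byte comparison so that timing does not reveal how many tag bytes matched.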
So EtM is the best of the three, but there is still another approach that is far better. With these methods you have to do the composition yourself and, as always, programmers are not necessarily cryptanalysts and may make serious mistakes in a field where any tiny mistake can have a great impact on security. Cryptography is a very big topic and a beast in its own right, so we do better to respect this beast and leave it alone if we do not know what we are doing.
Here I should also add this: do not attempt to create your own cryptographic or MAC algorithm for commercial or public use unless you know what you are doing, it is open source so other cryptanalysts can validate it, and it has stood the test of time. Implementing something on your own without these three fundamental requirements could put other people’s data at risk.
Knowing this implementation problem when combining encryption with a MAC, it is simpler to use something that has both concepts already “built in” as one atomic operation. The answer is AEAD (Authenticated Encryption with Associated Data): AEAD combines encryption and integrity into one single cryptographic primitive, enhancing security and easing the burden on development.
Some examples of AEAD algorithms are AES-GCM and ChaCha20-Poly1305. Both are strong encryption and integrity algorithms built into one cryptographic primitive, so programmers can easily use them without the danger of wrongly implementing something on their own. They are also used in state-of-the-art security and VPN protocols like TLS 1.3 and WireGuard, which we will discuss in the next topics.
Basically, AES-GCM is a bit more demanding in computational power than ChaCha20-Poly1305, which makes ChaCha20-Poly1305 a good alternative for devices with less computational power (especially those without AES hardware acceleration), like IoT devices, to use this kind of security.
Authentication
All this security in data transmission would mean nothing if there were no way to safely authenticate the user with the server. For that, many commercial and self-hosted VPNs have a safe way to authenticate their users; some of them are:
- PSK (Pre-shared key): The weakest of them, since it uses only a key (which is why the pre-shared key has to be long and secure). Usually used in site-to-site VPNs paired with another authentication method, usually PKI, to strengthen it.
- MFA (Multi-factor authentication): This can vary greatly, but the most used is OTP or software tokens (soft tokens); Google Authenticator or Authy are examples. Nowadays there is a strong movement towards passkeys, which are gaining momentum in the cybersecurity world.
- PKI (Public-key infrastructure): This works just like HTTPS web page certificates; you can have your own infrastructure for these asymmetric cryptographic certificates or use the big CAs [7]. It also helps to make sure that what you are connecting to is actually the correct VPN server (non-repudiation). So the client has its certificate and the server authenticates it, and likewise the client can authenticate the server to know it is actually the right server it is connecting to. A very good alternative to user/password + MFA.
- LDAP (Lightweight Directory Access Protocol): Usually username + password, for mid-size to large organizations, since they have their users structured inside an LDAP directory, like Windows AD. It can be strengthened alongside MFA.
- OAuth/SAML/OpenID: A modern way to authenticate users that you have probably used, when signing in to LinkedIn or Facebook with a Google account or another third-party service. This belongs to the broader category of federated authentication systems [8].
- Smartcards/Hardware tokens: This is the best way to authenticate a user, since it is a hardware token, as opposed to the soft token explained under MFA that can be compromised more easily than dedicated hardware. Since it is a physical read-only device (the private key burned into the hardware cannot, if done properly, be read from outside it), it serves as the “something you have” kind of authentication. Usually used in highly secure environments that need this degree of security; the YubiKey from Yubico or the Titan Key from Google are examples. They are a subgroup of the broader group known as HSMs (hardware security modules).
Data Tunneling
This property is the core reason behind VPNs in the first place: one protocol is used as the main carrier of data, encapsulating another protocol inside it. Such carrier protocols are the actual VPN protocols like OpenVPN, IPsec, WireGuard and so on. This can greatly improve security and privacy. For example, say you want to browse a site over HTTP or retrieve a file from an FTP server using the FTP protocol. Neither protocol is secured by encryption; they travel the wire in plaintext. With data tunneling they are encapsulated inside a protocol like WireGuard, which is encrypted and has all the security properties discussed before built in, making it secure to browse the web or retrieve the file from the FTP server. It will not, however, protect you from the VPN server itself, or after the packet leaves the VPN server: the tunneling is removed once the packet reaches the VPN server, and the VPN server then makes the request to the destination directly, instead of your endpoint. This can be viewed like this:
Sending over the tunnel
(client vpn) ----> [Wireguard[http]] ---> (VPN Server) ----> [http] (real destination)
Receiving back over the tunnel
(client vpn) <---- [Wireguard[http]] <--- (VPN Server) <---- [http] (real destination)
This protects the privacy and security of the client, but if there is another problem after the VPN server, the data is exposed. That is why it is always good to use secure protocols, even over a VPN, like HTTPS, FTPS and so on. Still, the IP address and source of the connection will be the VPN server, not the actual client, so the client’s IP address and geolocation stay hidden (unless the data inside HTTP, in the example above, says something about the sender after it leaves the VPN server for the real destination).
Here we can also see the difference between VPN traffic and end-to-end encryption [9]: not all VPN traffic is still encrypted after it leaves the VPN server; that depends on the original protocol used to “talk” to the “real destination”. If you use HTTPS, for example, then it is truly end-to-end encrypted even after leaving the tunnel.
Besides these implications and some minor technical details that can affect data privacy and security, tunneling, when properly done, provides the main benefits of a VPN. Some of them are:
- Privacy: Since the VPN server is the one reaching the destination address, your identity can be hidden from ads or tracking. Data privacy is also ensured in transit from the VPN client to the VPN server, since the protocol is encapsulated inside the VPN protocol.
- Security: Also because of the tunneling, data intercepted between the VPN client and the VPN server is encrypted and protected by the integrity properties we saw in the previous topic.
- Anonymity: The real client IP is hidden from the real destination; if the user does not log in or share any information with the “real destination”, their anonymity is maintained by the VPN server.
- Bypass geo-blocking: Since the VPN server can be anywhere in the world, the client can access content that is blocked in their region but not in the region of the VPN server in that country.
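As an added example (not code from the original post, nor from WireGuard, OpenVPN or any other VPN project), this Go program sketches the encapsulation shown in the diagram above using an AEAD, as the integrity section recommends: an inner packet is sealed with AES-256-GCM, a cleartext outer header (packet type + counter) is bound to it as associated data, the counter doubles as the nonce, and the receiving side rejects altered headers, altered payloads and replayed packets. The header layout, the packet type value and the names tunnel, encapsulate and decapsulate are assumptions of this example, not any protocol’s real format.

```go
package main

// Added example, not from the original post or any VPN project: a minimal
// one-direction "tunnel" that wraps an inner packet with AES-256-GCM (an AEAD).
// The cleartext outer header is authenticated as associated data, the nonce is
// a packet counter, and replays are rejected. Go standard library only.

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	hdrLen   = 9 // 1-byte packet type + 8-byte counter, sent in the clear (assumed layout)
	typeData = 4 // constructed packet-type value for this example
)

// tunnel is one direction of a session. Each direction must use its own key:
// a counter nonce is only safe while no (key, counter) pair is ever reused.
type tunnel struct {
	aead        cipher.AEAD
	sendCounter uint64
	recvHighest uint64
	recvSeen    bool
}

func newTunnel(key [32]byte) (*tunnel, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return &tunnel{aead: aead}, nil
}

// nonceFor derives the 12-byte GCM nonce from the counter carried in the header.
func nonceFor(hdr []byte) []byte {
	n := make([]byte, 12)
	copy(n[4:], hdr[1:hdrLen])
	return n
}

// encapsulate produces [header][AEAD(inner) with header as associated data].
func (t *tunnel) encapsulate(inner []byte) []byte {
	t.sendCounter++
	hdr := make([]byte, hdrLen)
	hdr[0] = typeData
	binary.BigEndian.PutUint64(hdr[1:], t.sendCounter)
	out := make([]byte, hdrLen, hdrLen+len(inner)+t.aead.Overhead())
	copy(out, hdr)
	return t.aead.Seal(out, nonceFor(hdr), inner, hdr)
}

// decapsulate authenticates header and payload together, then enforces the counter.
func (t *tunnel) decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < hdrLen+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr, body := outer[:hdrLen], outer[hdrLen:]
	if hdr[0] != typeData {
		return nil, errors.New("unknown packet type")
	}
	inner, err := t.aead.Open(nil, nonceFor(hdr), body, hdr)
	if err != nil {
		// One check covers a modified payload and a modified header (the AAD).
		return nil, errors.New("authentication failed: packet altered in transit")
	}
	ctr := binary.BigEndian.Uint64(hdr[1:])
	if t.recvSeen && ctr <= t.recvHighest {
		return nil, errors.New("replayed or reordered packet dropped")
	}
	t.recvHighest, t.recvSeen = ctr, true
	return inner, nil
}

func main() {
	var key [32]byte // constructed demo key; a real tunnel derives it from a handshake
	for i := range key {
		key[i] = byte(i)
	}
	client, _ := newTunnel(key)
	server, _ := newTunnel(key)
	outer := client.encapsulate([]byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
	inner, err := server.decapsulate(outer)
	fmt.Printf("server got %q (err=%v)\n", inner, err)
	_, err = server.decapsulate(outer) // the same packet delivered a second time
	fmt.Println("replay:", err)
}
```

Two design points worth noting: the plaintext HTTP request is only visible after decapsulation at the server, which is exactly the boundary the diagram shows, and the strictly increasing counter here is a simplification; WireGuard, for instance, keeps a sliding window so that legitimately reordered UDP packets are not dropped.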
VPN Protocols
Going even deeper into VPN technology, VPNs come in different “shapes” and “colours”, as you can see in Figure 01:
Figure 01 VPN Classification
By Michel Bakni - Andersson, L. (March 2005) RFC 4026, Provider Provisioned Virtual Private Network (VPN) Terminology, Internet Society, p. 7, DOI: 10.17487/RFC4026; Lewis, Mark (April 2006) Comparing, Designing, and Deploying VPNs, Cisco Press, p. 10, ISBN: 1587051796. CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=84112082
It is important to understand that VPN is not a protocol but a concept or technology. So in this section we will explore which VPN protocols exist under this big umbrella and see some differences between them.
OpenVPN
The OpenVPN protocol is widely used among VPN solutions. It mainly uses AES up to 256 bits and 3DES for encryption, alongside SHA-256 or SHA-512 for integrity. It works at layer 4 (transport layer), based on SSL/TLS, using TCP or UDP for transmission, and can tunnel layers 2 and 3.
Performance depends on configuration: UDP is faster than TCP because of TCP’s inherent overhead, such as the retransmissions and acknowledgements it requires.
It is easier to configure than IPsec, for example, and can be used in site-to-site or client-server VPN setups.
IPsec
IPsec is also a very widely used protocol for VPN solutions. It operates at layer 3 (network layer) and works with both IPv4 and IPv6. IPsec uses the same ciphers and integrity algorithms as OpenVPN and is highly configurable to go beyond those.
It relies on two further protocols: AH (Authentication Header) for integrity and authentication, and ESP (Encapsulating Security Payload) to actually encapsulate other protocols inside its own.
It can operate in tunnel mode (encrypts the entire IP packet; used in site-to-site VPN setups) and transport mode (encrypts only the payload of the IP packet; typically used for end-to-end communication).
IPsec configuration tends to be more complex than OpenVPN and requires more networking knowledge.
Another downside is the performance of this VPN protocol: its complex encryption process, plus the overhead of the AH and ESP headers, makes it a bit more resource-intensive.
WireGuard
WireGuard is the newest VPN protocol and has state-of-the-art performance, security and configuration compared to OpenVPN and IPsec.
It works at layer 3, just like IPsec, and also supports IPv4 and IPv6. It operates only over UDP, unlike OpenVPN, which also works over TCP.
WireGuard uses modern cryptographic algorithms such as ChaCha20 for encryption and Poly1305 for integrity. Since these are stream-cipher style algorithms, they tend to be more lightweight than AES, for example.
Performance is also hugely faster than OpenVPN and IPsec because of its modern approach and newer technologies, like the stream cipher and the UDP protocol.
Configuration is also simpler, since WireGuard is much simpler than the other two: roughly 4k lines of code versus 70k for OpenVPN, for instance. Its default configuration is also more secure than OpenVPN and IPsec, since PFS (perfect forward secrecy) with ephemeral keys and key rotation is enabled out of the box, making it less prone to misconfiguration than the other two.
The downside of this protocol is that it is a bit less privacy-centric than the other two, since WireGuard does not support dynamic IPs for its clients. Commercial VPNs and some configuration tweaks can solve this by always assigning a different IP to users when they reconnect, so this is not such a big deal when the VPN provider has your back on this point. We will see more about this in the next section; for personal use through a commercial VPN provider it can be further enhanced with a zero-log policy too.
The other downside: since it is newer technology than the other two, many providers do not use it yet, but it is continually being incorporated as more and more providers switch to this VPN protocol.
MPLS (Multiprotocol Label Switching) VPNs
MPLS is a bit different from the other three; it is more suitable for companies than for personal use. It uses the WAN link to the internet with the help of the ISP, which offers this feature to its corporate customers, providing the required isolation from other internet traffic and redirecting packets to the correct destination inside the ISP’s backbone infrastructure.
It also needs new dedicated hardware to connect to the ISP’s MPLS network. Say an HQ wants MPLS with its branch offices: the company needs the hardware (known as CPE, customer premises equipment, like a router) so it can connect the two locations and create the VPN between them.
It also does not use encryption, since the ISP routes the packets back and forth inside its backbone between the two or more locations of a company. To use encryption over MPLS, the customer has to do it on their side with IPsec or other secure transport protocols, if the company’s risk appetite considers a compromise of the ISP’s MPLS network a real risk.
Since this is entirely managed by the ISP, has no encryption overhead and uses the ISP’s backbone, this solution is very fast and easily scalable. All of this depends on how robust the ISP’s infrastructure actually is, but in general it will be much faster than the other three VPNs.
Configuration is also simplified, since that burden is on the ISP’s side instead of the customer’s. So it is also very easy to set up this kind of infrastructure, and it is transparent to its customers.
PPTP (Point-to-Point Tunneling Protocol)
PPTP is a very old VPN protocol created by Microsoft in the 90s and should not be used anymore, because of the outdated encryption it uses and because it is not privacy-centric, making it the worst of all these VPN protocols in terms of security and privacy.
Besides the security and privacy problems, it is pretty easy to set up between old Windows versions, and it is actually “fast”, but not by a large margin by any means. So it is better to use OpenVPN with a UDP configuration or, an even better choice, WireGuard.
It uses the old RC4 cipher, which is no longer considered secure, and MS-CHAPv2, which has also been cracked and is vulnerable, making this protocol critically insecure.
SSTP (Secure Socket Tunneling Protocol)
Another VPN protocol created by Microsoft, and as such it needs a Windows OS to run; there are ways to make it work on Linux, but it is not meant to.
In contrast with the old PPTP protocol, this one is more secure. It typically uses SSL/TLS encryption and therefore port 443, which makes it a good way to get past firewall restrictions in places that do not allow VPN use (OpenVPN is also good on this point).
It is easy to set up in a Windows environment, since it has been built in since Windows Vista SP1.
Its performance is somewhat good: better than OpenVPN but worse than WireGuard in terms of speed.
Since this solution is closed-source and proprietary, it is not a good choice when privacy is in question, since open-source solutions can generally be audited more easily and openly. This protocol nevertheless has PFS (perfect forward secrecy), just like WireGuard and OpenVPN, making it a good alternative for Windows environments.
Which
Ok, we now know why it would be good to have a VPN, how it works and what protocols exist, but if we want to buy a commercial VPN for our business or personal use, which one is good and what do we need to know to make the best choice? Let’s look at some features that matter when choosing your VPN provider. In parentheses I put whether each one is most relevant for business, personal or both usages:
Secure authentication and authorization (Business and personal usage)
Like we have seen in the previous sections, this one is imperative for a good and strong VPN service. A VPN provider without good authentication and customizable authorization (the latter especially for business usage) can be as problematic as a weak VPN protocol.
On this topic, always look for VPN providers that accept a good range of MFA (multi-factor authentication) options, such as OTP, SSO or, even better, hardware security keys like Yubico’s YubiKey or Google’s Titan Key (especially in a business network with mission-critical assets).
Authorization is also a key component of a VPN provider used in a business environment, since we are talking about multiple users accessing different resources inside the VPN’s network. It is a good idea to have customizable authorization rules built into the VPN provider’s solution. It can also enhance the business’s ZTN (zero trust network)[10] posture; as a matter of fact, many VPN providers have ZTN features built into their VPN solutions for enterprise clients. It is not something that benefits personal usage of VPN providers, but it is definitely a big plus for business usage.
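As an added illustration of the OTP factor mentioned above (example code written for this page, not taken from the post or from any VPN provider’s software), the following Python implements RFC 6238 TOTP verification the way a VPN gateway’s MFA step checks a code: it derives the HOTP value for the current 30-second step and accepts codes from one step either side to absorb clock drift. The secret is the RFC 6238 test-vector key, so the values can be checked against the RFC; the 30-second step and 6-digit length are the standard defaults, and a real deployment would provision a random secret per user.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Assumption for this example only: real enrolment generates a random secret per user.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate,
    reduce modulo 10^digits and left-pad with zeros."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of whole
    time steps elapsed since the Unix epoch."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a code submitted by the user.

    Accepts the code for the current step and up to `window` steps before and
    after it, so a client whose clock drifts by a few seconds is not locked out.
    The comparison is constant-time.  A production verifier must additionally
    remember the last accepted counter per user and refuse that counter (or any
    earlier one) again, so a code observed once cannot be replayed inside the window.
    """
    if timestamp is None:
        timestamp = int(time.time())
    # Reject anything that is not exactly `digits` decimal digits before doing any crypto.
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = timestamp // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1, 8 digits: T=59 gives 94287082.
    print(totp(TEST_SECRET, 59, digits=8))
    # The 6-digit form of the same step is 287082, which the verifier should accept.
    print(verify_totp(TEST_SECRET, "287082", timestamp=59))
```

The `window` parameter is the usual trade-off: a wider window tolerates more client clock drift but also lengthens the time during which a shoulder-surfed or phished code stays valid, which is why the replay check described in the docstring is not optional on a real gateway.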
Kill switch (Personal usage)
This feature is more oriented to personal usage, since it is more privacy centric than business oriented. It is for people inside countries that censor internet usage and enforce ways to keep their population from accessing content that is restricted inside the country, but it can also help people who do not want their data leaked to or seen by their ISP, or when connecting to an untrusted network such as a public Wi-Fi network.
The kill switch is a feature where the VPN client, when it detects that the VPN server is down or the tunnel has been disconnected, immediately cuts off the device’s internet access. Doing so prevents the client from leaking its IP address or data through the ISP, for example, while trying to access something in the belief that it is on the VPN when it is not.
So the kill switch greatly helps maintain the privacy of the VPN client when something unexpected happens to the connection between VPN client and VPN server. It can be a system kill switch or an application kill switch: at the system level it cuts off internet access for the entire system, whereas at the application level it only cuts off internet access for the browser or another specific application.
NordVPN, ExpressVPN and ProtonVPN are examples of VPN providers that have this feature.
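To make the system-level variant concrete, here is an added Python example (not from the post, nor from any of the providers named above) that generates an nftables ruleset implementing a kill switch. Instead of reacting after the tunnel drops, it makes the drop harmless: the output chain’s policy is drop, and the only traffic allowed to leave is loopback, anything going through the tunnel interface, DHCP renewals, and the encrypted tunnel packets to the VPN server’s own address and port on the physical interface. The interface names and the server endpoint (`203.0.113.10:51820`, a documentation-range address) are constructed assumptions.

```python
import ipaddress


def _check_ifname(name: str) -> str:
    """Linux interface names are at most 15 characters; reject anything that
    could break the generated nft syntax rather than silently emitting a bad rule."""
    if not name or len(name) > 15 or not all(c.isalnum() or c in "._-" for c in name):
        raise ValueError(f"bad interface name {name!r}")
    return name


def killswitch_ruleset(phys_if: str, tun_if: str, server_ip: str,
                       server_port: int, proto: str = "udp") -> str:
    """Build an nftables ruleset that only lets traffic leave through the VPN.

    Everything not explicitly accepted in the output chain is dropped, so when
    the tunnel goes down the application traffic that normally rides it has no
    interface left to use and the ISP never sees it in plaintext.
    """
    # Validate every input: a typo here either locks the machine out or silently
    # fails to protect it, and neither is visible from the rule text alone.
    addr = ipaddress.ip_address(server_ip)          # raises ValueError on garbage
    if not 0 < server_port < 65536:
        raise ValueError(f"bad port {server_port}")
    if proto not in ("udp", "tcp"):
        raise ValueError(f"unsupported transport {proto!r}")
    _check_ifname(phys_if)
    _check_ifname(tun_if)
    family = "ip" if addr.version == 4 else "ip6"

    rules = [
        "table inet vpn_killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    # local processes talking to each other",
        '    oifname "lo" accept',
        "    # anything already inside the tunnel is fine",
        f'    oifname "{tun_if}" accept',
        "    # keep the DHCP lease alive so the physical link itself stays up",
        f'    oifname "{phys_if}" udp dport 67 accept',
        "    # only the encrypted tunnel packets themselves may leave on the physical NIC",
        f'    oifname "{phys_if}" {family} daddr {addr} {proto} dport {server_port} accept',
        "  }",
        "}",
    ]
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    # Constructed example: Wi-Fi NIC wlan0, tunnel tun0, WireGuard-style UDP endpoint.
    print(killswitch_ruleset("wlan0", "tun0", "203.0.113.10", 51820))
```

Save the output to a file and load it with `nft -f <file>`; `nft delete table inet vpn_killswitch` lifts it again. Two practical points follow from the rules: the physical interface is never given an open-ended `accept`, so a dropped tunnel leaves applications with no route out rather than a silent fallback to the ISP, and the system’s DNS resolver must be one reachable inside the tunnel, otherwise lookups are blocked (or, without the ruleset, would leak) the moment the tunnel is gone.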
Huge choice of IP addresses per region (Personal usage)
Having a large pool of IPs in different regions, or even in the same region, can also be beneficial, since one of the main purposes of a VPN server is to hide your IP and your identity from the destination website you are accessing, whether because of ads, tracking, anonymous web surfing, etc. Having a good pool of IPs or VPN servers from which you can reach the same destination helps to effectively spread your internet activity across this pool of IPs.
There is also a chance that you get a VPN server with a lot of latency because it is overcrowded, or one that gets you a lot of captchas to solve just to enter a website; switching to another VPN server in the same region or in a different region can solve these kinds of issues. So a good pool of IPs gives clients more diversity in ways to access the content they want, with lower latency.
Zero-log policy (Personal usage)
Just like the kill switch, this one is more for personal and privacy-centric usage of VPN. Having a zero-log policy is a must when talking about privacy, and a lot of VPN providers are serious about this topic, since the greater part of their user base gravitates towards privacy; if one of them were proven to keep logs of its customers, it could be the end of their business.
If a VPN provider does not guarantee this, everything you do inside their VPN server is being logged, and since they already have your account details and payment details (some VPN providers are even good at hiding payment transactions for the privacy of their customers, see Mullvad VPN’s payment methods), they can link that data to what you do online by timestamps and source and destination IPs, since they are the “middle man” here. Trust, ethical business and transparency are paramount.
Before paying for a VPN service, the first thing is to make sure the vendor is well known, has a good reputation and actually follows the zero-log policy at its core. After all, you are putting your trust in this VPN provider regarding what you do online, just as you would in your ISP when not using a VPN.
State-of-the-art encryption (Business and personal usage)
This is nothing new, but some people might forget to look at this when privacy is always the main topic around VPN providers, so making sure they also use good and very secure encryption can be the difference between having your data exposed or not.
Since we already talked a lot about this, all I can say here is to check for the WireGuard protocol and see if your VPN provider supports it. Since it is modern and secure, you will be in good hands, not only in security but also in latency, which is also a huge plus for a VPN, even more so if you want to use the VPN to access streaming services like Netflix or Spotify.
Trusted reputation (Business and personal usage)
Just like the zero-log policy feature, this is also a must, not only for personal but for business use too. After all, we are trusting this VPN provider to keep our data in transit safe and secure, and our VPN network too, so a very good reputation helps quite a lot. The big names in the VPN industry that I can name from the top of my head are NordVPN (NordLayer for business customers), ExpressVPN, ProtonVPN and PIA (Private Internet Access).
Do not take my word alone on this, since reputation can change over time; do your own research and look at the features and their history. See if they had any problem in the past with the zero-log policy, for example, and whether a trustworthy company stands behind these commercial names. All of this will help you decide what is the best VPN provider for your use case; there is also the price factor. So it is best to do your own research and find what works out for you.
Conclusion
It was a long discussion with a lot of details to cover, but I hope I could give you a bit of knowledge about what a VPN is and why it is so important nowadays. Sure, it can help against censorship and bypass firewall restrictions, but VPN is way broader than just a tool to bypass censorship. It also helps businesses and people work remotely from their homes while maintaining a secure connection with their company’s network and assets, it can secure the privacy of their data on a less secure network they currently have access to, or even protect them from ads and tracking services at their ISP or embedded in the websites they visit.
VPN is an essential tool nowadays, be it for privacy and anonymity, to empower individuals to navigate the internet freely, to secure data on a network you do not trust, or to increase productivity. This is just one small wonder of what technology can give us in the interconnected world we live in today.
1. Internet Service Provider.
2. A Man-in-the-Middle attack is when the attacker intercepts communication between the device and the Wi-Fi router, for example, manipulating the data between them.
3. A method to hijack DNS lookups on the wire and insert a different destination than the real one. DNSSEC (the secure version of the DNS protocol, just like HTTPS is for HTTP) can mitigate this kind of attack; DoH (DNS over HTTPS) and DoT (DNS over TLS) are also good alternatives to mitigate it.
4. It controls only layer 7, the application layer, in this case the HTTP URL. It is used to manage access to specific domains and the query part of the URL.
5. A more advanced method of control than URL filtering: it inspects traffic from the network layer (layer 3) of the OSI model up through layer 7 for specific content or patterns and takes actions based on that, not only on the HTTP traffic at layer 7 as URL filtering does.
6. Next-Generation Firewall: a mix of features in one firewall appliance, such as an intrusion detection system (IDS), SSL/TLS inspection, DPI, URL filtering and so on. Think of it as a firewall on steroids.
7. A CA is a Certificate Authority, the root of the certificate chain of trust. It signs itself, thus making itself the root of the entire chain. Compromise it and the whole chain of trust is compromised; more can be seen here.
8. Federated authentication is basically the use of another, third-party authentication service, also known as an IdP (Identity Provider), to confirm your identity to the website you want to log in to, also known as the SP (Service Provider). It will create your identity inside that service and each time you try to log in there it will ask the IdP to confirm your identity. The problem is that if the IdP is offline you cannot log in, so there is that downside of this kind of federated authentication dependency; but instead of having multiple logins on various sites, you can use one third party where you already have an account to authenticate you, if the SP allows this kind of authentication, which is also known as SSO (single sign-on).
9. End-to-end encryption or E2EE is a way of securing communication from the source until it reaches its destination. Over the entire transmission life-cycle the data is transmitted encrypted and there is no way for someone in the “middle of the road” to get the plaintext data unless it reaches its destination and is actually decrypted. So even the server that relays the message cannot see what the message is, it only knows where it should go. For a complementary property, see perfect forward secrecy (PFS).
10. ZTN is a security concept that does not trust any individual (be it a person or a device), regardless of its position in the network (inside or outside), to perform an action or have access without first proving its identity and authorization. This is also continuous, so even after identity and authorization have been proven, the ZTN will test them again for each action taken in the network. This enhances the network’s security posture, since no one is trusted and everyone is always verified.