Using a VPN for Remote Access

When non-IT people hear the term “VPN” they tend to think of a commercial service where for a monthly subscription you can connect your computer internet connection and surf the Web anonymously by passing your Internet traffic through a “VPN server” run by the VPN service provider.

This is one usage for a VPN – providing an encrypted point-to-point connection between two computers, and enabling your Web traffic to exit the end computer bearing a different IP address to the originating one of your computer.

VPNs in that sense are more glorified Internet proxies, particularly for Web traffic. While they have their uses, for example in encrypting the traffic leaving your computer to enter the Internet (most websites – though not all, use HTTPS and SSL/TLS for encryption anyway, and also in helping keep your own IP address hidden, if that’s what you want.

The latter feature can be useful if you want your Internet activity to look like it is coming from a different geographical region to the one you are actually located in. You might want this in order to act as a workaround to access media or other services who limit access according to your location. Or perhaps to avoid government censorship.

But VPNs are a form of network traffic management which can do far more than act as an IP address proxy. The key is in the actual meaning of the term VPN – Virtual Private Network.

A Virtual Private Network is a protected private network which uses data encryption to keep the traffic on the VPN private. It can be used for much more than just a single point-to-point connection.

VPNs are used by many businesses and organizations nowadays in order to provide remote-working facilities for staff in the form of a secure remote access LAN, as well as to link different business site locations via the Internet while keeping the network links between the locations private.

Remote access to the VPN is made possible by creating a virtual traffic tunnel between one compute and the company’s network. This tunnel passes through the public Internet, but the data travelling through the tunnel back and forth is protected by encryption and security protocols to ensure it is kept private and secure. This is crucial when remote employees are accessing the company network via wifi from outside since wifi connections can be easily intercepted by hackers.

Remote access VPNs have several advantages for businesses. But the most important one of all is data security. When a remote employee or an employee at a different company site sends and receives data through a VPN, this data is encrypted. A VPN ensures your organization’s data traffic is kept secure even if employees are accessing your office network from the public internet.

So even if a hacker should manage to intercept that data, they still won’t be able to do anything with it.

The two basic components of a remote access VPN are a network access server and VPN client software for the computers that want to connect.

 

VPN Protocols – A Quick Overview

VPN service providers tend to offer different VPN protocol options.

VPN protocols control how the data flows between your device and the VPN server, determining aspects as connection link speed and the type or level of encryption used for the traffic.

Here’s a brief overview of some of the most common VPN protocols in use:

  • OpenVPN: A widely used open-source protocol.
  • PPTP: Point-to-Point Tunneling Protocol (PPTP) is one of the oldest, originally used for dial-up connections. Has weak security.
  • L2TP/IPSec: Layer Two Tunneling Protocol (L2TP) is a successor to PPTP. It’s used with IPSec (Internet Protocol Security). Provides much better security than PPTP but tends to be on the slow side.
  • IKEv2/IPSec: Internet Key Exchange version two (IKEv2) uses IPSec for extra security. It’s especially popular for mobile devices.
  • SSTP: Secure Socket Tunneling Protocol was developed by Microsoft and so as a proprietary protocol it isn’t open-source.
  • WireGuard: The most recent VPN protocol. Provides for both fast connections and strong security.

 

OpenVPN is a very popular widely-used VPN system which being open-source is freely available for use. However, OpenVPN does not provide any network access servers – that’s your organization’s responsibility.

OpenVPN provides the software which enables both a VPN server and VPN clients to connect with each other.

Wireguard, although a promising system, at the time of writing is more easily usable for single point-to-point connections, rather than for building a remote access VPN with multiple nodes.

Zerotier-One

One system which is well-established and recommended for convenient multiple peer-to-peer use is Zerotier-One.

Zerotier is a company based in California, USA, and who distribute and update the Zerotier VPN software. The basic service is free and can support a high number of node computers. The company provides added-value services but the free service is perfectly adequate for many smaller businesses and organizations. Its also easier to configure than for example OpenVPN or Wireguard.

One feature of Zerotier is that it provides a Web-based dashboard for managing your VPN, as well as a command-line interface.

From the data security point of view Zerotier is pretty safe. Zerotier run so-called Zerotier “root servers” known as “planets” which provide the functionality for the network.

However, you cannot exit the network via their services, unlike with conventional VPN proxy services. Zerotier can’t see your network traffic.

As with OpenVPN, you are responsible for creating and operating your own VPN servers. In actual fact, Zerotier uses a peer-to-peer model, so there is no need for any conventional-style “VPN servers” as such. All participants in your Zerotier VPN are equal nodes.

The only potential drawback with Zerotier is that VPN network access is managed via my.zerotier.com. If this server should get hacked then your VPN network could potentially be accessed by an intruder. Also if there was an outage at my.zerotier.com or the supporting infrastructure then your VPN could be adversely affected or be completely unreachable.

You can set up any number of VPN networks with Zerotier if you want to run different WANs for specific purposes. The web-based dashboard also makes it easy to manage your VPN/s from a web-browser at any time.

Zerotier use an interesting method to run their host VPNs. They divide the connection into two parts:

The first is Virtual Layer 1 or VL1. This is the p2p component which takes care of encryption and direct communication. In effect its a virtualization of the physical layer in the OSI Networking System.

The second is Virtual Layer 2 or VL2 – This is the virtual Ethernet component which covers machine authorization, access control, network rules and so on.

VL1 is designed to operate with no necessary configuration. Instead it depends upon the assistance of the Zerotier “planet” or root servers mentioned earlier. This layer is what creates the actual virtual network itself.

It also deploys UDP “Hole Punching” to circumvent NAT configurations where they are identified.

VL2 is a Virtualized LAN protocol with Software-Defined Network (SDN) management features. It deploys secure VLAN boundaries, multicasting, capability based security and certificate based access control mechanisms.

This is the layer which actually takes care of the data packet transmission across the VPN.

 

Zerotier Infrastructure

Zerotier currently run 12 root servers or “planets” spread over various global regions to provide for VL1 functionality for all the hosted VPNs on the system.

If you wish, you can also set up your own replica “root servers” on your own VPN – known as “moons”. These help reduce the network overhead on the Zerotier root servers, and can help increase network speeds and reduce latency, but they are not essential and in individual cases are generally not necessary.

A moon is just another way to add user-defined root servers to the Zerotier system. Users can create moons to reduce their dependency on Zerotier’s own infrastructure.

Once the VL1 connection has been established, Zerotier clients then contact the network controller.

Every Zerotier VPN has a network controller which is a node that is responsible for admitting members to the VPN, issuing certificates, and providing default configuration information when required.

The network controller distributes network configurations for VL2 participation among the client nodes and deploys cryptographic methods to authenticate the members.

Setting up a Zerotier VPN is straightforward and the system will generally work straight “out of the box”. Follow the instructions at https://zerotier.atlassian.net/wiki/spaces/SD/pages/8454145/Getting+Started+with+ZeroTier

Check out the Zerotier Knowledge Base here: https://zerotier.atlassian.net/wiki/spaces/SD/overview

, , ,