VPN: what it is, why you need one, how it is set up and why it is useful


Most of us use the Internet daily, for personal or business purposes. Most likely, you have not yet run into any of its threats. However, the Internet is not as safe as it seems. Perhaps you have secured your WiFi, but what about a VPN? Do you need that kind of protection?

A VPN, or virtual private network, is a group of networks or computers connected to each other over the Internet. A VPN secures your connection by ensuring that everything you send and receive is encrypted.

So how can you tell when you need a VPN? It does not matter whether you are a student or an employee: if you do not want anyone prying into your business, use a VPN.

There are several types of VPN. The most common are PPTP VPN, Site-to-Site VPN, L2TP VPN, IPsec, SSL, MPLS VPN and Hybrid VPN. Below we look at each in more detail.

  1. PPTP VPN

PPTP stands for Point-to-Point Tunneling Protocol. As the name suggests, a PPTP VPN creates a tunnel and encapsulates data in it. This is the most common VPN type. A PPTP VPN lets you connect to a VPN network over your existing Internet connection. This type of VPN suits both business and home use. A password is used to access the network. PPTP is well suited to home and business use because it requires no additional hardware and allows for low-cost, uncomplicated deployment. PPTP is widely supported on Windows, Mac and Linux.

While PPTP VPNs offer many benefits, they are not without drawbacks. The main one is that the PPTP protocol itself does not provide encryption. In addition, PPTP is based on the PPP protocol, which also does not provide a high level of security.

  2. Site-to-Site VPN

Site-to-site, also called router-to-router, is the most common type of VPN in business. It is typical for companies with offices in different parts of one country or in several countries, since it makes it possible to join all their computers into a single network. Such VPNs are also known as intranet VPNs (a VPN over an internal network). Another option is possible: companies using a site-to-site VPN can connect to other companies' servers in the same way, which is then called an extranet VPN. In simple terms, this type of VPN is a kind of bridge between networks in different locations, providing both a secure connection between them and Internet connectivity.

Like PPTP, a site-to-site VPN creates a secure network. However, there is no dedicated line, so different company computers can connect to the network. Unlike PPTP, encryption is performed either by special devices or by applications at both ends of the network.

  3. L2TP VPN

L2TP stands for Layer 2 Tunneling Protocol and was developed by Microsoft and Cisco. An L2TP VPN is combined with another protocol to provide a more secure connection. With the L2TP protocol, a tunnel is formed between two L2TP connection points, and data is encrypted using another protocol, such as IPsec.

L2TP operates similarly to PPTP. The main similarities are the lack of built-in encryption and the reliance on the PPP protocol. The difference lies in the protection and safety of the data: L2TP-based VPNs provide a more secure and reliable connection.

  4. IPsec

IPsec stands for Internet Protocol Security. It is a VPN protocol used to provide network security. The protocol establishes a tunnel to a remote host. Each session is verified and data packets are encrypted, so IPsec provides a high level of connection security. The protocol operates in two modes, transport and tunnel, and both serve to secure data transfer between different networks. In transport mode, the message inside the data packet is encrypted. In tunnel mode, the entire data packet is encrypted. The advantage of IPsec is that it can be used alongside other protocols to enhance network security.

Although IPsec is a useful and convenient protocol, its main disadvantage is the time it takes to install client applications.

  5. SSL and TLS

SSL stands for Secure Sockets Layer and TLS for Transport Layer Security. They work as one protocol, and both are used to create VPNs. In such a connection the web browser acts as the client, and the user gets access to specific applications instead of the entire network. SSL and TLS are used in online commerce. SSL and TLS provide a secure session from the browser to the application server. The browser switches to SSL without requiring any additional action from the user. The vast majority of modern browsers already include SSL and TLS. An SSL connection shows https instead of http in the address.

  6. MPLS VPN

VPN services that support Multi-Protocol Label Switching (MPLS) are best used for site-to-site connections, because MPLS is the most flexible option with the widest room for adaptation. MPLS is based on standards used to speed up the distribution of network packets across multiple protocols. MPLS-enabled VPN services are VPN services configured to work with Internet service providers, where two or more sites can join together to form a VPN using the same Internet provider. However, the biggest disadvantage of MPLS-enabled VPN services is that such a network is much more difficult to set up than other VPNs, and it is more difficult to modify. As a result, VPN services with MPLS support are more expensive for users.

  7. Hybrid VPN

A hybrid VPN combines MPLS and IPSec. The two types are usually used separately on different nodes. However, sometimes a node allows both types of protocol to be connected simultaneously. This is done to improve the reliability of MPLS using IPSec.

IPSec, as mentioned earlier, requires certain hardware, usually a router or a multi-purpose security device. With its help, the data is encrypted and a VPN tunnel is formed. MPLS is used on the data transmission channel, on the transmission equipment itself.

To join these two types of VPN, a gateway is installed where the IPSec tunnel is terminated and the connection to MPLS is made while maintaining data security.

Hybrid VPNs are used by companies because MPLS is often not suitable for their hosts. MPLS provides many benefits over shared connectivity, but the cost is high. With a hybrid network, you can connect to a central node through a remote one. Hybrid VPNs are the most expensive, but at the same time very flexible in configuration.

Conclusions

Overall, choosing the right type of VPN is quite difficult. To understand what type of VPN you need, you first need to understand what type of security you want. It also depends on whether you are a student, a small business owner or a large company. You should consider whether a simple security system will suffice or whether a more complex one, such as a hybrid VPN, will be required. Another factor that must be taken into account is cost. How much money are you willing to spend to ensure a secure Internet connection? Once you answer these questions, the choice will become much easier. And, of course, you can always expand your knowledge on this issue. Good luck!

Recently, the world of telecommunications has shown increased interest in virtual private networks (VPN). This is due to the need to reduce the cost of maintaining corporate networks by connecting remote offices and remote users more cheaply via the Internet. Indeed, when comparing the cost of connecting several networks via the Internet with, for example, Frame Relay networks, a significant difference in cost is noticeable. However, when networks are connected via the Internet, the question of data transmission security immediately arises, so it became necessary to create mechanisms to ensure the confidentiality and integrity of the transmitted information. Networks built on the basis of such mechanisms are called VPNs.

In addition, a modern person developing his business very often has to travel a lot, whether to remote corners of our country or abroad. People often need access to information stored on their home or company computer. This problem can be solved by organizing remote access using a modem and a telephone line. Using a telephone line has its own peculiarities; the disadvantage of this solution is that calling from another country costs a lot of money. There is another solution, called VPN. The advantage of VPN technology is that remote access is organized not through a telephone line but through the Internet, which is much cheaper and better. In my opinion, VPN technology has the potential to become widespread around the world.

1. Concept and classification of VPN networks, their construction

1.1 What is a VPN

VPN (Virtual Private Network) is a logical network created on top of another network, for example the Internet. Although communication is carried out over public networks using insecure protocols, encryption creates information exchange channels that are closed to outsiders. A VPN makes it possible, for example, to combine several offices of an organization into a single network using uncontrolled channels for communication between them.

At its core, a VPN has many of the properties of a leased line, but it is deployed within a public network such as the Internet. With the tunneling technique, data packets are transmitted across the public network as if over a normal point-to-point connection. A kind of tunnel is established between each sender-receiver pair: a secure logical connection that allows data of one protocol to be encapsulated in packets of another. The main components of the tunnel are:

  • initiator;
  • routed network;
  • tunnel switch;
  • one or more tunnel terminators.

The principle of VPN operation itself does not contradict basic network technologies and protocols. For example, when establishing a remote access connection, the client sends a stream of standard PPP protocol packets to the server. In the case of organizing virtual leased lines between local networks, their routers also exchange PPP packets. However, a fundamentally new aspect is the forwarding of packets through a secure tunnel organized within a public network.

Tunneling makes it possible to transmit packets of one protocol in a logical environment that uses a different protocol. As a result, it becomes possible to solve the problems of interaction between several different types of networks, from the need to ensure the integrity and confidentiality of transmitted data to overcoming inconsistencies in external protocols or addressing schemes.

A corporation's existing network infrastructure can be prepared for VPN use using either software or hardware. Setting up a virtual private network can be compared to laying a cable across a global network. Typically, a direct connection between a remote user and a tunnel end device is established using the PPP protocol.

The most common method of creating VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the resulting packets in the tunneling protocol. Usually the latter is IP or (much less often) ATM or Frame Relay. This approach is called Layer 2 tunneling, since the “passenger” here is a Layer 2 protocol.

An alternative approach, encapsulating network protocol packets directly into a tunneling protocol (such as VTP), is called Layer 3 tunneling.

No matter what protocols are used or what purposes are pursued when organizing a tunnel, the basic technique remains practically unchanged. Typically, one protocol is used to establish a connection with a remote node, and another is used to encapsulate data and service information for transmission through the tunnel.

1.2 Classification of VPN networks

VPN solutions can be classified according to several main parameters:

1. By type of environment used:

  • Secure VPN networks. The most common kind of virtual private network. They make it possible to create a reliable and secure subnet on top of an unreliable network, usually the Internet. Examples of secure VPNs are IPSec, OpenVPN and PPTP.
  • Trusted VPN networks. They are used when the transmission medium can be considered reliable and the only task is to create a virtual subnet within a larger network; security issues become irrelevant. Examples of such VPN solutions are MPLS and L2TP. It would be more correct to say that these protocols shift the task of ensuring security to others; for example, L2TP is, as a rule, used in conjunction with IPSec.

2. According to the method of implementation:

  • VPN networks in the form of special software and hardware. The VPN is implemented using a special set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.
  • VPN networks as a software solution. A personal computer with special software that provides VPN functionality is used.
  • VPN networks as an integrated solution. VPN functionality is provided by a system that also handles filtering of network traffic, firewalling and quality of service.

3. By purpose:

  • Intranet VPN. Used to unite several distributed branches of one organization into a single secure network that exchanges data via open communication channels.
  • Remote Access VPN. They are used to create a secure channel between a corporate network segment (central office or branch) and a single user who, working at home, connects to corporate resources from a home computer or, while on a business trip, connects to corporate resources using a laptop.
  • Extranet VPN. Used for networks to which “external” users (for example, customers or clients) connect. The level of trust in them is much lower than in company employees, so it is necessary to provide special “lines” of protection that prevent or limit the latter’s access to particularly valuable, confidential information.

4. By protocol type:

  • There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. Today, however, there is a general trend towards TCP/IP, and the vast majority of VPN solutions support it.

5. By network protocol level:

  • By network protocol layer based on comparison with the layers of the ISO/OSI reference network model.

1.3. Building a VPN

There are various options for building a VPN. When choosing a solution, you need to consider the performance of the devices that will build the VPN. For example, if a router is already operating at maximum capacity, then adding VPN tunnels and encrypting/decrypting traffic can bring the entire network to a halt, because that router will no longer be able to cope even with ordinary traffic, let alone a VPN. Experience shows that it is best to use specialized equipment to build a VPN, but if funds are limited, a purely software solution is worth considering. Let's look at some options for building a VPN.

  • VPN based on firewalls. Most firewall vendors support tunneling and data encryption. All such products are based on the fact that traffic passing through the firewall is encrypted: an encryption module is added to the firewall software itself. The disadvantage of this method is that performance depends on the hardware on which the firewall runs. When using PC-based firewalls, remember that such a solution can only be used for small networks with a small volume of transmitted information.
  • Router-based VPN. Another way to build a VPN is to use routers to create secure channels. Since all information leaving the local network passes through a router, it makes sense to assign encryption tasks to that router. An example of equipment for building a VPN on routers is equipment from Cisco Systems. Beginning with IOS software version 11.3, Cisco routers support the L2TP and IPSec protocols. In addition to simple traffic encryption, Cisco supports other VPN features such as authentication when the tunnel is established and key exchange. To improve router performance, an optional ESA encryption module can be used. In addition, Cisco Systems has released a specialized VPN device, the Cisco 1720 VPN Access Router, intended for small and medium-sized companies and for branches of large organizations.
  • Software-based VPN. The next approach to building a VPN is a purely software solution. Such a solution uses specialized software that runs on a dedicated computer and in most cases acts as a proxy server. The computer running this software may be located behind a firewall.
  • VPN based on a network OS. We will look at solutions based on a network OS using Microsoft Windows as an example. To create a VPN, Microsoft uses the PPTP protocol, which is integrated into Windows. This solution is very attractive for organizations that use Windows as their corporate operating system, and its cost is significantly lower than that of other solutions. A Windows-based VPN uses the user database stored on the Primary Domain Controller (PDC). When connecting to a PPTP server, the user is authenticated using the PAP, CHAP or MS-CHAP protocols. Transmitted packets are encapsulated in GRE/PPTP packets. To encrypt packets, Microsoft's non-standard Microsoft Point-to-Point Encryption (MPPE) protocol is used with a 40- or 128-bit key obtained when the connection is established. The disadvantages of this system are the lack of data integrity checking and the inability to change keys during the connection. The positive aspects are ease of integration with Windows and low cost.
  • Hardware-based VPN. Building a VPN on special-purpose devices can be used in networks that require high performance. An example of such a solution is the IPro-VPN product from Radguard. This product uses hardware encryption of transmitted information and can handle a stream of 100 Mbit/s. IPro-VPN supports the IPSec protocol and the ISAKMP/Oakley key management mechanism. Among other things, this device supports network address translation and can be supplemented with a special card that adds firewall functions.

2. VPN protocols

VPN networks are built using protocols that tunnel data through the public Internet; the tunneling protocols provide data encryption and end-to-end transmission between users. As a rule, protocols of the following layers are used today to build VPN networks:

  • Data link layer
  • Network layer
  • Transport layer

2.1 Link layer

At the link layer, the L2TP and PPTP data tunneling protocols can be used, which employ authorization and authentication.

PPTP

Currently, the most common VPN protocol is the Point-to-Point Tunneling Protocol (PPTP). It was developed by 3Com and Microsoft to provide secure remote access to corporate networks via the Internet. PPTP uses existing open TCP/IP standards and relies heavily on the legacy PPP point-to-point protocol. In practice, PPP remains the communication protocol of the PPTP connection session. PPTP creates a tunnel through the network to the recipient's NT server and transmits the remote user's PPP packets through it. The server and workstation use the virtual private network without regard to how secure or accessible the WAN between them is. Terminating a connection session at the server's initiative, unlike with specialized remote access servers, allows local network administrators to keep remote users from escaping the Windows NT Server security system.

Although PPTP applies only to devices running Windows, it gives companies the ability to interoperate with existing network infrastructures without compromising their own security systems. Thus a remote user can connect to the Internet through a local provider via an analogue telephone line or an ISDN channel and establish a connection to the NT server. At the same time, the company does not have to spend large sums on organizing and maintaining a pool of modems providing remote access services.

The operation of PPTP is discussed below. PPTP encapsulates IP packets for transmission over an IP network. PPTP clients use a designated destination port to create a tunnel control connection. This process occurs at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin exchanging service packets. In addition to the PPTP control connection that keeps the link operational, a connection is created to forward the data through the tunnel. Encapsulating data before sending it through the tunnel differs somewhat from normal transmission and involves two steps:

  1. First, the PPP information part is created. Data flows from top to bottom, from the OSI application layer to the data link layer.
  2. The resulting data is then sent back up the OSI model and encapsulated by upper-layer protocols.

Thus, during the second pass, the data reaches the transport layer. However, the information cannot yet be sent to its destination, since the data link layer of the OSI model is responsible for that. Therefore, PPTP encrypts the payload field of the packet and takes over the Layer 2 functions usually associated with PPP, i.e. it adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame.

Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IPX, AppleTalk and DECnet so that they can be transported over IP networks. However, GRE cannot establish sessions or protect data from intruders; for that, PPTP's ability to create a tunnel control connection is used. Using GRE as the encapsulation method limits the scope of PPTP to IP networks only.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the source and destination addresses of the packet. Finally, PPTP adds a PPP header and trailer.

The sending system sends data through the tunnel. The receiving system removes all overhead headers, leaving only the PPP data.
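The PPP -> GRE -> IP encapsulation just described, as an added example that is not part of the original article: a small Python model of PPTP's data path per RFC 2637 (enhanced GRE with protocol type 0x880B, a Key field holding payload length and call ID, sequence and acknowledgment numbers, carried in IP protocol 47), with the receiving side stripping the headers back off and rejecting malformed packets. Addresses, call IDs and the inner payload are constructed; the TCP control connection and MPPE encryption of the PPP payload are not modelled.

```python
"""PPTP data-path framing (RFC 2637): PPP frame -> enhanced GRE -> IPv4.
Added example; constructed values only, not code from the article."""
import socket
import struct
from typing import Optional

GRE_PROTO_PPP = 0x880B   # protocol type PPTP puts in the enhanced GRE header
IPPROTO_GRE = 47         # IP protocol number carried by the outer IP header
PPP_PROTO_IP = 0x0021    # PPP protocol field for an IPv4 payload
GRE_FLAG_K = 0x2000      # Key field present (payload length + call ID)
GRE_FLAG_S = 0x1000      # sequence number present (data packets)
GRE_FLAG_A = 0x0080      # acknowledgment number present
GRE_VER_MASK = 0x0007    # version must be 1 for enhanced GRE


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum; 0 when verifying a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ppp_frame(payload: bytes, proto: int = PPP_PROTO_IP) -> bytes:
    """Step 1 of the text: the PPP information part (address, control, protocol, data)."""
    return b"\xff\x03" + struct.pack("!H", proto) + payload


def build_gre(call_id: int, seq: int, ppp: bytes, ack: Optional[int] = None) -> bytes:
    """Enhanced GRE header: K and S set, version 1, A bit and ack field when piggybacking an ack."""
    flags = GRE_FLAG_K | GRE_FLAG_S | 1
    if ack is not None:
        flags |= GRE_FLAG_A
    hdr = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


def build_ip(src: str, dst: str, payload: bytes) -> bytes:
    """Outer IPv4 header (no options), protocol 47, checksum filled in."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                      IPPROTO_GRE, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_pptp_data(src, dst, call_id, seq, ppp, ack=None) -> bytes:
    """Full encapsulation as the sending system emits it: PPP -> GRE -> IP."""
    return build_ip(src, dst, build_gre(call_id, seq, ppp, ack))


def parse_pptp_data(packet: bytes) -> dict:
    """Receiving side: validate and strip the IP and GRE headers, leaving the PPP frame."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    gre = packet[ihl:]
    flags, ptype, plen, call_id, seq = struct.unpack("!HHHHI", gre[:12])
    if (ptype != GRE_PROTO_PPP or (flags & GRE_VER_MASK) != 1
            or not flags & GRE_FLAG_K or not flags & GRE_FLAG_S):
        raise ValueError("not a PPTP enhanced GRE data header")
    off, ack = 12, None
    if flags & GRE_FLAG_A:
        ack = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    ppp = gre[off:off + plen]
    if len(ppp) != plen:                      # length field must match what is on the wire
        raise ValueError("truncated PPP payload")
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "call_id": call_id, "seq": seq, "ack": ack, "ppp": ppp}


if __name__ == "__main__":
    frame = ppp_frame(b"constructed inner IP datagram")
    pkt = build_pptp_data("198.51.100.10", "198.51.100.1", 7, 42, frame, ack=41)
    print(parse_pptp_data(pkt))
```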

L2TP

In the near future, an increase in the number of virtual private networks deployed on the basis of the new Layer 2 tunneling protocol, the Layer 2 Tunneling Protocol (L2TP), is expected.

L2TP emerged from the combination of the PPTP and L2F (Layer 2 Forwarding) protocols. PPTP allows PPP packets to be transmitted through the tunnel, and L2F allows SLIP and PPP packets. To avoid confusion and interoperability problems in the telecommunications market, the Internet Engineering Task Force (IETF) recommended that Cisco Systems combine PPTP and L2F. By all accounts, L2TP combines the best features of PPTP and L2F. The main advantage of L2TP is that it allows a tunnel to be created not only in IP networks but also in networks such as ATM, X.25 and Frame Relay. Unfortunately, the Windows 2000 implementation of L2TP supports only IP.

L2TP uses UDP as its transport protocol and uses the same message format for both tunnel control and data forwarding. L2TP as implemented by Microsoft uses UDP packets containing encrypted PPP packets as control messages. Delivery reliability is guaranteed by packet sequence control.

The functionality of PPTP and L2TP differs. L2TP can be used not only in IP networks, and its service messages for creating a tunnel and sending data through it use the same format and protocols. PPTP can be used only on IP networks and requires a separate TCP connection to create and use the tunnel. L2TP over IPSec offers more layers of security than PPTP and can guarantee nearly 100 percent security for your organization's critical data. These features make L2TP a very promising protocol for building virtual networks.

The L2TP and PPTP protocols differ from Layer 3 tunneling protocols in a number of features:

  1. Providing corporations with the opportunity to independently choose the method of authenticating users and verifying their credentials - on their own “territory” or with an Internet service provider. By processing tunneled PPP packets, corporate network servers receive all the information necessary to identify users.
  2. Support for tunnel switching - terminating one tunnel and initiating another to one of many potential terminators. Tunnel switching allows you to extend the PPP connection to the required endpoint.
  3. Enabling corporate network administrators to implement user access control policies directly on the firewall and internal servers. Because tunnel terminators receive PPP packets containing user information, they can apply administrator-defined security policies to individual users' traffic. (Layer 3 tunneling does not allow packets coming from the provider to be distinguished, so security policy filters must be applied on end workstations and network devices.) In addition, if a tunnel switch is used, it becomes possible to organize a “continuation” of the Layer 2 tunnel for the direct transmission of individual users' traffic to the relevant internal servers. Such servers may be tasked with additional packet filtering.

MPLS

MPLS technology can also be used at the data link level to organize tunnels (Multiprotocol Label Switching is a data transfer mechanism that emulates various properties of circuit-switched networks over packet-switched networks). MPLS operates at a layer that could be positioned between the data link layer and the network layer of the OSI model, and is therefore commonly referred to as a data link layer protocol. It was designed to provide a universal data service for both circuit-switched and packet-switched network clients. MPLS can carry a wide variety of traffic, such as IP packets and ATM, SONET and Ethernet frames.

Solutions for organizing VPN at the link level have a fairly limited scope, usually within the provider’s domain.

2.2 Network layer

Network layer (IP layer). The IPSec protocol is used, which implements data encryption and confidentiality as well as subscriber authentication. Using IPSec allows full-featured access equivalent to a physical connection to the corporate network. To establish a VPN, each participant must configure certain IPSec parameters, i.e. each client must have software that implements IPSec.

IPSec

Naturally, no company would want to transfer financial or other confidential information openly over the Internet. VPN channels are protected by strong encryption algorithms based on the IPsec security protocol standards. IPSec, or Internet Protocol Security, a standard chosen by the international community, the IETF (Internet Engineering Task Force), creates the security framework for the Internet Protocol (IP). The IPSec protocol provides security at the network level and requires support for the IPSec standard only from the devices communicating with each other at the two ends of the connection. All the remaining devices between them simply forward IP packet traffic.

The method of interaction between parties using IPSec is usually described by the term “security association” (SA). A security association operates on the basis of an agreement between the parties that use IPSec to protect the information they send each other. This agreement sets several parameters: sender and recipient IP addresses, cryptographic algorithm, key exchange procedure, key sizes, key lifetime and authentication algorithm.

IPSec is a consistent set of open standards with a core that can be easily extended with new features and protocols. The core of IPSec consists of three protocols:

· AH or Authentication Header - guarantees the integrity and authenticity of the data. The main purpose of the AH protocol is to allow the receiving side to verify that:

  • the packet was sent by a party with which a secure association has been established;
  • the contents of the packet were not distorted during its transmission over the network;
  • the packet is not a duplicate of an already received packet.

The first two functions are mandatory for the AH protocol, and the last is selected optionally when the association is established. To perform these functions, the AH protocol uses a special header with the following structure:

  1. The Next Header field indicates the code of the higher-level protocol, that is, the protocol whose message is located in the data field of the IP packet.
  2. The Payload Length field contains the length of the AH header.
  3. The Security Parameters Index (SPI) is used to associate a packet with its intended security association.
  4. The Sequence Number (SN) field holds the packet's sequence number and is used to protect against replay (spoofing, when a third party attempts to reuse intercepted secure packets sent by the real authenticated sender).
  5. The Authentication Data field, which contains the so-called Integrity Check Value (ICV), is used to authenticate the packet and check its integrity. This value, also called a digest, is computed using one of the two computationally irreversible functions MD5 or SHA-1 that the AH protocol requires, although any other function may be used.

· ESP or Encapsulating Security Payload - encrypts the transmitted data, ensuring confidentiality, and can also support authentication and data integrity.

The ESP protocol solves two groups of problems.

  1. The first includes tasks similar to those of the AH protocol: ensuring authentication and data integrity based on the digest.
  2. The second is protecting the transmitted data from unauthorized viewing by encrypting it.

The header is divided into two parts, separated by the data field.

  1. The first part, called the ESP header proper, consists of two fields (SPI and SN), whose purpose is the same as that of the fields of the same name in the AH protocol, and is placed before the data field.
  2. The remaining ESP service fields, called the ESP trailer, are located at the end of the packet.

The two trailer fields - Next Header and Authentication Data - are similar to the fields of the AH header. The Authentication Data field is absent if it was decided not to use the integrity capabilities of ESP when establishing the security association. In addition to these fields, the trailer contains two more fields: padding and pad length.
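The AH header fields and the ESP header/trailer layout described above, as an added example that is not part of the original article: Python that builds and parses both framings with an HMAC-SHA1-96 ICV, plus the anti-replay sliding window that the SN field feeds. It assumes constructed keys and SPIs, leaves the ESP payload unencrypted so the framing stays visible, and computes the AH ICV over the AH header and payload only (a real implementation also covers the outer IP header's immutable fields).

```python
"""AH and ESP framing with an HMAC-SHA1-96 ICV and a sequence-number replay window.
Added example with constructed values; simplified relative to RFC 4302/4303."""
import hashlib
import hmac
import struct

IPPROTO_UDP = 17
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, SN


def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2 (so 4 for HMAC-SHA1-96)
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    # ICV is computed with its own field zeroed; simplified: outer IP header not included
    return fixed + _icv(key, fixed + bytes(ICV_LEN) + payload) + payload


def parse_ah(pkt: bytes, key: bytes):
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", pkt[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = pkt[AH_FIXED_LEN:ah_len], pkt[ah_len:]
    expected = _icv(key, pkt[:AH_FIXED_LEN] + bytes(len(icv)) + payload)
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH integrity check failed")
    return next_header, spi, seq, payload


def build_esp(next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    # Pad so that payload + padding + pad length + next header is 4-byte aligned;
    # default padding bytes are 1, 2, 3, ... as in RFC 4303. NULL encryption assumed.
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    return header + body + _icv(key, header + body)


def parse_esp(pkt: bytes, key: bytes):
    header, body, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, header + body)):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]          # trailer: pad length, next header
    return next_header, spi, seq, body[:len(body) - 2 - pad_len]


class ReplayWindow:
    """Sliding window on the SN field: rejects duplicates and packets older than the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number top - i was received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                        # SN 0 is never valid on an SA
            return False
        if seq > self.top:                  # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                    # too old, or already seen: a replay
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    key = b"constructed-sa-key"
    print(parse_ah(build_ah(IPPROTO_UDP, 0x1001, 1, b"hello", key), key))
    print(parse_esp(build_esp(IPPROTO_UDP, 0x2002, 7, b"hello", key), key))
```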

The AH and ESP protocols can protect data in two modes:

  1. in transport mode, transmission is carried out with the original IP headers;
  2. in tunnel mode, the original packet is placed in a new IP packet and transmission is carried out with new headers.

The use of one mode or another depends on the requirements for data protection, as well as on the role played in the network by the node that terminates the secure channel. Thus, a node can be a host (end node) or a gateway (intermediate node).

Accordingly, there are three schemes for using the IPSec protocol:

  1. host-host;
  2. gateway-gateway;
  3. host-gateway.

The capabilities of the AH and ESP protocols partially overlap: AH is responsible only for data integrity and authentication, while ESP can encrypt data and, in addition, perform the functions of AH (in a reduced form). ESP can support encryption and authentication/integrity in any combination: the whole group of functions, authentication/integrity only, or encryption only.

· IKE, or Internet Key Exchange, solves the auxiliary task of automatically supplying the endpoints of a secure channel with the secret keys required by the authentication and encryption protocols; it authenticates the peers (with pre-shared keys or certificates) and negotiates the security associations in which those keys are used. The current version is IKEv2 (RFC 7296).

2.3 Transport layer

The transport layer uses SSL/TLS (Secure Sockets Layer/Transport Layer Security), which implements encryption and authentication between the transport layers of the sender and the receiver. TLS runs over TCP; for UDP traffic its datagram variant, DTLS, exists. To run a VPN based on SSL/TLS there is often no need to install special software, since every browser and mail client already implements these protocols. Because SSL/TLS sits above the transport layer, the secure connection is established "end-to-end" between the two application endpoints; it protects that one connection, not the host's other traffic.

The TLS protocol is based on Netscape's SSL version 3.0 and consists of two parts: the TLS Record Protocol and the TLS Handshake Protocol. The differences between SSL 3.0 and TLS 1.0 are minor, which is also why both share the weaknesses that have since led to their deprecation (SSL 3.0 in RFC 7568, TLS 1.0 and 1.1 in RFC 8996); a VPN built today should accept only TLS 1.2 or 1.3.

SSL/TLS includes three main phases:

  1. A handshake between the parties whose purpose is to agree on the protocol version and the cipher suite (key exchange, authentication, encryption and integrity algorithms);
  2. Key exchange based on public-key cryptography (today usually ephemeral Diffie-Hellman) together with certificate-based authentication of the server and, optionally, of the client;
  3. Transfer of data encrypted and integrity-protected with symmetric algorithms, using keys derived from the previous phase.
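The link between phase 2 and phase 3 is a key derivation step, and the following added example (not code from the original article) shows it concretely. It goes beyond the SSL 3.0/TLS 1.0 text above and implements the current TLS 1.3 handshake key schedule (RFC 8446 section 7.1) on top of HKDF (RFC 5869) for a SHA-256 cipher suite such as TLS_AES_128_GCM_SHA256. The ECDHE shared secret and the handshake transcript are constructed stand-ins for real handshake values; the HKDF functions themselves are checked against the published RFC 5869 test vector.

```python
"""HKDF (RFC 5869) and the TLS 1.3 handshake key schedule (RFC 8446 section 7.1)."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ... with T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446: HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>,
    with the label prefixed by "tls13 "."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def transcript_hash(messages: bytes) -> bytes:
    """Hash of the concatenated handshake messages exchanged so far."""
    return HASH(messages).digest()


def derive_secret(secret: bytes, label: str, th: bytes) -> bytes:
    return hkdf_expand_label(secret, label, th, HASH_LEN)


def handshake_keys(ecdhe_shared_secret: bytes, th: bytes, key_len: int = 16, iv_len: int = 12):
    """Turn the phase-2 key-exchange output into the phase-3 symmetric keys.
    Returns handshake traffic key and IV for each direction (AES-128-GCM sizes)."""
    early_secret = hkdf_extract(b"", bytes(HASH_LEN))               # no PSK: IKM is all zeros
    derived = derive_secret(early_secret, "derived", transcript_hash(b""))
    handshake_secret = hkdf_extract(derived, ecdhe_shared_secret)   # (EC)DHE enters here
    out = {}
    for side, label in (("client", "c hs traffic"), ("server", "s hs traffic")):
        traffic_secret = derive_secret(handshake_secret, label, th)
        out[side] = {
            "key": hkdf_expand_label(traffic_secret, "key", b"", key_len),
            "iv": hkdf_expand_label(traffic_secret, "iv", b"", iv_len),
        }
    return out


def demo():
    """Constructed inputs: a 32-byte shared secret and a fake ClientHello||ServerHello transcript."""
    shared = bytes.fromhex("01" * 32)                                 # constructed ECDHE output
    th = transcript_hash(b"ClientHello||ServerHello")                 # constructed transcript
    return handshake_keys(shared, th)


if __name__ == "__main__":
    for side, material in demo().items():
        print(side, material["key"].hex(), material["iv"].hex())
```

Note that the transcript hash is an input to every traffic secret: if an attacker tampers with the phase-1 negotiation (for example, to force a weaker cipher suite), the two sides compute different keys and the handshake fails. That is how TLS 1.3 makes the negotiation itself tamper-evident.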

2.4 VPN Implementation: IPSec or SSL/TLS?

IT managers are often faced with the question of which protocol to choose for building a corporate VPN. The answer is not obvious, since each approach has both pros and cons. Below we compare the two and identify when IPsec should be used and when SSL/TLS. As the analysis of their characteristics shows, they are not interchangeable; they can be operated separately or in parallel, each defining the functional features of the VPN built on it.

The choice of protocol for building a corporate VPN network can be made according to the following criteria:

· Type of access required for VPN users.

  1. Fully functional, always-on connection to the corporate network. The recommended choice is the IPSec protocol.
  2. Temporary connection, e.g. mobile user or a user using a public computer in order to gain access to certain services, for example, e-mail or database. The recommended choice is the SSL/TLS protocol, which allows you to organize a VPN for each individual service.

· Whether the user is an employee of the company.

  1. If the user is an employee of the company, the device he uses to access the corporate network via an IPsec VPN can be configured and managed centrally (client software, certificates, policy).
  2. If the user is not an employee of the company to which the corporate network is being accessed, it is recommended to use SSL/TLS. This will limit guest access to certain services only.

· What is the security level of the corporate network.

  1. High. The recommended choice is IPsec. The higher assurance comes not from stronger cryptography but from the deployment model: a managed, configured client on the user side and a security gateway on the corporate side give the organization control over both ends of the tunnel.
  2. Average. The recommended choice is the SSL/TLS protocol, which allows access from any terminal.

· Security level of data transmitted by the user.

  1. High, for example, company management. The recommended choice is the IPSec protocol.
  2. Average, for example, partner. The recommended choice is the SSL/TLS protocol.

  3. Depending on the service, from medium to high. The recommended choice is a combination of IPsec (for services requiring a high level of security) and SSL/TLS (for services requiring a medium level of security).

· Whether fast VPN deployment or future scalability of the solution is more important.

  1. Quickly deploy a VPN network at minimal cost. The recommended choice is the SSL/TLS protocol. In this case, there is no need to implement special software on the user side as in the case of IPSec.
  2. VPN network scalability - adding access to various services. The recommended choice is the IPSec protocol, which allows access to all services and resources of the corporate network.
  3. Fast deployment and scalability. The recommended choice is a combination of IPSec and SSL/TLS: using SSL/TLS in the first stage to access the necessary services, followed by the implementation of IPSec.

3. Methods for implementing VPN networks

A virtual private network is based on three implementation methods:

· Tunneling;

· Encryption;

· Authentication.

3.1 Tunneling

Tunneling ensures the transfer of data between two points - the ends of the tunnel - in such a way that the entire network infrastructure lying between them is hidden from the source and receiver of the data.

The transport medium of the tunnel, like a ferry, picks up packets of the network protocol used at the entrance to the tunnel and delivers them unchanged to the exit. Building a tunnel is enough to connect two network nodes so that, from the point of view of the software running on them, they appear to be connected to the same (local) network. However, we must not forget that in fact the “ferry” with data passes through many intermediate nodes (routers) of an open public network.

This state of affairs poses two problems. The first is that information transmitted through the tunnel can be intercepted by attackers. If it is confidential (bank card numbers, financial statements, personal data), the threat of compromise is quite real, which is unpleasant in itself. Even worse, attackers can modify the data passing through the tunnel, and the recipient will have no way to verify its authenticity. The consequences can be dire. Hence a tunnel in its pure form is suitable only for some kinds of network computer games and cannot claim more serious use. Both problems are solved by modern cryptographic protection. To prevent unauthorized changes to a packet as it travels through the tunnel, each packet is given an additional block of data, an integrity check value, which is unique to the packet's contents and to a secret key shared by the two ends of the tunnel (in IPsec a keyed hash such as HMAC, or an AEAD tag). The recipient, holding the same key, recomputes the value and rejects any packet that does not match; a sequence number covered by the check also lets it reject replayed packets. Digital signatures based on asymmetric cryptography are used as well, but for authenticating the peers when the tunnel is set up and its keys are negotiated, not per packet: signing every packet would be far too slow. Protection of the data from unauthorized viewing is achieved with strong encryption algorithms.

3.2 Authentication

Security is the main function of a VPN. All data from client computers passes over the Internet to the VPN server. Such a server may be far away from the client, and the data on its way to the organization's network crosses the equipment of many providers. How can one be sure that the data has not been read or modified? Various authentication and encryption methods are used for this.

PPTP can use any of the protocols used by PPP to authenticate users:

  • EAP or Extensible Authentication Protocol;
  • MSCHAP or Microsoft Challenge Handshake Authentication Protocol (versions 1 and 2);
  • CHAP or Challenge Handshake Authentication Protocol;
  • SPAP or Shiva Password Authentication Protocol;
  • PAP or Password Authentication Protocol.

The strongest of these are MS-CHAP version 2 and EAP-TLS, because they provide mutual authentication: the VPN server and the client verify each other, whereas in all other protocols only the server authenticates the client. One caveat a practitioner must know: the MS-CHAPv2 response is built from three DES operations keyed by the user's NT password hash, and since 2012 it has been publicly demonstrated that a single captured exchange lets an attacker recover that hash by exhaustive DES search (about 2^56 work) and then impersonate the user and decrypt the MPPE session. Only EAP-TLS, or another certificate-based EAP method, should be considered strong today.

PPTP was once considered adequately secure, but L2TP over IPsec is far more reliable: it authenticates at both the computer and the user level, and the data is authenticated and encrypted by IPsec (ESP) rather than by MPPE.

Authentication is carried out either with a plaintext password or with a challenge/response scheme. The plaintext case is simple: the client sends the server its password, the server compares it with the stored value and either denies access or says "welcome". Plaintext authentication is almost never seen, since anyone who observes the exchange learns the password.

The challenge/response scheme is more advanced. In general it looks like this:

  • the client asks the server for authentication;
  • the server returns a random value (the challenge), which must be unpredictable and never reused;
  • the client takes a hash of its password (a hash is the result of a hash function, which maps input data of arbitrary length to a bit string of fixed length), combines it with the challenge (by encrypting or hashing the challenge under it) and sends the result to the server;
  • the server, which holds the same password or hash, performs the same computation and compares it with the client's response;
  • if the values match, authentication is considered successful.

The password itself never crosses the wire, and a captured response is useless against a fresh challenge. The scheme has two well-known limits, though: the server must store the password (or a hash equivalent to it) in a form it can compute with, and an eavesdropper who records the challenge and the response can test password guesses offline, so weak passwords remain weak.
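The exchange above, as an added example that is not part of the original article. It implements CHAP as specified in RFC 1994 (the MD5 variant listed among the PPP methods), with both sides' messages, one-shot challenges so that a replayed response is rejected, and the offline dictionary attack that a captured challenge/response pair permits. User names, secrets and the word list are constructed test data. MS-CHAPv2 differs in detail (DES operations keyed by the NT hash instead of an MD5 digest) but has the same offline-guessing exposure, and worse, as noted below.

```python
"""CHAP (RFC 1994) challenge/response: client, server, replay rejection, offline guessing."""
import hashlib
import hmac
import os

# Server-side credential store. CHAP requires the cleartext secret (or an equivalent) on the
# server because the server must recompute the response itself. Constructed test users.
SECRETS = {"alice": b"correct horse battery", "bob": b"winter2017"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Server:
    def __init__(self):
        self.pending = {}                      # identifier -> outstanding challenge

    def challenge(self):
        """Message 1, server -> client: Challenge packet (Identifier, Challenge value)."""
        ident = os.urandom(1)[0]
        chal = os.urandom(16)                  # unpredictable and never reused
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Message 3, server decides Success/Failure. The challenge is consumed on first use,
        so resending the same Response later fails even though it was once valid."""
        chal = self.pending.pop(ident, None)
        secret = SECRETS.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, chal: bytes):
        """Message 2, client -> server: Response packet (Identifier, Value, Name)."""
        return ident, self.name, chap_response(ident, self.secret, chal)


def run_exchange(client: Client, server: Server, replay: bool = False):
    """Drive one authentication. With replay=True, the same Response is sent a second time."""
    ident, chal = server.challenge()
    msg = client.respond(ident, chal)
    ok = server.verify(*msg)
    if replay:
        return ok, server.verify(*msg)
    return ok


def offline_guess(ident: int, chal: bytes, response: bytes, wordlist):
    """What an eavesdropper can do: challenge and response travel in clear, so every
    candidate password is testable offline at full speed. Returns the match or None."""
    for guess in wordlist:
        if chap_response(ident, guess, chal) == response:
            return guess
    return None


if __name__ == "__main__":
    print("alice:", run_exchange(Client("alice", SECRETS["alice"]), Server()))
    print("bob replayed:", run_exchange(Client("bob", SECRETS["bob"]), Server(), replay=True))
    captured_ident, captured_chal = 7, bytes(range(16))            # constructed captured exchange
    captured_resp = chap_response(captured_ident, SECRETS["bob"], captured_chal)
    print("guessed:", offline_guess(captured_ident, captured_chal, captured_resp,
                                    [b"password", b"winter2017", b"qwerty"]))
```

Two points are worth noticing. First, `verify` compares digests in constant time and consumes the challenge, so a recorded response cannot be replayed. Second, `offline_guess` needs nothing from the server: this is why a challenge/response method on its own is only as strong as the password, and why the text recommends running user authentication inside an already encrypted L2TP/IPsec or TLS session, where the challenge and response are not visible to an eavesdropper at all.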

In the first step of authenticating VPN clients and servers, L2TP over IPsec uses machine certificates issued by a certificate authority (or, less securely, a pre-shared key). The client and server exchange certificates and establish a secure ESP security association (SA). After L2TP over IPsec completes computer authentication, user-level authentication is performed. Any protocol can be used for it, even PAP, which transmits the username and password in clear text; this is acceptable only because the IPsec SA already encrypts the entire session. Using MS-CHAP for user authentication nevertheless improves matters: the user's password then does not appear even inside the tunnel, and the machine and user credentials remain separate, so a stolen machine certificate alone does not give access.

3.3. Encryption

PPTP encryption is meant to ensure that nobody can read your data while it is sent over the Internet. Two methods are supported:

  • MPPE, or Microsoft Point-to-Point Encryption, which is usable only together with MS-CHAP (versions 1 and 2), because its RC4 session keys are derived from the MS-CHAP credentials;
  • EAP-TLS, which derives the MPPE keys from the TLS handshake instead of from the password and can automatically select the encryption key length when negotiating parameters between client and server.

MPPE supports keys of 40, 56 or 128 bits. Older Windows versions support only 40-bit keys, so in a mixed Windows environment a connection may fall back to the shortest length. That fallback should be refused (require 128-bit on the server) rather than accepted: 40-bit RC4 is trivially brute-forced, and one weak client would otherwise define the security of the whole deployment.

PPTP can change the encryption key after each packet. MPPE was designed for point-to-point links on which packets arrive in order and very little data is lost; in that (stateful) mode the cipher state for the next packet depends on the previous packet having been decrypted. Virtual networks over public networks cannot guarantee this, since packets often arrive in a different order than they were sent. PPTP therefore uses the packet sequence number (the MPPE coherency count) to drive the key change, which lets each packet be decrypted regardless of the packets received before it.

Both protocols are implemented both in Microsoft Windows and elsewhere (for example in BSD), and the VPN operating algorithms of different implementations may differ significantly.

Thus the combination "tunneling + authentication + encryption" allows data to be transferred between two points through a public network while simulating the operation of a private (local) network. In other words, the tools considered above allow you to build a virtual private network.

An additional pleasant effect of a VPN connection is the possibility (indeed the necessity) of using the addressing scheme adopted in the local network.

In practice a virtual private network is implemented like this. A VPN server is installed in the local network of the company's office. A remote user (or a router, if two offices are being connected) initiates the connection procedure with the server using VPN client software. User authentication takes place; this is the first phase of establishing a VPN connection. If the credentials are confirmed, the second phase begins: the client and server agree on the details of securing the connection (algorithms and keys). After this the VPN connection is established, and every data packet exchanged between client and server goes through encryption/decryption and an integrity check, that is, data authentication.

Historically, the main problem with VPNs was the lack of established standards for authentication and encrypted information exchange: products of different manufacturers could not establish VPN connections with each other or exchange keys automatically. This slowed the spread of VPNs, since it is difficult to force different companies to use one manufacturer's products, and it made combining the networks of partner companies into so-called extranets hard. Today IPsec with IKEv2 and TLS are standardized and interoperate across vendors; the remaining friction comes from proprietary extensions and vendor-specific client software.

The advantage of VPN technology is that remote access is organized not over a telephone line but over the Internet, which is much cheaper and better. Its disadvantage is that VPN tools are not full-fledged means of detecting and blocking attacks: they prevent a number of unauthorized actions, but not every avenue an attacker may use to penetrate the corporate network, and a compromised remote endpoint enters the network through the tunnel like any legitimate one. Despite this, VPN technology has prospects for further development.

What can we expect from the development of VPN technology? Without doubt a unified standard for building such networks will be adopted, most likely based on the already proven IPsec protocol. Manufacturers will then focus on improving the performance of their products and on creating user-friendly VPN management tools. Development will most likely move toward router-based VPNs, since this combines fairly high performance with the integration of VPN and routing in one device. Low-cost solutions for small organizations will develop as well. In conclusion, although VPN technology is still young, it has a great future ahead of it.


Imagine a scene from an action-packed movie in which the villain escapes the crime scene along the highway in a sports car. He is being pursued by a police helicopter. The car enters a tunnel that has several exits. The helicopter pilot does not know which exit the car will appear from, and the villain escapes the chase.

VPN is a tunnel connecting many roads. No one from the outside knows where the cars entering it will end up. No one from the outside knows what is happening in the tunnel.

You have probably heard about VPNs more than once; Lifehacker writes about them too. Most often a VPN is recommended because with it you can access geo-blocked content and generally increase security when using the Internet. The truth is that accessing the Internet through a VPN can be no less dangerous than doing so directly.

How does a VPN work?

Most likely, you have a Wi-Fi router at home. Devices connected to it can exchange data even without the Internet. It turns out that you have your own private network, but in order to connect to it, you need to be physically within reach of the router’s signal.

VPN (Virtual Private Network) is a virtual private network. It runs on top of the Internet, so you can connect to it from anywhere.

For example, the company you work for may use a virtual private network for remote workers. Using a VPN, they connect to their work network. At the same time, their computers, smartphones or tablets are virtually transferred to the office and connected to the network from the inside. To log into a virtual private network, you need to know the VPN server address, login and password.

Using a VPN is quite simple. Typically, a company installs a VPN server somewhere on a local computer, a server or in a data center, and users connect to it with a VPN client on their device.

Nowadays all current operating systems have built-in VPN clients, including Android, iOS, Windows, macOS and Linux.

The VPN connection between the client and the server is usually encrypted.

So VPN is good?

Yes, if you are a business owner and want to secure corporate data and services. By letting employees into the work environment only through a VPN and under personal accounts, you will always know who did and is doing what.

Moreover, the VPN owner can monitor and control all traffic that goes between the server and the user.

Do your employees spend a lot of time on VKontakte? You can block access to this service. Does Gennady Andreevich spend half his working day on sites with memes? All his activity is automatically recorded in logs and will become an ironclad argument for dismissal.

Why VPN then?

VPN allows you to bypass geographic and legal restrictions.

For example, you are in Russia and want to use Spotify. We regret to inform you that this service is not available from the Russian Federation. You can use it only by accessing the Internet through a VPN server in a country in which Spotify operates.

In some countries, there is Internet censorship that restricts access to certain sites. You want to access some resource, but it is blocked in Russia. You can open the site only by accessing the Internet through a VPN server of a country in which it is not blocked, that is, from almost any country except the Russian Federation.

VPN is a useful and necessary technology that copes well with a certain range of tasks. But the security of personal data still depends on the integrity of the VPN service provider, your common sense, attentiveness and Internet literacy.

For today, it would be useful to consider a few questions related to VPN - what it is, what its features are and how it is configured.

The fact is that many people today do not know anything about this technology, although now such knowledge can be very useful.

Even from a mercantile point of view: setting up a VPN is a service for which people pay good money.

Therefore, it would be good to explain in simple language what a VPN is and how to configure this technology on Windows 7 and Windows 10, currently the most popular operating systems.

Basic information

In general, VPN stands for Virtual Private Network, that is, a virtual private network.

Put simply, this is a technology that lets you join devices into a single network, but without physical devices such as switches and routers, using the resources of the Internet instead.

Essentially, a VPN creates one local network on top of another.

On the Microsoft website you can find the picture shown in Figure 1. There you can clearly see what is meant in the phrase “creates one local network on top of another.”

In practice, this is exactly what happens.

In this picture you can see devices in the form of computers. The cloud represents a shared or public network, most often the ordinary Internet.

The two servers are connected to each other using a VPN.

In the picture these devices are also physically connected to each other, but in practice this is not necessary at all.

This is precisely what the technology is for: not to lay cables and install devices, but to make do with the ordinary infrastructure that already carries information.

Yes, that infrastructure also requires cables, but none are needed for the VPN device specifically.

Reference: A local network is the connection of several devices into one network, which allows them to use each other’s resources.

As mentioned above, in physical local networks, devices are connected to each other using optical cables, twisted pairs, radio channels, as well as Wi-Fi, Bluetooth, GPRS, as well as various devices such as routers.

So, in virtual networks, instead of all this, the most common Internet connection is used.

Of course, access to the various devices is not granted just like that; there are levels of identification aimed at "not letting strangers" into a particular VPN.

Now let's talk in more detail about how the connection occurs in a Virtual Private Network.

A little about the structure

There are two parts to a VPN structure: internal and external.

Each individual computer is connected to both of these parts simultaneously. This is done using a server.

The server in this case acts as a kind of face control at the entrance to a club: it determines who gets into the virtual network and who goes to seek their fortune elsewhere.

The computer that connects to the VPN must have authentication data with it, that is, some kind of one-time password, smart card or other means that will allow you to go through this procedure.

For us this is not particularly important, it is important that there is an authentication process at all.

Today, specialists from various large companies are developing new authentication methods.

If we return to the same example with face control at the entrance to the club, then the person who comes to the club should know:

  1. Firstly, his name, which lets him go through identification;
  2. Secondly, he needs to know, for example, a one-time password (or hold a card), which is needed to pass authentication.

In exactly the same way, a computer that comes and wants to join one of the VPN networks "carries" with it its name together with a means of authentication.

The server looks the supplied name up in its database and checks the credential against it; the account must already have been created there by the administrator.

On later connections the client can remember the credentials so that the user is not prompted again, but "face control" still checks them every time: the server never lets a client in on the strength of an earlier visit.

In principle, it should now be clear how VPNs work and what they are.

In fact, in practical application everything is much more complicated and, if you want to become a network specialist, you will need to know quite a lot of information.

In particular, this information concerns types of VPNs.

VPN classification

The full classification of this type of technology is shown in Figure No. 2.

Now let's look at each type of classification in more detail.

The classification criteria are:

  • Degree of protection. According to this criterion there are the following networks:
    1. Fully protected: based on inherently secure networks;
    2. "Trustedly" protected: a lower degree of security, used when the "parent" network is already considered sufficiently reliable.
  • Method of implementation. According to this criterion the following types are distinguished:
    1. By hardware, that is, using dedicated devices (this type departs somewhat from the canon of a classical virtual network, which does not rely on special devices);
    2. By software;
    3. A combined method.
  • Purpose. Within this criterion there are the following types of VPN:
    1. Intranet: most often used in companies where several branches are joined;
    2. Extranet: used for networks in which there are not only internal corporate participants but also clients or partners;
    3. Remote Access: used for networks with remote branches (most often such a "branch" is a single person working remotely).
  • By protocol. Although a VPN can be built over protocols such as IPX and AppleTalk, in practice only TCP/IP is used. The reason is simple: this protocol is used everywhere on the Internet, and developers see no point in "reinventing the wheel".
  • By layer of operation. Here everything corresponds to the classic OSI model, but VPNs work only at the data link layer (transferring frames over links), the network layer (providing connectivity) and the transport layer (providing data transfer).

Of course, in practice, one network embodies several classification features at once.

Now let's move directly to how to set up a VPN network using the regular computer.

Setting up a virtual network

First, let's understand how this is done on Windows 7.

On this operating system, configuration occurs using the following relatively simple steps:

  • Open the "Network and Sharing Center". To do this, right-click the network connection icon in the notification area (the system tray) and select the corresponding item from the menu.
  • It is worth saying that the network connection icon may not look the same as shown in Figure 3. It can also have the appearance that can be seen in Figure 4.
  • In the window that opens, you need to click on the item called “Setting up a new connection or network” (highlighted in Figure No. 5).

  • In the window that opens, you need to select the “Connect to a workplace” item and click the “Next” button (highlighted in Figure No. 6).

  • If any VPN connections are already on this computer, the window shown in Figure 7 will appear. In it you need to select the item “No, create a new connection” and again click the “Next” button.

  • In the window that appears, click on the “Use my Internet connection (VPN)” item. There is no Next button here. There's nothing wrong with that.

  • Now you will need to enter the address and name of the VPN network. As the window for creating a connection in Windows 7 suggests, you can find out about it from your network administrator.

If you are joining an existing network, you need to ask the administrator for this information. Usually this is not difficult.

They are entered into the fields highlighted in Figure 9.

  • In the same window, you need to check the box next to the words “Do not connect now...”, and then click the “Next” button.

  • Now all that remains is to enter the login and password for the corresponding network. The fields for this are highlighted in Figure 10.

The username and password are issued by the network administrator (or by the VPN service) when your account is created; the server checks them on every connection and, if they match, lets you into the network, which you can use immediately.

Windows can remember the credentials so that you are not prompted again on later connections, but the server still verifies them each time.

  • After entering the appropriate data, you just need to click the “Connect” button.

  • Next, a window will appear asking you to connect to the connected network right now. But it’s better to close this window by clicking on the corresponding button highlighted in Figure 11.

Now the setup is complete and all that remains is to connect to the created network. To do this, you need to go to the “Network and Sharing Center” again.

  • In the window that opens, select the “Connect to network” item, highlighted in Figure 12.

  • In it, all you have to do is select the created connection and click the button highlighted in the same figure.

So now we know how to set up a VPN connection on Windows 7.

As for Windows 10, the algorithm of actions is almost the same. Only some interface elements and access paths to them may differ.

For example, “Network and Sharing Center” looks almost the same as in Windows 7.

Moreover, there is a very similar item called “Creating and setting up a new connection or network.”

The further steps of the setup are almost the same; only the interface is slightly different.

Inconvenience may arise only for Windows 10 users who do not use the so-called classic view but the "Control Panel - Home page" view: they first need to go to the "Network and Internet" section and then select "View network status and tasks".

In any case, there is absolutely nothing complicated in the setup procedure, and there cannot be. Note that a VPN connection can be used on Android devices as well.

If you are alive, accessed the Internet in 2017 and do not live on a desert island, then you have probably heard the term “VPN” more than once or twice. If you still don’t know what it is, why it’s needed and how it improves life (and the quality of work on the Internet in particular), then we, the vpnMentor website team, will be happy to conduct an educational program for you. Here we go?

What is a VPN?

VPN (from the English Virtual Private Network - virtual private network) is a special technology for creating a secure network connection on a public (the same Internet) or private network. Everyone and everything, from large companies to government agencies, is using this technology to provide secure connection to their infrastructure to remote users.

There are literally dozens of VPN services on the Internet that can help you connect safely and securely for $5-$10 a month. This will let you encrypt your personal data and everything you do on the Internet. In addition, most operating systems have long supported VPN connections, and free versions of some paid VPN services exist as well.

Why do you need a VPN service?

Public networks have become too dangerous for the average user - there are hackers, attacks and sniffers everywhere trying to steal your data. So why eat a cactus and cry (read, continue to use public networks and hope for the best) when you can do the smart thing and use a VPN service?

Initially, VPN technologies were developed so that corporate employees could connect to the company's local network from home. Now VPN connections are used mainly when people want to hide their Internet activity from prying eyes, thereby ensuring their online privacy and bypassing blocks on access to content (both local and national). Other uses of VPN services include protection against attackers on public Wi-Fi networks and bypassing geo-blocking of sites (to access content available only in certain regions).

How does a VPN work?

A firewall controls what reaches your computer, while a VPN protects your data in transit. Technically speaking, a VPN is a private network built over a wide area network (WAN) that offers the security and functionality of a private network. There are two types of VPN connections: remote access (a computer connects to the network) and network-to-network.

When surfing the web without a VPN, your traffic goes through your ISP's network to the desired site. This means that all your Internet traffic passes through the provider's equipment, and the provider can accordingly monitor it: what you send, and at least which hosts you talk to even when the content itself is encrypted with HTTPS.

When you connect through a VPN server, your traffic passes to it through an encrypted "tunnel". This means that only you and the VPN server have access to your traffic. However, there is a difference between privacy and anonymity. Using a VPN service does not make you anonymous, because the VPN service knows exactly who you are and can see your online activity. What it gives you is privacy toward the network you are on: your ISP, teachers, principal or even your government can no longer spy on you there. To make sure a VPN service can really protect you, it is extremely important to choose one that does not keep logs. The logic is simple: if a VPN service logs user actions, the authorities can always demand that the data be handed over, and then your data is no longer yours alone.

However, even if the service you choose doesn't keep logs, it can still (if necessary) monitor your online activities in real time - for example, to fix technical problems. And while most “no-log” VPNs also promise not to track your activity in real time, in most countries the law allows authorities to order a VPN service to start logging a specific user's activity without notifying them. However, there is no reason to worry about this... well, only if you are not hiding from law enforcement agencies looking for you.

When choosing a VPN service, it is equally important to pick one that lets its users share IP addresses (in other words, many users use the same IP address at the same time). In that case it becomes much harder for any third party to determine that it was you, and not someone else, who performed a particular action online.

How to use VPN on mobile devices?

VPN is fully supported on both iOS and Android. A VPN can also protect you when torrenting. Unfortunately, the mobile apps you install on your phone see not only your IP address (which can be tied to your online activity) but also your GPS coordinates, contact list, App Store ID and more. These apps send the collected data to their companies' servers, which reduces the benefit of using a VPN connection to zero.

Therefore, to get the full benefit of connecting to a VPN from a mobile device, you should access sites only through open-source browsers that support private modes (for example, Firefox), rather than through dedicated “native” applications.

If you want to learn more about using a VPN on your mobile device, check out our lists and.

Advantages and disadvantages

To help you understand the pros and cons of using a VPN, I have prepared a table in which I have listed the main pros and cons of using this technology (*spoiler alert*: according to the author, the pros outweigh the cons, but the decision is yours).

PROS

  1. The speed of downloading torrents over a P2P protocol (for example, BitTorrent) may increase, since some Internet providers deliberately throttle this type of connection. In such cases.
  2. You will be able to use public WiFi hotspots without worrying about your safety. Why worry, if the connection between your device and the VPN server is encrypted? This means that your personal data is reliably protected, even if some miracle hacker manages to intercept it.
  3. Your ISP will not have access to your online activity history, since all data will be encrypted by the VPN service. Accordingly, the provider will not know which sites you visited and what you did there; it will only know that you connected to the VPN server.
  4. You can access your home or work network even when you travel. Actually, this is what it was all originally started for. Local resources do not have to be exposed to the Internet (it is safer this way): you can set up remote access to your computer, use files on the local network and even play local games, just as if you had stayed at home.
  5. You can fool any website and pretend that you are visiting it from a completely different country. Accordingly, you will be able to access both sites that are blocked in your country and sites that are accessible only to residents of a certain region. You just need to connect to the right server!
  6. Anyone trying to spy on your Internet activity will only find the VPN server you are using, which makes it nearly impossible to find your real IP address.

MINUSES

  1. Your normal connection speed may drop by at least 10%, or even more, depending on the distance to the VPN server. If the VPN server you connect to and the site you want to visit are located relatively close to each other, the delay will be minimal, if noticeable at all. But the more kilometers separate you, the VPN server and the server hosting the site, the slower everything will work. Encrypting and decrypting the data also contributes to this dirty business of slowing down the connection (although in most cases it will be almost unnoticeable).
  2. The VPN service of your choice will have access to the history of all your online activity. This can hardly be called a definite disadvantage, since someone will see your data anyway, and it is better if it is a reliable VPN service (Internet providers are not at all interested in protecting your personal data). Still, you need to be aware of it. Secure VPN services go to great lengths to learn as little as possible about their customers and what they do online.
  3. Not all sites can be accessed even through a VPN. Some sites have learned to detect and block users who access them through a VPN. Fortunately, such blocking is quite easy to bypass, as described in more detail in our article.
  4. You may become a victim of IP spoofing and blacklisting, since the VPN service hides your real IP address and uses its own. The problem is that the VPN service's IP address 1) is used by an unknown number of the service's clients and 2) is well known, which greatly simplifies IP spoofing. Additionally, the actions of other clients of your VPN service who use the same IP address as you may get that address added to blacklists, and then you will not be able to access certain sites. A number of services (for example, your bank or postal service) may also become suspicious of you if they notice that you are using a VPN. And if your VPN service also has a tarnished reputation... in general, it is not an option.
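The first disadvantage says that the slowdown depends on how far apart you, the VPN server and the site are. The following Python script is an example added here, not code from the article's author; it puts rough numbers on that claim using great-circle distances and an assumed propagation speed of about 200,000 km/s in optical fibre (roughly two thirds of the speed of light). The city coordinates are constructed sample values, and real latency will be higher than these figures because of routing detours, queuing and the encryption work itself, so treat them as lower bounds.

```python
"""Added example: how much extra round-trip time a VPN detour adds,
estimated from distance alone.

Assumptions (not from the article): ~200,000 km/s signal speed in fibre,
great-circle paths, and the sample coordinates below.
"""
import math

FIBRE_KM_PER_MS = 200.0  # assumption: ~200,000 km/s in fibre = 200 km per ms

# Constructed sample coordinates (latitude, longitude in degrees).
CITIES = {
    "Berlin": (52.52, 13.405),
    "Frankfurt": (50.11, 8.68),
    "New York": (40.71, -74.01),
    "Singapore": (1.35, 103.82),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def rtt_ms(path_km):
    """Propagation-only round-trip time for a one-way path of path_km."""
    return 2 * path_km / FIBRE_KM_PER_MS


def vpn_detour(client, vpn_server, site):
    """Compare the direct client->site path with client->VPN->site."""
    direct_km = haversine_km(client, site)
    via_km = haversine_km(client, vpn_server) + haversine_km(vpn_server, site)
    return {
        "direct_km": direct_km,
        "via_vpn_km": via_km,
        "direct_rtt_ms": rtt_ms(direct_km),
        "via_vpn_rtt_ms": rtt_ms(via_km),
        "extra_rtt_ms": rtt_ms(via_km - direct_km),
    }


if __name__ == "__main__":
    for vpn in ("Frankfurt", "Singapore"):
        d = vpn_detour(CITIES["Berlin"], CITIES[vpn], CITIES["New York"])
        print(f"Berlin -> {vpn} VPN -> New York: "
              f"direct {d['direct_rtt_ms']:.1f} ms, via VPN {d['via_vpn_rtt_ms']:.1f} ms, "
              f"extra {d['extra_rtt_ms']:.1f} ms")
```

With a VPN server roughly on the way (Berlin via Frankfurt to New York) the detour costs only a couple of milliseconds; with one on the far side of the planet (via Singapore) it adds well over a hundred, which is exactly the "relatively close" versus "more kilometers" distinction the table draws.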

Legal aspects

Using VPN services is rarely illegal in itself (but the content you try to access using a VPN may well be illegal). This is true even in countries that block access to VPN services (China, Syria, Iran). However, this does not prevent some sites from blocking VPN services.

However, in July 2016 the use of a VPN service was made illegal in the United Arab Emirates (UAE). Violators face imprisonment and fines ranging from 500,000 to 2,000,000 dirhams ($136,130 to $544,521). In other words, if you are planning to visit the UAE, it makes sense to exercise common sense and visit only whitelisted sites.

As for VPN blocks in place at your school or work, here is what you should consider: if you get caught (on a private WiFi network or a wired LAN there is always a small chance of this), you can be punished accordingly. How exactly? For example, with disciplinary measures (a fine, suspension, dismissal). The case may even be referred to the police! In general, it is worth thinking in advance whether the game is worth the candle.

Getting started

The good news is that there are just a ton of VPN services out there that would love to have you as their client.

The bad news: it's easy to get confused by all the options on offer.

When making any decision, you need to carefully study the issue.

Visit our article about , read reviews online, read recommendations, explore your options and only then make a decision.

Then ask yourself these 10 questions:

  1. How much will I pay for this? Different services have different prices, but usually everything falls within the range of $5 to $10 per month. There are also free options, which are described in more detail in the article about.
  2. What is this service's privacy policy? We touched on this point earlier: you need to make sure that the VPN service will protect you and your data.
  3. How good are the service's technical and security measures? Will it be able to effectively counter hackers and third parties who decide to gain access to my data?
  4. How far is it from the VPN server to the server I want to reach? This is an important point, because it largely decides how fast your connection will be. Other factors that affect connection speed include the power of the server itself, the bandwidth of the channel, and the number of people using the server at the same time.
  5. How many servers does the service have, and where are they located? If you need to visit different sites located on servers from different countries, you need to find a VPN service with a large number of available server locations and servers - this will greatly increase your chances of a successful connection.
  6. How many devices can I use at the same time? VPN services support almost all types of devices, including desktops, laptops, smartphones and tablets. Some services will only allow you to connect one device to their servers at a time, while others will allow you to connect several at once.
  7. How good is the user support for this service? After reading

2024 gtavrl.ru.