Virtual Private Networks (VPNs) create encrypted tunnels over public networks, allowing secure communication between remote users, branch offices, and cloud environments. Tunnelling protocols encapsulate private-network packets inside packets routed over the public network; encapsulation alone gives no protection (GRE or plain L2TP carries the inner packet in the clear), so a VPN pairs tunnelling with a cryptographic protocol such as IPsec or WireGuard to add confidentiality, integrity and peer authentication in transit.
A VPN extends a private network across a public network (typically the internet) by creating an encrypted tunnel between two endpoints. Anyone intercepting the traffic sees only ciphertext: they cannot read the contents, and any modification is caught by the integrity check and the packet is dropped. What a VPN does not hide is that the two endpoints are talking, or how much and when: packet sizes, timing and the outer addresses remain visible to an observer.
| Use Case | Description |
|---|---|
| Remote Access VPN | Employees connect to the corporate network from home or travel |
| Site-to-Site VPN | Permanent encrypted link between two office networks |
| Cloud VPN | Secure connection between on-premises and cloud environments |
| Client-to-Client VPN | Peer-to-peer encrypted communication |
| Protocol | Encryption | Speed | Security | Status |
|---|---|---|---|---|
| IPsec | AES (3DES is legacy and deprecated) | Good | Strong | Industry standard |
| OpenVPN | OpenSSL (AES) over a TLS control channel | Good | Strong | Open source, widely used |
| WireGuard | ChaCha20-Poly1305, Curve25519 | Excellent | Strong | Modern, ~4,000 lines of code |
| IKEv2/IPsec | AES | Good | Strong | Fast reconnection, mobile-friendly (MOBIKE, RFC 4555, survives address changes) |
| L2TP/IPsec | AES (via IPsec; L2TP itself adds no encryption) | Moderate (double encapsulation) | As strong as its IPsec configuration | Legacy, being replaced |
| PPTP | MPPE (RC4) keyed from MS-CHAPv2 | Fast | Weak, broken: MS-CHAPv2 is crackable, so the session key can be recovered | Deprecated, do not use |
Security: PPTP (weak) ◁──────────────────────────▷ WireGuard / IPsec (strong)
Speed: IPsec (good) ◁──────────────────────────▷ WireGuard (excellent)
Complexity: WireGuard (simple, ~4K lines) ◁──────────────────────▷ IPsec (complex, >400K lines)
IPsec is the most widely deployed VPN protocol suite. It operates at Layer 3 (Network Layer), so it protects whatever transport protocol runs above it, and provides encryption, authentication, and integrity. On the wire it appears as IP protocol 50 (ESP) or 51 (AH); IKE runs over UDP 500, and over UDP 4500 when NAT traversal wraps ESP in UDP.
| Component | Purpose |
|---|---|
| AH (Authentication Header) | Provides integrity and authentication, no encryption; its ICV also covers the IP header, so it breaks across NAT and is rarely used today |
| ESP (Encapsulating Security Payload) | Provides encryption, integrity, and authentication; the usual choice, and with an AEAD such as AES-GCM one pass gives both confidentiality and integrity |
| IKE (Internet Key Exchange) | Negotiates security associations and exchanges keys (IKEv1 in RFC 2409, IKEv2 in RFC 7296) |
| SA (Security Association) | Defines the parameters (algorithms, keys, lifetime) for one direction of traffic and is identified by its SPI; a tunnel therefore uses a pair of SAs |
| Mode | Description | Use Case |
|---|---|---|
| Transport Mode | Encrypts only the payload; the original IP header is preserved, so the real endpoint addresses stay visible on the wire | Host-to-host communication |
| Tunnel Mode | Encrypts the entire original packet, header included, and adds a new outer IP header carrying the gateway addresses | Site-to-site VPNs (most common) |
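The two modes side by side, as an added example written for this edit rather than code from the course: a minimal ESP sender and receiver in Go (standard library only, Go 1.19+) using AES-GCM as RFC 4106 specifies, with a constructed IPv4 packet, a constructed key and salt standing in for what IKE would deliver, and a strict anti-replay check in place of RFC 4303's sliding window. The `onWire` helper shows what a passive observer learns in each mode. The packet layout (SPI, sequence number, IV, trailer, ICV) follows RFC 4303/4106, but the IP checksum is left zero and no sockets are involved.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net/netip"
)

// IPv4 header (no options), ESP header (SPI+seq), RFC 4106 IV, protocol numbers for ESP and IPv4-in-ESP.
const ipv4Len, espHdrLen, ivLen, protoESP, protoIPIP = 20, 8, 8, 50, 4

// espSA is one direction of an ESP Security Association using AES-GCM (RFC 4106).
type espSA struct {
	spi  uint32
	seq  uint32 // outbound: last sequence number sent; inbound: highest accepted
	salt [4]byte
	aead cipher.AEAD
}

func newESPSA(spi uint32, key []byte, salt [4]byte) (*espSA, error) {
	block, err := aes.NewCipher(key) // key and salt are delivered by IKE in a real deployment
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return &espSA{spi: spi, salt: salt, aead: aead}, nil
}

// ipv4Packet builds a constructed IPv4 packet: 20-byte header (checksum left zero) plus payload.
func ipv4Packet(src, dst netip.Addr, proto byte, payload []byte) []byte {
	h := make([]byte, ipv4Len, ipv4Len+len(payload))
	h[0], h[8], h[9] = 0x45, 64, proto // version/IHL, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(ipv4Len+len(payload)))
	copy(h[12:], src.AsSlice())
	copy(h[16:], dst.AsSlice())
	return append(h, payload...)
}

// onWire is what a passive observer learns from the outer header of a packet.
func onWire(wire []byte) (src, dst netip.Addr, proto byte) {
	src, _ = netip.AddrFromSlice(wire[12:16])
	dst, _ = netip.AddrFromSlice(wire[16:20])
	return src, dst, wire[9]
}

// encap protects pkt with ESP. Transport mode keeps the original header and encrypts only what
// follows it; tunnel mode encrypts the whole original packet and prepends a new outer header.
func (s *espSA) encap(pkt []byte, tunnel bool, outerSrc, outerDst netip.Addr) ([]byte, error) {
	outer, plain, next := ipv4Packet(outerSrc, outerDst, protoESP, nil), pkt, byte(protoIPIP)
	if !tunnel {
		outer, plain, next = append([]byte{}, pkt[:ipv4Len]...), pkt[ipv4Len:], pkt[9]
		outer[9] = protoESP
	}
	// ESP trailer (RFC 4303): zero padding to a 4-byte boundary, then pad length and next header.
	padLen := (4 - (len(plain)+2)%4) % 4
	body := append(make([]byte, 0, len(plain)+padLen+2), plain...)
	body = append(append(body, make([]byte, padLen)...), byte(padLen), next)
	s.seq++
	hdr := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, s.spi), s.seq)
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	// GCM nonce = salt || IV. It must never repeat under one key, so SAs are rekeyed long before seq wraps.
	nonce := append(append([]byte{}, s.salt[:]...), iv...)
	ct := s.aead.Seal(nil, nonce, body, hdr) // SPI and sequence number are authenticated as AAD
	out := append(append(append(outer, hdr...), iv...), ct...)
	binary.BigEndian.PutUint16(out[2:], uint16(len(out)))
	return out, nil
}

// decap checks the SPI, enforces anti-replay, verifies the ICV and returns the protected bytes with
// their next-header value: the transport payload (transport mode) or the whole original packet (tunnel mode).
func (s *espSA) decap(wire []byte) (payload []byte, next byte, err error) {
	if len(wire) < ipv4Len+espHdrLen+ivLen+s.aead.Overhead() || wire[9] != protoESP {
		return nil, 0, fmt.Errorf("not an ESP packet")
	}
	hdr := wire[ipv4Len : ipv4Len+espHdrLen]
	seq := binary.BigEndian.Uint32(hdr[4:])
	if binary.BigEndian.Uint32(hdr) != s.spi || seq <= s.seq { // strict; RFC 4303 §3.4.3 uses a window
		return nil, 0, fmt.Errorf("unknown SPI or replayed sequence number %d: dropped", seq)
	}
	nonce := append(append([]byte{}, s.salt[:]...), wire[ipv4Len+espHdrLen:ipv4Len+espHdrLen+ivLen]...)
	plain, err := s.aead.Open(nil, nonce, wire[ipv4Len+espHdrLen+ivLen:], hdr)
	if err != nil {
		return nil, 0, fmt.Errorf("ICV check failed: packet modified in transit")
	}
	s.seq = seq // advance replay state only after the ICV verified; the trailer is covered by it too
	return plain[:len(plain)-2-int(plain[len(plain)-2])], plain[len(plain)-1], nil
}

func main() {
	out, _ := newESPSA(0x1001, []byte("0123456789abcdef"), [4]byte{1, 2, 3, 4}) // constructed key and salt
	in, _ := newESPSA(0x1001, []byte("0123456789abcdef"), [4]byte{1, 2, 3, 4})
	orig := ipv4Packet(netip.MustParseAddr("10.1.1.5"), netip.MustParseAddr("10.2.2.9"), 17, []byte("constructed UDP payload"))
	for _, tunnel := range []bool{false, true} {
		wire, _ := out.encap(orig, tunnel, netip.MustParseAddr("203.0.113.1"), netip.MustParseAddr("198.51.100.1"))
		src, dst, _ := onWire(wire)
		_, next, err := in.decap(wire)
		fmt.Printf("tunnel=%v observer sees %s -> %s; inner next-header %d (err=%v)\n", tunnel, src, dst, next, err)
	}
}
```

Running it prints the host addresses 10.1.1.5 -> 10.2.2.9 for transport mode and only the gateway addresses 203.0.113.1 -> 198.51.100.1 for tunnel mode; in both cases the receiver recovers the original bytes, a bit flipped anywhere after the ESP header fails the ICV check, and a second copy of the same packet is rejected as a replay.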
Phase 1 (IKEv1 terminology): establish the ISAKMP/IKE SA, a protected channel for the rest of the negotiation
├── Agree on encryption, integrity and PRF algorithms and the Diffie-Hellman group
├── Exchange Diffie-Hellman values and nonces to derive shared keying material
└── Authenticate peers (PSK or certificates) using that keying material
Phase 2 (quick mode): negotiate the IPsec SA
├── Agree on ESP/AH parameters (optionally with a fresh DH exchange for perfect forward secrecy)
├── Define traffic selectors (which source and destination ranges the tunnel carries)
└── Establish the data tunnel: one SA per direction, each with its own SPI and key
IKEv2 keeps the same two-stage shape but renames the exchanges: IKE_SA_INIT and IKE_AUTH replace Phase 1, and CREATE_CHILD_SA replaces Phase 2.
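A runnable model of the two phases, added here and not part of the course (Go, standard library only, Go 1.20+ for crypto/ecdh). The key derivation (SKEYID, SKEYID_d/a/e, HASH_I and HASH_R, KEYMAT) follows the RFC 2409 pre-shared-key formulas with HMAC-SHA256 as the PRF. Two simplifications are mine: X25519 stands in for the MODP group, and the accepted transform string stands in for the full SA payload that IKE hashes, so the bytes are not wire-compatible with a real IKE implementation. Identities, the PSK and the transform names are constructed.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// prf is IKE's keyed pseudo-random function, HMAC-SHA256 here (PRF_HMAC_SHA2_256).
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// ikePeer is one side's state: identity and PSK (long-term) plus a cookie, nonce and DH key pair per exchange.
type ikePeer struct {
	id, psk []byte
	cookie  [8]byte  // CKY-I / CKY-R
	nonce   [32]byte // Ni_b / Nr_b
	dh      *ecdh.PrivateKey
	offer   []string // transforms this side accepts, most preferred first
}

func newIKEPeer(id string, psk []byte, offer ...string) (*ikePeer, error) {
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil,  err
	}
	p := &ikePeer{id: []byte(id), psk: psk, dh: dh, offer: offer}
	rand.Read(p.cookie[:])
	rand.Read(p.nonce[:])
	return p, nil
}

// phase1Keys follows RFC 2409 §5.4 (PSK): SKEYID_d seeds Phase 2 keys, SKEYID_a authenticates and SKEYID_e encrypts later IKE messages.
type phase1Keys struct{ skeyid, d, a, e []byte }

func derivePhase1(psk, ni, nr, gxy, ckyI, ckyR []byte) phase1Keys {
	k := phase1Keys{skeyid: prf(psk, ni, nr)}
	k.d = prf(k.skeyid, gxy, ckyI, ckyR, []byte{0})
	k.a = prf(k.skeyid, k.d, gxy, ckyI, ckyR, []byte{1})
	k.e = prf(k.skeyid, k.a, gxy, ckyI, ckyR, []byte{2})
	return k
}

// phase1 runs the three Phase 1 steps between initiator i and responder r and returns each
// side's keys, or an error when no transform is shared or peer authentication fails.
func phase1(i, r *ikePeer) (ki, kr phase1Keys, err error) {
	// Step 1: algorithm agreement. The responder accepts the first initiator proposal it supports.
	var sa []byte // the accepted proposal stands in for the SA payload (SAi_b) that IKE hashes
	for _, prop := range i.offer {
		for _, accepted := range r.offer {
			if prop == accepted && sa == nil {
				sa = []byte(prop)
			}
		}
	}
	if sa == nil {
		return ki, kr, errors.New("no proposal accepted")
	}
	// Step 2: Diffie-Hellman (X25519 here) plus nonces; both sides reach the same SKEYID set only if they share the PSK.
	gxi, gxr := i.dh.PublicKey().Bytes(), r.dh.PublicKey().Bytes()
	gxyI, err := i.dh.ECDH(r.dh.PublicKey())
	if err != nil {
		return ki, kr, err
	}
	gxyR, _ := r.dh.ECDH(i.dh.PublicKey())
	ki = derivePhase1(i.psk, i.nonce[:], r.nonce[:], gxyI, i.cookie[:], r.cookie[:])
	kr = derivePhase1(r.psk, i.nonce[:], r.nonce[:], gxyR, i.cookie[:], r.cookie[:])
	// Step 3: authentication. HASH_I / HASH_R are MACs over the transcript keyed with SKEYID; a wrong PSK cannot reproduce them.
	hashI := prf(ki.skeyid, gxi, gxr, i.cookie[:], r.cookie[:], sa, i.id)
	if !hmac.Equal(hashI, prf(kr.skeyid, gxi, gxr, i.cookie[:], r.cookie[:], sa, i.id)) {
		return ki, kr, errors.New("responder rejected HASH_I: initiator authentication failed")
	}
	hashR := prf(kr.skeyid, gxr, gxi, r.cookie[:], i.cookie[:], sa, r.id)
	if !hmac.Equal(hashR, prf(ki.skeyid, gxr, gxi, r.cookie[:], i.cookie[:], sa, r.id)) {
		return ki, kr, errors.New("initiator rejected HASH_R: responder authentication failed")
	}
	return ki, kr, nil
}

// phase2Keymat derives one IPsec SA's key from SKEYID_d (RFC 2409 §5.5, no PFS):
// KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). Each direction has its own SPI and so its own key.
func phase2Keymat(k phase1Keys, protocol byte, spi uint32, ni, nr []byte) []byte {
	return prf(k.d, []byte{protocol}, binary.BigEndian.AppendUint32(nil, spi), ni, nr)
}

func main() {
	psk := []byte("constructed demo pre-shared key")
	i, _ := newIKEPeer("gw-a.example", psk, "AES-GCM-16/PRF-HMAC-SHA256/X25519")
	r, _ := newIKEPeer("gw-b.example", psk, "AES-CBC-256/PRF-HMAC-SHA256/X25519", "AES-GCM-16/PRF-HMAC-SHA256/X25519")
	ki, kr, err := phase1(i, r)
	fmt.Println("phase 1:", err, "| both sides hold the same SKEYID_e:", hmac.Equal(ki.e, kr.e))
	fmt.Printf("phase 2 ESP key for SPI 0x1001: %x\n", phase2Keymat(ki, 50, 0x1001, i.nonce[:], r.nonce[:]))
}
```

The point to take from the model is where the PSK enters: only into SKEYID, from which everything else hangs. A peer with the wrong PSK completes the DH exchange normally but produces a HASH_I the responder cannot reproduce, so the exchange fails before any Phase 2 key exists; a responder that cannot accept any proposal fails earlier still.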
WireGuard is a modern VPN protocol designed for simplicity, speed, and strong cryptography. It runs over UDP, uses one fixed cipher suite instead of negotiating algorithms, and identifies peers by their public keys rather than by address.
| Feature | Detail |
|---|---|
| Codebase | ~4,000 lines (vs ~400,000 for OpenVPN); small enough to be audited in full |
| Cryptography | ChaCha20-Poly1305 (AEAD), Curve25519 (key agreement), BLAKE2s (hashing), with SipHash24 and HKDF; one fixed suite versioned as a whole, so there is no cipher negotiation and no downgrade path |
| Performance | Typically 2-4x faster than OpenVPN in published benchmarks; runs in-kernel on Linux |
| Configuration | Minimal: one file per interface holding its private key and, for each peer, that peer's public key, AllowedIPs and optional Endpoint |
| Roaming | Peers are identified by public key, not by IP address, so when an endpoint's address changes the next authenticated packet from the new address updates it; no reconnect is needed |
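The public-key identity, configuration and roaming rows above in code, as an added example that comes from neither the course nor the WireGuard project (Go, standard library only, Go 1.20+ for crypto/ecdh). It generates Curve25519 keys the way `wg genkey` and `wg pubkey` do, renders a wg-quick style configuration, and implements the cryptokey-routing rules: an outbound packet goes to the peer whose AllowedIPs most specifically match its destination, an inbound packet is accepted only if its inner source address lies inside the sending peer's AllowedIPs, and an accepted packet updates that peer's endpoint. The Noise handshake and packet encryption are not reproduced here; `acceptIn` assumes the packet already authenticated under the named key. All addresses, ports and keys are constructed.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/netip"
	"strings"
)

// wgKeyPair mirrors `wg genkey` | `wg pubkey`: a Curve25519 key pair, base64-encoded as in config files.
func wgKeyPair() (priv, pub string, err error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	enc := base64.StdEncoding.EncodeToString
	return enc(k.Bytes()), enc(k.PublicKey().Bytes()), nil
}

// wgPeer is one [Peer] section: the public key is the peer's identity, AllowedIPs its cryptokey-routing entry.
type wgPeer struct {
	pubKey     string
	allowedIPs []netip.Prefix
	endpoint   netip.AddrPort // last address the peer was reached at; unset until learned or configured
}

type wgInterface struct {
	privKey    string
	address    netip.Prefix
	listenPort uint16
	peers      []*wgPeer
}

// routeOut chooses the peer whose AllowedIPs most specifically cover dst (longest prefix wins).
func (w *wgInterface) routeOut(dst netip.Addr) (*wgPeer, error) {
	var best *wgPeer
	bestBits := -1
	for _, p := range w.peers {
		for _, pfx := range p.allowedIPs {
			if pfx.Contains(dst) && pfx.Bits() > bestBits {
				best, bestBits = p, pfx.Bits()
			}
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no peer has %s in AllowedIPs: packet dropped", dst)
	}
	return best, nil
}

// acceptIn is the inbound half of cryptokey routing. The packet has already been decrypted and
// authenticated under the session with pubKey, so the sender is known; its inner source must lie
// inside that peer's AllowedIPs or it is dropped (one peer cannot spoof another's addresses).
// An accepted packet also records where it came from: that is how roaming works.
func (w *wgInterface) acceptIn(pubKey string, from netip.AddrPort, innerSrc netip.Addr) (*wgPeer, error) {
	for _, p := range w.peers {
		if p.pubKey != pubKey {
			continue
		}
		for _, pfx := range p.allowedIPs {
			if pfx.Contains(innerSrc) {
				p.endpoint = from
				return p, nil
			}
		}
		return nil, fmt.Errorf("drop: inner source %s is outside this peer's AllowedIPs", innerSrc)
	}
	return nil, fmt.Errorf("drop: no session for that public key")
}

// config renders the interface as a wg-quick configuration file.
func (w *wgInterface) config() string {
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %d\n", w.privKey, w.address, w.listenPort)
	for _, p := range w.peers {
		ips := make([]string, len(p.allowedIPs))
		for i, pfx := range p.allowedIPs {
			ips[i] = pfx.String()
		}
		fmt.Fprintf(&b, "\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n", p.pubKey, strings.Join(ips, ", "))
		if p.endpoint.IsValid() {
			fmt.Fprintf(&b, "Endpoint = %s\n", p.endpoint)
		}
	}
	return b.String()
}

func main() {
	hubPriv, _, _ := wgKeyPair() // constructed keys; keep real private keys out of logs and output
	_, laptopPub, _ := wgKeyPair()
	w := &wgInterface{privKey: hubPriv, address: netip.MustParsePrefix("10.0.0.1/24"), listenPort: 51820,
		peers: []*wgPeer{{pubKey: laptopPub, allowedIPs: []netip.Prefix{netip.MustParsePrefix("10.0.0.2/32")}}}}
	fmt.Print(w.config())
	p, err := w.acceptIn(laptopPub, netip.MustParseAddrPort("203.0.113.9:40000"), netip.MustParseAddr("10.0.0.2"))
	fmt.Println("laptop now reachable at", p.endpoint, err)
	_, err = w.acceptIn(laptopPub, netip.MustParseAddrPort("203.0.113.9:40000"), netip.MustParseAddr("10.0.0.3"))
	fmt.Println("laptop claiming another peer's address:", err)
}
```

AllowedIPs is doing two jobs at once, which is why it is the field to review in any WireGuard configuration: on the way out it is a routing table, on the way in it is an access-control list. A peer given 0.0.0.0/0 becomes the default route for everything not matched more specifically, and may also source any address, so grant it only to a deliberate exit gateway.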