# Chapter 16: VPN - Virtual Private Network

## 16.1 Introduction to VPN

A VPN creates a secure, encrypted tunnel over public networks.
### VPN Overview

Why use a VPN?

- Secure data transmission over public networks
- Remote access to corporate resources
- Privacy and anonymity
- Bypass geo-restrictions
- Connect branch offices

VPN benefits:

- Encryption protects data from eavesdropping
- Authentication ensures only authorized users connect
- Remote work capability
- Cost-effective (no dedicated lines needed)

VPN types:

| Type | Description |
|------|-------------|
| Remote Access | Individual users connecting to a network |
| Site-to-Site | Connects entire networks (branch offices) |
| SSL VPN | Browser-based (HTTPS) |
| IPsec VPN | Network-layer encryption |
| MPLS VPN | Provider-based (not encrypted) |
## 16.2 VPN Protocols

### VPN Protocol Comparison

| Protocol | Encryption | Port | Pros | Cons |
|----------|------------|------|------|------|
| PPTP | MPPE-128 | 1723 | Easy to set up | Not secure |
| L2TP/IPsec | AES-256 | 500, 4500 | Secure | Can be slow |
| OpenVPN | OpenSSL | 1194 | Very secure | Complex |
| WireGuard | ChaCha20-Poly1305 | 51820 | Fast, simple | Newer |
| IPsec | AES, 3DES | 50 (ESP), 51 (AH); these are IP protocol numbers, not ports | Very secure | Complex |
| SSL/TLS | TLS 1.3 | 443 | Browser-based | Limited |

### Protocol Details

1. PPTP (Point-to-Point Tunneling Protocol)
   - Oldest, deprecated
   - Weak encryption (MPPE)
   - Easy setup but not recommended
2. L2TP/IPsec
   - Layer 2 Tunneling Protocol
   - Combined with IPsec for encryption
   - Good security, moderate speed
   - Often blocked by firewalls
3. OpenVPN
   - Open source
   - Uses the OpenSSL library
   - Works through most firewalls
   - Very configurable
4. WireGuard
   - Modern, lightweight
   - Very fast (kernel-level)
   - Simple configuration
   - ~4,000 lines of code (vs 600k for OpenVPN)
## 16.3 IPsec VPN

### IPsec Overview

IPsec components:

- AH (Authentication Header): authentication, integrity
- ESP (Encapsulating Security Payload): encryption
- IKE (Internet Key Exchange): key exchange

IPsec modes:

| Mode | Description |
|------|-------------|
| Transport | Encrypts only the payload; the original IP header stays visible |
| Tunnel | Encrypts the entire packet (including the original IP header) |

IPsec tunnel mode:

```text
Original packet: [IP Header][TCP][Data]
Encrypted:       [New IP Header][ESP][Original IP Header][TCP][Data][ESP Trailer][ESP Auth]
```

IKE phases:

Phase 1 (Main Mode/Aggressive Mode):

- Establish the ISAKMP SA (security association)
- Authenticate the peer
- Exchange encryption keys

Phase 2 (Quick Mode):

- Negotiate the IPsec SA
- Generate encryption keys
- Define what traffic to encrypt
## 16.4 WireGuard VPN

Modern, fast VPN protocol.

```bash
# Install WireGuard
sudo pacman -S wireguard-tools

# Generate keys (umask 077 keeps the private key file readable only by its owner)
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```

Server configuration (`/etc/wireguard/wg0.conf`):

```ini
[Interface]
Address = 10.0.0.1/24
PrivateKey = <server-private-key>
ListenPort = 51820
# Routing client traffic out through eth0 also needs net.ipv4.ip_forward=1 (sysctl).
# PostDown removes the rules PostUp added, so nothing is left behind after wg-quick down.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D POSTROUTING -t nat -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
```

Client configuration:

```ini
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = server.example.com:51820
# 0.0.0.0/0 sends all IPv4 traffic through the tunnel (full-tunnel client)
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
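Before bringing the interface up, it is worth checking the config for the two mistakes that fail silently: a placeholder key left in place and two peers claiming the same address. The validator below is an added example (not wg-quick's own tooling or part of this chapter); its sample config and keys are constructed.

```python
# Added example, not the chapter's own code: a pre-flight check for a wg-quick config.
# It verifies keys are 32-byte base64 values (so placeholders like <server-private-key>
# were replaced) and that no two peers claim the same AllowedIPs: cryptokey routing gives
# each address to one peer, and the last [Peer] listed silently takes it. Sample is constructed.
import base64
import ipaddress
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = <server-private-key>
[Peer]
PublicKey = {base64.b64encode(bytes([1] * 32)).decode()}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = {base64.b64encode(bytes([2] * 32)).decode()}
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
"""  # the two public keys are dummy values, not real key material

def parse_sections(text):
    # Return [(section_name, {key: value})] in file order; '#' starts a comment.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def valid_key(value):  # WireGuard keys are base64 of exactly 32 bytes (Curve25519)
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False

def check_config(text):
    """Return a list of findings; an empty list means the config passed."""
    findings, claimed = [], {}  # claimed: ip_network -> index of the section owning it
    for idx, (name, kv) in enumerate(parse_sections(text)):
        if name == "Interface" and not valid_key(kv.get("PrivateKey", "")):
            findings.append("Interface: PrivateKey missing or not a 32-byte base64 key")
        if name != "Peer":
            continue
        if not valid_key(kv.get("PublicKey", "")):
            findings.append(f"Peer {idx}: PublicKey missing or malformed")
        for cidr in filter(None, (c.strip() for c in kv.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, owner in claimed.items():
                if owner != idx and other.version == net.version and other.overlaps(net):
                    findings.append(f"Peer {idx}: AllowedIPs {net} overlaps {other} of peer {owner}")
            claimed[net] = idx
    return findings
```

Run `check_config(open("/etc/wireguard/wg0.conf").read())` as root on a real file; an empty list means both checks passed.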
```bash
# Enable service
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
```bash
# Check status
sudo wg show
wg show wg0
```

## 16.5 OpenVPN
### OpenVPN Configuration

Server configuration:

```text
# /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
# A fixed 'cipher' is deprecated in OpenVPN 2.5+; data-ciphers with an AEAD cipher (AES-256-GCM) is preferred
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
# duplicate-cn lets several clients connect with the same certificate, which weakens per-client accountability and revocation
duplicate-cn

# Network configuration
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
```

Client configuration:

```text
# client.ovpn
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# remote-cert-tls server rejects a peer presenting a client certificate as the server
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
verb 3

<ca>
# ca.crt contents
</ca>
<cert>
# client.crt contents
</cert>
<key>
# client.key contents
</key>
```
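The server.conf above works, but a reviewer would flag several of its settings (static CBC cipher, duplicate-cn, no control-channel protection, no privilege drop). The script below is an added example, not part of OpenVPN or of this chapter: it rewrites such a config into a hardened one and lists each change. The file names ta.key and crl.pem are assumptions, and the weak input is a constructed subset of the chapter's server.conf.

```python
# Added example, not the chapter's own code: rewrite a server.conf like the one above into a
# hardened one and report each change. Directives are real OpenVPN 2.5+ options; ta.key (from
# `openvpn --genkey secret ta.key`) and crl.pem are assumed to exist. Input is constructed.
WEAK_SERVER_CONF = """\
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
auth SHA256
cipher AES-256-CBC
duplicate-cn
server 10.8.0.0 255.255.255.0
"""

# directive -> (replacement lines, reason)
REWRITES = {
    "cipher": (["data-ciphers AES-256-GCM:CHACHA20-POLY1305"],
               "a static 'cipher' is deprecated; negotiate an AEAD cipher via data-ciphers"),
    "duplicate-cn": ([], "one cert shared by many devices makes revocation all-or-nothing"),
}
# (directive, line to add when absent, reason)
REQUIRED = [
    ("tls-crypt", "tls-crypt ta.key", "encrypt and authenticate the TLS control channel"),
    ("tls-version-min", "tls-version-min 1.2", "refuse legacy TLS versions"),
    ("remote-cert-tls", "remote-cert-tls client", "accept only certs issued for client use"),
    ("crl-verify", "crl-verify crl.pem", "reject revoked client certificates"),
    ("user", "user nobody", "drop root after startup"),
    ("group", "group nobody", "drop root after startup"),
]

def harden(conf):
    """Return (hardened_conf, [change descriptions]); untouched lines keep their order."""
    out, changes, present = [], [], set()
    for line in conf.splitlines():
        words = line.split()
        directive = words[0] if words and not words[0].startswith(("#", ";")) else None
        if directive in REWRITES:
            replacement, why = REWRITES[directive]
            out.extend(replacement)
            changes.append(f"{directive}: {why}")
            present.update(r.split()[0] for r in replacement)
        else:
            out.append(line)
            present.add(directive)
    for name, add_line, why in REQUIRED:
        if name not in present:
            out.append(add_line)
            changes.append(f"added {add_line!r}: {why}")
    return "\n".join(out) + "\n", changes
```

Running `harden` a second time on its own output reports no changes, which makes it usable as a simple audit check.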
## 16.6 SSL VPN

### SSL VPN

How SSL VPN works:

- Uses TLS/SSL (like HTTPS)
- Works through firewalls/proxies
- Browser-based (no client needed)
- Two modes: portal and tunnel

SSL VPN modes:

1. SSL VPN Portal
   - Web browser interface
   - Access via HTTPS
   - For simple access (web apps, file shares)
   - Examples: OpenWebUI, corporate portals
2. SSL VPN Tunnel
   - Full network access
   - Client software installed
   - Creates a virtual adapter
   - Examples: OpenConnect, AnyConnect

OpenConnect (Linux SSL VPN client):

```bash
# Install
sudo pacman -S openconnect

# Connect
sudo openconnect vpn.example.com

# With certificate
sudo openconnect --certificate=cert.pem vpn.example.com

# Using SAML
sudo openconnect --authgroup=saml vpn.example.com
```
## 16.7 VPN Troubleshooting

```bash
# Check interface
ip link show
ip addr show tun0

# Check routing
ip route show

# Test connectivity
ping 10.8.0.1
traceroute 10.8.0.1

# Check DNS
cat /etc/resolv.conf

# Check logs
journalctl -u wg-quick@wg0
journalctl -u openvpn

# Test VPN server port (-u because the server above uses proto udp; drop it for TCP)
nc -zvnu <vpn-server-ip> 1194

# Debug WireGuard
sudo wg show
sudo wg show wg0 dump
```
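`wg show wg0 dump` is the machine-readable form of the status output. The following added example (not part of WireGuard or of this chapter) parses that output and classifies each peer by handshake age, which is usually the quickest way to tell a key or endpoint mismatch (no handshake ever) from a dropped NAT mapping or a simply idle peer (handshake gone stale). The sample dump is constructed.

```python
# Added example, not the chapter's own code: parse `wg show wg0 dump` and classify peers.
# Dump columns are tab-separated. Line 1: private-key, public-key, listen-port, fwmark.
# Each peer line: public-key, preshared-key, endpoint, allowed-ips, latest-handshake
# (unix epoch, 0 = never), transfer-rx, transfer-tx, persistent-keepalive. Sample is constructed.
import subprocess
import time

STALE_AFTER = 180    # seconds; a tunnel carrying traffic re-handshakes about every 2 minutes
NOW = 1_700_000_000  # fixed "current time" so the constructed sample is reproducible

SAMPLE_DUMP = (
    "SERVER_PRIV\tSERVER_PUB\t51820\toff\n"
    f"PEER_A\t(none)\t203.0.113.10:41821\t10.0.0.2/32\t{NOW - 30}\t10240\t20480\toff\n"
    "PEER_B\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
    f"PEER_C\t(none)\t198.51.100.7:51820\t10.0.0.4/32\t{NOW - 7200}\t512\t512\t25\n"
)

def parse_dump(text):
    """Return (interface_dict, [peer_dict, ...]) from dump output."""
    rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    peers = [{"public_key": r[0], "endpoint": r[2], "allowed_ips": r[3],
              "latest_handshake": int(r[4]), "rx": int(r[5]), "tx": int(r[6]),
              "keepalive": r[7]} for r in rows[1:]]
    return iface, peers

def peer_status(peers, now):
    """Map public key -> 'never' (no handshake yet), 'stale' (older than STALE_AFTER) or 'ok'."""
    status = {}
    for p in peers:
        if p["latest_handshake"] == 0:
            status[p["public_key"]] = "never"  # never reached us: key, endpoint or firewall issue
        elif now - p["latest_handshake"] > STALE_AFTER:
            status[p["public_key"]] = "stale"  # idle peer (normal) or NAT mapping lost (if keepalive set)
        else:
            status[p["public_key"]] = "ok"
    return status

def live_status(ifname="wg0"):
    """Same classification for a real interface (needs root to read the dump)."""
    dump = subprocess.run(["wg", "show", ifname, "dump"], check=True,
                          capture_output=True, text=True).stdout
    return peer_status(parse_dump(dump)[1], int(time.time()))

if __name__ == "__main__":
    for key, state in peer_status(parse_dump(SAMPLE_DUMP)[1], NOW).items():
        print(f"{key}: {state}")
```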
```bash
# Debug OpenVPN (run in the foreground to see the log)
sudo openvpn --config /etc/openvpn/client.conf
```

## Summary
In this chapter, you learned:

- ✅ What a VPN is and why to use one
- ✅ VPN protocols (PPTP, L2TP, OpenVPN, WireGuard)
- ✅ IPsec VPN architecture
- ✅ WireGuard setup
- ✅ OpenVPN configuration
- ✅ SSL VPN
- ✅ VPN troubleshooting

## Next Chapter

Chapter 17: Wireless Networking
Last Updated: February 2026