I consider myself pretty tech-literate, so feel free to give a more-than-ELI5 answer; but I'm confused about how VPNs actually work. I know what they do - route all your device's traffic back to the home network, and then it goes from there onward to the internet as if the traffic originated from the home network - but I don't even see how this is possible exactly if I'm connected to a router at some hotel or a friend's place.
If I'm connected to a network outside my home, I need to use their gateway to send packets to my VPN network, right? So I'm curious how VPNs protect me when the first packet route has to go:
My device → Other persons network → Internet → My VPN server → Back to internet
The first couple of hops seem necessary to get to the VPN and not secure by nature. I know the traffic can be encrypted, but isn't that up to my device to encrypt anyway? So the VPN isn't doing any encryption really.
Can someone explain to me in more detail how exactly my device connects to my VPN at home and how this helps? To me it seems like it doesn't offer any security, and the only real benefit is making devices that would be accessible on my home network - but aren't exposed to the internet - accessible again through the VPN server.
Your device sends encrypted data for the applications that actually support and request encryption from the underlying layers (for example, HTTP (Layer 7) encrypted with SSL/TLS (Layer 7) is sent down the line). You don't really require a proxy for simple web browsing since most websites today are HTTPS enabled, so all data between the server and your device is already encrypted. The same is true for the majority of applications, ranging from WhatsApp to Spotify.
Where VPN comes into importance is:
When your traffic consists of unencrypted data that can be read by anyone on the transit network (VoIP, IoT devices, other web apps you're running locally).
You need to access a service from a remote place which is risky (read: stupid) to expose to the internet: Active Directory, IoT device hubs, self-hosted web apps, VoIP servers etc. For these services to be accessible from the outside you need to open ports, which is the same as adding more doors to your house: you now have to worry about securing that door, and it is only a matter of time until someone strong (smart) enough breaks in.
You need to access content that is Geo-blocked, or is unavailable on public/office networks.
VPNs build a virtual tunnel (encrypted/unencrypted - depending on what VPN protocol you use) to bring your remote device into the LAN segment of the network you are accessing.
You can go ahead and add a rule to route all internet traffic through the remote LAN Gateway but that’s not what VPNs were originally made for.
VPNs are highly necessary for corporate businesses which often host a ton of local services that must be made available to remote employees, and which should not be directly exposed to the internet.
The use case you’re describing actually goes like this :
Your Device > Virtual Interface created by VPN > Encapsulation (+ Encryption) > Send Down the Public Internet > Home Router > Drops packet on the LAN Segment > LAN Gateway > Home Router > Internet
However, the internet is not an integral part of a VPN, as you can see from my setup:
My Phone > WireGuard VPN (only for 10.1.1.0/27) > Home Network
Apps running through WireGuard:
PortSIP SIP Client >> To FreePBX Server at my home
NextCloud Sync >> Nextcloud Server
Mozilla >> Clinic Management System / Patient Contact System
Regular Web Traffic gets routed through my Mobile Data / Public WiFi as usual.
VPNs are used while accessing the Public WiFi extensively because even after the best of the security measures and encryption, you can still be hacked by a variety of exploits, let alone unencrypted traffic sniffers.
Your local device encrypts, i.e. with OpenVPN or WireGuard, by essentially creating another network device on top of your physical device and dropping packets into that. Your remote VPN endpoint decrypts; devices in between see encrypted traffic only.
Common problems are rather related to routing overlap, i.e. your home network is on something like 192.168.1.0/24 and so is your current remote location.
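To make the two answers above concrete (the split-tunnel WireGuard setup where only 10.1.1.0/27 goes through the tunnel, the full-tunnel variant that routes everything home, and the subnet-overlap problem), here is an added example that is not part of any post in the thread. It models what a WireGuard client's AllowedIPs turn into on the routing table and how the kernel picks a route: longest prefix first, then lowest metric. The configs, keys, the 203.0.113.10 endpoint and the hotel subnet are all constructed placeholders; the host route pinned to the physical interface for a 0.0.0.0/0 tunnel is a simplification of what wg-quick does with policy routing, and is labelled as such in the code.

```python
"""Model of how a WireGuard client's AllowedIPs become routes, and why a home
subnet that collides with the hotel's subnet is a problem.  Added example; the
config text, keys and addresses below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    metric: int = 0


# Constructed split-tunnel client config: only the home /27 goes into wg0.
SPLIT_CONF = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.1.1.2/32

[Peer]
PublicKey = HOME_SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.1.1.0/27
PersistentKeepalive = 25
"""

# Same peer, but with every IPv4 destination sent through the tunnel.
FULL_CONF = SPLIT_CONF.replace("AllowedIPs = 10.1.1.0/27", "AllowedIPs = 0.0.0.0/0")

# Home LAN that collides with the hotel's 192.168.1.0/24 (the overlap case).
OVERLAP_CONF = SPLIT_CONF.replace("AllowedIPs = 10.1.1.0/27", "AllowedIPs = 192.168.1.0/24")

# Constructed hotel Wi-Fi routing table before the VPN comes up.
HOTEL_ROUTES = [
    Route(ip_network("192.168.1.0/24"), "wlan0", 0),
    Route(ip_network("0.0.0.0/0"), "wlan0", 100),
]


def parse_peer(conf: str) -> Tuple[IPv4Address, List[IPv4Network]]:
    """Extract the Endpoint address and IPv4 AllowedIPs from a wg config.
    Assumes the Endpoint is an IP literal (as in the constructed configs)."""
    endpoint: Optional[IPv4Address] = None
    allowed: List[IPv4Network] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "Endpoint":
            endpoint = ip_address(value.rsplit(":", 1)[0])
        elif key == "AllowedIPs":
            allowed += [ip_network(p.strip()) for p in value.split(",") if ":" not in p]
    if endpoint is None:
        raise ValueError("peer has no Endpoint")
    return endpoint, allowed


def install_routes(conf: str, phys_iface: str, phys_routes: List[Route]) -> List[Route]:
    """Routing table after bringing the tunnel up: every AllowedIPs prefix is
    routed to wg0.  For 0.0.0.0/0 the encrypted UDP packets to the endpoint
    itself must still leave via the physical interface, so a host route for the
    endpoint is pinned there.  (wg-quick really does this with an fwmark and a
    policy-routing rule; the /32 host route is a simplified model of that.)"""
    endpoint, allowed = parse_peer(conf)
    routes = list(phys_routes)
    for prefix in allowed:
        if prefix.prefixlen == 0:
            routes.append(Route(ip_network(f"{endpoint}/32"), phys_iface, 0))
            routes.append(Route(prefix, "wg0", 50))  # lower metric than the Wi-Fi default
        else:
            routes.append(Route(prefix, "wg0", 0))
    return routes


def select_route(dst: str, routes: List[Route]) -> Optional[Route]:
    """Kernel-style selection: longest prefix wins, ties go to the lower metric."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def find_conflicts(routes: List[Route]) -> List[Tuple[str, str, str]]:
    """Same prefix and metric on two interfaces: the second 'ip route add' is
    refused by the kernel, or one route silently shadows the other."""
    seen: Dict[Tuple[IPv4Network, int], str] = {}
    conflicts = []
    for r in routes:
        key = (r.prefix, r.metric)
        if key in seen and seen[key] != r.iface:
            conflicts.append((str(r.prefix), seen[key], r.iface))
        seen.setdefault(key, r.iface)
    return conflicts


if __name__ == "__main__":
    split = install_routes(SPLIT_CONF, "wlan0", HOTEL_ROUTES)
    full = install_routes(FULL_CONF, "wlan0", HOTEL_ROUTES)
    for dst in ("10.1.1.5", "1.1.1.1", "203.0.113.10"):
        print(dst, "split ->", select_route(dst, split).iface, "| full ->", select_route(dst, full).iface)
    print("overlap conflicts:", find_conflicts(install_routes(OVERLAP_CONF, "wlan0", HOTEL_ROUTES)))
```

Running it shows the three behaviours the thread discusses: with the split tunnel, 10.1.1.5 goes to wg0 while 1.1.1.1 and the endpoint stay on wlan0; with the full tunnel, 1.1.1.1 goes to wg0 but the endpoint itself still leaves via wlan0 (otherwise the encrypted packets would have no way out); and with a home LAN on 192.168.1.0/24 the new wg0 route collides with the hotel's identical prefix, which is the routing-overlap problem. The usual fix is to give the home network a less common RFC 1918 range.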
There's a whole handshake process going on before you establish a connection, which allows a VPN to be secure - it's sort of the same way HTTPS is secure and HTTP isn't. The main point here is that through that handshake you're establishing an encrypted connection between your laptop and your home server, which allows all the packets going through that tunnel to be encrypted, and nobody on your network will be able to see what's passing through it.
I'd suggest you read a bit about SSL and TLS; there's a lot of great literature online about it from people who know a whole lot more about it than I do.
I know what they do - route all your devices traffic back to the home network
No. That’s just one of the things they can do.
A VPN tunnels network traffic across another potentially untrusted network. Traffic in the tunnel is usually encrypted and thus cannot be viewed from outside as it passes across the encapsulating network. That’s it. That’s all there is to it.
Which packets go where is entirely up to the creator of a network, of which a VPN may be a large or small part.
A VPN might be used to obscure your location on the internet from the sites you’re accessing, or it might just be used to allow you to print invoices to your office printer when you’re out on the road making sales.