Bienvenido! - Willkommen! - Welcome!

Tux&Cía. Technical Blog, Santa Cruz de la Sierra, BO
Main Blog: Tux&Cía.
Advanced Information Blog: Tux&Cía.-Información
May the source be with you!

Monday, October 15, 2012

Roll Your Own VPN

We've shown you how to roll your own VPN using Hamachi, and even how to set up Privoxy to secure your web browsing once you have your personal VPN set up. Hamachi isn't the only option: you can also download and configure OpenVPN (a free SSL/TLS VPN) on your own home server, or, if you have a router that supports it, enable OpenVPN on your home router so you can connect back to it when you're abroad. Combined with Privoxy, you get the privacy benefits of a VPN without spending a dime. Both of these options put control in your hands. They are not as anonymous as subscription services (your traffic still leaves the Internet from your home IP address) and they offer no international exit locations, but they do give you the most important benefit of a VPN while you're away from home: everything between your device and your home network is encrypted, out of reach of whoever runs the hotel, café or airport network you happen to be on.

Example use of a VPN Tunnel
The following steps [9] illustrate the principles of a VPN client-server interaction in simple terms.
Assume a remote host with a public IP address wishes to connect to a server inside a company network. The server has an internal (private) address and is not reachable publicly. Before the client can reach this server, it needs to go through a VPN server / firewall device that has a public IP address on the Internet side and an internal address on the company side. All data between the client and the server must be kept confidential, hence a secure VPN is used.
  1. The VPN client connects to a VPN server via an external network interface.
  2. The VPN server assigns an IP address to the VPN client from the VPN server's subnet. The client gets an internal IP address on that subnet and creates a virtual network interface through which it will send encrypted packets to the other tunnel endpoint (the device at the other end of the tunnel).[10] (This virtual interface carries the assigned internal address.)
  3. When the VPN client wishes to communicate with the company server, it prepares a packet addressed to the server's internal address, encrypts it and encapsulates it in an outer VPN packet, say an IPsec packet. This packet is then sent to the VPN server's public IP address over the public Internet. The inner packet is encrypted so that even if someone intercepts the packet over the Internet, they cannot get any information from it. They can see that the remote host is communicating with a server/firewall, but none of the contents of the communication. The inner encrypted packet has the client's internal address as source and the company server's internal address as destination. The outer packet has the remote host's public address as source and the VPN server's public address as destination.
  4. When the packet reaches the VPN server from the Internet, the VPN server decapsulates the inner packet, decrypts it, finds the destination address to be the company server's internal address, and forwards it to that server.
  5. After some time, the VPN server receives a reply packet from the company server, intended for the client's internal address. The VPN server consults its routing table and sees that this packet is intended for a remote host that must be reached through the VPN.
  6. The VPN server encrypts this reply packet, encapsulates it in a VPN packet and sends it out over the Internet. The inner encrypted packet has the company server's internal address as source and the client's internal address as destination. The outer VPN packet has the VPN server's public address as source and the remote host's public address as destination.
  7. The remote host receives the packet. The VPN client decapsulates the inner packet, decrypts it, and passes it to the appropriate software at upper layers.
Overall, it is as if the remote computer and company server are on the same network.
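The seven steps above, worked through in code. This is an added example written for this page, not code from the page or from any VPN product: it models the inner and outer packets in Go, with AES-GCM standing in for the IPsec or OpenVPN cipher suite, and the addresses (198.51.100.7 and 203.0.113.1 on the public side, 10.0.0.50 and 10.0.0.20 on the internal 10.0.0.0/24), the 32-byte key and all type and function names are constructed for the example. Key agreement, real IP headers and replay protection are deliberately left out; the comments say where a real protocol supplies them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"net"
)

// Constructed addresses (the page's own did not survive extraction): remote host and VPN
// server on the public Internet; client tunnel address and company server on 10.0.0.0/24.
var (
	clientPublic  = net.ParseIP("198.51.100.7")
	vpnPublic     = net.ParseIP("203.0.113.1")
	clientTunnel  = net.ParseIP("10.0.0.50") // assigned to the client's virtual interface in step 2
	companyServer = net.ParseIP("10.0.0.20") // never reachable from the Internet directly
	internalNet   = net.IPNet{IP: net.IPv4(10, 0, 0, 0).To4(), Mask: net.CIDRMask(24, 32)}
)

// Packet is a simplified inner packet: 4-byte source, 4-byte destination, payload.
type Packet struct {
	Src, Dst net.IP
	Payload  []byte
}

// Tunnel is one endpoint's view: both public addresses and the AEAD key (key agreement, e.g. IKE or OpenVPN's TLS handshake, is assumed done).
type Tunnel struct {
	Local, Peer net.IP
	aead        cipher.AEAD
}

func NewTunnel(local, peer net.IP, key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher
	return &Tunnel{Local: local, Peer: peer, aead: aead}, nil
}

// Encapsulate is step 3 (or 6): the whole inner packet, addresses included, is encrypted; only the
// outer header (the two tunnel endpoints) travels in clear, bound to the ciphertext as associated data.
func (t *Tunnel) Encapsulate(inner Packet) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // IPsec and OpenVPN use a sequence counter here and drop replays
		return nil, err
	}
	outer := append(append([]byte{}, t.Local.To4()...), t.Peer.To4()...)
	plain := append(append(append([]byte{}, inner.Src.To4()...), inner.Dst.To4()...), inner.Payload...)
	return append(append(outer, nonce...), t.aead.Seal(nil, nonce, plain, outer)...), nil
}

// Decapsulate is step 4 (or 7): check the outer header, then authenticate and decrypt. A flipped bit fails
// the GCM tag; the header check also rejects a packet this endpoint sent itself being reflected back to it.
func (t *Tunnel) Decapsulate(wire []byte) (Packet, error) {
	ns := t.aead.NonceSize()
	if len(wire) < 8+ns+t.aead.Overhead() {
		return Packet{}, fmt.Errorf("outer packet too short")
	}
	outer := wire[:8]
	if !net.IP(outer[:4]).Equal(t.Peer) || !net.IP(outer[4:]).Equal(t.Local) {
		return Packet{}, fmt.Errorf("outer addresses do not match this tunnel")
	}
	pt, err := t.aead.Open(nil, wire[8:8+ns], wire[8+ns:], outer)
	if err != nil || len(pt) < 8 {
		return Packet{}, fmt.Errorf("authentication failed or malformed inner packet: %v", err)
	}
	return Packet{Src: net.IP(pt[:4]), Dst: net.IP(pt[4:8]), Payload: pt[8:]}, nil
}

// OuterAddresses is everything an on-path observer learns from a tunnelled packet.
func OuterAddresses(wire []byte) (src, dst net.IP) { return net.IP(wire[:4]), net.IP(wire[4:8]) }

// HandleFromInternet is the VPN server's side of steps 4 to 6: decapsulate, forward only into
// the internal subnet, and tunnel the reply back. The company server is simulated by an echo.
func (t *Tunnel) HandleFromInternet(wire []byte) ([]byte, error) {
	req, err := t.Decapsulate(wire)
	if err != nil {
		return nil, err
	}
	if !internalNet.Contains(req.Dst) {
		return nil, fmt.Errorf("refusing to forward to %s: not an internal address", req.Dst)
	}
	resp := Packet{Src: req.Dst, Dst: req.Src, Payload: append([]byte("reply to: "), req.Payload...)}
	return t.Encapsulate(resp) // step 5: the reply's destination is a tunnel address, so it is routed back via the VPN
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	client, _ := NewTunnel(clientPublic, vpnPublic, key)
	server, _ := NewTunnel(vpnPublic, clientPublic, key)
	wire, _ := client.Encapsulate(Packet{Src: clientTunnel, Dst: companyServer, Payload: []byte("GET /intranet")})
	src, dst := OuterAddresses(wire)
	back, _ := server.HandleFromInternet(wire)
	reply, err := client.Decapsulate(back)
	fmt.Printf("observer saw %s -> %s; client got %q %v\n", src, dst, reply.Payload, err)
}
```

Run with go run: the observer's view is just the two public endpoints, while the inner addresses and payload are ciphertext. Two checks are worth noticing because a practitioner would want them in any real implementation: the VPN server forwards only into its own internal subnet, so a client cannot use the tunnel to reach arbitrary addresses on the company side, and each endpoint rejects a packet whose outer header names itself as sender, which matters in this simplified model because one key serves both directions (IPsec and OpenVPN derive separate keys per direction).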


Tunneling protocols can operate in a point-to-point network topology that would theoretically not be considered a VPN, because a VPN by definition is expected to support arbitrary and changing sets of network nodes. But since most router implementations support a software-defined tunnel interface, customer-provisioned VPNs often are simply defined tunnels running conventional routing protocols.

PPVPN building-blocks

Depending on whether the PPVPN (Provider Provisioned VPN) runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combine them both. Multiprotocol label switching (MPLS) functionality blurs the L2-L3 identity.
RFC 4026 generalized the following terms to cover L2 and L3 VPNs, but they were introduced in RFC 2547.[11] More information on the devices below can also be found in [12].
Customer (C) devices
A device that is within a customer's network and not directly connected to the service provider's network. C devices are not aware of the VPN.
Customer Edge device (CE)
A device at the edge of the customer's network which provides access to the PPVPN. Sometimes it's just a demarcation point between provider and customer responsibility. Other providers allow customers to configure it.
Provider edge device (PE)
A PE is a device, or set of devices, at the edge of the provider network which connects to customer networks through CE devices and presents the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.
Provider device (P)
A P device operates inside the provider's core network and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of providers.
