VPN Architectures
1. Site-to-Site VPN
Connects two or more networks over an encrypted tunnel.
Each site's VPN gateway authenticates with the other.
Diagram:
[LAN] -- [VPN Gateway] === enc. tunnel === [VPN Gateway] -- [LAN]
2. Remote Access VPN
Connects individual users to a private network from outside.
Generally the user runs a VPN client that authenticates with the VPN gateway; all traffic is then tunneled to the private network.
Diagram:
[Remote User] === enc. tunnel === [VPN Gateway] -- [LAN]
3. SSL VPN
Runs over HTTPS (SSL/TLS), typically on TCP/443. (Firewall-friendly).
Can be web-based (via browser) or client-based.
Diagram:
[User Browser] === (HTTPS / TCP 443) === [SSL VPN Gateway] --- [LAN]
4. Cloud VPN
VPN service provided by cloud vendors such as AWS, GCP, Azure.
A virtual VPN gateway in the cloud establishes an IPSec tunnel with the on-prem network.
Diagram:
[On-prem network] -- [VPN Device] === enc. tunnel === [Cloud VPN Gateway] -- [VPC]
5. Double / Multi-hop VPN
Traffic passes through multiple VPN servers before reaching the internet.
Traffic is encrypted multiple times (one layer per hop). Good for protecting against traffic correlation attacks.
Diagram:
[User Device] === enc. tunnel === [VPN Gateway 1] === enc. tunnel === [VPN Gateway 2] -- internet
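Added illustration of the layered encryption in a multi-hop VPN (example code written for these notes, not from any VPN product): the user wraps the packet once for gateway 2 and then once more for gateway 1, so each hop can strip only its own layer. Assumptions: a demo encrypt-then-MAC construction built from HMAC-SHA256 stands in for a real cipher suite, and the static keys are hypothetical (a real VPN derives them via a handshake).

```python
import hashlib
import hmac
import json
import os

# Constructed demo keys (hypothetical); real tunnels negotiate keys, never hard-code them.
KEY_GW1 = hashlib.sha256(b"demo-key-gateway-1").digest()
KEY_GW2 = hashlib.sha256(b"demo-key-gateway-2").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demo stand-in for ChaCha20/AES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(12) || ciphertext || tag(32)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered packets."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_multihop_packet(dst: str, payload: str) -> bytes:
    """User side: inner layer for gateway 2 (carries the real destination),
    outer layer for gateway 1 (carries only the next hop)."""
    inner = seal(KEY_GW2, json.dumps({"dst": dst, "data": payload}).encode())
    return seal(KEY_GW1, json.dumps({"next": "gw2", "blob": inner.hex()}).encode())


def gateway1_view(packet: bytes) -> dict:
    """Gateway 1 strips its layer: it learns the next hop, not the destination."""
    return json.loads(unseal(KEY_GW1, packet))


def gateway2_view(inner_hex: str) -> dict:
    """Gateway 2 strips the inner layer: it learns the destination, not the user."""
    return json.loads(unseal(KEY_GW2, bytes.fromhex(inner_hex)))
```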
VPN Protocols
1. IPSec
Layer 3 (network layer) encryption. Industry standard, good for site-to-site VPN.
Complex to configure; works poorly in NAT environments (requires NAT-T).
2. L2TP/IPSec
Data-link-layer tunneling (L2TP) combined with IPSec encryption.
Built into most OSes, but L2TP itself has no encryption and relies on IPSec. (Now an outdated protocol.)
3. PPTP
Legacy protocol (developed by Microsoft in the 1990s).
Simple to set up, but also simple to break.
4. SSTP
Based on SSL/TLS (typically over TCP/443); well integrated into Windows.
Controlled by Microsoft, limited standardization.
5. OpenVPN
Based on SSL/TLS, runs in user space.
Open source, flexible, cross-platform and provides strong security (certificates).
6. WireGuard
Uses modern cryptographic standards (ChaCha20, Poly1305, Curve25519, etc.). Linux-friendly.
Less flexible compared to IPSec and OpenVPN.
7. SoftEther VPN
Built by the University of Tsukuba (Japan). Multi-protocol support (IPSec, L2TP, SSL VPN, OpenVPN emulation), but complex.