By definition, a VPN is a connection that enables a remote user to securely connect to a private network or server over a public network. From the end user's perspective, it is as if the data is being sent and received over a dedicated private connection—hence, the term virtual private network. One common scenario in which a VPN is used is called client-server: the end user connects to a private network over the internet. Another common scenario is peer-to-peer, or network-to-network communication. A prime example of this would be a case where a branch office of a corporation needs to connect its local network with the private network at corporate headquarters. In such a case, the company is using the internet as if it is a WAN. In either case, client-server or peer-to-peer, the end users of the VPN take advantage of the fact that a VPN connection is an encrypted tunnel, enabling them to use the public internet as a private tunnel for a point-to-point circuit.
The introduction to this chapter briefly discussed private WAN circuits as an alternative to VPNs. In fact, they were the only way to securely connect to a private network before VPNs. They may still be the only way to meet certain bandwidth and latency requirements. A private WAN circuit will usually provide a latency of 3 ms or less. Anyone who has run the ping or traceroute utilities to measure the latency of a connection will know how good that is. With a VPN (or indeed, any other connection that uses the public internet), you will get that much latency with the first hop through your ISP. Running ping tests on your connection will give you a better idea of the latency of VPN connections in specific cases, but in general, you can expect such connections to have latencies of anywhere from 30 to 60 ms. This latency can vary, based on two important factors:
- The type of connection that is being used
- The distance between the remote node and the private network
One of our objectives is to minimize latency, and you can do that by using the same ISP on both ends of the connection. However, that is not always possible. In some cases, using a VPN may actually decrease latency. A good example of this is one in which your ISP uses traffic shaping. In such cases, encrypting traffic may thwart the ISP's attempts to classify the traffic. As a result, the ISP will not throttle the traffic and, therefore, latency will decrease.
In many cases, you will need to use due diligence before implementing a VPN connection. Determine what applications you are likely to use over a VPN, and find out how well such applications perform over connections with latency. Obviously, online games and VoIP applications can suffer from higher latency. Microsoft file sharing (SMB) and Microsoft's Remote Desktop Protocol are protocols that fall into the category of latency-sensitive. Depending on which side of the cost-benefit analysis you fall on, you may find that the improved performance justifies the cost of a private WAN circuit, or you may find that the improved savings justify the performance degradation of a VPN connection. Should you opt for a VPN, you needn't accept poor performance, however. Later in the chapter, we will discuss ways of tweaking network settings to improve performance.
There are several different types of VPN deployment:
- Client-server: We have already discussed this briefly. A VPN tunnel is used to connect one or more mobile clients to a company's (or individual's) local network. The encryption provided by the VPN guarantees that data privacy is maintained. This is probably the most likely use case, if you are setting up a VPN for use with pfSense. It should be noted that the client-server relationship can be inverted: pfSense can act as the client and connect to a remote server. This is one of the ways that we can connect to a VPN provider.
- Peer-to-peer: A VPN tunnel is created between two private networks. An example of this would be connecting a main corporate office with a satellite office location. In this case, setting up a VPN between the two locations is cheaper than a leased line. The beauty of this setup is that if the tunnel fails for any reason, we can re-establish the connection from either end.
- Hidden network: There may be cases where data is too sensitive or confidential to place on the main corporate network. This data might be located on a subnet that is physically disconnected from the rest of the network. In such cases, a VPN can provide us with a means of connecting to this subnet, establishing a private network within a private network.
VPNs can also be utilized to provide additional security for wireless connections. We can require wireless clients to log in through a VPN. By doing so, we can force them to provide additional authentication. The VPN will also provide a layer of encryption in addition to the encryption that the wireless protocol gives us, making the connection that much more secure.
No discussion of VPN fundamentals would be complete without an overview of the VPN protocols that can be used, as well as the advantages and disadvantages of each one. Our overview will cover the three protocols currently supported by pfSense: IPsec, L2TP, and OpenVPN.