
VPN Security: What You Need to Know

VPN usage is on the rise, due in part to growing privacy concerns around the globe. Many users have also started using a VPN to bypass geo-restricted content, such as their favorite Netflix or Hulu shows. Regardless of the reasons behind VPN usage, users need to know the fundamentals of VPN security to make the most of the service they’re paying for.

You may worry about the security of VPNs, but a little knowledge can go a long way toward peace of mind. While VPNs may seem complex and the terminology confusing, there are only a few things you need to know to safely use a VPN.

Today, we’re going to break down the topic of VPN security into its basic components to put your mind at rest and simplify the process of finding the right VPN for you.

What Is a VPN?

VPN is technical jargon for Virtual Private Network. In a nutshell, it is a secured, encrypted connection between your computer and a VPN provider designed to keep your communications private.

Example Usage

When you browse the Internet from your computer the traffic flows like this:

  • Your computer makes a request for a certain page
  • That request travels to your ISP’s server, either over your home network or whatever network you are connected to at that time
  • The ISP’s DNS servers translate the domain name (e.g. www.google.com) into an IP address and request the page on your behalf
  • The ISP sends the results back to your computer

This is an overly simplified example, of course, but it’s enough to get us started. For a more detailed look, check out our VPN guide.

Why You Need a VPN

In the example above your requests are forwarded over the network to your ISP. If you’re connected to a public Wi-Fi network, say at a library or coffee shop, your request travels over their network and is forwarded to their respective ISP.

The problem with this process is that a hacker or eavesdropper could be watching the network and logging the traffic. You have to trust your ISP’s security or the security of whatever network you’re connected to.

If you’ve seen the recent news, you know that you can no longer trust your ISP not to spy on you. This is where a VPN comes into play. Instead of making a request to your ISP, all of your traffic is encrypted and forwarded to your VPN provider.

The VPN provider forwards all of your traffic to its destination and then back to you. The only connection your ISP will see is your connection to your VPN provider: all of your emails, web browsing, chat, downloads and other traffic will be tunneled through a private, secure server.

Your home connection also has an IP address which can be used to track and monitor your activity. Think of an IP address as your digital street address. When you connect to a VPN server you’ll be using the same IP address as thousands of other users, making it next to impossible to tell which user you are.

VPNs Serve Many Purposes

Many users own multiple devices they use on a daily basis, such as a phone, tablet, and laptop. Each of these devices can connect to a wireless network, and each one offers a new target for attackers.

If you ever connect to a network you don’t own and trust, you’re putting yourself at risk. Public Wi-Fi networks should never be trusted and a VPN will help keep your devices safe and your data away from prying eyes.

Due to copyright law or licensing issues, dedicated fans are often denied access to their favorite shows for months or years simply because of the country they live in. Geo-blocking, as it is called, restricts content to people in specific areas of the world.

When you subscribe to a VPN you are typically given a large list of servers to select from. If there is something you want to watch that is only available in the U.S., and you live across the globe, you can simply select a VPN server in the U.S. and bypass the geo-blocking.

Another common reason for VPN usage is to evade censorship. The Internet is a great tool for democracy and allows the oppressed a means to speak out and be heard, but without a VPN it can be quite dangerous. Some areas of the world only have access to a heavily restricted Internet — China has the “Great Firewall,” for example.

A VPN will allow you to stealthily tunnel past such a firewall and remain anonymous online. A VPN is an important tool for free speech and privacy activists all over the world.

If you do any torrenting you might also benefit from a VPN. We don’t advocate illegal filesharing, but if you’re downloading legal torrents your IP address is visible to all the other torrent users who are downloading the same file you are — this is by design and it’s what makes torrenting so popular: each user shares the file with others, and the net result is faster downloads.

You can avoid having your IP address visible, however, by using a VPN. TorGuard, short for Torrent Guard, is a VPN provider that markets its service specifically to torrent users. Many providers have specific servers dedicated to torrent users, so check with your provider to see its stance on torrenting.

As you can see, VPNs can be used for many different purposes, but the end result is the same: increased privacy and security for your online activities. Now that we’ve covered the benefits, let’s take a look at what you need to know about VPN security.

VPN Protocols

There’s a great deal of technical jargon surrounding VPNs that can make it confusing for first-time users. PPTP, L2TP and OpenVPN are three of the most common terms you’ll encounter and we’ll start with a brief explanation of those protocols.

Encryption is the key to keeping data safe as it travels over the Internet, and it’s the cornerstone of VPN technology. There are many different cryptographic protocols and libraries in use by VPN providers, such as IPsec or SSL, but there are only a few major ones that users need to know about.

IPsec was developed by the Internet Engineering Task Force (IETF) to securely transfer data across a public network. L2TP, short for Layer 2 Tunneling Protocol, typically relies on IPsec for encryption. It is usually configured with 256-bit AES keys and is considered safe, with no known vulnerabilities.

Unfortunately, the documents leaked by whistleblower Edward Snowden show that the NSA may be able to compromise IPsec by attacking routers or servers and stealing the keys. They can’t break the encryption, however, which means L2TP/IPsec is still a solid VPN protocol.

PPTP was developed by Microsoft and is one of the fastest and simplest VPN protocols — however, it is known to have several vulnerabilities and is nowhere near as reliable as L2TP or OpenVPN. You should avoid using PPTP if possible.

The vulnerabilities in PPTP were revealed in 1999 by two security experts, the writer Bruce Schneier and the hacker known as Mudge. While Microsoft addressed some of the security concerns they presented, there are still some weaknesses in PPTP.

Namely, the protocol is still vulnerable to offline password cracking, and it is considered “broken by design,” meaning the underlying technology can’t be fixed so users should choose a more modern, secure protocol such as OpenVPN or L2TP/IPsec.

OpenVPN is a widely used, open-source technology that works across almost all platforms. OpenVPN uses the OpenSSL library for encryption, which can support many different encryption algorithms.

There are also no known vulnerabilities or weaknesses in OpenVPN, and it’s considered extremely secure when used with the proper encryption, such as AES-256. It’s incredibly reliable and typically has better performance than L2TP/IPsec.

You can also bypass firewalls by configuring OpenVPN to use port 443, the port used for browsing websites securely. This makes your VPN traffic appear as simple web surfing, a convenient feature for those stuck behind a restrictive firewall.
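As an added example (not the article’s or any provider’s file), here is an OpenVPN client configuration that pins the connection to TCP port 443 as described above and limits the client to modern ciphers; the server name vpn.example.net and the certificate file names are assumptions.

```conf
# Added example OpenVPN client config. Assumptions: the provider's endpoint
# is vpn.example.net and its CA, client certificate and key are the files
# named below (all placeholders, not from the article).
client
dev tun

# TCP on port 443, the port used for HTTPS. UDP on 1194 is the default and
# is usually faster, so only use this where UDP or other ports are blocked.
proto tcp
remote vpn.example.net 443
resolv-retry infinite
nobind
persist-key
persist-tun

# Only accept AES-GCM for the data channel and SHA256 for the HMAC, and
# refuse TLS versions older than 1.2, so a weaker server-side offer is
# rejected instead of silently accepted.
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2

# Require that the server's certificate carries the "server" key usage, so a
# client certificate issued by the same CA cannot impersonate the server.
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key

verb 3
```

If your provider still runs OpenVPN 2.4, the `data-ciphers` line is spelled `ncp-ciphers` there; the rest is unchanged.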

To recap, avoid PPTP if at all possible. Use L2TP/IPsec or OpenVPN when available. Most, if not all, VPN providers have their own software installers that make setting up an OpenVPN client dead simple, and installation typically takes less than a few minutes.

Log Retention and Payment Options

If you want to retain your anonymity, you’ll want a provider that does not retain logs. This means that when users access a VPN server the provider does not store information about you, such as where you logged in from, what websites you requested or the time you were using the VPN.

In the event an attacker tries to coerce your provider into giving up user information, your provider can simply show attackers the empty logs. It’s best to read your provider’s policy on logging, as there are strong data retention laws in some countries that require service providers to maintain some sort of log of user activity.

In addition to zero logging, if you want anonymity you should find a provider that accepts cash or bitcoin. Mullvad, a Swedish VPN provider, is one of many providers that accept cash or bitcoin — Mullvad even offers a 10 percent discount since bitcoin has no transaction fees or other costs.

It’s easy to get started with bitcoin, even if you’re not sure how it works. Using this cryptocurrency to pay for your VPN will go a long way towards remaining anonymous.

One last feature to keep in mind is the so-called “killswitch.” This option, when enabled, will disconnect your web browser, torrent client, or other software whenever your VPN connection is lost. This prevents your true IP address from being leaked without your knowledge in the event your VPN connection drops unexpectedly.

When you install your provider’s client software there will typically be a setting for this under the options. It’s a great fail-safe and should be used to ensure your privacy.
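For readers who want the same protection at the operating-system level rather than inside one client, here is an added example (not from the article or any provider) of a kill switch written as an nftables ruleset for a Linux machine: it lets packets leave on the physical network card only if they are the encrypted tunnel itself, so when the tunnel drops nothing can fall back to the real address. The interface names, the LAN range and the VPN server address 203.0.113.10 (a documentation-range placeholder) are assumptions.

```conf
#!/usr/sbin/nft -f
# Added example kill switch, not from the article. Assumptions: physical NIC
# is eth0, the VPN interface is tun0, the LAN is 192.168.1.0/24 and the VPN
# server is 203.0.113.10 on UDP 1194 (placeholder address).
flush ruleset

table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        # Local traffic and replies to connections already allowed.
        oifname "lo" accept
        ct state established,related accept

        # Keep the home network usable (router admin page, printers).
        ip daddr 192.168.1.0/24 accept

        # The only packets permitted on the physical NIC are those of the
        # tunnel itself, so the VPN can connect and reconnect. Use the
        # server's IP in the client config: with DNS blocked on eth0, a
        # hostname could not be resolved before the tunnel is up.
        oifname "eth0" ip daddr 203.0.113.10 udp dport 1194 accept

        # Everything else must travel inside the tunnel. If tun0 is down
        # these packets have no permitted path and are dropped rather than
        # leaking over eth0 with your real address. IPv6 on eth0 is not
        # listed anywhere above, so it is dropped by the chain policy too.
        oifname "tun0" accept

        # Count and log what was blocked so a leak attempt is visible.
        counter log prefix "killswitch-drop: " drop
    }
}
```

Load it with `nft -f` before starting the VPN client and check `nft list ruleset` afterwards; the counter on the final rule tells you how many packets would have leaked.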

Conclusion

As we find ourselves relying more and more on cloud services and multiple devices all connected to the Internet, it is vital that we stay informed and take steps to ensure our privacy online. It may seem complicated at first glance, but in reality it can be broken down into a few basic steps:

  • Pick a VPN provider that you think meets your needs
  • Configure the VPN on all of your devices, including your phone
  • Pay with bitcoin when possible, and use a provider that doesn’t log
  • Enable any features your provider includes, such as the killswitch

___
by James Crace
source: Cloudwards