“I need a VPN, because I want to protect my privacy”. As IT people, we have probably all heard that phrase, mostly from people who barely understand what a VPN is. In order to understand whether you need a VPN, you need to know what it actually is. The acronym stands for “Virtual Private Network”, and it uses encryption to tunnel data between two hosts over an untrusted network. The untrusted network can only see that two hosts exchange data, not what that data is. This sounds complicated, but I always compare it to a network cable: it is as if you could connect two computers with a very long virtual cable through a network, usually the Internet.
Reduced to the bare essence, a VPN is nothing more than a point-to-point connection between two computers. That’s it, but that is also what makes a VPN so versatile. Let’s assume that one of these computers is your desktop (or laptop), and the other is your employer’s server. This server has access to resources within the company that are not accessible from the outside. Once you set up a connection between your machine and that server, the server can relay your communications to your employer’s internal network. It “routes”1 your traffic to your employer’s internal network. This is the most common use-case for VPNs on corporate networks.
Interestingly, this is probably not the type of configuration you were looking for when you started reading this article. What you should remember is that the machine you connect to can share all its resources with you. In the above example, it’s the internal resources of your employer.
Wait! Did you just write “all its resources”?!? Indeed, “all its resources”, and that includes its full Internet connectivity. That’s probably the VPN you were looking for: a server on the Internet to which you connect, and over which you send all your Internet traffic. If you look at the traffic flow from the outside, your computer only connects to that server. If, for example, you’re on a hotel connection, anyone monitoring the hotel’s network will only see your computer connecting to one single server. It’s encrypted, so they don’t know what you do.
Now, think a bit further: the server you connected to now makes all your Internet connections for you. You’re watching Netflix? The server connects to Netflix for you. You connect to Facebook? The server connects to Facebook for you. To these sites, the connections look as if you were sitting directly at that server. The most visible consequence is that it looks as if you’re coming from the geographical region where the server is located, and not where your desktop/laptop actually is. If your server is in the UK, and you’re in Luxembourg, you could connect to the BBC and watch shows without being geoblocked. After all, from the BBC’s point of view the connection comes from the server, which is located in the UK.
There is, however, a larger consequence: whoever owns the network to which the server is connected can see what you do. If you rent that server from Amazon, Amazon can see what you do. You only shift which network can spy on you; you do not eliminate it.
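As an added example (not part of the original post), this is roughly what “the server routes your traffic” and “send all your Internet traffic over the server” come down to on a Linux VPS and a Linux client. The interface names, the tunnel subnet 10.8.0.0/24, the public address 203.0.113.10 and the local gateway are assumed placeholders; the functions only print the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Assumed names: tun0 is the VPN tunnel interface, eth0 the VPS's public
# interface, 10.8.0.0/24 the tunnel subnet, 10.8.0.1 the VPS's tunnel
# address and 203.0.113.10 its public IP (documentation range, constructed).
# By default the functions only echo each command; set APPLY=1 to run them.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Server side: turn the VPS into a router for the tunnel subnet.
vpn_server_router() {
  tun="$1"; wan="$2"; subnet="$3"
  # 1. Let the kernel forward packets between interfaces at all.
  run sysctl -w net.ipv4.ip_forward=1
  # 2. Rewrite the source address of tunnel clients to the VPS's public
  #    IP (NAT), so Internet replies come back to the VPS, not to 10.8.x.x.
  run iptables -t nat -A POSTROUTING -s "$subnet" -o "$wan" -j MASQUERADE
  # 3. Allow tunnel -> Internet; from the Internet only replies come back,
  #    so nothing on the Internet can reach the tunnel clients directly.
  run iptables -A FORWARD -i "$tun" -o "$wan" -s "$subnet" -j ACCEPT
  run iptables -A FORWARD -i "$wan" -o "$tun" -m conntrack \
      --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$wan" -o "$tun" -j DROP
}

# Client side: send every packet through the tunnel, except the tunnel's own
# encrypted packets to the VPS, which must still leave via the local gateway
# (otherwise the tunnel would try to route itself through itself).
vpn_client_full_tunnel() {
  tun="$1"; server_pub="$2"; server_tun="$3"; local_gw="$4"
  run ip route add "$server_pub/32" via "$local_gw"
  # Two /1 routes cover all of IPv4 and beat the existing /0 default route
  # (longest prefix wins), so the original default can stay for later.
  run ip route add 0.0.0.0/1 via "$server_tun" dev "$tun"
  run ip route add 128.0.0.0/1 via "$server_tun" dev "$tun"
}
```

Running `vpn_server_router tun0 eth0 10.8.0.0/24` on the VPS and `vpn_client_full_tunnel tun0 203.0.113.10 10.8.0.1 192.168.1.1` on the client prints the commands, which is a useful way to review them before setting APPLY=1.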
So when is this type of VPN appropriate?
- When you need access to resources the remote server can access.
- When you want to hide your activities from the network your desktop/laptop is on. An excellent example would be a wireless network in a café: You never know who is sniffing such a network.
- You trust the exit point (your remote server) more than your local network.
- You want to hide your geographical location.
What it does not do:
- Make you anonymous! From the Internet’s point of view, you are still you; you are just connecting from a weird location. In a certain sense it might even be worse: if you roll your own VPN, you’ll basically have one static IP address that’s wholly yours. If anything, it makes you more identifiable2.
- Protect your computer: you’re protecting network connections, nothing more. Your browser history remains on your computer, you can still get viruses, you still need to be careful. If you have a keylogger on your computer or have been compromised by three-letter agencies, no VPN will help you.
Decided you need a VPN after all?
Great! You’ll need a few things:
- Basic networking knowledge (Private/Public IPv4 addresses and routing)
- Basic Linux command line knowledge
- A Virtual Private Server (VPS). It sounds like a VPN, but isn’t one. For all intents and purposes, it’s a small server you can rent. We’ll be using Amazon Lightsail in this tutorial. It only costs 5€/month. The downside is that all Lightsail servers are in the US.
- Optionally a domain name.
- Preferably a Linux desktop. My knowledge of Windows/macOS on the desktop is limited.
1 Note that I used the verb “to route”. You may remember that the little box that connects to the Internet for you is called a “router”. That is no weird coincidence: that little box also manipulates traffic in such a way that computers on your home network can talk to computers on the Internet. It “routes” traffic. Hence the name. Any computer can be configured to do this.
2 If you rent a commercial VPN service, you’ll share your IP address with many others. You’ll be more anonymous on such a VPN. You’ll have less control, though.