Fundamentals of
Protected Virtual
Network Technologies
VPN Architecture • Tunneling Protocols • Cryptography • Security Standards
Comprehensive guide to understanding, designing and securing virtual private networks
Network Security | Virtual Private Networks | Cryptographic Protocols
Table of Contents
What we will cover in this presentation
01 What Is a VPN? (Core concepts and definitions)
02 VPN Architecture & Components (Building blocks of virtual networks)
03 Tunneling Protocols (PPTP, L2TP, OpenVPN, WireGuard)
04 Encryption & Cryptography (Symmetric, asymmetric, hashing)
05 Authentication Mechanisms (Certificates, MFA, RADIUS)
06 VPN Topologies (Site-to-site, remote access, MPLS)
07 IPsec Protocol Suite (AH, ESP, IKE and security associations)
08 SSL/TLS-Based VPNs (HTTPS tunnels and web-based access)
Fundamentals of Protected Virtual Network Technologies
What Is a VPN?
Virtual Private Network — core concept
Definition
A Virtual Private Network (VPN) creates an encrypted, secure "tunnel" through a public network (such as the Internet), allowing remote users or offices to connect privately — as if directly linked on a local network.
Confidentiality
All traffic is encrypted — unreadable to eavesdroppers.
Integrity
Data is protected from tampering during transit.
Authentication
Only authorized users can establish a VPN connection.
Anonymity
Masks real IP address; hides identity from third parties.
VPN Architecture & Components
The building blocks of a virtual private network
VPN Server
Central endpoint accepting inbound tunnels. Manages encryption and routing of all VPN traffic.
VPN Client
Software on the user device that initiates the encrypted tunnel and authenticates the user.
VPN Gateway
Hardware/software bridge between the private network and public internet — encrypts outbound data.
Auth Server (AAA)
RADIUS or LDAP server verifying user identity, authorization, and logging access records.
PKI / CA
Public Key Infrastructure issuing digital certificates for mutual device authentication.
Tunnel Interface
Virtual network adapter created per-session — carries encrypted payload across the public network.
Tunneling Protocols
How data is encapsulated and transmitted securely
Protocol | Year | Encryption | Security | Notes
PPTP | 1999 | MPPE 128-bit | Low | Point-to-Point Tunneling Protocol. Fast but outdated — vulnerable to modern attacks. Avoid for new deployments.
L2TP/IPsec | 2001 | AES-256 | High | Layer 2 Tunneling Protocol wrapped in IPsec. Strong security, but double encapsulation adds overhead.
OpenVPN | 2001 | AES-256-GCM | High | Open-source SSL/TLS-based protocol. Highly configurable, firewall-friendly over UDP/TCP port 443.
IKEv2 | 2005 | AES-256 | High | Internet Key Exchange v2. Excellent for mobile clients due to MOBIKE — seamlessly re-establishes after drops.
WireGuard | 2020 | ChaCha20 | Very high | Modern, minimalist VPN with only ~4,000 lines of code. Extremely fast and cryptographically sound.
SSTP | 2007 | AES-256 | High | Secure Socket Tunneling Protocol — Microsoft proprietary. Travels over HTTPS; great for Windows environments.
Encryption & Cryptography
The mathematical backbone of VPN security
Symmetric Encryption
Example: AES-256-GCM
Asymmetric Encryption
Example: RSA-2048 / ECDH
Cryptographic Hashing
Example: HMAC-SHA-256
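The integrity property on this slide (HMAC-SHA-256) is easy to see in working code. The following is an added example, not code from the original presentation; the key and packet bytes are constructed for illustration, and a real VPN would derive the key from its key exchange. It also shows why the keyed construction matters: an unkeyed hash can simply be recomputed over modified bytes.

```python
import hashlib
import hmac

# Constructed sample values; a real VPN derives the integrity key from IKE, Noise or TLS.
KEY = bytes.fromhex("00" * 31 + "01")  # 256-bit integrity key (illustrative)
PACKET = b"src=10.0.0.5 dst=10.0.1.9 proto=TCP payload=GET /payroll"


def make_tag(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA-256 over the payload: the integrity check value appended to each protected packet."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_tag(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time so the check does not leak how many bytes matched."""
    return hmac.compare_digest(make_tag(key, payload), tag)


def plain_digest(payload: bytes) -> bytes:
    """An unkeyed SHA-256 'checksum', included only to contrast with HMAC."""
    return hashlib.sha256(payload).digest()


def tamper(packet: bytes) -> bytes:
    """Model an on-path modification: the packet is redirected to a different internal host."""
    return packet.replace(b"dst=10.0.1.9", b"dst=10.0.1.7")


def keyed_check() -> tuple:
    """Returns (genuine packet accepted, tampered packet rejected) under HMAC-SHA-256."""
    tag = make_tag(KEY, PACKET)
    return verify_tag(KEY, PACKET, tag), not verify_tag(KEY, tamper(PACKET), tag)


def unkeyed_check() -> bool:
    """Returns True if a modified packet passes an unkeyed-hash check.
    Without a secret key, whoever modifies the bytes can recompute the digest too."""
    forged = tamper(PACKET)
    forged_digest = plain_digest(forged)  # no secret needed to produce this
    return hmac.compare_digest(plain_digest(forged), forged_digest)


if __name__ == "__main__":
    print("HMAC: genuine accepted / tampered rejected:", keyed_check())
    print("Plain hash: tampered packet accepted:", unkeyed_check())
```

The receiver must always use `hmac.compare_digest` (or an equivalent constant-time comparison) rather than `==`; in IPsec the same pattern is what the ESP/AH integrity check value provides per packet.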
Authentication Mechanisms
Verifying identity before granting VPN access
Who can connect? Authentication ensures only legitimate users and devices can establish VPN tunnels.
Pre-Shared Keys (PSK)
Simple shared password between peers. Easy to deploy but hard to manage at scale.
Digital Certificates (PKI)
X.509 certificates issued by a CA; each party proves identity cryptographically.
RADIUS / LDAP / AD
Centralized user directory. VPN gateway queries an external auth server per login.
Multi-Factor Authentication
Combines something you know (password) + have (OTP token) + are (biometric).
VPN Topologies
Different deployment models for different use cases
Remote Access VPN
Use case: Individual users connecting from home / road
Site-to-Site VPN
Use case: Connecting two or more fixed offices permanently
Extranet VPN
Use case: Connecting business partners and vendors securely
MPLS VPN
Use case: Carrier-grade enterprise WAN connectivity
IPsec Protocol Suite
Internet Protocol Security — the industry-standard VPN framework
IKE (Internet Key Exchange)
Negotiates SAs, exchanges keys (DH), establishes secure channels — IKEv1 or IKEv2
AH — Authentication Header
Provides data integrity and origin authentication. No encryption — header only
ESP — Encapsulating Security Payload
Provides confidentiality (encryption), integrity, and optional authentication
Security Association (SA)
One-directional agreement defining algorithm, key, and duration for each direction
IPsec Modes: Transport Mode (host-to-host, encrypts payload only) | Tunnel Mode (encrypts entire IP packet — used in site-to-site VPN)
SSL/TLS-Based VPNs
Secure socket layer tunneling for web-friendly remote access
How It Works
SSL/TLS VPNs use the same HTTPS protocol that protects websites — running over TCP port 443.
Two main types:
Portal VPN: User logs into a web browser. Gets access to specific internal applications only — no full tunnel.
Tunnel VPN: Full network-layer tunnel via a lightweight plugin or client. All traffic routed through VPN.
No client install required
Portal-mode works in any browser — ideal for BYOD and unmanaged devices.
Passes through most firewalls
Port 443 is rarely blocked — unlike IPsec UDP 500/4500 which may be filtered.
Per-app access control
Granular policies restrict which apps a user can reach after authentication.
TCP overhead in tunnel mode
Running TCP inside TCP causes retransmit storms — UDP preferred for inner traffic.
WireGuard — Modern VPN Protocol
The next-generation cryptographically opinionated VPN
~4,000 lines of code (vs. 600,000 in OpenVPN)
Cipher: ChaCha20 with Poly1305 authentication
Key exchange: Curve25519 (elliptic-curve DH)
Handshake: Noise IK (1-RTT connection setup)
Advantages
Technical Highlights
Key Exchange & Perfect Forward Secrecy
How session keys are generated without prior secrets
Diffie-Hellman Key Exchange — Two parties derive the same secret over a public channel without ever transmitting it
Public parameters (agreed in the clear): g (generator), p (large prime)
Alice: generates private key a; computes A = g^a mod p
Bob: generates private key b; computes B = g^b mod p
Both compute the same shared secret: K = B^a mod p = A^b mod p
Perfect Forward Secrecy (PFS)
With PFS enabled, a unique ephemeral DH key pair is generated for EACH session. If an attacker later compromises the server's long-term private key, they cannot decrypt previously recorded sessions — because each session key was discarded after use and never stored.
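The exchange above and the PFS argument can be run end to end. This is an added example, not part of the original presentation: it uses a constructed toy group (p = 2^31 - 1 with generator 7, far too small for real use; production VPNs use 2048-bit or larger MODP groups or Curve25519) and simulates an attacker who records traffic and later obtains the server's long-term private key. Sessions where the server reused that key are recoverable; sessions that used a fresh ephemeral key pair are not.

```python
import secrets

# Constructed toy group so the numbers stay readable: p = 2^31 - 1 is prime and 7 is a
# primitive root modulo p. Real deployments use RFC 3526 MODP groups or Curve25519.
P = 2**31 - 1
G = 7


def keygen() -> tuple:
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    """K = peer_pub^priv mod p; both sides agree because (g^a)^b = (g^b)^a."""
    return pow(peer_pub, priv, P)


def one_exchange() -> tuple:
    """Alice and Bob each generate a key pair and derive K; returns (A, B, K_alice, K_bob)."""
    a, A = keygen()
    b, B = keygen()
    return A, B, shared_secret(a, B), shared_secret(b, A)


def sessions_without_pfs(server_priv: int, server_pub: int, n: int) -> list:
    """No PFS: the server reuses its long-term DH key for every session.
    Each record is (client public value seen on the wire, the true session key)."""
    out = []
    for _ in range(n):
        a, A = keygen()
        out.append((A, shared_secret(a, server_pub)))
    return out


def sessions_with_pfs(n: int) -> list:
    """PFS: the server generates a fresh ephemeral key pair per session and discards it.
    Only (A, B) is visible on the wire; each record is (A, B, true session key)."""
    out = []
    for _ in range(n):
        a, A = keygen()
        b, B = keygen()  # ephemeral server key, never stored
        out.append((A, B, shared_secret(a, B)))
    return out


def recovered_after_compromise(n: int = 5) -> tuple:
    """Record n sessions of each kind, then simulate theft of the server's long-term key.
    Returns (all no-PFS sessions recovered, any PFS session recovered)."""
    lt_priv, lt_pub = keygen()
    static = sessions_without_pfs(lt_priv, lt_pub, n)
    ephemeral = sessions_with_pfs(n)
    # The attacker replays the server's side of each recorded exchange with the stolen key.
    static_hit = all(shared_secret(lt_priv, A) == k for A, k in static)
    ephemeral_hit = any(shared_secret(lt_priv, A) == k for A, B, k in ephemeral)
    return static_hit, ephemeral_hit


if __name__ == "__main__":
    A, B, ka, kb = one_exchange()
    print("keys agree:", ka == kb)
    print("(no-PFS recovered, PFS recovered):", recovered_after_compromise())
```

In IKEv2 the ephemeral exchange is the KE payload of the IKE_SA_INIT and, with PFS enabled, of each CREATE_CHILD_SA rekey; in WireGuard it is the ephemeral Curve25519 pair of every Noise IK handshake.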
Split Tunneling vs. Full Tunneling
Controlling which traffic routes through the VPN
Full Tunnel
ALL traffic — including internet browsing — is routed through the VPN gateway.
Advantages:
Trade-offs:
Split Tunnel
Only traffic destined for corporate resources routes via VPN. Internet traffic goes direct.
Advantages:
Trade-offs:
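The full-tunnel versus split-tunnel decision is made by the host routing table using longest-prefix match. The following added example (not from the original presentation) models both tables and shows two failure modes a practitioner checks for: a split tunnel whose resolver is reached outside the VPN (DNS leak) and a "full" tunnel that only routes IPv4, so IPv6 traffic bypasses it. Interface names, prefixes and resolver addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed routing tables as (destination prefix, outgoing interface); tun0 is the VPN adapter.
FULL_TUNNEL = [("0.0.0.0/0", "tun0"), ("::/0", "tun0")]
FULL_TUNNEL_V4_ONLY = [("0.0.0.0/0", "tun0")]  # common mistake: IPv6 left unrouted
SPLIT_TUNNEL = [
    ("10.0.0.0/8", "tun0"),       # corporate address space via VPN
    ("172.16.0.0/12", "tun0"),
    ("10.99.0.0/16", "eth0"),     # more specific exception (e.g. a guest segment) goes direct
    ("0.0.0.0/0", "eth0"),        # everything else goes direct
    ("::/0", "eth0"),
]


def select_interface(dst: str, routes) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins, as in any host routing table.
    Returns None when no route of the right address family matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface


def dns_leaks(resolver: str, routes) -> bool:
    """A DNS leak: queries to the configured resolver leave on a non-VPN interface (or have no route)."""
    return select_interface(resolver, routes) != "tun0"


def classify(destinations, routes) -> dict:
    """Map each destination to the interface it would use under the given table."""
    return {d: select_interface(d, routes) for d in destinations}


if __name__ == "__main__":
    targets = ["10.1.2.3", "10.99.1.1", "93.184.216.34", "2001:db8::1"]
    print("split:", classify(targets, SPLIT_TUNNEL))
    print("full (v4 only):", classify(targets, FULL_TUNNEL_V4_ONLY))
    print("DNS leak with 8.8.8.8 on split tunnel:", dns_leaks("8.8.8.8", SPLIT_TUNNEL))
```

The `None` result for an IPv6 destination under the IPv4-only table is the case a kill switch must cover: if the host has native IPv6, that traffic does not fail, it simply bypasses the tunnel.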
Common VPN Vulnerabilities & Attacks
Threats to be aware of and mitigate
Man-in-the-Middle
Attacker intercepts VPN handshake to impersonate the server. Mitigate with certificate pinning and MFA.
Credential Stuffing
Automated login attacks using leaked username/password pairs. Enforce MFA and account lockout policies.
DNS / IP Leaks
Real IP or DNS queries escape VPN tunnel. Mitigate with DNS leak tests and kill switches.
Outdated Protocols
PPTP and early IKEv1 are broken. Keep VPN software updated and disable legacy cipher suites.
Misconfiguration
Default keys, weak PSK passwords, open management ports. Follow CIS benchmarks for VPN hardening.
Unpatched CVEs
VPN appliances (e.g. Pulse Secure, Fortinet) frequently have critical CVEs. Patch within 24–48 hours.
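Credential stuffing is the attack on this slide that gateway logs reveal most directly: one source trying many different usernames, each only once or twice, as opposed to a brute-force run against a single account. The following added example (not from the original presentation) parses constructed VPN authentication events and classifies each source address; the log format, hostnames and addresses are invented for the demonstration and would need adapting to a real gateway's format.

```python
import re
from collections import defaultdict

# Constructed sample of gateway authentication events (not real log output).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn-gw auth result=fail user=alice src=203.0.113.7
2024-05-01T08:00:02Z vpn-gw auth result=fail user=bob src=203.0.113.7
2024-05-01T08:00:02Z vpn-gw auth result=fail user=carol src=203.0.113.7
2024-05-01T08:00:03Z vpn-gw auth result=fail user=dave src=203.0.113.7
2024-05-01T08:00:03Z vpn-gw auth result=ok user=erin src=203.0.113.7
2024-05-01T08:00:04Z vpn-gw auth result=fail user=frank src=203.0.113.7
2024-05-01T08:01:10Z vpn-gw auth result=fail user=alice src=198.51.100.20
2024-05-01T08:01:15Z vpn-gw auth result=ok user=alice src=198.51.100.20
2024-05-01T08:02:00Z vpn-gw auth result=fail user=root src=192.0.2.99
2024-05-01T08:02:01Z vpn-gw auth result=fail user=root src=192.0.2.99
2024-05-01T08:02:02Z vpn-gw auth result=fail user=root src=192.0.2.99
2024-05-01T08:02:03Z vpn-gw auth result=fail user=root src=192.0.2.99
2024-05-01T08:02:04Z vpn-gw auth result=fail user=root src=192.0.2.99
2024-05-01T08:02:05Z vpn-gw auth result=fail user=root src=192.0.2.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> list:
    """Turn log lines into dicts with ts/result/user/src; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, min_attempts: int = 5, stuffing_user_ratio: float = 0.6) -> dict:
    """Per source address: count attempts, failures and distinct usernames.
    Many distinct users from one source -> credential stuffing; one user hammered -> brute force."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = stats[e["src"]]
        s["attempts"] += 1
        s["fails"] += e["result"] == "fail"
        s["users"].add(e["user"])
    verdicts = {}
    for src, s in stats.items():
        if s["attempts"] < min_attempts:
            verdicts[src] = "normal"
        elif len(s["users"]) / s["attempts"] >= stuffing_user_ratio:
            verdicts[src] = "credential_stuffing"
        elif len(s["users"]) == 1:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "suspicious"
    return verdicts


def compromised_accounts(events, verdicts) -> set:
    """Usernames that logged in successfully from a source flagged as credential stuffing:
    these are the accounts to reset and review first."""
    return {e["user"] for e in events
            if e["result"] == "ok" and verdicts.get(e["src"]) == "credential_stuffing"}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    v = classify_sources(ev)
    print(v)
    print("successful logins from stuffing sources:", compromised_accounts(ev, v))
```

The successful login for `erin` from the flagged source is the detail that matters operationally: a stuffing run that produces even one `ok` has found a reused password, which is why MFA is the control that actually stops this class of attack rather than lockout alone.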
VPN Best Practices & Hardening
Essential steps to secure your VPN deployment
Use AES-256-GCM or ChaCha20 encryption — never DES/3DES
Enforce IKEv2 or WireGuard — disable PPTP and L2TP without IPsec
Enable Perfect Forward Secrecy (PFS) on all VPN sessions
Require MFA for all remote access VPN users
Use certificate-based authentication over PSK where possible
Implement a VPN kill switch to block traffic if tunnel drops
Run regular DNS leak tests and fix any leakage
Patch VPN software within 24–48 hours of CVE disclosure
Never expose VPN management interface to the internet
Log and monitor all VPN connections via SIEM
Summary & Key Takeaways
1
A VPN creates an encrypted, authenticated tunnel over public infrastructure — ensuring confidentiality, integrity and access control.
2
Protocol choice matters: prefer WireGuard or IKEv2/IPsec for new deployments; avoid PPTP and unauthenticated L2TP.
3
Cryptography is the backbone: AES-256-GCM for bulk data, ECDH/DH for key exchange, HMAC-SHA-256 for integrity.
4
Always enable PFS, MFA, and certificate-based auth — the most commonly exploited VPNs lack these three controls.
5
VPNs must be actively maintained: patch promptly, monitor logs, and review topology as Zero Trust models evolve.
Protected Virtual Network Technologies • Security Through Cryptography • Continuous Hardening