As stated before, the principal use of the VPN is to 
attach a remote system or network to your local network as if it were 
a computer physically wired to it. Since the majority of modern 
networks use the TCP/IP protocol suite, and thus identify each 
computer on the network by an IP address, we have a problem. Realistically 
speaking, if you have a home or business TCP/IP network, you are using one 
of the private address ranges reserved by RFC 1918 (10.xxx.xxx.xxx, 172.16.xxx.xxx through 172.31.xxx.xxx, or 192.168.xxx.xxx).
  
The thing 
about these IP address ranges is that they are not publicly routable, meaning the routers that connect together 
the public networks that make up the Internet carry no routes for them and will not forward their traffic.
  
This is why we 
always require a gateway for a private network: the gateway translates the addresses (NAT), so all traffic originating 
from that network will appear to come from the gateway (which has a legitimate, 
routable public IP address) and not from the private addresses inside. The trouble is, 
if you have a local network using, say, the 192.168.5.xxx private address range 
and you wish to connect a remote computer to it by means of a 
VPN, that computer is going to need an IP address that is also 
in the 192.168.5.xxx range. The problem is that the computer needs to send data over 
the Internet using this address, which can't be done, as the first Internet router 
that receives a packet carrying an address in this range will simply 
drop the packet. That is a pickle, isn't it? Never fear, there is always 
a solution, and that solution is called 'tunneling'.
  
The 
basic idea behind network tunneling is that you take the non-routable packets and encapsulate 
them inside routable packets for transmission over the Internet. Then, at the 
destination, the encapsulation is stripped off and the original packet enters the private 
network as if it had come from a local source.

As far as the computers on 
either end of the tunnel are concerned, they have a direct, point-to-point link to each 
other for as long as the tunnel is in existence, even though the traffic actually crosses many public networks in between.
  
In fact, most 
VPN implementations of this kind use the Point-to-Point Protocol (PPP) to prepare the data for transmission, just 
as would be used to transmit the data over a direct connection such as 
dialing into the network via phone lines or ISDN. To govern the 
actual transmission of data through the many public networks composing the Internet, a few more 
layers need to be added to the basic data packets.

This procedure is known as encapsulation, and goes something like this: 
PPP framing is 
first added to the original data (PPP's own link encryption may be applied at this point), 
and then a tunneling protocol is used to encapsulate the resulting frame. The 
tunneling protocol is the heart of the VPN: it handles authentication of the endpoints, forming 
and keeping the tunnel (data path) between the source and destination intact 
over the Internet, and encrypting and decrypting the data.

In order to actually transmit the 
data over the Internet, one more layer needs to be added, called the carrier 
protocol. This layer is whatever protocol the network the 
VPN data is sent over uses; in the case of the Internet, an IP packet. The 
carrier protocol puts the private VPN data into a form that is routable 
over the Internet, enabling it to reach its destination, where the carrier, 
tunneling protocol and PPP layers are stripped off in turn (provided the tunnel 
endpoint accepts the sender's authentication) and the original data revealed. 
Note that the carrier layer itself is never encrypted: an observer on the path still 
sees the two gateways' public addresses, packet sizes and timing, even when the 
tunneled data inside is protected.
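The layering described above, as an added worked example that is not code from the original article: an IPv4 packet between two private 192.168.5.x hosts is wrapped in a GRE header (RFC 2784, standing in for the tunneling-protocol layer; PPTP uses a GRE variant) and then in an outer IPv4 header between the two gateways' public addresses (the carrier layer), and the far gateway verifies and strips both layers. It also models the article's constraint that a public router will not forward packets to or from RFC 1918 addresses. The addresses are constructed sample values (203.0.113.x and 198.51.100.x are documentation ranges standing in for real public addresses), and no PPP framing, authentication or encryption is modeled.

```python
"""IP-over-GRE-over-IP encapsulation demo (added example; not from the article).
All addresses and the payload below are constructed sample values."""
import ipaddress
import struct

IPPROTO_GRE = 47          # IANA protocol number carried in the outer IPv4 header
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for the private ranges that public Internet routers will not forward."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header, verifying version and checksum; return fields and payload."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def public_router_forwards(packet: bytes) -> bool:
    """The article's constraint: a router on the public Internet will not forward a
    packet whose source or destination is a private (RFC 1918) address."""
    h = parse_ipv4(packet)
    return not (is_rfc1918(h["src"]) or is_rfc1918(h["dst"]))


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Near gateway: add the tunneling layer (GRE header, C=0, version 0), then the
    carrier layer (outer IPv4 between the gateways' public addresses)."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    return build_ipv4(gw_src, gw_dst, IPPROTO_GRE, gre + inner)


def decapsulate(outer: bytes) -> bytes:
    """Far gateway: check and strip the carrier and GRE layers, returning the original
    packet exactly as the private host sent it."""
    h = parse_ipv4(outer)
    if h["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not a GRE carrier")
    flags_ver, gre_proto = struct.unpack("!HH", h["payload"][:4])
    if (flags_ver & 0x0007) != 0 or gre_proto != GRE_PROTO_IPV4:   # version is the low 3 bits
        raise ValueError("unsupported GRE header")
    return h["payload"][4:]


if __name__ == "__main__":
    inner = build_ipv4("192.168.5.10", "192.168.5.1", 6, b"constructed payload")
    outer = encapsulate(inner, "203.0.113.7", "198.51.100.9")
    print("inner forwardable on the Internet:", public_router_forwards(inner))  # False
    print("outer forwardable on the Internet:", public_router_forwards(outer))  # True
    print("original packet intact after decapsulation:", decapsulate(outer) == inner)  # True
```

The outer header adds 24 bytes (20 for the carrier, 4 for GRE) in front of the original packet, which is why tunnels reduce the usable MTU; and since that outer header is plaintext, the gateways' addresses remain visible to anyone on the path regardless of what the tunneling protocol encrypts inside.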
Next up, we look further into 
setting up secure communications via your own Virtual Private