As stated before, the principal use of the VPN is to attach a remote system or network to your local network as if it were sitting on a computer physically wired to it. Since the majority of modern networks use the TCP/IP network protocol suite, and thus have IP addresses identifying each computer on the network, we have a problem. Realistically speaking, if you have a home or business TCP/IP network, you are using one of the private address ranges (192.168.xxx.xxx, 10.xxx.xxx.xxx, 172.16-35.xxx.xxx).

The thing about these IP address ranges is that they are not routable, meaning they cannot pass data through the routers that connect together the public networks that make up the Internet.

This is why we always require a gateway for a private network: all traffic originating from that network will appear to be from the gateway (which will have a legitimate, routable public IP address) and not from the private addresses inside. Trouble is, if you have a local network using, say, the 192.168.5.xxx private address range and you wish to connect a remote computer to it by means of a VPN, that computer is going to need an IP address that is also in the 192.168.5.xxx private address range. The problem is that the computer needs to communicate data over the Internet using this address, which can't be done, as the first Internet router which receives a data packet from an address in this range will simply drop the packet. That is a pickle, isn't it? Never fear, there is always a solution, and that solution is called 'tunneling'.
The basic idea behind network tunneling is that you can take non-routable data packets and encapsulate them inside routable packets for transmission over the Internet. Then, at the destination, the encapsulation will be stripped off and the original data will enter the private network as if it had come from a local source.

As far as the computers on either end of the tunnel are concerned, they have a direct, point-to-point connection to each other for as long as the tunnel is in existence.
In fact, most VPN implementations use the Point-to-Point Protocol (PPP) to prepare the data for transmission, just as would be used to transmit the data over a direct connection such as dialing into the network via phone lines or ISDN. To govern the actual transmission of data through the many public networks composing the Internet, a few more layers need to be added to the basic data packets.
This procedure is known as encapsulation, and goes something like this:

PPP information is first added to the original data (and may also be used to encrypt it at this point), and then a tunneling protocol is used to encapsulate the resulting data. The tunneling protocol is the heart of the VPN: it handles authentication, forming the tunnel (data path) between the source and destination and keeping it intact over the Internet, and encrypting and decrypting data.
In order to actually transmit the data over the Internet, an additional layer needs to be added, called the carrier protocol. This layer is composed of whatever protocol is used in the network the VPN data is to be sent over; in the case of the Internet, that is an IP packet. The carrier protocol transforms the private VPN data into a form that is routable over the Internet, enabling it to reach its destination, where the carrier, tunneling protocol and PPP layers will be stripped off (provided the correct authentication has been supplied) and the original data revealed.
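The layering just described, as an added illustration that is not part of the original article: an inner packet addressed between two private 192.168.5.x hosts is wrapped in a tunnel layer (a constructed magic value plus an HMAC tag standing in for the tunneling protocol's authentication) and then in a carrier IPv4 header between two public gateway addresses. The tunnel format, key and addresses are all constructed for the demo; this is not PPTP, L2TP, GRE or IPsec.

```python
import hashlib, hmac, ipaddress, struct

TUNNEL_KEY = b"constructed-demo-key"  # placeholder shared secret for the toy tunnel
IPV4_FMT = "!BBHHHBBH4s4s"            # 20-byte IPv4 header, no options
# The private ranges the article lists (RFC 1918); Internet routers will not forward these.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_range(addr):
    """True if addr is in a non-routable private range."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_RANGES)

def ipv4_header(src, dst, payload_len, proto):
    """Minimal IPv4 header; checksum left zero because nothing here verifies it."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)

def parse_ipv4(pkt):
    """Split a packet built by ipv4_header into addresses, protocol and payload."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[20:total]}

def encapsulate(inner_pkt, gw_src, gw_dst):
    """Tunnel layer: magic + 16-byte HMAC tag over the inner packet, then a carrier IPv4
    header between the gateways' public addresses (protocol 4 = IP-in-IP)."""
    tag = hmac.new(TUNNEL_KEY, inner_pkt, hashlib.sha256).digest()[:16]
    tunnel = b"TUN1" + tag + inner_pkt
    return ipv4_header(gw_src, gw_dst, len(tunnel), proto=4) + tunnel

def decapsulate(outer_pkt):
    """Strip the carrier and tunnel layers; drop the packet if authentication fails."""
    tunnel = parse_ipv4(outer_pkt)["payload"]
    if tunnel[:4] != b"TUN1":
        raise ValueError("not a tunnel packet")
    tag, inner = tunnel[4:20], tunnel[20:]
    expected = hmac.new(TUNNEL_KEY, inner, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet dropped")
    return parse_ipv4(inner)

def demo():
    """Inner packet between two 192.168.5.x hosts, carried between two public gateways."""
    inner = ipv4_header("192.168.5.10", "192.168.5.20", 5, proto=17) + b"hello"  # 17 = UDP
    outer = encapsulate(inner, "203.0.113.7", "198.51.100.9")
    try:
        decapsulate(outer[:-1] + b"x")  # one payload byte altered in transit
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return outer, decapsulate(outer), tampered_rejected
```

Only the outer header is visible to Internet routers, so the private inner addresses never have to be routed; the receiving gateway strips the carrier and tunnel layers and refuses anything whose tag does not verify.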
Next up, we look further into
setting up secure communications via your own Virtual Private