How to Build a Virtual Private Network
VPNs are an excellent, cost-effective way to extend local area networks to remote networks and remote users over the Internet. Their greatest advantage is that communication between offsite subnets is as secure as if they were within a single subnet, hence the name Virtual Private Network.
The three essential elements of a VPN
1. IP encapsulation
The first essential element of a VPN system is IP encapsulation. When an IP packet carries other IP packets as its payload, this is called IP encapsulation. It makes two physically separate networks appear adjacent, as if separated only by a single router, even though they are in fact separated by many routers and gateways and may not even share the same address space.
For example, suppose two IP networks are connected through RAS (Remote Access Service) servers using PPTP (Point-to-Point Tunneling Protocol): one LAN has the network address 10.1.1 and the other 10.1.2. Each network's RAS server provides its connection to the Internet. One RAS server has the LAN address 10.1.1.1 and the ISP-assigned Internet address 250.121.13.12; the other has the LAN address 10.1.2.1 and the ISP-assigned Internet address 110.121.112.34. Now suppose a computer on the 10.1.1 network, say 10.1.1.23, needs to send an IP packet to a computer on the 10.1.2 network, say 10.1.2.99. The communication proceeds as follows.
1) The sending computer first notices that the network portion of the destination address 10.1.2.99 does not match its own network address.
2) Instead of sending the packet directly to the destination, the sender forwards it to the default gateway of its own subnet, 10.1.1.1.
3) The RAS server on the 10.1.1 network reads this packet.
4) The RAS server on the 10.1.1 network determines that the packet belongs on the 10.1.2 network subnet.
5) The RAS server encrypts this packet and encapsulates it inside another packet.
6) The RAS server, acting as a router, sends the encapsulated packet from its Internet-facing interface (assumed to have the address 24.121.13.12) to the Internet address 110.121.112.34 of the RAS server on the 10.1.2 network subnet.
7) The RAS server on the 10.1.2 network subnet reads this encapsulated, encrypted packet from its Internet interface.
8) The RAS server on the 10.1.2 network subnet decrypts the encapsulated IP packet and verifies that it is a valid IP packet, i.e. that it has not been altered and comes from a trusted source.
9) The RAS server on the 10.1.2 network subnet sends the packet from its LAN adapter to the destination address 10.1.2.99 on its subnet.
10) The target computer reads this packet.
This is the IP encapsulation process for a simple VPN.
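Steps 5 through 9 above, worked through as an added example that is not from the original article: the sending RAS server encrypts and authenticates the LAN packet and wraps it in an Internet-addressed outer packet, and the receiving RAS server checks the peer, verifies the tag, decrypts, and confirms the inner packet is a valid IPv4 packet for its own subnet. The cipher here (HMAC-SHA256 in counter mode with encrypt-then-MAC) is a stand-in so the code runs with only the standard library; PPTP's real framing and cipher are not reproduced, and the key and payload are constructed for the demo.

```python
import hashlib, hmac, ipaddress, os, socket, struct

def ip_checksum(data):
    # RFC 1071 one's-complement sum; a header with a correct checksum sums to 0.
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_packet(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header without options (version 4, IHL 5, TTL 64).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def addresses(packet):
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def subkeys(key):
    # Separate encryption and MAC keys derived from the shared tunnel key.
    return [hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac")]

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in PRF; a real VPN uses a vetted AEAD cipher.
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC: output is nonce || ciphertext || 32-byte tag.
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: packet altered or not from the tunnel peer")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def encapsulate(inner, key, outer_src, outer_dst):
    # Steps 5-6: encrypt the LAN packet and wrap it in an Internet-addressed packet.
    return ipv4_packet(outer_src, outer_dst, 4, seal(key, inner))

def decapsulate(outer, key, expected_peer, local_net):
    # Steps 7-9: accept only the known peer, verify and decrypt, validate the inner packet.
    if addresses(outer)[0] != expected_peer:
        raise ValueError("outer packet is not from the expected tunnel peer")
    inner = unseal(key, outer[20:])
    if len(inner) < 20 or inner[0] >> 4 != 4 or ip_checksum(inner[:20]) != 0:
        raise ValueError("decrypted payload is not a valid IPv4 packet")
    if ipaddress.ip_address(addresses(inner)[1]) not in ipaddress.ip_network(local_net):
        raise ValueError("inner destination is not on the local subnet")
    return inner
```

A flipped bit anywhere in the outer payload, a packet from an unexpected peer, or an inner destination outside the local subnet is rejected before anything reaches the LAN, which is the check step 8 describes.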
2. Encrypted authentication
Password authentication is used to securely and efficiently authenticate remote users so that the system can determine the appropriate level of security for that user. For example, a VPN may use password authentication to determine whether a user can participate in an encrypted channel.
3. Data payload encryption
Data payload encryption is used to encrypt the data being encapsulated.
Domestic and international VPN products
VPN is an emerging technology. It is cheaper than a dedicated WAN, but slower than a LAN and less secure than a standalone LAN or WAN. Many large domestic and foreign network security companies have launched their own VPN products; most of these are bundled with the vendor's own firewall, while some companies offer the VPN as a separate product. Domestic products include the SJW11 network cryptograph (VPN) product from Tianrongxin and the forthcoming NetEye VPN from Dongda Alpine.