VPNs, Encryption & Secure Protocols
45 min
Virtual Private Networks (VPNs)
A VPN creates an encrypted tunnel over a public network (the internet), allowing remote users or branch offices to connect securely to a private network as if they were physically on it.
VPN PROTOCOLS COMPARISON
─────────────────────────────────────────────────────────
Protocol      Encryption   Speed    Security    Use Case
─────────────────────────────────────────────────────────
OpenVPN       AES-256      Medium   Very High   Corporate VPN
WireGuard     ChaCha20     Fast     Very High   Modern standard
IKEv2/IPSec   AES-256      Fast     Very High   Mobile devices
L2TP/IPSec    AES-256      Medium   High        Legacy systems
PPTP          RC4          Fast     BROKEN ❌   Never use
─────────────────────────────────────────────────────────
IPSec — Internet Protocol Security
IPSec operates at the network layer and provides authentication and encryption for IP packets. It has two modes:
- Transport Mode — Encrypts only the payload; the original IP header is kept. Used for end-to-end communication between two hosts.
- Tunnel Mode — Encrypts the entire original packet and wraps it in a new IP header. Used for site-to-site VPNs between gateways.
TLS 1.3 — Transport Layer Security
TLS 1.3 is the current gold standard for securing communication over the web (HTTPS). Key improvements over TLS 1.2:
- Removed weak cipher suites (RC4, 3DES, SHA-1)
- 1-RTT and 0-RTT handshakes (faster)
- Forward secrecy mandatory (ECDHE key exchange)
- Simplified: only 5 cipher suites supported
SSH — Secure Shell
SSH provides encrypted remote access to systems. Best practices for hardening an SSH server:
SSH HARDENING CHECKLIST
✅ Use SSH key authentication (disable password auth)
✅ Change default port 22 to non-standard port
✅ Use Ed25519 or 4096-bit RSA keys
✅ Configure fail2ban to block brute force
✅ Restrict SSH access by IP (firewall rules)
✅ Disable root login (PermitRootLogin no)
✅ Use the AllowUsers directive to whitelist permitted users
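As an added example (not part of the original lesson), a POSIX shell audit that checks an sshd_config text against the checklist items that live in that file: the listening port, PermitRootLogin, password versus key authentication, and AllowUsers. Both config texts are constructed samples; fail2ban, firewall rules and key types are outside sshd_config and are not checked.

```shell
#!/bin/sh
# Audit an sshd_config against the checklist items that are set in that file.
# Constructed weak sample (not taken from any real host) used to exercise the audit.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes'

# Constructed hardened counterpart that should pass every check.
HARDENED_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob'

# sshd_get KEY CONFIG_TEXT: print the value of the first active KEY line.
# sshd honours the first occurrence, so commented-out and later lines are ignored.
sshd_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# sshd_audit CONFIG_TEXT: print one "FAIL ..." line per unmet checklist item.
# Keywords absent from the file are evaluated at their sshd defaults.
sshd_audit() {
    cfg="$1"
    v=$(sshd_get Port "$cfg"); v=${v:-22}
    [ "$v" != "22" ] || echo "FAIL Port: still listening on default port 22"
    v=$(sshd_get PermitRootLogin "$cfg"); v=${v:-prohibit-password}
    [ "$v" = "no" ] || echo "FAIL PermitRootLogin: is '$v', expected no"
    v=$(sshd_get PasswordAuthentication "$cfg"); v=${v:-yes}
    [ "$v" = "no" ] || echo "FAIL PasswordAuthentication: is '$v', expected no"
    v=$(sshd_get PubkeyAuthentication "$cfg"); v=${v:-yes}
    [ "$v" = "yes" ] || echo "FAIL PubkeyAuthentication: is '$v', expected yes"
    v=$(sshd_get AllowUsers "$cfg")
    [ -n "$v" ] || echo "FAIL AllowUsers: not set, so every account may log in"
}

# sshd_audit_count CONFIG_TEXT: number of failed checks (0 means the file passes).
sshd_audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

sshd_audit "$SAMPLE_CONFIG"
```

Run it against a real file with `sshd_audit "$(cat /etc/ssh/sshd_config)"`; the weak sample above reports three failures (port, root login, AllowUsers) and the hardened one reports none.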