The network is called virtual because its nodes are joined not by physical lines but by virtual connections created by the VPN software (SW).
It is private because only nodes belonging to the company that created the network can connect to it, not everyone. Each node of the network needs VPN software in order to participate in the VPN, and it must hold the keys and certificates that grant access to the VPN's nodes and cryptographically protect the data transmitted.
Thus a VPN can join a company's resources (servers and workstations) into a single secure virtual network built on top of the Internet. Employees working remotely (from home or from another country) then work as if they were on the company's own network. A VPN is also suitable for joining the company's geographically separated offices.
OpenVPN transmits data over the network using the TCP or UDP protocol through the TUN/TAP driver. The TUN driver together with the UDP protocol allows clients located behind NAT to connect to the OpenVPN server.
OpenVPN can be configured to use an arbitrary port, which makes it possible to get past restrictions imposed by the firewall through which the LAN reaches the Internet (if such limits are set).
Security and Encryption
The security and encryption of OpenVPN are provided by OpenSSL and the transport layer protocol Transport Layer Security (TLS). In newer versions of OpenVPN the PolarSSL library can be used instead of OpenSSL. TLS is a secure transmission protocol that is an improved version of Secure Sockets Layer (SSL).
OpenSSL can use both symmetric and asymmetric cryptography.
In the first case the same secret key has to be distributed to all nodes in the network before data transfer. This raises the problem of safely transferring the key over the insecure Internet.
In the second case each communication participant has two keys: a public (freely distributed) one and a private (secret) one.
The public key is used to encrypt data and the private key to decrypt it. The encryption rests on fairly complex mathematics. The public-key algorithm chosen for SSL/TLS allows decryption only with the private key.
The private key is secret and must remain on the node where it was created. The public key is to be passed to the participants in the data exchange.
For secure data transfer it is necessary to identify the parties taking part in the exchange. Otherwise you may fall victim to the so-called man-in-the-middle attack (MITM). In such an attack the attacker connects to the data channel and eavesdrops on it; it can also intervene to delete or modify data.
To provide authentication (verification of the user's identity), the TLS protocol uses a public key infrastructure (PKI) and asymmetric cryptography.
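As an added example (not part of the original article or of the OpenVPN project), the following Python checker reads an OpenVPN client configuration and reports which directives that bind the client to the server's certificate identity are missing; the two configurations and the host name vpn.example.com are constructed for the demonstration.

```python
# Added example: check an OpenVPN client config for the directives that let the
# client verify the server's identity through the PKI, mitigating the MITM attack
# described above. The configs and host name below are constructed sample data.

# Constructed weak client config: has a CA but does not check who the server is.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
"""

# Constructed hardened config: same base plus server-identity checks.
HARDENED_CONFIG = WEAK_CONFIG + """\
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-crypt ta.key
"""


def parse_directives(text):
    """Map each directive name to a list of its argument lists.
    Lines beginning with '#' or ';' are comments; inline <tag> blocks are not handled."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_mitm_hardening(text):
    """Return a list of findings; empty when the config verifies the peer's identity."""
    d = parse_directives(text)
    findings = []
    if 'ca' not in d:
        findings.append('no "ca": the server certificate chain cannot be validated')
    if ['server'] not in d.get('remote-cert-tls', []):
        findings.append('no "remote-cert-tls server": a client certificate from the same CA could pose as the server')
    if 'verify-x509-name' not in d:
        findings.append('no "verify-x509-name": the server certificate is not pinned to an expected name')
    if 'tls-auth' not in d and 'tls-crypt' not in d:
        findings.append('no "tls-auth"/"tls-crypt": the TLS control channel is not protected by a pre-shared key')
    return findings
```

Running check_mitm_hardening on WEAK_CONFIG yields three findings, and on HARDENED_CONFIG none.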
It must be understood that decrypting the data without the private key is also possible, for example by brute force. Although this method requires large computational resources, it is only a matter of time before the data can be decrypted.
Although the key size affects the difficulty of decryption, the key gives no guarantee of complete data security. In addition, already-decrypted data and the key itself can be stolen through security vulnerabilities and backdoors in the operating system or application software, as well as in the hardware of servers and workstations.
Encrypting data increases traffic and slows down communication. The longer the key used for encryption, the harder it is to crack, but the more pronounced the slowdown of the data exchange.