Just watched this video on YouTube with the aim of trying to understand how VPN works. In the video the guy mentioned that a tunnel is created and then the traffic is passed through the tunnel, making it secure.
I understand the basics of packet switching, i.e. when two nodes are communicating, the data is broken into packets that are routed, meaning that the path between those nodes need not pass through the same router.
Given the above, where then is the “tunnel”?
If packets are just being routed through routers, where is the tunnel? If routing paths are not fixed, then how is the tunnel still possible? Does it also change with the path?
Edit:
Saw another post that mentions encapsulation…and the explanation given sounds a lot like what you see in NAT. How are they then different?
The way I imagine it: think of the endpoints on the far right and left, with the stream of packets between them (imagine like 10 packets, with the packets visually represented vertically oriented). You've got your payload, the layer 3 info, then the VPN encapsulation is farthest out on the top and bottom of every packet. That top and bottom is the tunnel.
GRE: generic encapsulation (does not encrypt; you do that separately if you want it). Do you understand basic encapsulation? Like, visualize it to understand a tunnel. It's basically just extra headers on the packet with encryption added in optionally, so the recipient only reads the tacked-on headers instead of the OG headers. Or picture a capsule like a medicine capsule, and that's the original packet; then that gets put in a bigger capsule, like a gel cap of a bigger size that is not see-through and only has a destination address printed on it, and that's the new packet. So the OG packet is encapsulated into the bigger packet and only the recipient is able to open it up and crack into that smaller packet; all the other recipients along the way from source to destination only see that bigger packet and pass it along to the next hop; they never see any part of that smaller packet encapsulated inside the other packet. Get it? It's like you're trying to mail an envelope to a person in an office building, so you write their The tunnel is that only the source and destination are able to crack into that smaller packet which holds the actual data.
NAT is a different animal. NAT is about solving the problem of using private IPs in your internal network (every company can use the same PRIVATE IPs; they are private and not known to anyone else, aka any other entity on the routed internet), and at the same time routing data to those devices in your private LAN while also using the internet to route publicly from one entity to another. So you use private (on your LAN) PORT ADDRESSES (like IP addresses but different, not going to get into it) instead of IP addresses on your LAN to route the traffic. The router gets the packet, opens it up like a piece of mail, there's another mail in there telling the router to send it to port 17934 or whatever the fuck, the router says ok, that goes to this computer on our LAN and sends it to the recipient. But over the internet, the publicly routed portion, the source and destination routers only see a source and destination IP like normal. STILL ENCAPSULATION, just different.
Tunneling doesn’t imply encryption. VPN also does not imply encryption. So by creating a tunnel it doesn’t make it secure.
IP tunneling using a tunneling protocol serves to connect two places in one network (10.0.0.0 as an example) that are reachable over a different network (public). Encryption is then added to the process if needed.
GRE does that. Imagine having a private network design that spans New York to San Francisco. How do you connect them to seem as one contiguous network? Use a GRE tunnel so that NY tunnels to SF by putting the private packet inside a new outer packet with a publicly routable address. So in essence we put a new IP header (public) in front of our original packet (private), and this is a GRE header.
Obviously the network we ride on is of concern. If it’s open internet we will then encrypt our data using something like IPSec. So we use GRE in conjunction with IPSec.
It’s like a grandmother writing a letter to her daughter, and including an envelope to give to her granddaughter - a letter inside a letter. While it is the responsibility of the post office to deliver the main letter to the daughter’s house, it is the daughter’s responsibility to deliver the inner letter to the granddaughter.
The same thing happens with a VPN tunnel. There are three important pieces of information in a packet: the source address, the destination address, and the data payload. With a VPN packet, that data payload is itself a data packet - one addressed to a destination on the internal network. It is the responsibility of the internet as a whole to deliver the main packet to the VPN server's external address, and it is the VPN server's responsibility to extract the internal packet from the data payload and transmit it to the internal destination.
This packet within a packet is called encapsulation. One of the things you can do with encapsulation is encryption. Another thing you can do with encapsulation is changing network transport. For example, there’s no need to stay on IPv6. Your inner packet could be IPX, Appletalk, or something really exotic: IPv4.
Where the concept of VPN and NAT differ is that NAT is just changing the source and destination address of the outer packet. It doesn’t do anything with the data payload. So if you’re on IPv4, you’re stuck on IPv4.
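To make the letter-inside-a-letter picture above concrete, and to tie it to the earlier GRE NY-to-SF example and the NAT contrast, here is an added example (not code from anyone in this thread). It builds a private IPv4 packet in memory, wraps it in an outer IPv4 header plus a minimal GRE header (RFC 2784 layout, IP protocol 47), shows what a transit router sees and does (outer header only, TTL decrement), unwraps it at the far end, and for contrast runs the same inner packet through a source-NAT that rewrites only the outer source address. All addresses are constructed from documentation and private ranges; the "UDP" payload is a stand-in byte string, not a real UDP header, and no sockets are opened.

```python
"""Constructed demo: GRE-style IP-in-IP encapsulation vs. NAT header rewriting.

Added example, not code from the thread. Everything is built in memory with
struct; no sockets are opened. Addresses come from RFC 5737 documentation and
RFC 1918 private ranges and are chosen for illustration only.
"""
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE (RFC 2784)
PROTO_UDP = 17           # marker only; the inner payload below is not a real UDP header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 means 'verifies'."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Split a packet into the fields a router looks at, plus the opaque payload."""
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "ttl": pkt[8],
        "proto": pkt[9],
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:],
    }


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Tunnel entry: wrap the private packet as [outer IP][GRE][inner IP]."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, then protocol type
    return build_ipv4(outer_src, outer_dst, GRE_PROTO, gre_hdr + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Tunnel exit: strip outer IP + GRE headers and hand back the inner packet untouched."""
    o = parse_ipv4(outer)
    if o["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", o["payload"][:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return o["payload"][4:]


def transit_hop(pkt: bytes) -> tuple:
    """A router in the middle: reads only the outer header, decrements TTL, forwards.

    Returns ((src, dst, proto) it forwarded on, the packet it sends). It never
    looks inside the GRE payload; that opacity is the 'tunnel'.
    """
    o = parse_ipv4(pkt)
    forwarded = build_ipv4(o["src"], o["dst"], o["proto"], o["payload"], ttl=o["ttl"] - 1)
    return (o["src"], o["dst"], o["proto"]), forwarded


def source_nat(pkt: bytes, public_src: str) -> bytes:
    """NAT for contrast: rewrite the outer source address only; the payload is untouched."""
    o = parse_ipv4(pkt)
    return build_ipv4(public_src, o["dst"], o["proto"], o["payload"], ttl=o["ttl"])


def demo() -> dict:
    # Constructed inner packet: a host in the NY office talking to one in SF.
    inner = build_ipv4("10.0.1.5", "10.0.2.9", PROTO_UDP, b"hello from NY")
    # Constructed public addresses of the two tunnel endpoints.
    outer = gre_encapsulate("203.0.113.10", "198.51.100.20", inner)
    hop_view, after_hop = transit_hop(outer)
    recovered = gre_decapsulate(after_hop)
    natted = source_nat(inner, "203.0.113.10")
    return {
        "hop_sees": hop_view,                            # public addresses + proto 47 only
        "inner_survives_tunnel": recovered == inner,     # inner addresses and TTL intact
        "plaintext_visible": b"hello from NY" in outer,  # GRE alone does not encrypt
        "nat_src": parse_ipv4(natted)["src"],
        "nat_payload_unchanged": parse_ipv4(natted)["payload"] == b"hello from NY",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing when you run it: the transit hop's TTL decrement lands on the outer header while the inner packet comes out of `gre_decapsulate` byte-for-byte identical, which is exactly the "post office delivers the outer letter, the VPN server delivers the inner one" split; and `plaintext_visible` is true, which is the earlier reply's point that a tunnel by itself is not encryption, so anything on the public path can still read the inner packet unless IPsec or similar is layered on. The NAT case rewrites one address field and recomputes one checksum; it never creates an inner packet at all.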
A tunnel is a logical representation of encapsulated and/or encrypted traffic, where it is unusable data transmitted between the two endpoints of the tunnel.
I kind of visualise it like this: between nodes left and right, where a tunnel exists between the two, the tunnel is literally like a tube.
Between the two nodes anything else exists, i.e. routers etc. Anything in between shouldn't care or, in most cases, see what's in the tunnel.
So a VPN. Take a remote access VPN, because the world's depending on them for remote working right now.
It's literally like a tube between your PC and your corporate network.
Like looking through binoculars: you look at a tree across a field. You don't see the rest of the field; you'll just see the local area of the tree. That's the intended scope of your tunnel.
I think the concept of a tunnel is one of those that you just get used to, as opposed to knowing right away. It was for me anyway.