100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Python

VPNs

Understand how Virtual Private Networks use tunneling and encryption to create secure connections over untrusted networks.

Network SecurityIntermediate10 min readJul 8, 2026
Analogies

Introduction

A Virtual Private Network (VPN) creates a secure, logical connection over a public or untrusted network such as the internet, making it behave as if the two endpoints were on the same private network. VPNs are used to let remote employees securely reach internal company resources, to connect branch offices to headquarters, and to protect traffic on untrusted networks like public Wi-Fi.

🏏

Cricket analogy: A VPN is like a private, secure charter that lets a touring team based overseas still access their home board's internal scouting reports as if they were sitting in the domestic office, even while physically playing an away series on unfamiliar, untrusted grounds.

Explanation

A VPN provides two core functions: tunneling and encryption. Tunneling encapsulates one packet inside another — the original packet (with its private source/destination) is wrapped inside a new outer packet that can be routed across the public internet, then unwrapped at the other end. Encryption scrambles the payload of that tunnel so that anyone intercepting the traffic in transit cannot read or usefully modify it; this is typically combined with integrity checks so tampering is detectable. There are two common deployment models. Site-to-site VPNs connect entire networks to each other — for example, linking a branch office's router to headquarters' router — so that all traffic between the two sites is automatically tunneled without any per-user configuration. Remote-access VPNs connect an individual device (like a laptop) to a private network, typically via a VPN client, so a remote worker's traffic to internal resources is tunneled as if they were physically in the office. Common protocols include IPsec, which operates at the network layer and is widely used for both site-to-site and remote-access VPNs and supports strong, standardized encryption and authentication; WireGuard, a modern, lightweight protocol known for simplicity, small codebase, and high performance using state-of-the-art cryptography; and OpenVPN, a flexible, widely-supported protocol that runs over TCP or UDP and uses TLS for key negotiation.

🏏

Cricket analogy: Tunneling is like shipping a team's confidential playing XI inside a sealed, unmarked equipment bag through public courier (encapsulation), while encryption is like locking that bag so only the intended coach can open it, with a tamper seal to detect interference; a site-to-site VPN is like two permanent franchise academies automatically sharing all training data (branch-to-branch), while remote-access is like one individual scout on the road logging into head office (device-to-network); choosing IPsec is like the traditional, heavily standardized team protocol used by most boards, WireGuard is like a lean, fast modern scouting app, and OpenVPN is like a flexible system that works around whatever network restrictions a touring venue imposes.

Example

bash
# Minimal example of a WireGuard interface configuration (remote-access style)
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# AllowedIPs defines what traffic gets tunneled through the VPN

Analysis

The key insight is that tunneling and encryption solve different problems: tunneling is about routing (making private addresses reachable across a public network), while encryption is about confidentiality and integrity (making the tunneled traffic unreadable and tamper-evident to outsiders). A VPN could theoretically tunnel without encrypting, but that would leave data exposed — which is why virtually all modern VPNs bundle both. Choosing between site-to-site and remote-access depends on the use case: site-to-site suits static office-to-office links, while remote-access suits individual, often mobile, users. Protocol choice trades off performance, auditability, and compatibility — WireGuard favors simplicity and speed, IPsec favors broad enterprise/vendor support, and OpenVPN favors flexibility across restrictive networks.

🏏

Cricket analogy: Getting the team bus to the away ground (tunneling/routing) is a completely different problem from making sure no one can eavesdrop on the team's tactical huddle inside it (encryption/confidentiality) — a bus could drive there with open windows, but no serious team would risk that, so both are always paired; a permanent academy-to-academy data link suits routine season-long sharing (site-to-site), while an individual scout's laptop on the road suits one-off away trips (remote-access), and choosing WireGuard is picking speed and simplicity, IPsec is picking broad board-wide standardization, and OpenVPN is picking flexibility for grounds with restrictive network policies.

Key Takeaways

  • A VPN's two core functions are tunneling (encapsulating packets for routing) and encryption (protecting confidentiality/integrity).
  • Site-to-site VPNs connect whole networks; remote-access VPNs connect individual devices to a private network.
  • IPsec, WireGuard, and OpenVPN are common VPN protocols with different tradeoffs in performance and compatibility.
  • AllowedIPs / routing rules determine exactly which traffic is sent through the tunnel.

Practice what you learned

Was this page helpful?

Topics covered

#Python#ComputerNetworksStudyNotes#ComputerNetworks#VPNs#Explanation#Example#Analysis#Key#StudyNotes#SkillVeris