What A VPN REALLY Is - Deep Dive

Captions
Hello everyone. In this video I'm going to talk about what a VPN is. Now, when I say VPN I'm talking about the real network side of a virtual private network; I'm not talking about the VPNs that get advertised commonly on YouTube, where it's all about how to protect your ID online and all that sort of business. I might touch on them, but really what I'm talking about is the technology, the definition of a virtual private network, and I've got some Raspberry Pis here set up as routers to create a VPN and demonstrate that. So if you feel like getting nerdy, stick around.

First of all I'll introduce the Raspberry Pis here that are going to be in this video. These are set up as routers, so you can see they've got two network interfaces on them, except for the end one here, which is just a host at the other end of the network. This black one here connects to my normal network so I can connect to it from the computer where I'll be doing all the screenshots and stuff. I've just got them set up as routers: you can see I've got a USB NIC on there as well as the inbuilt one to give me the two network interfaces. So that's the setup, that's what I'll be using, but I'll be doing everything on the computer on the big screen.

I'll start with a network diagram. This is the network I use at home, it's just 192.168.1.0/24; that means all the hosts on there will start with 192.168.1 as their IP address. Now on that network there's a host with the IP address 192.168.1.9, and that's the machine I'm going to be using here to connect into that first black Raspberry Pi. As such, that Raspberry Pi is also part of that network; it has an interface 192.168.1.46. Those hosts are on the same network, so there's no routing required to send packets between them. I'll just put a picture of the setup there so you can visualize it as well, as I draw this diagram around it.

Okay, so let's say there's another network over here, the 192.168.2.0/24 network. It can have a bunch of hosts that all start with 192.168.2, but they won't directly be able to talk to anything on the other network because it's a different network. To do that they need a route to get there. So on this router, the thing that's doing the routing, it has an interface on this 192.168.2.0 network as well. The black router, the black Raspberry Pi, has two network interfaces and each one is part of a different network, and it can forward packets between those networks. So as long as the hosts on each network know that they've got to go through the IP address of the router to get to the other one, they can talk to each other. So if the first network, 192.168.1.0, wants to get to hosts on that 192.168.2.0 network, it knows it has to go via 192.168.1.46.

We can continue on and do the same sort of thing on the blue router. It's got an interface which is part of the 192.168.2.0 network, so it can talk with hosts in that network as well, and then it also has another adapter on the 192.168.3.0 network. So we're adjoining networks up here, and as long as they know which host to use, in this case the router IP addresses, we can send traffic around various networks. And so I've got another one here again to connect to yet another network, and on that last network I've got a host sitting there, which is that red Raspberry Pi at the end, so it's part of the 192.168.4.0/24 network.

Okay, I'll start on this machine here, which is the demo host on this diagram. I've just got a couple of consoles open and I'm trying to lay it out as best I can. From here you can see that my IP address is 1.9, the one over here, so I can SSH to that black router, 1.46, and I can get into it. On that black router I can look at the routes that are available with ip route, and it shows you here that it knows of two networks: it knows of the 1.0 network, which is on its eth0 device, this one, and the 2.0 network, which is on eth1, that's this one.

So from there, if I log in down here as well to 1.46, I'll go to that black router, and from there, because it's part of this 192.168.2.0 network, I will be able to connect to this host here, 2.47, because it's on the same network. So if I go ssh 192.168.2.47 I'll go into the blue router, and if I look at its routes you can see it knows of the 2.0 network, 192.168.2.0, and 192.168.3.0, which is down here. It doesn't know of this network back here, 192.168.1.0. If I go back to this demo host and I try to go there directly, 2.47, so I'm trying to go to the blue router directly from this demo host, it'll say network unreachable, because remember, in its routing table this one over here only knows of this network; it doesn't know anything else, it doesn't know how to get to that directly. The way I got to it a second ago was I went first to the black router and then to the blue router.

Now down to the yellow one I could do a similar sort of thing, one by one: ssh 192.168.1.46 to get into the black router, ssh 192.168.2.47 to get into the blue router, then ssh 192.168.3.48 to get into the yellow router. Now that's not a direct connection from this demo host here; I'm actually doing a bunch of connections, I'm connecting to here, then to there and then to there. To go directly I would have to set up some routing on these routers here and let all the hosts know which way to go.

So if I do that, let me just jump back a bit. I'll get back from the blue one and get back to this host here. Okay, so I'm back at the demo host. If I try to ping the blue router, 2.47, we know it says network unreachable, so to get to that network, the blue router, from here I'll have to add a route to it. So I just go ip route add 192.168.2.0/24, which is this network here that we're talking about, and say you get there via 192.168.1.46. So now if I look at the routing table on this demo host here it of course knows the network that it's on, because it's on there, but I've also told it that to get to the 192.168.2.0 network you go via this host here. So now if I try to ping the blue router I won't get a response, but at least it's trying; it doesn't say network unreachable anymore. So what's happening is it's sending it to this router and it'll be sending it there; the problem is the blue router has to send the traffic back, and as we just saw, it doesn't know how to get to the 192.168.1.0 network, which is where this came from. So I have to add a route: ip route add 192.168.1.0/24 via, now I'm on the blue router here, so to get there it has to go via this address here, so 192.168.2.46. And you can see the ping start working. So now this host on this network knows how to get to this network, and this router knows how to get back to there, so now from this demo host here I'll be able to SSH to that blue router directly. Okay, bangs straight in. So I didn't have to hop; I mean the packet went via this router, but I didn't have to log in to this router and then start a new connection from there.

So so far I've got routing from this network to this network; let's now work over here. Now if I want to go to the yellow one I'll just exit that and start back again, same sort of thing. I can't ping anything on this 3 network because again, if I look at my routing table, it only knows about this one and the 2 network, but nothing about 3. So I'll add it: ip route add 192.168.3.0/24 via the same, it has to go via this thing again, so that's via 192.168.1.46 as well. Now I can try and ping that 192.168.3.48, but it won't get there. It tries, it sends it here, but you can see, even though I'm trying to ping 3.48 down here, I'm getting a response from 1.46, which is this router where I sent it to, and it's saying not reachable, because on the black router it doesn't have a route for this. So I'll go ahead and set up all the routing between those routers.

Okay, I've just put all the routes on all these routers here. So if you look at the black one, look at ip route, we know that 1 and 2 are directly connected so it knows where they are, and for 3 or 4 it says go via 2.47, so for this network and this one it says send them through this gateway here. Now on this blue router, if I show the routing table again, it's directly connected to the 2 and 3 networks, but the 1 and 4, well, the 1 has to go via 2.46 up here because it's that way, and the 4 network, which is over here, has to go via 3.48, which is here. And similar on the yellow one: it's directly connected to 3 and 4, and for the other two it sends them through this gateway. Now on the red host here on this network it's slightly different; all I've done there is put a default gateway. It knows its own network, the 4 network, because it's part of it, it's hanging out here, but for any other network just send it to 4.48. I mean, I don't have to be specific for this one because everything's going to be through that gateway anyway, so that's the default gateway. So now I have routing set up between all the routers. If I just go back to this host here, where I am, 192.168.1.9, and ping the red host directly, okay, I can ping it. I don't have to log in to each device along the way because I have full routing between these routers.

What I'm going to do now is set up a VPN, and I'm going to set it up between the black router and the yellow router. So what will happen is I'll have a tunnel created which goes through the blue router, but there won't be any endpoints there; the endpoints are just the black router and the yellow router. So I'll build up a tunnel and that'll create a new interface on each of those routers, so there'll be three interfaces on them, and I'll just give it the IP address of 10.0.0.1 for the black router and 10.0.0.2 for the yellow router. So I'll do that now. Okay, so on the black router here I'll start the VPN server and on the yellow router I'll start the VPN client. Once they establish you'll see it here in their little output logs; you will see once it establishes. Okay, there we go, we have a link now between these two, the tunnel I should say. So now if I look at the black router's ip route here I have an extra route: I have it saying that 10.0.0.2, which is down here, is via this tun0 interface. That's the new interface that just got made. If I go to the yellow router and have a look at ip route again, it's got the other end, 10.0.0.1, which is up here.

Now the traffic that's going through here is UDP, so what I could do is go to the blue router in the middle and do a tcpdump on eth0 (or eth1) of UDP port 1194, which is what OpenVPN uses. If I look at that and I start the VPN again, okay, so I'll start the server, start the client, and just look what goes through the blue router as that establishes. When it gets to establishing we can see some traffic, and it's marked it as openvpn. If I didn't resolve that, if I just put -n in there, it would come up with the port, 1194. So there's the traffic that's floating around, and it's between 2.46, which is up here on the black router, and 3.48, which is the yellow router. So up here on the black router if I ping the other end of that tunnel, 10.0.0.2, we don't see ICMP on the blue router, we just see the UDP 1194 traffic for the VPN. So that ping is traveling through the VPN to the other end.

One thing I want to point out is that a VPN isn't necessarily encrypted. I mean, they generally are, but that's not what it's about. It's a virtual network, as in it doesn't really exist on the routers out here, but it gives you a tunnel; it's a virtual network in that sense. And it's private in the sense that you can't just put a packet on here; this router doesn't know about those networks, it's private. The router here only knows about the 192.168.2 network and the 192.168.3 network; it doesn't know anything about this network, the 10.0.0.1 and 10.0.0.2 endpoints, it doesn't know about them. So it's private in that sense, and it's virtual because it's just a tunnel that we made. So that is what a VPN actually is.

Okay, so I'll just start tcpdump on the blue router and have a look at the UDP traffic that OpenVPN uses, UDP port 1194, and I'll just show that in Wireshark here just so we can see what goes through. So what I'll do is I'll start the VPN server again and I'll start the client; we should see a bit of something come through on Wireshark once it establishes. I think it's around to it; there it is. Okay, so the VPN is established and we see the stuff coming through, and Wireshark knows it's OpenVPN, there's OpenVPN stuff in there, you can see it's there. So as I said, if I ping that over and over again you won't see ICMP traffic going through, you'll just see OpenVPN, and because I've got encryption running on this you can't really tell anything from it. But as I said, it doesn't have to be encrypted. If I do something like cipher none, and the same with the client, you can see it gives nice big warnings up here saying warning, there's no encryption and so on, so it tries to warn you, but we can do it. Once that starts up I can ping the other end, and if I have a look on here you can see there's the ping, the ping traffic in the clear now. From the black router in Scapy, if I send a crafted ICMP message and just say "your mama was a snow blower", I can send that packet, and if we have a look in the capture you can see it in the clear: your mama was a snow blower.

So it doesn't necessarily mean it's encrypted, but it's still a VPN, because it's still a virtual private network. The routing tables of all that stuff in the middle don't come into any of this; there could be hundreds of routers in between, but as far as that packet's concerned its next hop was the other end. So that's the meaning of a virtual private network in the true sense. And you can use that, you know, if you've got two corporate sites with private addressing, like 192.168 stuff for example, and you can't route that through the public Internet, you could set up a VPN between your sites and just have your own routing to go through them, and you'll have your own virtual private network.

Okay, while I'm at home I'm on the LAN, so I can get to my 192.168.1 addresses because this phone is also on that network; there's no routing involved and I can just go to my internal servers here and do things. But if I get out on the Internet, on the way, and I'm not on this network anymore, I wouldn't be able to do that without some connection in, and I'm going to use the VPN to do that. So now I'm out in the wild here with the crocodiles and stuff; obviously I'm not on my home LAN, I'm on the mobile network. So to connect to that internal server, which is a non-routable IP address, the 192.168 address, I just start OpenVPN on the phone, connect to my VPN server at home, and then I'll have a tunnel through the public Internet and be able to connect to my internal IP address host just like I was there. So I'll do that now. On the phone, if I start OpenVPN and connect, okay, I'm connected to my home VPN server, and now I can refresh that page and LibreNMS will come up again. You know the address, if you can see it, it's still a 192.168.1 address, so that's obviously not an Internet address, but I'm connected to it. And of course if I disconnect my VPN and try and refresh it now it's just not going to go anywhere, it's just going to struggle. So you can use a VPN to connect to internal servers when you're out in the wild.

So there it is, that's what a VPN is. Now all these public VPNs that people advertise, they're basically doing the same thing I am here, except I'm going from my client, the phone here, to my VPN server at home, whereas those services offer you a VPN server that's who-knows-where. But your data is going to pop out of their server anyway, so if you really want to control your data you just want to send it home and use your own ISP. So if you're out and about you can set up a VPN so you can get to your internal network, and at the same time, if you are worried about a hotspot, even though we use HTTPS for most things, you can still use the same thing and go via your home with an OpenVPN server rather than paying for some service. But anyway, I just wanted to show you at a network level what a VPN actually is. So have fun with that; if you've got questions leave them in the comments and I'll see if I can answer them. So until next time, take it easy.
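The routing behaviour walked through in the video (network unreachable on the demo host, a ping that goes out but gets no reply until the blue router has a route back, full routing with a default gateway on the red host, and finally the tunnel making the yellow router the black router's next hop while the blue router knows nothing about 10.0.0.x) can be reproduced offline with a small routing-table model. The following Python is an added example and is not code from the video or the channel; it only models IP forwarding decisions, not the UDP/1194 encapsulation. Addresses the video states (192.168.1.9, 1.46, 2.46, 2.47, 3.48, 4.48, 10.0.0.1, 10.0.0.2) are used as given; the blue router's 192.168.3.47 address and the red host's 192.168.4.10 address are assumptions, as are the /32 tunnel routes used to stand in for what ip route showed on the two endpoints.

```python
import ipaddress


class Node:
    """A host or router: its interfaces plus its routing table ('ip route')."""

    def __init__(self, name, interfaces):
        self.name, self.interfaces, self.routes = name, {}, []
        for dev, addr in interfaces.items():
            self.add_interface(dev, addr)

    def add_interface(self, dev, addr):
        self.interfaces[dev] = ipaddress.ip_interface(addr)
        self.routes.append((self.interfaces[dev].network, None, dev))  # connected

    def add_route(self, dst, via=None, dev=None):
        """Same meaning as 'ip route add DST via VIA' or 'ip route add DST dev DEV'."""
        gw = ipaddress.ip_address(via) if via else None
        self.routes.append((ipaddress.ip_network(dst), gw, dev))

    def lookup(self, dst):
        """Longest-prefix match; None is what the kernel reports as 'network unreachable'."""
        dst = ipaddress.ip_address(str(dst))
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def has_address(self, addr):
        addr = ipaddress.ip_address(str(addr))
        return any(ifc.ip == addr for ifc in self.interfaces.values())


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def owner(self, addr):
        return next((n for n in self.nodes.values() if n.has_address(addr)), None)

    def trace(self, src, dst, max_hops=16):
        """Forward one packet hop by hop; returns (delivered, [hops])."""
        node, path = self.nodes[src], [src]
        for _ in range(max_hops):
            if node.has_address(dst):
                return True, path
            route = node.lookup(dst)
            if route is None:
                return False, path + ["network unreachable"]
            via = route[1]
            # With a gateway, hand the packet to the gateway; without one the
            # destination sits on the directly connected link (or the tunnel).
            node = self.owner(via if via is not None else dst)
            if node is None:
                return False, path + ["host unreachable"]
            path.append(node.name)
        return False, path + ["ttl exceeded"]

    def ping(self, src_addr, dst):
        """Echo request and echo reply must both route, or the sender sees no answer."""
        fwd_ok, fwd = self.trace(self.owner(src_addr).name, dst)
        if not fwd_ok:
            return False, fwd, []
        rev_ok, rev = self.trace(fwd[-1], src_addr)
        return rev_ok, fwd, rev


def build_lab():
    """The four networks from the diagram. 192.168.3.47 and 192.168.4.10 are assumed."""
    demo = Node("demo", {"eth0": "192.168.1.9/24"})
    black = Node("black", {"eth0": "192.168.1.46/24", "eth1": "192.168.2.46/24"})
    blue = Node("blue", {"eth0": "192.168.2.47/24", "eth1": "192.168.3.47/24"})
    yellow = Node("yellow", {"eth0": "192.168.3.48/24", "eth1": "192.168.4.48/24"})
    red = Node("red", {"eth0": "192.168.4.10/24"})
    red.add_route("0.0.0.0/0", via="192.168.4.48")  # the red host's default gateway
    return Network([demo, black, blue, yellow, red])


def demonstrate():
    net = build_lab()
    n, r = net.nodes, {}
    # 1. demo host knows only 192.168.1.0/24: the blue router is unreachable
    r["no_route"] = net.ping("192.168.1.9", "192.168.2.47")
    # 2. ip route add 192.168.2.0/24 via 192.168.1.46 on demo: the request
    #    reaches blue, but blue has no route back, so there is no reply
    n["demo"].add_route("192.168.2.0/24", via="192.168.1.46")
    r["one_way"] = net.ping("192.168.1.9", "192.168.2.47")
    # 3. ip route add 192.168.1.0/24 via 192.168.2.46 on blue: ping answers
    n["blue"].add_route("192.168.1.0/24", via="192.168.2.46")
    r["two_way"] = net.ping("192.168.1.9", "192.168.2.47")
    # 4. full routing on the routers; the red host needs only its default gateway
    for dst in ("192.168.3.0/24", "192.168.4.0/24"):
        n["demo"].add_route(dst, via="192.168.1.46")
        n["black"].add_route(dst, via="192.168.2.47")
    n["blue"].add_route("192.168.4.0/24", via="192.168.3.48")
    for dst in ("192.168.1.0/24", "192.168.2.0/24"):
        n["yellow"].add_route(dst, via="192.168.3.47")
    r["full"] = net.ping("192.168.1.9", "192.168.4.10")
    # 5. the VPN: tun0 on black and yellow with a route to the far end. Blue only
    #    forwards the UDP/1194 carrier between 2.46 and 3.48; for the inner
    #    packet, yellow is black's next hop and blue never appears in the path.
    n["black"].add_interface("tun0", "10.0.0.1/32")
    n["black"].add_route("10.0.0.2/32", dev="tun0")
    n["yellow"].add_interface("tun0", "10.0.0.2/32")
    n["yellow"].add_route("10.0.0.1/32", dev="tun0")
    r["tunnel"] = net.ping("10.0.0.1", "10.0.0.2")
    r["blue_routes_tunnel"] = n["blue"].lookup("10.0.0.2") is not None
    return r
```

Calling demonstrate() returns a dict keyed by step; each ping result is (answered, request path, reply path), so the one-way step shows the request arriving at blue and the reply dying there, and the tunnel step shows the inner packet going black to yellow with blue_routes_tunnel False, which is the "private" part of the definition the video gives. The model is deliberately blind to encryption: as the cipher none demonstration shows, confidentiality is a separate property from the routing that makes the tunnel a VPN.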
Info
Channel: Tall Paul Tech
Views: 5,078
Rating: 4.9901962 out of 5
Keywords: VPN, openvpn, virtual private network, nordvpn, network vpn
Id: MTG9YeDNvHE
Length: 19min 27sec (1167 seconds)
Published: Fri Apr 03 2020