Can someone get me the 101 of VPN?

Ever since VPNs have become mainstream, every piece of tech media has promoted them. As a pre-Patriot Act person, I get the appeal, and as a home server enjoyer, I’d like to be able to access my network from the outside.

I more or less understand the basics of the internet, and of VPNs. Something I’m not clear on, however, is where on the network the VPN should sit: you can run your own server in the home network, you can set it up on the router, you can rent a VPS and run it on that… What are the pros and cons of each? In my use case, being able to move my connection to another country (only possible with renting a VPS abroad in the aforementioned options) is not a necessity, but as it further hides my true location, that would be a plus.

NordVPN and other VPN services of the like do not offer access to YOUR local network. All they do is allow “secure” access across the internet to all other services.

VPNs that you host internally (like OpenVPN) on your hardware do allow you to access all of your network from anywhere outside of your network. I prefer to set up the VPN on the router/gateway just to simplify things. The advantage of running your own private VPN is that if you are abroad, you can tunnel all of your traffic through it, securing your internet traffic just like NordVPN.

Since your question has been well answered, I won’t bother going into that again :slight_smile:

One bit of advice I will offer is that if you ever need a ‘fake address’ style VPN, for the reasons of access, not secrecy, then renting a VPS with (almost) no storage but good bandwidth is often about the same price; and that way, you know that the data isn’t being sniffed or MITM attacked.

I love that WireGuard has made this as easy as ‘photograph the screen’ with your phone, and you’re set up, haha.

There are two types of VPN software installations:

  1. VPN server
  2. VPN client

A VPN server would be installed at home for securely connecting a remote device (mobile phone, laptop, etc.) to your home network. Some router/firewalls can host a VPN server directly. For example, pfSense has options for installing an OpenVPN server, an IPsec server, and I believe a WireGuard server in the latest version directly on the router/firewall. I installed an IPsec server because the clients are native in macOS, iOS, Windows, and probably other OSs. A VPN server also can be installed on a system inside the LAN, but a port will need to be forwarded from the firewall.

A VPN client would be used to protect device or network traffic from snooping by an ISP or public Wi-Fi provider (e.g. a coffee shop). Most commercial VPN service providers have apps that customers can install on mobile devices, computers, etc. The better VPN providers also provide instructions for installing a VPN client for their service directly on a router/firewall.

The better VPN providers also can be used for place shifting. Their servers (and public IPs) are distributed around the world. A customer’s “location” will be represented by the server they connect to.

The best solution is the one that works for you.

EDIT: changed VPNs to VPN software installations.

The piece tech media advertises (paying to promote something and doing it for free is not the same) is a man in the middle that you send all your network traffic to, before they send it on to whatever website/endpoint you want to reach.

I’d rather tie my right testicle in a knot before routing all my network traffic through a single (American-based) company over my highly regulated ISP. But then again, if you’re based in America I guess it doesn’t matter much whether you share your traffic with your ISP or a VPN provider. Maybe the latter is more susceptible to being breached or swayed to share more personal info for advertising money?

Not sure anyone has mentioned it here, but you are able to do network-wide VPN from your router. Not currently doing it as it causes more problems than it solves imo, but I believe with my pfSense router I could possibly use my PIA account. Essentially it means all clients behind your router will be passing through your VPN provider. Having IoT devices and streaming devices such as Fire Sticks are great reasons not to do this.

Can’t think of many reasons you would want this at home, but it’s possible.

Something you can check out that I’ve recently fallen in love with is Tailscale. Currently my main route into my home network. Worth a look, and all free.

People have given you some really good information in here, but I wanted to touch on one thing: CGNAT, or carrier-grade NAT.
If your ISP uses CGNAT, your real-world IP address isn’t just yours. An inbound VPN connection is next to impossible.

There are ways around this. Some have mentioned VPS to you. Your server (or router) initiates an outbound connection and once the tunnel is achieved… Bob’s your uncle!

This is the way! It was the only way I could get to my BlueIris server on Starlink. If you configure a router to connect to a VPS, then you can port forward from there.
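The outbound-tunnel-to-a-VPS workaround for CGNAT described in the two posts above, as an added WireGuard example (not from any poster in this thread). The public address 203.0.113.10, the 10.8.0.0/24 tunnel range, the relayed port 443 and the `<…_KEY>` placeholders are all constructed; the home side has no `ListenPort` and dials out, and `PersistentKeepalive` keeps the carrier NAT mapping alive so the VPS can push traffic back down the tunnel.

```ini
# ---- VPS side (the only host with a reachable public IP) : /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# Placeholder: generate the real key pair with `wg genkey | tee private | wg pubkey`
PrivateKey = <VPS_PRIVATE_KEY>
# Relay inbound TCP 443 arriving on eth0 to the home host (10.8.0.2) through the tunnel.
# MASQUERADE on wg0 makes replies come back via the VPS instead of leaking to the public side.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2:443
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp --dport 443 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2:443
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp --dport 443 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
# The home router/server. No Endpoint: it sits behind CGNAT, so it must dial out to us.
PublicKey = <HOME_PUBLIC_KEY>
# Only the one tunnel address may be sourced from this peer (cryptokey routing).
AllowedIPs = 10.8.0.2/32

# ---- Home router/server behind CGNAT : /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort: nothing on the internet can reach this host inbound anyway.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
# Constructed public address of the VPS; this is the side we initiate towards.
Endpoint = 203.0.113.10:51820
# Accept tunnel traffic for the whole tunnel subnet; widen to 0.0.0.0/0 only if you
# want the home host to send ALL its traffic out via the VPS.
AllowedIPs = 10.8.0.0/24
# Outbound keepalive every 25 s holds the CGNAT mapping open so return traffic is delivered.
PersistentKeepalive = 25
```

Bring both sides up with `wg-quick up wg0`; only UDP 51820 on the VPS and whatever you deliberately relay (here TCP 443) are exposed to the internet, and a distinct relay rule is needed per forwarded service.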

Hamachi, which I think was bought out by LogMeIn, was my first foray into VPN. It’s easy as pie. It let us play LAN games via the internet.

OpenVPN used to have a free 3 concurrent VPS which might suit your needs if it’s still offered.

There aren’t really any pros or cons to which type of device you choose. Most SBCs with 1GB of RAM can handle a single WireGuard connection at a time with no problem. A “gaming” router can also probably handle it, but not a low-end one (something with less than 64MB of RAM won’t even be supported by most distros for routers, I believe). A VPS probably won’t be able to route you into your homelab (not sure), but it can be in a different country than you are.

There isn’t a lot of information revealed about you in your IP address. Unless you often use public Wi-Fi (prone to sniffing traffic) to connect to HTTP websites (not protected against man-in-the-middle attacks through an SSL cert), there isn’t a lot of privacy offered by a VPN.

For connecting to a homelab, pick whichever of your servers can handle another service and set up either WireGuard (lightweight, common choice) or Outline (if you intend to connect often from a network that tends to block VPN traffic otherwise).

every piece of tech media promoted them.

They promote all kinds of things, not all of them good for humanity. I assume you are talking about “hosted VPN” services, many of which are literally owned by Facebook, or have been caught logging data (which might be worse than the logging from your ISP).

A VPN won’t automatically stop your browser from being tracked by cookies, super cookies, fingerprinting, etc. (But you can just run software to do that locally.)

It’s like buying an Iron Door for your house. Sure, it seems like you are more secure. But unless you also upgrade your windows and stop storing your key under the mat, it isn’t a good use of funds. In fact, you may just want to do those other things first, and not worry about the small incremental security of the Iron Door.

As a pre-Patriot Act person, I get the appeal

Much of the appeal is overblown. For example, it’s likely that 99.9% of your data is encrypted already.

And it’s just moving from “Your ISP knows everything you do” to “Your VPN provider knows everything you do”.

and as a home server enjoyer, I’d like to be able to access my network from the outside.

You don’t need a VPN for this. You can use Dynamic DNS (and the “DMZ” feature of your router.)

In theory, you can run services like SSH and HTTPS inside your network, and not worry because it’s all encrypted. But in practice, that means you have to worry about vulnerabilities in giant code bases.

It’s better to have the only service exposed be WireGuard. From there, you can get to all your services. The difference is that all other protocols (including VPNs) can be scanned, so hackers know what you are running and can be ready to attack if there is a new vulnerability. But WireGuard doesn’t respond to probes, so hackers can’t tell if you are running it or not. And unlike SSH/HTTPS, WireGuard is only a few thousand lines of code.

Something I’m not clear on, however, is where on the network the VPN should sit: you can run your own server in the home network, you can set it up on the router, you can rent a VPS and run it on that… What are the pros and cons of each?

Er, I mean, just think about which part of the connection is being protected and which is not…

Yeah looks like others have given you the deets but in short:

Running a VPN on a VM with the ports forwarded gives you access to your network from anywhere.

External VPNs put you elsewhere.

In my use case, being able to move my connection to another country (only possible with renting a VPS abroad in the aforementioned options) is not a necessity, but as it further hides my true location, that would be a plus.

Yes, this is exactly what a rented VPN will do for you.

Any connection you make to an outside entity through the VPN tunnel will appear to that service provider AS IF you are actually coming from the VPN endpoint’s country of origin instead of wherever you may be.

As far as your title question - the 101 of VPN - here’s my stab at it:

VPNs are tunnels between two computers. Traffic across that tunnel is invisible to anyone but the VPN host and the VPN client. Corporate networks use this often to do business, banks, and so on. It’s of course encrypted with private key exchanges on each end, meaning even if the tunnel traffic were captured, its contents would be unknown; it’s just data.

In the case of a rented VPN, you pay a VPN provider to host an endpoint for you. NordVPN for example has hundreds of endpoints all around the planet; that is where their servers reside. When you make a connection to that endpoint from your VPN client, as I said earlier, it appears to any service provider on the other end as if your traffic is coming from the VPN provider’s servers rather than your personal computer or network.

In the case of a self-hosted VPN in a homeserver situation, this is often used so that you can remote into your homeserver when you are away from home via laptop, wifi, while at work and so on.

Otherwise, VPNs are typically used in consumer scenarios with a VPN server being rented and you using a client to obscure your traffic.

As another commenter already mentioned: the majority of your traffic, especially web-based, is already encrypted with SSL/TLS, aka “https”, anyway. However, your ISP, the website/service provider and everyone in between know your IP address when doing that. Even more so: SSL traffic is easily decryptable and many consider it unsafe due to man-in-the-middle attacks. This often occurs on corporate networks, like at an office job: IT will decrypt SSL traffic in real time, and store the packets for later review, completely defeating the purpose of encryption entirely and violating your privacy. Free public Wi-Fi services at places like McDonald’s and Starbucks also do this.

All that being said, VPN is not an end-all-be-all solution to remaining private on the internet as tech media often suggests; it is however one major tool for such, or a major tool in the toolbox.

Other behaviors are required for OPSEC if you truly want to be private; this includes avoiding leaking your IP or identity accidentally through other applications even while tunneling traffic through a VPN provider.

Hope this helps!

every piece of tech media promoted them

Yep, they get paid to say what the VPN company says that they do. But those services are just for people that do something shady, are on public Wi-Fi, want to watch movies/materials not available in their country, and that’s basically it.

is where on the network the VPN should sit

If you want to connect to your machines you need your own VPN solution, as only it will grant that.

There are two types of VPNs:

  • Remote Access VPNs: These allow access to your network
  • “Privacy” VPNs: These obfuscate your IP address so that it appears you’re coming from and going to somewhere else to anyone observing.

But if the IP truly needs to be secret then make sure to pay in Bitcoin so it can’t be traced back to you :smiley:

This isn’t entirely accurate. A VPN server and client are not different types of VPNs, they are always in play.

Using a service such as Nord or installing a server at home are both VPNs, you’re just changing the purpose, where you connect to and what you can access.

In both scenarios, you’re a client connecting to a server operated either by you at your home network or to a service.

What’s the issue with IoT and streaming device traffic going through your VPN provider?

You reminded me I saw or read an article a few months ago that made me realize how much Facebook wants and collects data. They have or had an app that you could get paid $20 a month for. All you had to do was run it on your phone, that’s it. It was a VPN piping your data directly to their servers… I forgot how it was, but it had something to do with a VPN provider company that Facebook bought, and it went from there. So y’all are spot on about data moving from ISP to VPN provider.

OP is looking to remotely connect to their home network, not a large enterprise network with cyberinsurance policy requirements.

That doesn’t relate to the OP at all. “Where should the VPN sit, and what benefits do they have on my personal network vs. remote” is definitely not answered by “ZTNA”