By Martha Simons

Blog

The Math behind Virtual Private Networks

This article talks about how VPNs work. It explains how public-key cryptography secures your connection to a VPN server and the mathematical concept behind it.

Virtual Private Network

Virtual Private Networks (VPNs) are computer networks that use a public telecommunication infrastructure like the Internet to provide remote offices or individual users with secure access to their organization's network. In a regular wide area network (WAN) without a VPN, there is typically only one way to get from the LAN of a building to another building: you have to go through a local ISP that provides Internet connectivity before connecting with another LAN. The VPN arrangement is an extension of this WAN, allowing you to have multiple connections between locations and offering a redundant connection if one goes down. This way, we can guarantee the availability of communication after losing our wide-area connectivity. To start, let's consider the following scenario: a telecommunication network with a VPN.

Public-key cryptography

Public-key (asymmetric) cryptography is a family of cryptographic algorithms that enables two parties to establish a shared secret key over an insecure communication channel without having any initial knowledge of each other. Public-key cryptography also allows parties to sign messages, providing sender authentication to receivers.

How VPNs work

For our example, we will consider two buildings: Building-A and Building-B. Each building has a LAN as well as an ISP that provides Internet connectivity to other locations across the WAN (the public network).

Figure: Building A (with its ISP) and Building B (with its ISP). Both sites have VPN tunnels established to each other.

Step 1: Building A has a secure connection with its ISP. The ISP for both buildings provides the same network infrastructure.

Step 2: Now, let's say that someone in building A wants to establish a connection with someone in building B. So, person-A sends out an unencrypted message using his or her default gateway information provided by their local ISP. Let's further assume that this message arrives on one of the routers for building B's LAN.

Public-key cryptography relies on the concept of asymmetric keys. An asymmetric key is a pair of keys: public and private. The "public" key can be made available to everyone while the "private" key must be kept secret. Data that is encrypted by one of the keys in this pair can only be decrypted by the other key in the pair.

Step 3: Now, R1 receives the message from person-A. Let's assume that R1 has already been configured with building A's public key generated during the establishment of the VPN tunnel. Before the router forwards the original message to its intended destination, it will run it through a decryption algorithm using building A's public key. The result is the original message in an encrypted form. The router then continues to forward this newly constituted message to its ultimate destination.

Step 4: Once received by B's ISP, this newly constituted encrypted data is forwarded onto B where it can be decrypted by applying B's private key counterpart to decrypt it into person-A's original unencrypted message. We can see that complex mathematical algorithms are used to encrypt and decrypt data. These algorithms can be so complex that it would take an extremely long time before someone successfully cracks the encryption by randomly guessing possible keys until one of them works.
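The following is an added illustration, not code from the original article, of the asymmetric-key property described in Step 2 (what one key of the pair encrypts, only the other can decrypt) and of the signing capability mentioned under Public-key cryptography. It uses textbook RSA with constructed toy primes (61 and 53) so the arithmetic is visible; the final function shows why a tiny modulus can be cracked by trial division, which is the reason real deployments use keys of 2048 bits or more.

```python
# Textbook RSA with tiny constructed primes, for illustration only.
# Real VPN key exchange uses large moduli plus padding schemes (OAEP/PSS);
# this block only demonstrates the arithmetic behind the key-pair property.
from math import gcd
from typing import Optional, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public_key, private_key) built from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)                # Euler's totient of n
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                    # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def apply_key(value: int, key: Key) -> int:
    """Modular exponentiation with either half of the pair."""
    exp, n = key
    assert 0 <= value < n, "value must be smaller than the modulus"
    return pow(value, exp, n)


def encrypt(m: int, pub: Key) -> int:   return apply_key(m, pub)
def decrypt(c: int, priv: Key) -> int:  return apply_key(c, priv)
def sign(m: int, priv: Key) -> int:     return apply_key(m, priv)
def verify(sig: int, m: int, pub: Key) -> bool: return apply_key(sig, pub) == m


def brute_force_private_key(pub: Key) -> Optional[int]:
    """Recover d by factoring n with trial division; feasible only because n is tiny."""
    e, n = pub
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    return None


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)       # constructed toy primes: n = 3233
    m = 65                                 # a constructed small "message"
    c = encrypt(m, pub)
    assert decrypt(c, priv) == m           # only the private key undoes the public key
    assert decrypt(c, pub) != m            # the public key cannot undo its own encryption
    assert verify(sign(m, priv), m, pub)   # private key signs, public key verifies
    print("ciphertext:", c, "recovered d:", brute_force_private_key(pub), "real d:", priv[0])
```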

How data packets would flow between person-A and person-B using a public key VPN protocol such as PPTP.

Step 1: Person-A wants to establish a connection with person-B so he or she sends an unencrypted message to R1 containing their IP address. Let's further assume that this message arrives on one of the routers for building B's LAN.

Step 2: Now, R1 receives the message from person-A. Let's assume that R1 has already been configured with building A's public key generated during the establishment of the VPN tunnel. Before the router forwards the original message to its intended destination, it will run it through a decryption algorithm using building A's public key. The result is the original message in an encrypted form.

Step 3: Once received by B's ISP, this newly constituted encrypted data is forwarded onto B where it can be decrypted by applying B's private key counterpart to decrypt it into person-A's original unencrypted message. The result is a series of messages containing random-looking characters.

Step 4: Finally, B responds by sending an unencrypted message back to A, whose ISP (R1) will decrypt using B's public key which results in the same random-looking characters. Now, R1 re-encrypts the data with person-A's public key and sends this information on its way toward person-A's ISP (R2). Person-A then receives the reply from Person-B (whose ISP decrypts it with person-B's private key), reverses steps 2 and 3 again, and now has access to the unencrypted message sent by Person-B.

Last updated: Sunday, April 19th, 2020 - 12:42PM