VPN


This is a machine-translated text that may contain some errors!

VPN, or Virtual Private Network, is a solution that lets us create a secure (encrypted) connection to another network and its device(s) over the internet.

First, What is a Private Network? (Not a VPN)

A private network is a network that is isolated from other networks. This can be a corporate network, a home network, or another type of network that is not open to just anybody. An open network, like the one you might find at an airport, is also technically a private network, but such networks are usually set up to keep the connected devices separate from each other to improve security.

Hypothetical scenario

Imagine you have a printer at home that you want to use to print a document. This printer is connected to your home network, and therefore has a private IP address that is only reachable from devices connected to your own network. You can print from your machine at home without problems, but your neighbour is on a different network and cannot reach your printer directly.

You also cannot communicate with your printer from, for example, school or other networks, because the printer is not exposed to the internet (which it shouldn’t be for security reasons).

Note: No rules without exceptions…

Some devices, however, offer solutions where they use VPN-related technology to let you print documents from anywhere in the world, as long as you have internet access. This may entail a security risk, so be aware of what you connect to your network, especially with IoT devices or surveillance cameras.

Have you noticed that every time you connect to a new network, you are asked whether you are connecting to a “private” or “public” network?

This is because Windows (and other operating systems) uses this information to decide which firewall rules to apply to protect your device. A private network is usually treated as trusted (all connected devices trust each other automatically), so your device is more exposed to other devices on the same network. In return, you can more easily share printers, files, and other resources between machines on the same network.

Commercial Operators

There are a great many commercial operators offering VPN services, claiming they can protect your privacy on the internet and let you browse anonymously. That is not necessarily the whole truth, and it is important to be aware of what a VPN actually does.

How VPN Works Meme

In practice, you move your network connection to another place (often another country), since the VPN server acts as a middleman between your client and the internet.

Commercial VPN != security

Many providers market themselves as a service that offers increased security, but for most users that is not the case. When we visit websites using HTTPS (even on public wifi), the connection is already encrypted, and a VPN will not necessarily offer any extra security. It also cannot completely “hide” your activity from your internet provider.

In certain countries or places it might still be beneficial, but it is important to be aware that you are moving your trust from your internet provider to the VPN provider.

Public Networks

We often hear that we shouldn’t connect to unsecured public networks, like those at cafes, airports, hotels, etc. This isn’t necessarily problematic as long as we use HTTPS (encrypted) to visit websites.

What can be problematic is if someone sets up a “fake” network with, for example, a malicious Captive Portal (a webpage that usually requires login or acceptance of terms before we get access to the internet).

Captive Portal

Have you checked if you have “automatic connection” to open networks on your mobile or laptop? This can cause your device to connect to a malicious network without you being aware of it.

What Can We Use a VPN For?

A VPN can be used to connect devices across networks, as if they were on the same (private) network, in a safer way than exposing the devices directly to the internet (opening ports in the firewall). Note that we still need a VPN server to connect to; we can either set it up ourselves (which requires opening a port in the firewall) or use a provider that offers a relay (intermediary) for us. Popular options are OpenVPN, WireGuard, and IPsec.

Friendship ended with OpenVPN, now WireGuard is my best friend

Example

Say you have a gaming rig at home that you want to reach from your laptop while you are at school, using Remote Desktop software (RDP). You can set up a VPN solution that lets you connect to your home network, and then use RDP to connect to your gaming PC as if you were at home.

In our case, we aim to use this to get access to the resources at school from other parts of the world, and later on we will look at cloud computing, where we want to connect to virtual servers in the cloud in a safe manner. Usually, we open up a port to our server to get this set up, then lock the server down afterwards (generally a site-to-site VPN).

The only practical difference is that we get a different IP address on our VPN network (the range 100.64.0.0/10 is often used for VPNs), but the functionality is as if we were on the same network. This means we can use things like RDP, SSH, FTP (File Transfer Protocol), and the like without having to open up our services in the firewall.

Easy Task 1 - Installing Tailscale VPN

Luckily for us, installing a VPN is simple, especially if you use a service like Tailscale. This is a commercial service that offers an easy way to set up a WireGuard VPN, and its free tier (100 devices) gives us more than enough functionality for our needs.

Tailscale Free Tier

Follow the installation process as described in the documentation: https://tailscale.com/download

Note

You need the VPN client on all the devices you want to connect to the network. This includes servers, PCs, mobiles, and the like.

Medium Task 2 - Set Up an Exit Node

An Exit Node in Tailscale is a device on your network that acts as a gateway for all traffic from other devices on the Tailscale network. This routes all their traffic through that device, which can be very useful for getting access to resources on a specific network, or for getting a new IP address to bypass geographical restrictions.

We are using Nginx Proxy Manager to limit access to certain resources based on IP address (like your Proxmox server). With an Exit Node at school, you will be able to get an IP address that is “at school” no matter where you are in the world.
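The following is an added illustration (not code from the course or from Tailscale/Nginx Proxy Manager) of why the Exit Node matters for the IP-based access list described above, and of the 100.64.0.0/10 overlay range mentioned earlier: the proxied service only ever sees the public address the traffic leaves from. The school range 203.0.113.0/24 and all device addresses are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values (RFC 5737 documentation space), not real hosts.
SCHOOL_PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")  # what the proxy allows
TAILNET = ipaddress.ip_network("100.64.0.0/10")             # Tailscale overlay range


@dataclass
class Device:
    name: str
    tailnet_ip: str   # address on the VPN overlay (100.64.0.0/10)
    public_ip: str    # address the internet sees when the device talks out directly


def source_ip_seen_by_service(client: Device, exit_node: Optional[Device]):
    """Return the source address a public service sees for the client's traffic.

    Without an exit node the client leaves its own local network directly.
    With an exit node, traffic is tunnelled over the tailnet and leaves from
    the exit node, so the service sees the exit node's public address instead.
    """
    if exit_node is not None:
        # The tunnel only exists if both ends are actually tailnet peers.
        for dev in (client, exit_node):
            if ipaddress.ip_address(dev.tailnet_ip) not in TAILNET:
                raise ValueError(f"{dev.name} has no tailnet address")
        return ipaddress.ip_address(exit_node.public_ip)
    return ipaddress.ip_address(client.public_ip)


def is_allowed(source_ip, allow_nets) -> bool:
    """Allow-list check: the source must fall inside one of the allowed networks."""
    return any(source_ip in net for net in allow_nets)


def nginx_access_block(allow_nets) -> str:
    """Render the nginx allow/deny directives an IP allow list boils down to."""
    return "\n".join([f"allow {net};" for net in allow_nets] + ["deny all;"])


def demo():
    laptop = Device("laptop-abroad", "100.101.102.103", "198.51.100.7")
    school_exit = Device("school-exit-node", "100.101.102.1", "203.0.113.10")
    direct = source_ip_seen_by_service(laptop, None)
    via_exit = source_ip_seen_by_service(laptop, school_exit)
    return {
        "direct": (str(direct), is_allowed(direct, [SCHOOL_PUBLIC_NET])),
        "via_exit": (str(via_exit), is_allowed(via_exit, [SCHOOL_PUBLIC_NET])),
    }


if __name__ == "__main__":
    print(nginx_access_block([SCHOOL_PUBLIC_NET]))
    print(demo())  # direct access is denied, access via the school Exit Node is allowed
```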

Follow the documentation to set up an Exit Node: https://tailscale.com/kb/1103/exit-nodes#configure-an-exit-node

Note! “Edit Routes” menu

Don’t forget the step of turning on “Use as Exit Node” in the Tailscale menu on the device you have set up as an Exit Node. This is a common step to forget.

Exit Nodes Everywhere

Exit-Node on a VPS in the cloud!

If you set up a virtual machine in another country via e.g. Azure (where you get free credit as a student), you can easily set up an Exit Node to get an IP address in that country - just like a commercial VPN service, with fewer restrictions and more learning!