VPN


This is a machine-translated text that may contain errors!

VPN, or Virtual Private Network, is a solution that allows us to create a secure (encrypted) connection to another network and device(s) over the internet.

First, what is a private network? (not a VPN)

A private network is a network that is isolated from other networks. This can be a corporate network, a home network, or another type of network that is not open to everyone. An open network, such as at an airport, is also technically a private network, but such networks are usually configured to isolate devices from each other to increase security.

Imagined scenario

Imagine you have a printer at home that you want to use to print a document. This printer is connected to your home network and therefore has a private IP address that is only accessible to devices connected to your own network. You can use your machine at home to print without problems, but your neighbor is on a different network and cannot reach your printer directly.

You also cannot communicate with your printer from, for example, school or other networks, because the printer is not exposed to the internet (which it shouldn’t be for security reasons).

Note: No rules without exceptions…

Some devices, however, offer solutions where they use VPN-related technology to allow you to print documents from anywhere in the world, as long as you have internet access. This may involve a security risk, so be aware of what you connect to your network, especially with IoT devices or surveillance cameras.

Have you noticed that every time you connect to a new network, you get a question about whether you are connecting to a “private” or “public” network?

This is because Windows (and other operating systems) uses this answer to decide which firewall rules should protect your device. A network marked as private usually gets a relaxed firewall profile (all connected devices automatically trust each other), so your device is more exposed to other devices on the same network. In return, you can more easily share printers, files and other resources when machines are on the same network.

Commercial Actors

There are many commercial actors who offer VPN services, advertising that they can protect your privacy on the internet and allow you to surf anonymously. This is not necessarily the whole truth, and it is important to be aware of what a VPN actually does.

How VPN Works Meme

In practice, one moves the network connection to another location (often another country), as we use VPN servers as an intermediary from our client to the internet.

Commercial VPN != security

Many actors market themselves as a service that offers increased security, but for most users this is not the case. When we visit websites that use HTTPS (even on public wifi), the connection is already encrypted, and a VPN will therefore not necessarily offer any extra security. It also cannot “hide” your activity from your internet provider entirely.

In certain countries or places it may still be beneficial, but it is important to be aware that you are moving your trust from your internet provider to the VPN provider.

Public networks

We often hear that we should not connect to unsecured public networks, such as those in cafes, airports, hotels, etc. This is not necessarily problematic as long as we use HTTPS (encrypted) to visit websites.

What can be problematic is if someone sets up a “false” network with, for example, a malicious Captive Portal (a website that usually requires login or acceptance of terms before we get access to the internet).

Captive Portal

Have you checked if you have “automatic connection” to open networks on your mobile phone or laptop? This can cause your device to connect to a malicious network without you being aware of it.

What can we use a VPN for?

A VPN can be used to connect devices across networks, as if they were on the same (private) network, in a more secure way than exposing the devices directly to the internet (opening ports in the firewall). Note that we still need a VPN server to connect to: we can either set one up ourselves (which requires opening a port in the firewall), or use a provider that offers a relay (intermediary) for us. Popular options are OpenVPN, WireGuard, and IPsec.

Friendship ended with OpenVPN, now WireGuard is my best friend

Example

You have a gaming PC that you want to connect to with your laptop when you are at school via Remote Desktop software (RDP). You can then set up a VPN solution that allows you to connect to your home network, and then use RDP to connect to your gaming PC as if you were at home.

In our case, we will use it to access the resources here at school from other places in the world, and later we will look at cloud computing, where we want to connect securely to virtual servers in the cloud. Normally, we open a port to our server to set this up, and then lock the server down afterwards (usually with a site-to-site VPN).

The only practical difference is that we get a different IP address on our VPN network (e.g. 100.64.0.0/10 is often used for VPNs), but functionally it is as if we were on the same network. This means that we can use e.g. RDP, SSH, FTP (File Transfer Protocol), etc. without having to open up our services in the firewall.
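A quick way to check that this is actually true on your own machine is to look at which address each service is listening on: a service bound to the tailnet address (from 100.64.0.0/10) is reachable only through the VPN, while one bound to 0.0.0.0, [::] or * is reachable from every network the machine is connected to unless the firewall blocks it. The following Python audit is an added example, not code from the original page or from Tailscale; it parses the output of `ss -tlnH` (listening TCP sockets, no header), and both the sample output and the host's tailnet address 100.64.12.7 are constructed.

```python
import ipaddress
from typing import List, Tuple

# Tailscale assigns each device an address from the CGNAT range 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
# Bind addresses that mean "every interface" in ss output (IPv4, IPv6, either).
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -tlnH` output; not captured from a real host.
# The tailnet address 100.64.12.7 is an assumption for this example.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 100.64.12.7:3389 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:21 [::]:*
LISTEN 0 128 192.168.1.20:445 0.0.0.0:*
"""


def split_local(field: str) -> Tuple[str, int]:
    """Split ss's 'addr:port' field; IPv6 addresses arrive bracketed, e.g. '[::]:21'."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def classify(addr: str) -> str:
    """Say from where a socket bound to this address can be reached."""
    if addr in WILDCARDS:
        return "all-interfaces"      # LAN and internet, unless a firewall rule blocks it
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"            # this machine only
    if ip.version == 4 and ip in TAILNET:
        return "tailnet-only"        # only other devices on the VPN can reach it
    return "single-interface"        # e.g. a LAN address such as 192.168.x.x


def audit(ss_output: str) -> List[Tuple[int, str, str]]:
    """Return (port, bind address, reachability) for every listening socket."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        findings.append((port, addr, classify(addr)))
    return findings


if __name__ == "__main__":
    for port, addr, verdict in audit(SAMPLE_SS):
        print(f"{port:>5} {addr:<15} {verdict}")
```

On a real host, pipe `ss -tlnH` into `audit()` and treat every "all-interfaces" line as a service that still depends on the firewall rather than on the VPN.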

Easy Task 1 - Installation of TailScale VPN

Fortunately for us, installing a VPN is simple, especially if you use a service like TailScale. This is a commercial service that offers an easy way to set up a WireGuard VPN, which provides us with more than enough functionality at its free level (100 devices).

TailScale Free Tier

Follow the installation process as described in the documentation: https://tailscale.com/download

Note

You need a VPN on all devices you want to connect to the network with. This includes servers, PCs, mobiles, etc.

Medium Task 2 - Set up an Exit Node

An Exit Node in TailScale is a device in your network that functions as a gateway for all traffic from other devices in the TailScale network. This routes all traffic through this device, which can be useful for accessing resources on a specific network, or obtaining a new IP address to bypass geographical restrictions.

We use Nginx Proxy Manager to restrict access to certain resources (e.g. your Proxmox server) based on IP address; with an Exit Node at school you will get an IP address that is “at school” no matter where in the world you are.

Follow the documentation to set up an Exit Node: https://tailscale.com/kb/1103/exit-nodes#configure-an-exit-node

Note! “Edit Routes” menu

Don’t forget the step of turning on “Use as Exit Node” in the TailScale menu on the device you have set up as an Exit Node. This is a common step to forget.

Exit Nodes Everywhere

Exit-Node on a VPS in the cloud!

If you set up a virtual machine in another country via e.g. Azure (where you get free credit as a student), you can easily set up an Exit-Node to get an IP address in that country - just like a commercial VPN service, with fewer restrictions and more learning!