Does the VPN provide anonymity?

It is probably no longer news, or a surprise, that we cannot feel anonymous online. Even if our activity is not directly linked to us through social network identifiers, we can still be identified in other ways, and there are several of them. Our Internet provider knows exactly which websites we have accessed and which services we have used. Some of you will say that you have nothing to hide; others will say that they are outraged by the lack of privacy. Regardless of which group you belong to, you should be aware that there are technologies that are very quickly associated with privacy and anonymity. Let’s consider whether they actually provide it.

Virtual Private Networks, or VPNs. If we asked random people we met on the street what they think a VPN is, we would probably hear answers such as “a secure network that hides your IP number”, “a method of connecting to the office” or “a network that allows you to be anonymous”. While each of these answers carries a bit of truth, the lack of full context means that we often get the wrong idea about what a VPN actually is and is not. Let’s systematize this knowledge so that after listening to this episode everyone can answer the question of whether a VPN really provides anonymity and privacy.

Let’s start with what a VPN is. We can think of a VPN as any other client-server service. Our computer is the client, and the server is simply another computer waiting for connections from clients. The server additionally verifies the clients that try to connect and provides some extra functionality. From the standpoint of a VPN application, we use the service like many others: we simply connect to the server. The effect of that connection is unique, however, because through it we gain access to an additional network. From the point of view of our device it will be basically the same as any other network, but two aspects make it special.

First, this secondary network may physically run through any number of intermediaries, such as our ISP, numerous autonomous systems or intermediate devices, yet from our perspective as a user it appears as a network directly connected to our device. In other words, the network we connect to may be separated from us by multiple other networks, but to us it looks as if we were plugged straight into it. The second aspect is encryption. Everything that travels over this additional virtual connection is encrypted in both directions, all the way between our client and the server. A connection that creates such an additional virtual network, in this case an encrypted one, is what we call a “tunnel”. We say “tunnel” because inside it we can hide our communications even when the websites we talk to do not provide encryption themselves. I must point out, though, that the tunnel exists only between the client and the server. If the server passes our connection on somewhere further, we still need the usual protections on that leg, such as TLS. The usefulness of a VPN begins where the server can forward our connections into some trusted network.
And this brings us to the essence of VPN applications: a VPN is most often used as a gateway that enables connection to an office or some other remote infrastructure.

In order to systematize our knowledge about VPNs and better understand how they work, it is useful to understand the general mechanism of connecting to such a network. The mechanism is quite similar to the “handshake” I described in the previous section, but it is even more restrictive. In this case, both the client and the server have their own cryptographic key pairs. That is, each side has a public key, which it shares with the other side, and a private key, which it keeps to itself. The two keys of a pair work in such a way that whatever we encrypt with one of them can be decrypted with the other. So if we encrypt a message with the public key, only the owner of the private key can read it, and vice versa. Because the private key is never shared while the public key may be publicly available, encryption with the private key is generally called “signing”. If someone “signs” a message with their private key, anyone in possession of the public key can verify that the message was actually signed with the matching key. In the process of connecting to a VPN, the client and the server exchange their public keys. It is as if the server sent me its public key saying: “here’s my public key, encrypt the messages you address to me with it, because only I will understand their content”. Additionally, both sides of the VPN communication have a certificate from a “certificate authority”, so that they can verify each other’s identity. Both parties can thus be sure that the public key they received from the other party over the Internet actually belongs to that party and was not intercepted somewhere along the way and swapped for a crafted key. Once both parties have verified each other, the client generates a random string and encrypts it with the server’s public key. That string is used to create a shared session key, and from then on both the client and the server use the shared key for encryption.
Such a session creates a “tunnel” through which only messages encrypted with the key just established pass. The server also becomes a router: every connection passes through it and is forwarded onward as necessary. Commercial VPN providers operate by routing all of their customers’ traffic through their servers. For example, if we connect to a server in Madrid, we can see in the web browser that web pages are served in Spanish. This is because the server in Madrid is now our router, and the website we are connecting to has matched its language to the sender’s IP address. While we are connected to such a VPN server in Madrid, our ISP knows only that we are using a VPN server that stands somewhere in Madrid; it knows nothing else. However, our entire communication is now known to the VPN provider. So in effect we have simply made our Internet activity known to someone else. What is worse, the VPN provider often requires registration, which makes it easier for them to associate our person with a particular activity. We definitely do not gain anonymity this way.
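As an added worked example (not code from this episode), the connection setup and tunnel described above, written in Go with only its standard library: the client seals a random string under the server’s public key, the server proves possession of its private key by signing what it received, both sides derive the same session key and then exchange one message through an AES-GCM “tunnel”. Assumptions: the certificate check is replaced by the client trusting serverKey’s public key directly, the session key is simply a hash of the random string, and the cipher is AES-256-GCM; all names (clientHello, serverAccept, SessionCipher, RunHandshake) are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Client: draw a random 32-byte secret and seal it so only the server's private key can open it.
func clientHello(serverPub *rsa.PublicKey) (secret, sealed []byte) {
	secret = make([]byte, 32)
	rand.Read(secret)
	sealed, _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, nil)
	return secret, sealed
}
// Server: open the secret and sign what it received, proving it holds the matching private key.
func serverAccept(priv *rsa.PrivateKey, sealed []byte) (secret, sig []byte, err error) {
	if secret, err = rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, nil); err == nil {
		sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(sealed), nil)
	}
	return secret, sig, err
}
// SessionCipher derives the AES-256-GCM tunnel key (assumed: plain hash); both ends must get the same one.
func SessionCipher(secret []byte) cipher.AEAD {
	block, _ := aes.NewCipher(digest(secret))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// RunHandshake simulates one connection; with tamper set an intermediary alters the sealed secret in transit and the handshake must fail.
func RunHandshake(tamper bool) bool {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair; the certificate step is assumed
	secret, sealed := clientHello(&serverKey.PublicKey)
	if tamper {
		sealed[len(sealed)-1] ^= 0x01
	}
	srvSecret, sig, err := serverAccept(serverKey, sealed)
	if err != nil || rsa.VerifyPSS(&serverKey.PublicKey, crypto.SHA256, digest(sealed), sig, nil) != nil {
		return false
	}
	// Tunnel traffic: the client seals a request, the server opens it with its own copy of the key.
	c, s := SessionCipher(secret), SessionCipher(srvSecret)
	nonce := make([]byte, c.NonceSize())
	rand.Read(nonce)
	pt, err := s.Open(nil, nonce, c.Seal(nil, nonce, []byte("GET / HTTP/1.1"), nil), nil)
	return err == nil && string(pt) == "GET / HTTP/1.1"
}
```

Note that the encryption stops at s.Open: whatever the server does with the decrypted request afterwards is outside the tunnel, which is exactly the point the text makes about the VPN provider seeing our traffic.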

Now let’s look at what a VPN definitely isn’t and what it doesn’t do. Sometimes you may come across opinions like “I use a VPN, I’m safe”. The very phrase “be safe” frankly sounds a bit funny in the context of computers, but let’s try to list some of the most popular myths. A VPN does not protect us from malware. It is really just a method of passing connections through an encrypted tunnel; it has nothing to do with scanning or blocking any software. If you use a VPN to connect to a suspicious site or receive an email with a virus, the effect will be the same as if you did it without the VPN. Another myth concerns anonymity. A VPN does not provide it. Since the VPN server plays the role of a router, it rewrites the source IP address while routing, so the destination server you connect to via the VPN will indeed see the IP address of the VPN server. However, it is worth asking: so what? The vast majority of Internet users do not have a public IP address of their own, and whenever such a user connects to anything, their address is rewritten anyway by the routers that sit on the way through their ISP’s network. In such circumstances, the target server from which we wanted to hide our address will see some address belonging to our ISP anyway, and will not associate our person with the activity on that basis. It can, however, associate us through the cookies our web browser stores. If our browser holds cookies designed to identify clients, the destination server will know perfectly well who we are, whether we connect via the VPN or directly. And if we decide to log in with our personal credentials (username and password), all anonymity ends.

After all, we made an explicit login, and the server knows it’s us, whether through the VPN or directly. I have also come across the statement that VPNs are illegal. This is absolutely false. Countless companies use VPNs to share their resources with employees working remotely. VPNs are also heavily used for site-to-site connections, i.e. between two sites that are geographically distant from each other but need to remain in constant communication. Perhaps this stereotype was born when someone used the technology for the wrong purposes.

Now that we know that a VPN does not really provide anonymity, let’s consider what we can use it for. When does it make sense to use one? The most natural example of a VPN application is remote access to the office network. Let’s assume that in the office we have file storage, a database and several computers, and we want to be able to connect to each of these components remotely. Without a VPN, each component would have to be somehow made available and visible on the Internet. That means additional configuration of the services and the router and, worst of all, additional risk that someone finds a vulnerability in one of them and uses it to attack our infrastructure. In such a situation it is better to leave all the services running in the office reachable only from within it, and to expose the VPN server as the only service accessible from the outside. An authorized VPN client can then log in, go through a restrictive authorization process and, once that is completed, use the services located in the office as if they were physically present there. This, of course, requires configuring a VPN server in the office.

A VPN can also be useful when using an untrusted network. Have you ever connected to Wi-Fi in a coffee shop without being asked for a password? A VPN is a pretty good option when using a network you don’t fully trust, because it provides encryption over part of the path. If someone at the coffee shop has set up a rogue Wi-Fi access point and we connect to it, we could be eavesdropped on. A VPN will still give us encryption even if the wireless network itself carries our traffic in the clear. Again, keep in mind that VPN encryption only covers the path from the client to the VPN server and nothing beyond it. So if we are not sure whether we can take such a risk, it is better simply to refrain from it.

So is it worth using a VPN to feel more anonymous and secure on the Internet? No, because a VPN was not created with anonymity in mind. We can, of course, hide our communications from our ISP, but they are then handed over to the VPN provider. If we don’t trust the ISP, why should we trust the VPN provider? We gain more by changing our habits toward more careful use of the Internet. A VPN can only serve as an addition here.

Is it worth using a VPN to access remote resources? Absolutely. A VPN was created to build a secure tunnel that lets you use not just one, but many resources of a remote network. In a way, it simplifies IT infrastructures: instead of exposing many services on the Internet, it lets you expose a single service, which in turn makes all of them reachable through that one entry point in a reasonably safe way.

The IT world abhors a vacuum. When a need arises, a tool appears quite quickly. This trait is particularly characteristic of Open Source. In fact, when building IT infrastructures, the problem is not a lack of tools but finding and choosing the right tools for your needs. A VPN is definitely a great tool for connecting to networks where we keep some hidden services. For anonymity, however, there are much better tools, which we will talk about in the next episode.