VPNs (Virtual Private Networks) create encrypted tunnels over public networks, enabling secure remote access and site-to-site connectivity.
Use Cases
- Remote access - Securely connect to office/home network
- Site-to-site - Connect multiple office locations
- Privacy - Mask traffic from ISPs
- Bypass geo-restrictions - Access region-locked content
- Secure public WiFi - Encrypt traffic on untrusted networks
VPN Protocols Comparison
| Protocol | Security | Speed | Ease of Setup | Best For |
|---|---|---|---|---|
| WireGuard | Excellent | Excellent | Easy | Modern deployments |
| OpenVPN | Excellent | Good | Moderate | Compatibility, enterprise |
| IPsec/IKEv2 | Excellent | Good | Complex | Mobile, site-to-site |
| L2TP/IPsec | Good | Moderate | Moderate | Legacy compatibility |
| PPTP | Poor | Good | Easy | Avoid (broken crypto) |
WireGuard
Modern, fast, and simple VPN protocol. Recommended for most use cases.
Why WireGuard?
- ~4,000 lines of code (vs ~100,000 for OpenVPN)
- Built into Linux kernel (5.6+)
- Faster connection establishment
- Better performance (uses modern cryptography)
- Simpler configuration
OpenVPN
Mature, widely supported, highly configurable.
Key Differences from WireGuard
| Aspect | OpenVPN | WireGuard |
|---|---|---|
| Config complexity | High | Low |
| Certificate management | Required | Keys only |
| Dynamic IPs | Easier | Requires extra config |
| Protocol | TCP or UDP | UDP only |
| Firewall traversal | Better (TCP 443) | UDP only |
IPsec / IKEv2
Strong security, native support in most operating systems.
Split Tunnelling
Route only specific traffic through the VPN rather than all traffic.
Self-Hosted VPN Solutions
| Solution | Notes |
|---|---|
| PiVPN | Easy WireGuard/OpenVPN installer for Raspberry Pi |
| Algo VPN | Ansible scripts for IKEv2 VPN on cloud |
| Tailscale | WireGuard-based mesh VPN, zero config |
| Headscale | Self-hosted Tailscale control server |
| Netbird | WireGuard-based, self-hostable |
Security Considerations
- Key rotation - Periodically regenerate keys
- Kill switch - Block traffic if VPN drops
- DNS leaks - Ensure DNS queries go through VPN
- IPv6 leaks - Disable IPv6 or route through VPN
- Logging policy - For privacy, use providers with a no-logs policy
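
The split-tunnelling, DNS leak, IPv6 leak and kill switch items can be checked against a WireGuard client config before it is deployed. The script below is an added example, not part of the original page: it audits a wg-quick style config, and the sample config, placeholder keys, `vpn.example.org` and the REJECT/DROP kill-switch heuristic are assumptions.

```python
import ipaddress

# Constructed sample wg-quick client config; keys and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0
"""

def parse(conf):
    """Return {section: {key: [values]}}; repeated keys and [Peer] blocks merge."""
    out, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            out.setdefault(section, {})
        elif "=" in line and section:
            key, value = (p.strip() for p in line.split("=", 1))
            out[section].setdefault(key.lower(), []).append(value)
    return out

def audit(conf):
    """Return findings for the split-tunnel, IPv6, DNS and kill-switch items."""
    cfg = parse(conf)
    iface, peer = cfg.get("interface", {}), cfg.get("peer", {})
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for v in peer.get("allowedips", []) for n in v.split(",") if n.strip()]
    full4 = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    full6 = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if not (full4 or full6):
        return ["split-tunnel: only the listed prefixes use the VPN"]
    findings = []
    if full4 and not full6:
        findings.append("ipv6-leak: 0.0.0.0/0 is tunnelled but ::/0 is not")
    if not iface.get("dns"):
        findings.append("dns-leak: no DNS set, the system resolver stays in use")
    # Heuristic (assumption): a kill switch shows up as a PostUp REJECT/DROP rule.
    if not any(w in " ".join(iface.get("postup", [])) for w in ("REJECT", "DROP")):
        findings.append("no-kill-switch: no PostUp rule blocks non-VPN traffic")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

For the sample config this reports the IPv6 leak and the missing kill switch; a split-tunnel config is reported as such and the leak checks are skipped, since non-VPN traffic is expected there.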