A VPN or Virtual Private Network is used to connect two separate networks over a third network that neither of them controls, usually the Internet. Traffic between them is encapsulated and encrypted, so the two networks can act as if they were physically connected together - that’s why it’s called a virtual private network.
A demarcation point is the place where your network ends and your ISP’s network begins.
NAT
Client/server or Remote Access
In a remote access VPN setup, one device makes a VPN connection over the Internet to a VPN server or router at the edge of another network. Once this connection is established, the client device can use the remote network as if it were physically connected to it.
If you connect to a commercial VPN like ProtonVPN, your traffic is encrypted from your device all the way to Proton’s servers, where it’s decrypted and sent to its final destination from the IP address of the VPN exit node Proton runs. When a response comes back to the exit node, it’s encrypted and sent back to your device over the VPN connection. Note what this does and doesn’t protect: your local network and ISP can’t see what you’re doing and the destination only sees Proton’s address, but past the exit node the traffic is whatever your application sent - plain HTTP is still plain HTTP once it leaves Proton.
DirectAccess is a Microsoft VPN product that automatically connects users to a VPN if they’re outside the company network and keeps the VPN disconnected if they’re inside.
Site to site
In a site-to-site VPN setup, two routers establish a VPN connection to each other over the Internet. They can then pass traffic to each other as if they were physically connected.
Each router has a route for the other side’s subnet pointing into the tunnel. A router at the edge of your network in Tokyo with a 192.168.1.0/24 network can send traffic over the Internet through the VPN connection to your 172.20.0.0/16 office network in Berlin, and the hosts on either side don’t need to know a VPN is involved.
Split tunneling
By default (a full tunnel), the VPN client replaces your default route, so all your traffic is sent through that VPN. Split tunneling installs routes only for the remote network’s prefixes, so only traffic for those destinations uses the tunnel and everything else goes out your normal Internet connection.
For example, traffic to your office file server will go over the work VPN while traffic to YouTube will ignore the VPN and be sent straight out to the Internet (instead of going to your work network and then out to the Internet from there). The trade-off is that the client’s Internet traffic no longer passes through the office’s outbound firewall and proxies, and the machine is on both networks at once.
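Both the site-to-site case and split tunneling come down to which routes exist and longest-prefix matching. The following is an added Python example, not part of the course notes; the routing tables, interface names and addresses (203.0.113.10 and 198.51.100.7 are documentation addresses standing in for a VPN server and an Internet site) are constructed:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def route(prefix: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), interface)


def lookup(routes, dst: str):
    """Longest-prefix match, the rule every host and router uses: the most
    specific route containing dst wins, so a /16 for the office beats the
    /0 default route. Returns the outgoing interface, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


# Constructed routing table of a laptop on a home LAN (192.168.1.0/24) with a
# split-tunnel VPN: only the Berlin office prefix is routed into the tunnel.
SPLIT_TUNNEL = [
    route("0.0.0.0/0", "eth0"),       # default route: straight out to the ISP
    route("192.168.1.0/24", "eth0"),  # local LAN
    route("172.20.0.0/16", "tun0"),   # office network, reachable only via VPN
]

# Same laptop with a full tunnel: the VPN client replaced the default route,
# but the VPN server's own public address (constructed: 203.0.113.10) must
# keep going out eth0, otherwise the encrypted packets would be routed back
# into the very tunnel they carry.
FULL_TUNNEL = [
    route("0.0.0.0/0", "tun0"),
    route("192.168.1.0/24", "eth0"),
    route("203.0.113.10/32", "eth0"),
]

# The Tokyo router in the site-to-site setup looks the same from the routing
# point of view: its own LAN on the inside interface, the Berlin prefix into
# the tunnel, everything else to the ISP.
TOKYO_ROUTER = [
    route("0.0.0.0/0", "wan0"),
    route("192.168.1.0/24", "lan0"),
    route("172.20.0.0/16", "vpn0"),
]

OFFICE_FILE_SERVER = "172.20.5.10"
INTERNET_HOST = "198.51.100.7"  # constructed stand-in for a site like YouTube

if __name__ == "__main__":
    for name, table in ("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL):
        for dst in (OFFICE_FILE_SERVER, INTERNET_HOST):
            print(f"{name:5} tunnel: {dst:>13} -> {lookup(table, dst)}")
```

A VPN client that offers split tunneling is really just choosing which of these tables to install; checking the host’s routing table after connecting (route print on Windows, ip route on Linux) tells you which one you actually got.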
DMZ
A DMZ or demilitarized zone is a separate segment of your network for servers that need to be reachable from the Internet. The firewall lets the Internet reach specific services in the DMZ, but the rules between the DMZ and your internal network stay tight, so if an Internet-facing server is compromised the attacker doesn’t get a foothold on the inside.
Port forwarding
We’re using a Windows server with RRAS as a substitute for an actual router. We’ve configured it to forward requests it receives on TCP port 80 to the internal IP address of our web server. This is called port forwarding (also destination NAT); it’s how a server in the DMZ is made reachable from the Internet.
Port forwarding works like a traditional (Layer 3/4) firewall. It looks only at the destination IP address and port and decides whether to pass that traffic on to an internal server or just drop it; it never looks at what’s inside the packet.
A reverse proxy goes one step farther and processes the traffic that comes in. It terminates the client’s connection itself, reads the request, and then opens its own connection to the internal server. Because it sees the application data (for HTTP: the Host header, method and path), it can route by hostname, reject malformed or malicious requests, and balance load across several servers. The internal server sees the proxy, not the client, as the source address, which is why proxies add headers like X-Forwarded-For.
A Next-Generation Firewall (NGFW) applies the same idea to a firewall: it inspects the content of traffic rather than just looking at ports and addresses. This lets it scan traffic for malware, do load balancing, and block hacking attempts.
So a reverse proxy works like newer firewalls. It looks at the data in the traffic, not just source and destination ports/IP addresses.
Note
You don’t need a Next-Generation Firewall to do reverse proxying; an ordinary web server such as nginx, HAProxy or Apache does it. The comparison is only that both inspect application-layer content instead of stopping at ports and addresses.
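The difference between the two, as an added Python example (not from the course notes): a port-forwarding rule that only matches on destination address and port and copies the payload through blindly, next to a minimal HTTP reverse proxy that parses the request and can refuse it. The rule table, backend map and sample requests are constructed; 203.0.113.10 stands in for the RRAS public address and 10.1.1.80/81 for internal web servers.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# --- Layer 3/4: port forwarding (destination NAT) on the edge device ---
# Constructed rule table: (public address, public port) -> (internal address, port).
PORT_FORWARDS = {("203.0.113.10", 80): ("10.1.1.80", 80)}


def port_forward(pkt: Packet) -> Optional[Packet]:
    """Match on destination address and port only; rewrite and pass on, or drop.
    The payload is copied through untouched, so a request for ../../etc/passwd
    and a normal page request are indistinguishable here."""
    target = PORT_FORWARDS.get((pkt.dst_ip, pkt.dst_port))
    if target is None:
        return None  # no rule: drop
    return Packet(pkt.src_ip, target[0], target[1], pkt.payload)


# --- Layer 7: a minimal HTTP reverse proxy ---
# Constructed backend map: which internal server answers for which hostname.
BACKENDS = {"www.example.com": "10.1.1.80", "files.example.com": "10.1.1.81"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


@dataclass
class ProxyDecision:
    backend: Optional[str]   # internal server to connect to, or None if refused
    status: str              # what the proxy would tell the client
    request: bytes = b""     # the rewritten request sent to the backend


def parse_http(payload: bytes):
    """Split an HTTP/1.1 request into request line, headers and body.
    Raises ValueError on anything that is not well-formed HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].decode("ascii").split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header without colon")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def reverse_proxy(pkt: Packet) -> ProxyDecision:
    """Terminate the connection, inspect the request, then decide."""
    try:
        method, path, version, headers, body = parse_http(pkt.payload)
    except ValueError:
        return ProxyDecision(None, "400 Bad Request")
    host = headers.get(b"host", b"").decode("ascii", "replace").split(":")[0].lower()
    backend = BACKENDS.get(host)
    if backend is None:
        return ProxyDecision(None, "421 Misdirected Request")  # unknown hostname
    if method not in ALLOWED_METHODS:
        return ProxyDecision(None, "405 Method Not Allowed")
    if ".." in unquote(path).split("/"):  # decode %2e%2e before checking
        return ProxyDecision(None, "403 Forbidden")  # path traversal attempt
    # The backend sees the proxy, not the client, as the TCP peer, so record
    # the real client address in X-Forwarded-For before passing it on.
    lines = [f"{method} {path} {version}".encode("ascii")]
    lines += [name + b": " + value for name, value in headers.items()]
    lines.append(b"x-forwarded-for: " + pkt.src_ip.encode("ascii"))
    return ProxyDecision(backend, "forwarded", b"\r\n".join(lines) + b"\r\n\r\n" + body)


# Constructed requests from a client on the Internet to the public address.
CLIENT = "198.51.100.7"
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
FILES = b"GET /report.pdf HTTP/1.1\r\nHost: files.example.com\r\n\r\n"
TRAVERSAL = b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x02\x00\x01\x00"  # looks like a TLS ClientHello, not HTTP


def to_public(payload: bytes, port: int = 80) -> Packet:
    return Packet(CLIENT, "203.0.113.10", port, payload)
```

Run the traversal request through both: the port forward delivers it to 10.1.1.80 unchanged, while the proxy answers 403 and never contacts a backend. The proxy also only knows how to forward what it can parse, which is the other half of the trade: a raw TLS handshake to the same port is a 400 here, where the port forward would have passed it on to a server that might speak TLS.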
RADIUS
A RADIUS server is an authentication server: a network device hands it a username and password (or certificate) and it answers accept or reject, usually by checking against a directory rather than its own database (NPS, Microsoft’s RADIUS server, checks against Active Directory). You really don’t want this server to be anywhere near the Internet. This brings up a problem: you still need a way to check passwords for people that are connecting to your network from the outside.
RADIUS solves this problem by having the device the user connects to (the router, switch, VPN server or wireless access point, called the network access server or NAS) collect the credentials and relay them to the RADIUS server. The NAS doesn’t hold any credentials itself, and it doesn’t pass any other traffic from the new device until the RADIUS server says yes.
The only device allowed to talk to the RADIUS server is the NAS handling authentication, and the server only accepts requests from NASes it has been told about: each one is registered as a RADIUS client with its IP address and a shared secret, and requests from any other address are silently dropped. For example, in the lab, you authorized 10.1.1.1 to talk to your NPS server.
So the untrusted device sends a login request to your RRAS, RRAS wraps it in a RADIUS Access-Request and passes it off to NPS, NPS answers with Access-Accept (or Access-Reject), and RRAS lets the device connect (or not).
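The exchange above, as an added Python example that is not part of the course material: the NAS side (RRAS at 10.1.1.1) builds an Access-Request with the User-Password attribute hidden the way RFC 2865 specifies, the server side does what NPS does (drop anything from an unregistered client, check the credentials, sign the reply with the shared secret), and the NAS verifies the reply before trusting it. The client table, shared secret and user database are constructed lab stand-ins; a real NPS checks Active Directory.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types, RFC 2865

# Constructed lab data: the NAS NPS has been told to trust, its shared
# secret, and a stand-in for the directory NPS would really query.
RADIUS_CLIENTS = {"10.1.1.1": b"lab-shared-secret"}
USERS = {b"alice": b"correct horse battery"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")   # padding was nulls, so passwords can't end in one


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(raw: bytes):
    """Header (code, identifier, length, 16-byte authenticator) plus TLV attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, l = struct.unpack("!BB", raw[i:i + 2])
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, raw[i + 2:i + l]))
        i += l
    return code, ident, raw[4:20], attrs, raw[20:length]


def response_authenticator(code, ident, attr_bytes, request_auth, secret) -> bytes:
    """MD5 over the reply, the request's authenticator and the secret: only a
    party that knows the secret can produce an Accept the NAS will believe."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def nas_access_request(username, password, secret, ident, nas_ip):
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def radius_server(raw: bytes, src_ip: str):
    """Server side: look the client up by source address, silently discard
    unknown clients, check the credentials, sign the reply."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None:
        return None
    code, ident, request_auth, attrs, _ = parse_packet(raw)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    stored = USERS.get(a.get(USER_NAME))
    revealed = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    ok = stored is not None and hmac.compare_digest(stored, revealed)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)
    return header + response_authenticator(reply_code, ident, b"", request_auth, secret)


def nas_check_reply(raw, ident, request_auth, secret) -> str:
    code, rid, auth, _, attr_bytes = parse_packet(raw)
    expected = response_authenticator(code, rid, attr_bytes, request_auth, secret)
    if rid != ident or not hmac.compare_digest(auth, expected):
        return "forged"      # wrong secret or spoofed server: ignore it
    return "accept" if code == ACCESS_ACCEPT else "reject"


def authenticate(username, password, nas_ip="10.1.1.1", nas_secret=b"lab-shared-secret", ident=7):
    """The whole exchange from the RRAS point of view."""
    request, request_auth = nas_access_request(username, password, nas_secret, ident, nas_ip)
    reply = radius_server(request, nas_ip)
    return "no reply" if reply is None else nas_check_reply(reply, ident, request_auth, nas_secret)
```

Two things worth noticing. The registration of 10.1.1.1 is really two checks, the source address and the shared secret: a request from an unregistered address gets no answer at all, and a NAS with the wrong secret gets a reply it can’t verify. And the shared secret is all that protects the password on the wire, through an MD5 keystream, which is why the server shouldn’t be reachable from the Internet and why RADIUS traffic should stay on a management network or inside IPsec or RADIUS/TLS (RadSec). The base protocol also doesn’t authenticate the request itself; the Message-Authenticator attribute from RFC 2869 was added for that.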