{{short description|Extension of a private network across a public one}} {{Redirect|VPN|other uses|VPN (disambiguation)|commercial services|VPN service}} {{More citations needed|date=September 2025}}

{{Use dmy dates|date=August 2017}} {{Use American English|date=April 2021}}thumb|upright=1.5|VPN connectivity overview, showing intranet site-to-site and remote-work configurations used together

A '''virtual private network''' ('''VPN''') is an overlay network that uses network virtualization to extend a private network across a public network, such as the Internet, via the use of encryption and tunneling protocols.<ref name="NIST">{{Cite web |title=virtual private network |url=https://csrc.nist.gov/glossary/term/virtual_private_network |url-status=live |archive-url=https://web.archive.org/web/20230102230546/https://csrc.nist.gov/glossary/term/virtual_private_network |archive-date=2 January 2023 |access-date=2 January 2023 |website=NIST Computer Security Resource Center Glossary}}</ref> In a VPN, a tunneling protocol is used to transfer network messages from one network host to another.

Host-to-network VPNs are commonly used by organizations to allow off-site users secure access to an office network over the Internet.<ref name="Cisco">{{Cite web |title=What Is a VPN? - Virtual Private Network |url=https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html |url-status=live |archive-url=https://web.archive.org/web/20211231100706/https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html |archive-date=31 December 2021 |access-date=2021-09-05 |website=Cisco |language=en}}</ref><ref>{{cite book |author=Mason, Andrew G. |url=https://archive.org/details/ciscosecurevirtu00andr |title=Cisco Secure Virtual Private Network |date=2002 |publisher=Cisco Press |isbn=978-1-58705-033-6 |page=[https://archive.org/details/ciscosecurevirtu00andr/page/7 7] |url-access=registration}}</ref> Site-to-site VPNs connect two networks, such as an office network and a datacenter. Provider-provisioned VPNs isolate parts of the provider's own network infrastructure in virtual segments, in ways that make the contents of each segment private with respect to the others. Individuals also use VPNs to encrypt and anonymize their network traffic, with VPN services selling access to their own private networks.

VPNs can enhance usage privacy by making an ISP unable to access the private data exchanged across the VPN. Through encryption, VPNs enhance confidentiality and reduce the risk of successful data sniffing attacks.

== Background == {{Main|Computer network}}

A network is a group of communicating computers known as hosts, which communicate data to other hosts via communication protocols, as facilitated by networking hardware. Within a computer network, computers are identified by network addresses, which allow rule-based systems such as Internet Protocol (IP) to locate and identify hosts. Hosts may also have hostnames, memorable labels for the host nodes, which are rarely changed after initial assignment. The transmission medium that supports information exchange includes wired media like copper cables, optical fibers, and wireless radio-frequency media. The arrangement of hosts and hardware within a network architecture is known as the network topology.<ref>{{cite book |last1=Peterson |first1=Larry |url=https://book.systemsapproach.org/index.html |title=Computer Networks: A Systems Approach |last2=Davie |first2=Bruce |date=2000 |publisher=Harcourt Asia |isbn=978-981-4066-43-3 |location=Singapore |access-date=May 24, 2025}}</ref><ref>{{cite book |last=Anniss |first=Matthew |title=Understanding Computer Networks |date=2015 |publisher=Capstone |isbn=978-1-4846-0907-1 |location=United States}}</ref>

Apart from physical transmission media, networks comprise network nodes such as network interface controllers, repeaters, hubs, bridges, switches, routers, and modems:

* The network interface controller (NIC) is computer hardware that connects the computer to the network media. In Ethernet networks, each NIC has a unique Media Access Control (MAC) address, usually stored in the controller's permanent memory. * A repeater is an electronic device that receives a network signal, cleans it of unnecessary noise and regenerates it. The signal is retransmitted at a higher power level, or to the other side of obstruction so that the signal can cover longer distances without degradation. * An Ethernet repeater with multiple ports is known as an Ethernet hub. In addition to reconditioning and distributing network signals, a hub assists with collision detection and fault isolation for the network. Hubs and repeaters in LANs have been largely made obsolete by modern network switches. * Unlike hubs, which forward communication to all ports, network switches forward frames only to the ports involved in the communication. Switches normally have numerous ports, facilitating a star topology for devices, and for cascading additional switches. Network bridges are analogous to a two-port switch. ** Bridges and switches operate at the data link layer of the OSI model and bridge traffic between two or more network segments to form a single local network. Both are devices that forward frames of data between ports based on the destination MAC address in each frame. Network segmentation through bridging and switching helps break down a large, congested network into an aggregation of smaller, more efficient networks. * A router is an internetworking device that forwards packets between networks by processing the addressing or routing information included in the packet. * Modems (modulator-demodulator) are used to connect network nodes via wire not originally designed for digital network traffic, or for wireless.

=== Network communication === A communication protocol is a set of rules for exchanging information over a network. Communication protocols have various characteristics, such as being connection-oriented or connectionless, or using circuit switching or packet switching.

In a protocol stack, often constructed per the OSI model, communications functions are divided into protocol layers, where each layer leverages the services of the layer below it until the lowest layer controls the hardware that sends information across the media. The use of protocol layering is ubiquitous across the field of computer networking. An important example of a protocol stack is HTTP, the World Wide Web protocol. HTTP runs over TCP over IP, the internet protocols, which in turn run over IEEE 802.11, the Wi-Fi protocol. This stack is used between a wireless router and a personal computer when accessing the web.

Most modern computer networks use protocols based on packet-mode transmission. A network packet is a formatted unit of data carried by a packet-switched network. Packets consist of two types of data: control information and user data (payload). The control information provides data the network needs to deliver the user data, for example, source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers, with payload data in between.

The Internet protocol suite, also called TCP/IP, is the foundation of all modern networking and the defining set of protocols for the Internet. It offers connection-less and connection-oriented services over an inherently unreliable network traversed by datagram transmission using Internet protocol (IP). At its core, the protocol suite defines the addressing, identification, and routing specifications for Internet Protocol Version 4 (IPv4) and for IPv6, the next generation of the protocol with a much enlarged addressing capability.<ref name="Tanenbaum">{{cite book |last=Tanenbaum |first=Andrew S. |author-link=Andrew S. Tanenbaum |title=Computer Networks |date=2003 |publisher=Prentice Hall |edition=4th}}</ref> <!-- === Virtualization === *Open proxy * Route distinguisher * Virtual private cloud * Virtual private server * Virtual routing and forwarding -->

== Security == VPNs do not make connected users anonymous or unidentifiable to the untrusted medium network provider, such as an Internet service provider (ISP). However, VPNs can enhance usage privacy by making an ISP unable to access the private data exchanged across the VPN. Through encryption, VPNs enhance confidentiality and reduce the risk of successful data sniffing attacks. Data packets travelling across a VPN may also be secured by tamper proofing via a message authentication code, prevents the message from being altered or tampered without being rejected, enhancing data integrity.{{Citation needed|date=September 2025}}

A number of other implementations exist to ensure authentication of connecting parties. Tunnel endpoints can be authenticated in various ways during the VPN access initiation, such as by the whitelisting of endpoint IP address. Authentication may also occur after actual tunnels are already active, for example, with a web captive portal. Remote-access VPNs may also use passwords, biometrics, two-factor authentication, or other cryptographic methods. Site-to-site VPNs often use passwords (pre-shared keys) or digital certificates.{{Citation needed|date=September 2025}}

=== Split tunneling === Split tunneling allows a user to access distinct security domains at the same time, using the same or different network connections.<ref>{{Cite web |title=What is VPN Split Tunneling? |url=https://www.fortinet.com/resources/cyberglossary/vpn-split-tunneling |access-date=2025-06-11 |website=Fortinet |language=en}}</ref> This connection state is usually facilitated through the simultaneous use of a LAN network interface controller (NIC), radio NIC, Wireless LAN NIC, and virtual private network client software application. Split tunneling is most commonly configured via the use of a remote-access VPN client, which allows the user to simultaneously connect to a nearby wireless network, resources on an off-site corporate network, as well as websites over the Internet.

Not every VPN allows split tunneling.<ref>{{Cite web |title=VPN split tunneling |url=https://nordvpn.com/features/split-tunneling/ |website=NordVPN}}</ref><ref>{{Cite web |last=Long |first=Moe |date=2021-07-22 |title=Best VPN for Split Tunneling |url=https://techuplife.com/best-vpn-split-tunneling |access-date=2021-10-21 |website=Tech Up Your Life |language=en-US}}</ref><ref>{{Cite web |title=What is VPN split tunneling? All you need to know |url=https://surfshark.com/features/split-tunneling |access-date=2025-06-11 |website=Surfshark |language=en-US}}</ref> Advantages of split tunneling include alleviating bottlenecks, conserving bandwidth (as Internet traffic does not have to pass through the VPN server), and enabling a user to not have to continually connect and disconnect when remotely accessing resources..{{Citation needed|date=September 2025}} Disadvantages include DNS leaks and potentially bypassing gateway-level security that might be in place within the company infrastructure.<ref>{{citation |title=Remote Access VPN and a Twist on the Dangers of Split Tunneling |date=May 10, 2005 |url=http://techgenix.com/2004fixipsectunnel/ |access-date=2017-12-05}}</ref> Internet service providers often use split tunneling to that implement for DNS hijacking purposes.

== Classification == thumb|upright=1.5|VPN classification tree based on the topology first, then on the technology used

=== Topology === A ''host-to-network'' configuration is analogous to joining one or more computers to a network to which they cannot be directly connected. This type of extension provides computer access to a local area network of a remote site, or any wider enterprise networks, such as an intranet. Each computer is in charge of activating its own tunnel towards the network it wants to join. The joined network is only aware of a single remote host for each tunnel. This may be employed for remote workers, or to enable people accessing their private home or company resources without exposing them on the public Internet. {{Citation needed|date=September 2025}}

A ''site-to-site'' configuration connects two networks. This configuration expands a network across geographically disparate locations. Tunneling is only done between gateway devices located at each network location. These devices then make the tunnel available to other local network hosts that aim to reach any host on the other side. This is useful to keep sites connected to each other in a stable manner, like office networks to their headquarters or datacenter. In this case, any side may be configured to initiate the communication as long as it knows how to reach the other. In the context of site-to-site configurations, the terms ''intranet'' and ''extranet'' are used to describe two different use cases.<ref>{{Cite IETF|title=RFC 3809 - Generic Requirements for Provider Provisioned Virtual Private Networks|rfc=3809|section=1.1}}</ref> An ''intranet'' site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas an ''extranet'' site-to-site VPN joins sites belonging to multiple organizations.{{Citation needed|date=September 2025}}

A limitation of traditional VPNs is that they are point-to-point connections and do not tend to support broadcast domains. Therefore, communication, software, and networking that are based on layer 2 and broadcast packets (such as NetBIOS used in Windows networking) may not be fully supported as on a local area network. Variants on VPN such as Virtual Private LAN Service (VPLS) and layer 2 tunneling protocols are designed to overcome this limitation.<ref>{{Cite web |last=Sowells |first=Julia |date=2017-08-07 |title=Virtual Private Network (VPN): What VPN Is And How It Works |url=https://hackercombat.com/virtual-private-network/ |url-status=live |archive-url=https://web.archive.org/web/20220617083903/https://hackercombat.com/virtual-private-network/ |archive-date=17 June 2022 |access-date=2021-11-07 |website=Hackercombat}}</ref>

=== Trusted and secure delivery networks === Trusted VPNs do not use cryptographic tunneling; instead, they rely on the security of a single provider's network to protect the traffic.<ref>{{Cite book |last=Cisco Systems, Inc. |url=https://books.google.com/books?id=3Dn9KlIVM_EC |title=Internetworking Technologies Handbook |publisher=Cisco Press |year=2004 |isbn=978-1-58705-119-7 |edition=4 |series=Networking Technology Series |page=233 |quote=<nowiki>[...] VPNs using dedicated circuits, such as Frame Relay [...] are sometimes called </nowiki>''trusted VPN''s, because customers trust that the network facilities operated by the service providers will not be compromised. |access-date=2013-02-15}} </ref> Multiprotocol Label Switching (MPLS) often overlays trusted VPNs, often with quality-of-service control over a trusted delivery network. A secure VPN either trusts the underlying delivery network or enforces security with an internal mechanism. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.{{fact|date=June 2023}}

== Types ==

=== Mobile VPN === Mobile virtual private networks are used in settings where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points without dropping the secure VPN session or losing application sessions.<ref name="Phifer">Phifer, Lisa. [http://searchmobilecomputing.techtarget.com/tip/0,289483,sid40_gci1210989_mem1,00.html "Mobile VPN: Closing the Gap"] {{Webarchive|url=https://web.archive.org/web/20200706084816/https://searchmobilecomputing.techtarget.com/tip/Mobile-VPN-Closing-the-gap|date=6 July 2020}}, ''SearchMobileComputing.com'', 16 July 2006. <!--accessed November 10, 2009--></ref> Mobile VPNs are widely used in public safety where they give law-enforcement officers access to applications such as computer-assisted dispatch and criminal databases,<ref>Willett, Andy. [http://www.officer.com/print/Law-Enforcement-Technology/Solving-the-Computing-Challenges-of-Mobile-Officers/1$30992 "Solving the Computing Challenges of Mobile Officers"] {{Webarchive|url=https://web.archive.org/web/20200412161947/https://www.officer.com/print/Law-Enforcement-Technology/Solving-the-Computing-Challenges-of-Mobile-Officers/1$30992|date=12 April 2020}}, ''www.officer.com'', May, 2006. <!--accessed November 10, 2009--></ref> and in other organizations with similar requirements such as field service management and healthcare.<ref name="Cheng">Cheng, Roger. [https://www.wsj.com/articles/SB119717610996418467 "Lost Connections"] {{Webarchive|url=https://web.archive.org/web/20180328101055/https://www.wsj.com/articles/SB119717610996418467|date=28 March 2018}}, ''The Wall Street Journal'', 11 December 2007. <!--accessed November 10, 2009--></ref>{{qn|date=June 2018}}

=== DMVPN === Dynamic Multipoint Virtual Private Network (DMVPN)<ref name="Cisco2006">{{cite web |last1=Cisco engineers |title=Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) |url=https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html |access-date=24 September 2017 |website=Cisco |publisher=Cisco |language=en}}</ref> is a dynamic tunneling form of a virtual private network supported on Cisco IOS-based routers, Huawei AR G3 routers,<ref>[http://support.huawei.com/enterprise/docinforeader.action?contentId=DOC1000019452&partNo=10092 Huawei DSVPN Configuration]</ref> and Unix-like operating systems.

DMVPN provides the capability for creating a dynamic-mesh VPN network without having to statically pre-configure all possible tunnel end-point peers, such as IPsec and ISAKMP peers.<ref>{{Cite journal |last=Kurniadi |first=S. H. |last2=Utami |first2=E. |last3=Wibowo |first3=F. W. |date=Dec 2018 |title=Building Dynamic Mesh VPN Network using MikroTik Router |journal=Journal of Physics: Conference Series |language=en |volume=1140 |article-number=012039 |doi=10.1088/1742-6596/1140/1/012039 |issn=1742-6596 |doi-access=free}}</ref> DMVPN is initially configured to build a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes are dynamically built on demand without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks.{{Citation needed|date=June 2025}}

=== EVPN === Ethernet VPN (EVPN) is a technology for carrying OSI layer 2 Ethernet traffic as a virtual private network using wide area network protocols. EVPN technologies include ''Ethernet over Multiprotocol Label Switching (MPLS)'' and ''Ethernet over Virtual Extensible LAN.''<ref>{{Cite web |title=EVPN Overview - TechLibrary - Juniper Networks |url=https://www.juniper.net/documentation/en_US/junos/topics/concept/evpns-overview.html |archive-url=https://web.archive.org/web/20170511093441/http://www.juniper.net/documentation/en_US/junos/topics/concept/evpns-overview.html |archive-date=May 11, 2017 |access-date=2019-12-19 |website=www.juniper.net}}</ref><ref>{{Cite web |title=Understanding EVPN with VXLAN Data Plane Encapsulation - TechLibrary - Juniper Networks |url=https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-vxlan-data-plane-encapsulation.html |archive-url=https://web.archive.org/web/20170513024302/http://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-vxlan-data-plane-encapsulation.html |archive-date=May 13, 2017 |access-date=2019-12-19 |website=www.juniper.net}}</ref>

=== MPLS VPN === Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on labels rather than network addresses.<ref>{{cite web |last1=Sturt |first1=Robert |last2=Rosencrance |first2=Linda |last3=Scarpati |first3=Jessica |date=28 March 2023 |title=What is Multiprotocol Label Switching (MPLS)? |url=https://searchnetworking.techtarget.com/definition/Multiprotocol-Label-Switching-MPLS |access-date=21 July 2025 |website=techtarget.com}}</ref> Whereas network addresses identify endpoints, MPLS labels identify established paths between endpoints. MPLS can encapsulate packets of various network protocols.

In practice, MPLS is mainly used to forward IP protocol data units and Virtual Private LAN Service Ethernet traffic. Major applications of MPLS are telecommunications traffic engineering and MPLS VPN. MPLS works in conjunction with IP and its routing protocols, usually interior gateway protocols (IGPs) and supports the creation of dynamic, transparent virtual networks with support for traffic engineering, the ability to transport layer VPNs with overlapping address spaces, and for layer-2 pseudowires that are capable of transporting a variety of transport payloads (IPv4, IPv6, ATM, Frame Relay, etc.).<ref>{{IETF RFC|3031}}</ref>{{Ref RFC|3985}}

=== VPLS === Virtual Private LAN Service (VPLS) is a virtual private network technology that provides Ethernet-based multipoint-to-multipoint communication over IP or MPLS networks. It allows geographically dispersed sites to share an Ethernet broadcast domain by connecting sites (including both servers and clients) through pseudowires.<ref>{{cite web |author=H. Shah (Cisco Systems) |date=January 2015 |title=RFC 7436: IP‑Only LAN Service (IPLS) |url=https://www.ietf.org/rfc/rfc7436.html |access-date=2025-08-07 |publisher=IETF}}</ref> The technologies that can be used as pseudo-wire can be Ethernet over MPLS, L2TPv3 or even GRE. There are two IETF standards-track RFCs (RFC 4761 and RFC 4762) describing VPLS establishment. In contrast to L2TPv3, which allows only point-to-point OSI layer 2 tunnels, VPLS allows any-to-any (multipoint) connectivity.<ref>{{Cite report |url=https://datatracker.ietf.org/doc/rfc4761/ |title=Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling |last=Rekhter |first=Yakov |last2=Kompella |first2=Kireeti |date=January 2007 |publisher=Internet Engineering Task Force |issue=RFC 4761}}</ref><ref>{{Cite report |url=https://datatracker.ietf.org/doc/rfc4762/ |title=Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling |last=Lasserre |first=Marc |last2=Kompella |first2=Vach |date=January 2007 |publisher=Internet Engineering Task Force |issue=RFC 4762}}</ref>

=== PPVPN === A provider-provisioned VPN (PPVPN) is a virtual private network (VPN) implemented by a connectivity service provider or large enterprise on a network they operate on their own, as opposed to a "customer-provisioned VPN" where the VPN is implemented by the customer who acquires the connectivity service on top of the technical specificities of the provider.

==Protocols== 300px|thumb|The life cycle phases of an IPSec tunnel in a virtual private network A virtual private network is based on a tunneling protocol, and may be combined with other network or application protocols to provide additional security and capabilities.

=== IPSec (1996) === Internet Protocol Security (IPsec) is a standards-based security protocol, initially developed by the Internet Engineering Task Force (IETF) for IPv6, and was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.{{ref RFC|6434|quote=Previously, IPv6 mandated implementation of IPsec and recommended the key management approach of IKE. This document updates that recommendation by making support of the IPsec Architecture RFC4301 a SHOULD for all IPv6 nodes. |p=17}} It is also widely used with IPv4.

The design of IPSec meets most security goals: availability, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination. IPsec is also often supported by network hardware accelerators,<ref>{{Cite web |title=Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S - VPN Acceleration Module [Support] |url=https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-s/sec-sec-for-vpns-w-ipsec-15-s-book/sec-vam.html |access-date=2024-07-09 |website=Cisco |language=en}}</ref> which makes IPsec VPN desirable for low-power scenarios, like always-on remote access VPN configurations.<ref>{{Cite web |title=VPN overview for Apple device deployment |url=https://support.apple.com/guide/deployment/vpn-overview-depae3d361d0/web |access-date=2024-07-09 |website=Apple Support |language=en}}</ref><ref>{{Cite web |last= |date=2023-05-22 |title=About Always On VPN for Windows Server Remote Access |url=https://learn.microsoft.com/en-us/windows-server/remote/remote-access/overview-always-on-vpn |access-date=2024-07-09 |website=learn.microsoft.com |language=en-us}}</ref>

IPsec tunnels are set up by the Internet Key Exchange (IKE) protocol. IPsec tunnels made with IKE version 1 (also known as IKEv1 tunnels, or often just "IPsec tunnels") can be used alone to provide VPN but are often combined with the Layer 2 Tunneling Protocol (L2TP) to reuse existing L2TP-related implementations for more flexible authentication features (e.g. Xauth).

IKE version 2, which was created by Microsoft and Cisco, can be used alone to provide IPsec VPN functionality. Its primary advantages are the native support for authenticating via the Extensible Authentication Protocol (EAP) and that the tunnel can be seamlessly restored when the IP address of the associated host is changing, which is typical of a roaming mobile device, whether on 3G or 4G LTE networks.

=== TLS/SSL (1999) === Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the OpenVPN project and SoftEther VPN project<ref>{{Cite web |title=1. Ultimate Powerful VPN Connectivity |url=https://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#SoftEther_VPN's_Solution:_Using_HTTPS_Protocol_to_Establish_VPN_Tunnels |website=www.softether.org |publisher=SoftEther VPN Project |access-date=8 October 2022 |archive-date=8 October 2022 |archive-url=https://web.archive.org/web/20221008211349/https://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#SoftEther_VPN's_Solution:_Using_HTTPS_Protocol_to_Establish_VPN_Tunnels |url-status=live }}</ref>) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through TLS. A VPN based on TLS can connect from locations where the usual TLS web navigation (HTTPS) is supported without requiring additional configuration.

=== OpenSSH (1999) === OpenSSH offers VPN tunneling (distinct from port forwarding) to secure{{ambiguous|reason=unclear whether "secure" is a verb or adjective|date=March 2023}} remote connections to a network, inter-network links, and remote systems. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.<ref>{{Cite web |title=ssh(1) – OpenBSD manual pages |url=https://man.openbsd.org/ssh.1#SSH-BASED_VIRTUAL_PRIVATE_NETWORKS |url-status=live |archive-url=https://web.archive.org/web/20220705224554/https://man.openbsd.org/ssh.1#SSH-BASED_VIRTUAL_PRIVATE_NETWORKS |archive-date=5 July 2022 |access-date=4 February 2018 |website=man.openbsd.org}}

* {{Cite web |last=Barschel |first=Colin |title=Unix Toolbox |url=http://cb.vu/unixtoolbox.xhtml#vpn |archive-url=https://web.archive.org/web/20190528153959/http://cb.vu/unixtoolbox.xhtml#vpn |archive-date=28 May 2019 |access-date=2 August 2009 |website=cb.vu}} * {{Cite web |title=SSH_VPN – Community Help Wiki |url=https://help.ubuntu.com/community/SSH_VPN |url-status=live |archive-url=https://web.archive.org/web/20220702025833/https://help.ubuntu.com/community/SSH_VPN |archive-date=2 July 2022 |access-date=28 July 2009 |website=help.ubuntu.com}}</ref> SSH is more often used to remotely connect to machines or networks instead of a site to site VPN connection.

=== OpenVPN (2001) === OpenVPN is a free and open-source VPN protocol based on the TLS protocol. It supports perfect forward-secrecy, and most modern secure cipher suites, like AES, Serpent, TwoFish, etc. It is currently{{Current event inline|date=March 2023}} being developed and updated by OpenVPN Inc., a non-profit providing secure VPN technologies.

=== SSTP (2007) === Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel.

=== Wireguard (2015) === WireGuard is a protocol designed to be more lightweight than OpenVPN.<ref name="acans-preneel">{{Cite book | publisher = Springer | isbn = 978-3-319-93387-0 | editor-last1 = Preneel | editor-first1 = Bart | editor-last2 = Vercauteren | editor-first2 = Frederik | title = Applied Cryptography and Network Security | url = https://books.google.com/books?id=UKJfDwAAQBAJ&pg=PA3 | date = 11 June 2018 | access-date = 25 June 2018 | archive-url = https://web.archive.org/web/20190218102858/https://books.google.com/books?id=UKJfDwAAQBAJ&pg=PA3 | archive-date = 18 February 2019 | url-status = live | df = dmy-all}}</ref> In 2020, WireGuard support was added to both the Linux<ref>{{Cite web |last=Salter |first=Jim |date=2020-03-30 |title=WireGuard VPN makes it to 1.0.0—and into the next Linux kernel |url=https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel/ |url-status=live |archive-url=https://web.archive.org/web/20200331182738/https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel/ |archive-date=31 March 2020 |access-date=2020-06-30 |website=Ars Technica |language=en-us}}</ref> and Android<ref>{{Cite web |title=Diff - 99761f1eac33d14a4b1613ae4b7076f41cb2df94^! - kernel/common - Git at Google |url=https://android.googlesource.com/kernel/common/+/99761f1eac33d14a4b1613ae4b7076f41cb2df94%5E! |url-status=live |archive-url=https://web.archive.org/web/20220629213243/https://android.googlesource.com/kernel/common/+/99761f1eac33d14a4b1613ae4b7076f41cb2df94%5E! |archive-date=29 June 2022 |access-date=2020-06-30 |website=android.googlesource.com}}</ref> kernels, opening it up to adoption by VPN providers. By default, WireGuard utilizes the Curve25519 protocol for key exchange and ChaCha20-Poly1305 for encryption and message authentication, but also includes the ability to pre-share a symmetric key between the client and server.<ref>{{Cite journal |last=Younglove |first=R. |date=December 2000 |title=Virtual private networks - how they work |url=https://ieeexplore.ieee.org/document/892887 |journal=Computing & Control Engineering Journal |volume=11 |issue=6 |pages=260–262 |doi=10.1049/cce:20000602 |doi-broken-date=12 July 2025 |issn=0956-3385 |url-access=subscription}}{{dead link|date=July 2024|bot=medic}}{{cbignore|bot=medic}}

* {{Cite journal |last=Benjamin Dowling, and Kenneth G. Paterson |date=12 June 2018 |title=A cryptographic analysis of the WireGuard protocol |journal=International Conference on Applied Cryptography and Network Security |isbn=978-3-319-93386-3}}</ref>

=== Other === * Datagram Transport Layer Security (DTLS) – used in Cisco AnyConnect VPN and in OpenConnect VPN<ref>{{Cite web |title=OpenConnect |url=https://www.infradead.org/openconnect/index.html |access-date=2013-04-08 |quote=<nowiki>OpenConnect is a client for Cisco's AnyConnect SSL VPN [...] OpenConnect is not officially supported by, or associated in any way with, Cisco Systems. It just happens to interoperate with their equipment.</nowiki> |archive-date=29 June 2022 |archive-url=https://web.archive.org/web/20220629202852/https://www.infradead.org/openconnect/index.html |url-status=live }}</ref> to solve the issues TLS has with tunneling over TCP (SSL/TLS are TCP-based, and tunneling TCP over TCP can lead to big delays and connection aborts<ref>{{Cite web |title=Why TCP Over TCP Is A Bad Idea |url=http://sites.inka.de/~W1011/devel/tcp-tcp.html |access-date=2018-10-24 |website=sites.inka.de |archive-date=6 March 2015 |archive-url=https://web.archive.org/web/20150306050429/http://sites.inka.de/~W1011/devel/tcp-tcp.html |url-status=live }}</ref>). * Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms. * Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL/TLS channel (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1). * Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registered trademark "MPVPN".{{relevance inline|date=March 2023}}<ref>{{Cite web |title=Trademark Status & Document Retrieval |url=https://tarr.uspto.gov/servlet/tarr?regser=serial&entry=78063238&action=Request+Status |website=tarr.uspto.gov |access-date=8 October 2022 |archive-date=21 March 2012 |archive-url=https://web.archive.org/web/20120321221027/http://tarr.uspto.gov/servlet/tarr?regser=serial&entry=78063238&action=Request+Status |url-status=live }}</ref> *Crypto IP Encapsulation (CIPE) is a free and open-source VPN implementation for tunneling IPv4 packets over UDP via encapsulation.<ref>{{cite book |last1=Fuller |first1=Johnray |last2=Ha |first2=John |date=2002 |title=Red Hat Linux 9: Red Hat Linux Security Guide |url=https://archive.download.redhat.com/pub/redhat/linux/9/en/doc/RH-DOCS/pdf-en/rhl-sg-en.pdf |location=United States |publisher=Red Hat, Inc. |pages=48–53 |access-date=8 September 2022 |archive-date=14 October 2022 |archive-url=https://web.archive.org/web/20221014101152/https://archive.download.redhat.com/pub/redhat/linux/9/en/doc/RH-DOCS/pdf-en/rhl-sg-en.pdf |url-status=live }} *{{cite book |last=Petersen |first=Richard |date=2004 |title=Red Hat - The Complete Reference Enterprise Linux & Fedora Edition |url=http://litux.nl/Reference/index.html?page=books%2F7213%2Fddu0001.html |location=United States |publisher=McGraw-Hill/Osborne |chapter=Chapter 17: Internet Protocol Security: IPsec, Crypto IP Encapsulation for Virtual Private Networks |chapter-url=http://litux.nl/Reference/index.html?page=books/7213/ddu0125.html |isbn=0-07-223075-4 |access-date=17 January 2023 |archive-date=17 January 2023 |archive-url=https://web.archive.org/web/20230117215057/http://litux.nl/Reference/index.html?page=books%2F7213%2Fddu0001.html |url-status=live }}</ref> CIPE was developed for Linux operating systems by Olaf Titz, with a Windows port implemented by Damion K. Wilson.<ref>{{cite web |url=http://sites.inka.de/sites/bigred/devel/cipe.html |title=CIPE - Crypto IP Encapsulation |last=Titz |first=Olaf |date=2011-12-20 |website=CIPE - Crypto IP Encapsulation |access-date=2022-09-08 |archive-date=18 May 2022 |archive-url=https://web.archive.org/web/20220518123239/http://sites.inka.de/sites/bigred/devel/cipe.html |url-status=live }}</ref> Development for CIPE ended in 2002.<ref>{{cite web |url=https://sourceforge.net/projects/cipe-linux/ |title=CIPE - encrypted IP in UDP tunneling |last=Titz |first=Olaf |date=2013-04-02 |website=SourceForge |access-date=2022-09-08 |archive-date=8 September 2022 |archive-url=https://web.archive.org/web/20220908122718/https://sourceforge.net/projects/cipe-linux/ |url-status=live }} *{{cite web |url=https://cipe-win32.sourceforge.net/ |title=CIPE-Win32 - Crypto IP Encapsulation for Windows NT/2000 |last=Wilson |first=Damion |date=2002-10-19 |website=SourceForge |access-date=2022-09-08 |archive-date=8 September 2022 |archive-url=https://web.archive.org/web/20220908122719/http://cipe-win32.sourceforge.net/ |url-status=live }}</ref> *L2TP<ref>[https://www.ietf.org/rfc/rfc2661.txt Layer Two Tunneling Protocol "L2TP"] {{Webarchive|url=https://web.archive.org/web/20220630094743/https://www.ietf.org/rfc/rfc2661.txt|date=30 June 2022}}, {{IETF RFC|2661}}, W. Townsley ''et al.'', August 1999</ref> which is a standards-based replacement for two proprietary VPN protocols: Cisco's Layer 2 Forwarding (L2F)<ref>[https://www.ietf.org/rfc/rfc2341.txt IP Based Virtual Private Networks] {{Webarchive|url=https://web.archive.org/web/20220709081725/https://www.ietf.org/rfc/rfc2341.txt|date=9 July 2022}}, {{IETF RFC|2341}}, A. Valencia ''et al.'', May 1998</ref> (obsolete {{As of | 2009 | alt =as of 2009}}) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).<ref>[https://www.ietf.org/rfc/rfc2637.txt Point-to-Point Tunneling Protocol (PPTP)] {{Webarchive|url=https://web.archive.org/web/20220702054527/https://www.ietf.org/rfc/rfc2637.txt|date=2 July 2022}}, {{IETF RFC|2637}}, K. Hamzeh ''et al.'', July 1999</ref>

== Native and third-party support == Desktop, smartphone and other end-user device operating systems usually support configuring remote access VPN from their graphical or command-line tools.<ref>{{Cite web |title=Connect to a VPN in Windows - Microsoft Support |url=https://support.microsoft.com/en-us/windows/connect-to-a-vpn-in-windows-3d29aeb1-f497-f6b7-7633-115722c1009c |access-date=2024-07-11 |website=support.microsoft.com}}</ref><ref>{{Cite web |title=Connect to a virtual private network (VPN) on Android |url=https://support.google.com/android/answer/9089766?hl=en |access-date=11 July 2024}}</ref><ref>{{Cite web |title=VPN settings overview for Apple devices |url=https://support.apple.com/guide/deployment/vpn-settings-overview-dep2d2adb35d/web |access-date=2024-07-11 |website=Apple Support |language=en}}</ref> However, due to the variety of, often non standard, VPN protocols, there exist many third-party applications that implement additional protocols not yet or no longer natively supported by the OS. For instance, Android lacked native IPsec IKEv2 support until version 11,<ref>{{Cite web |title=IPsec/IKEv2 Library |url=https://source.android.com/docs/core/ota/modular-system/ipsec |access-date=2024-07-11 |website=Android Open Source Project |language=en}}</ref> and users needed to install third-party apps in order to connect that kind of VPN. Conversely, Windows does not natively support plain IPsec IKEv1 remote access native VPN configuration (commonly used by Cisco and Fritz!Box VPN solutions).

Network appliances, such as firewalls, often include VPN gateway functionality for either remote access or site-to-site configurations. Their administration interfaces often facilitate setting up virtual private networks with a selection of supported protocols. In some cases, like in the open source operating systems devoted to firewalls and network devices (like OpenWrt, IPFire, PfSense or OPNsense), it is possible to add support for additional VPN protocols by installing missing software components or third-party apps.{{Citation needed|date=September 2025}}

Commercial appliances with VPN features based on proprietary hardware or software platforms usually support a consistent VPN protocol across their products, but do not allow customizations outside the use cases they implement. This is often the case for appliances that rely on hardware acceleration of VPNs to provide higher throughput or support a larger number of simultaneously connected users.{{Citation needed|date=September 2025}}

== Society and culture ==

=== Individual users === According to a 2022 estimate, 3% of Chinese netizens use VPNs, compared to 8.5% of Americans.<ref name=":5">{{Cite web |last1=Batke |first1=Jessica |last2=Edelson |first2=Laura |date=June 30, 2025 |title=The Locknet: How China Controls Its Internet and Why It Matters |url=https://locknet.chinafile.com/the-locknet/intro/ |access-date=2025-07-07 |website=ChinaFile |publisher=Asia Society |language=en}}</ref><ref>{{Cite web |last=Edwards |first=David |date=2022-07-21 |title=Key VPN Statistics: What Are the Numbers Telling Us? |url=https://roboticsandautomationnews.com/2022/07/21/key-vpn-statistics-what-are-the-numbers-telling-us/53067/ |access-date=2026-05-17 |website=Robotics & Automation News |language=en-US}}</ref> In China, VPNs are increasingly blocked and unauthorized usage can be subject to fines and legal prosecution.<ref name=":5" />

{{As of|2025}}, approximately 1.75 billion people used VPNs. By 2027, this market is projected to grow to $76 billion.<ref>{{Cite web |last=Hooson |first=Mark |date=2025-03-03 |title=VPN Statistics |url=https://www.forbes.com/uk/advisor/business/vpn-statistics/ |access-date=2025-03-19 |website=Forbes UK |language=en-GB}}</ref>

Amid Internet restrictions and blocking in Russia, Internet activists created the Amnezia VPN project in 2020 during a digital rights hackathon organized by Roskomsvoboda. The service gained popularity among Russian users by providing access to blocked resources, as well as features aimed at enhancing anonymity and resistance to traffic analysis.<ref>{{Cite web |last=Borak |first=Masha |date=7 April 2023 |title=The Open Source VPN Out-Maneuvering Russian Censorship |url=https://www.wired.com/story/amnezia-vpn-russia-censorship/ |website=Wired |access-date=2026-04-28}}</ref><ref>{{Cite web |last=Gill |first=Mark |date=27 March 2026 |title=Amnezia VPN review 2026 |url=https://www.techradar.com/vpn/amnezia-vpn-review-year |website=TechRadar |access-date=2026-04-28}}</ref>

==See also== {{Portal|Free Software|Internet}} * Internet privacy * Opportunistic encryption * VPNLab <!-- please keep entries in alphabetical order -->

==References== {{reflist}}

==Further reading== * {{Cite journal |last=Kelly |first=Sean |date=August 2001 |title=Necessity is the mother of VPN invention |url=http://www.comnews.com/cgi-bin/arttop.asp?Page=c0801necessity.htm |journal=Communication News |pages=26–28 |issn=0010-3632 |archive-url=https://web.archive.org/web/20011217153420/http://www.comnews.com/cgi-bin/arttop.asp?Page=c0801necessity.htm |archive-date=2001-12-17}}

{{VPN}} {{Cryptographic software}} {{Internet censorship circumvention technologies}}

{{DEFAULTSORT:Virtual Private Network}} Category:Network architecture Category:Internet privacy Category:Virtual private networks