VPN: Choose a Vendor or Build-your-own?
A virtual private network, most often referred to as a VPN, encrypts network traffic between a device and the VPN service. Once the VPN connection is established, network requests appear to originate from the VPN provider instead of the source device (i.e., phone, tablet, laptop, or desktop). Use of a VPN service typically hides your device’s internet address from the sites and services you reach. A VPN connection also helps protect you from intervening devices that intercept your network traffic, such as a maliciously configured WiFi access point, modem, router, switch, or tapped cable.
But a VPN doesn’t ensure anonymity or privacy. Your device configuration and browser settings, along with any information you actively share with websites you visit, may reveal a significant amount of information. Additionally, a VPN adds only marginal value when you use a device to access web-based applications, since most Software-as-a-Service (SaaS) providers already rely on authentication and TLS encryption (HTTPS) to protect data in transit; in that case the VPN mainly hides which services you connect to from the local network, not what you send to them.
A VPN may be most useful for people in two specific circumstances. First, a VPN may allow people to access sites or services that would otherwise be blocked (by a network manager, internet service provider, or government officials). Second, a VPN can serve as an additional layer of protection for people who are either mobile (and rely on unfamiliar connections) or who access sensitive information. In these cases, a VPN makes it more difficult for malicious operators to monitor network traffic.
For control, deploy your own VPN
If you and your team have sufficient technical skills, you may prefer to deploy your own VPN. This gives you the most control over the VPN service, since you configure and monitor all of the software and network access yourself.
Mid-sized to large organizations typically host a VPN gateway within the organization’s infrastructure and deploy client software to each person’s device. Historically, however, VPN client software has been less than elegant to use, which can significantly reduce adoption in practice.
The key decision you’ll need to make is which VPN protocol to deploy. IPsec, OpenVPN, and WireGuard each have significant merit. Of the three, WireGuard is the newest and, in many cases, the fastest performing; it also has a far smaller code base and a fixed set of modern cryptographic primitives (no cipher negotiation), which makes it easier to audit and harder to misconfigure. However, OpenVPN and IPsec have a longer legacy of enterprise deployment, which also means these systems have endured “real world” use and attacks, and they offer features WireGuard deliberately omits, such as certificate-based or username/password authentication and dynamic address assignment to clients. IPsec was developed in the mid-1990s, OpenVPN launched in the early 2000s, while WireGuard was integrated into the Linux kernel only in 2020.
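As an added example (not part of the original article), here is what a minimal WireGuard deployment of the build-your-own kind looks like: a server that forwards all of one laptop’s traffic, and the laptop’s matching configuration. The hostname vpn.example.com, the 10.8.0.0/24 tunnel subnet, the eth0 uplink name, the resolver on the server and the key placeholders are assumptions; generate real keys with `wg genkey | tee server.key | wg pubkey > server.pub` (and the same for each client), and never reuse a private key across peers.

```ini
# Added example, not from the original article. Hostname, subnet, interface
# name, DNS resolver and key placeholders are assumptions; replace the <...> values.

# --- Server: /etc/wireguard/wg0.conf (bring up with: wg-quick up wg0) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server private key, from: wg genkey>
# Full-tunnel clients need forwarding and NAT on the server's uplink (eth0 assumed).
# Also set net.ipv4.ip_forward=1 via sysctl.
PostUp   = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# The laptop. AllowedIPs here is WireGuard's cryptokey routing table: the only
# source address this peer may use inside the tunnel, so keep it a /32 per device.
PublicKey = <laptop public key, from: wg pubkey>
PresharedKey = <shared secret, from: wg genpsk; optional extra symmetric layer>
AllowedIPs = 10.8.0.2/32

# --- Client (laptop): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <laptop private key>
# Send DNS through the tunnel too, or the local network still sees every lookup
# (assumes a resolver listening on the server's tunnel address).
DNS = 10.8.0.1

[Peer]
PublicKey = <server public key>
PresharedKey = <same shared secret as on the server>
Endpoint = vpn.example.com:51820
# 0.0.0.0/0, ::/0 = route everything through the VPN (full tunnel).
# To protect only internal traffic, list just the internal subnets instead (split tunnel).
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping open when the laptop sits behind a home router.
PersistentKeepalive = 25
```

Once both sides are up, `wg show` on the server lists the peer with a recent “latest handshake” after the laptop sends any traffic, and `ip route get 1.1.1.1` on the laptop should report `dev wg0` for a full tunnel; if it still reports the WiFi interface, the AllowedIPs on the client side is wrong and traffic is leaving in the clear. Note that this is exactly the trade-off discussed above: every device needs its own static key pair installed by hand (or by your device-management tooling), which is simple to audit but is the “less than elegant” rollout problem that enterprise VPN clients and vendors try to solve.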
For simplicity, choose a VPN service
A VPN vendor may make sense when a VPN is viewed as a small portion of a larger security setup or when an organization lacks the technical expertise needed to deploy, monitor, and maintain VPN services internally.
Vendor reliability and trust easily outrank all other factors when you select a VPN vendor. However, other criteria might include things such as:
- the location of the vendor and their server sites (Which country? Subject to which laws?),
- supported platforms (Windows, macOS, Linux, Android, iOS?),
- performance (actual vs. promised speeds?),
- protocols supported (as mentioned above, IPsec, OpenVPN, WireGuard?),
- management capabilities (filtering, monitoring, alerting), and, of course,
Several enterprise-focused vendors (e.g., Cisco, Duo Security, NetMotion, Perimeter 81, Pulse Secure, among others) offer solutions designed to support centralized management and deployment of VPN services. Alternatively, some consumer-focused vendors also seek to serve the small to mid-sized business market, such as NordVPN Teams or PerfectPrivacy VPN for Business. (The VPN Comparison tool at That One Privacy Site is helpful if you want to filter and compare VPN vendors based on a variety of criteria.)
The challenge with any VPN vendor remains verification: every vendor claims not to track traffic, but there are few reliable ways to verify that monitoring does not occur. Much like an internet service provider, a VPN vendor gains access to all network traffic routed through that vendor, including the destination of every connection and the contents of any traffic that is not itself encrypted. Put another way: a VPN service does not remove the need to trust a network operator, it moves that trust from your ISP to the vendor, so select a vendor you trust at least as much as your ISP.
What’s your practice?
Remember, a VPN seeks to secure the connection between your device and the VPN service and to mask the actual source of network traffic. That’s it. It can help you connect to sites that might otherwise be blocked, and it can guard against network traffic interceptors.
Do you use a VPN? Have you deployed a VPN for use by people in your organization? Let me know — either in the comments or on Twitter (@awolber) whether you chose to deploy your own VPN setup, or whether you elected to pay a VPN service provider. What criteria drove your selection of either the VPN protocol or vendor?