Introduction: The Core of Secure Communication - Encryption and VPN

In modern network environments, when data is transmitted over the Internet, it passes through numerous routers and network devices. During this process, there is always a risk that malicious attackers could eavesdrop on or tamper with the data. Encryption technology and VPN (Virtual Private Network) are core technologies that protect data from these threats.

In this Part 5, we will cover encryption fundamentals, SSL/TLS protocols, PKI (Public Key Infrastructure), various VPN technologies, and practical implementation methods in detail.

1. Encryption Basics

Encryption is the technology of converting plaintext into ciphertext so that unauthorized users cannot understand the content. Encryption methods are broadly divided into symmetric key encryption, asymmetric key encryption, and hash functions.

1.1 Symmetric Key Encryption

Symmetric key encryption uses the same key for both encryption and decryption. Processing speed is fast, but there is a key exchange problem.

Major Symmetric Key Algorithms:

  • AES (Advanced Encryption Standard): Currently the most widely used symmetric key algorithm, supporting 128/192/256-bit key lengths.
  • 3DES (Triple DES): Applies DES three times, used in legacy systems.
  • ChaCha20: A stream cipher optimized for software implementation, popular in mobile environments.
  • Blowfish/Twofish: Block cipher algorithms with free licensing.
# AES Encryption Example in Python
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad

# Generate 256-bit key
key = get_random_bytes(32)

# Encryption
cipher = AES.new(key, AES.MODE_CBC)
plaintext = b"This is a secret message"
ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
iv = cipher.iv

print(f"IV: {iv.hex()}")
print(f"Ciphertext: {ciphertext.hex()}")

# Decryption
decipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = unpad(decipher.decrypt(ciphertext), AES.block_size)
print(f"Decrypted: {decrypted.decode()}")

1.2 Asymmetric Key Encryption

Asymmetric key encryption uses a public key and private key pair. Data encrypted with the public key can only be decrypted with the private key.

Major Asymmetric Key Algorithms:

  • RSA: The most widely used asymmetric key algorithm, based on the difficulty of integer factorization. Generally uses keys of 2048 bits or more.
  • ECC (Elliptic Curve Cryptography): An algorithm based on elliptic curve mathematics, providing equivalent security with shorter keys than RSA.
  • Diffie-Hellman: A key exchange protocol for exchanging shared secrets over an insecure channel.
  • ECDH (Elliptic Curve Diffie-Hellman): A Diffie-Hellman variant using ECC.
# RSA Key Pair Generation and Encryption Example in Python
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

# Generate RSA key pair
key = RSA.generate(2048)
private_key = key.export_key()
public_key = key.publickey().export_key()

# Encrypt with public key
recipient_key = RSA.import_key(public_key)
cipher_rsa = PKCS1_OAEP.new(recipient_key)
encrypted = cipher_rsa.encrypt(b"Secret message")

# Decrypt with private key
private_rsa = RSA.import_key(private_key)
decipher_rsa = PKCS1_OAEP.new(private_rsa)
decrypted = decipher_rsa.decrypt(encrypted)
print(f"Decrypted: {decrypted.decode()}")

1.3 Hash Functions

Hash functions transform input of arbitrary length into output of fixed length (hash value or digest). As a one-way function, the original cannot be recovered from the hash value.

Major Hash Algorithms:

  • SHA-256/SHA-384/SHA-512: SHA-2 family, currently used as standards.
  • SHA-3: Latest SHA standard based on Keccak algorithm.
  • BLAKE2/BLAKE3: Very fast cryptographic hash functions.
  • MD5/SHA-1: Vulnerabilities discovered, not used for security purposes.
Algorithm Output Size Security Status Use Case
MD5 128 bits Vulnerable File checksum (non-security)
SHA-1 160 bits Vulnerable Legacy systems
SHA-256 256 bits Secure Digital signatures, TLS
SHA-3-256 256 bits Secure Modern systems

2. SSL/TLS Protocol

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols that provide encryption, authentication, and integrity for network communications. SSL is no longer used, and TLS 1.2 and TLS 1.3 are currently standard.

2.1 TLS Handshake Process

TLS 1.2 Handshake:

  1. Client Hello: Client sends supported TLS version, cipher suites, random data
  2. Server Hello: Server sends selected TLS version, cipher suite, random data
  3. Server Certificate: Server sends its certificate
  4. Server Key Exchange: Sends parameters needed for key exchange (optional)
  5. Server Hello Done: Notification that server Hello phase is complete
  6. Client Key Exchange: Client sends pre-master secret
  7. Change Cipher Spec: Both sides notify start of encryption
  8. Finished: Handshake completion confirmation

TLS 1.3 Handshake (Improvements):

  • 1-RTT (Round Trip Time) reduces handshake time
  • 0-RTT reconnection support for even faster connections
  • Removed vulnerable cipher suites (RC4, 3DES, MD5, etc.)
  • Perfect Forward Secrecy (PFS) mandatory

2.2 TLS Cipher Suites

TLS cipher suites are combinations of key exchange, authentication, encryption, and hash algorithms.

# Check supported cipher suites with OpenSSL
openssl ciphers -v

# Check TLS 1.3 cipher suites
openssl ciphers -v -tls1_3

# Recommended cipher suite examples (TLS 1.3)
# TLS_AES_256_GCM_SHA384
# TLS_CHACHA20_POLY1305_SHA256
# TLS_AES_128_GCM_SHA256

# Test server TLS configuration
openssl s_client -connect example.com:443 -tls1_3

2.3 Nginx TLS Configuration

# /etc/nginx/conf.d/ssl.conf
server {
    listen 443 ssl http2;
    server_name example.com;

    # Certificate configuration
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # TLS version settings (allow only 1.2, 1.3)
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suite settings
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;

    # SSL session cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=63072000" always;
}

3. Certificates and PKI (Public Key Infrastructure)

3.1 Digital Certificates

A digital certificate is an electronic document containing a public key and owner information signed by a trusted authority (CA). X.509 is the most widely used certificate standard.

Certificate Components:

  • Version
  • Serial Number
  • Signature Algorithm
  • Issuer
  • Validity Period
  • Subject
  • Public Key Info
  • Extensions
  • Signature
# View certificate contents
openssl x509 -in certificate.pem -text -noout

# Verify certificate chain
openssl verify -CAfile ca-bundle.crt certificate.pem

# Download and verify server certificate
openssl s_client -connect example.com:443 -showcerts

3.2 PKI Components

  • CA (Certificate Authority): Trusted authority that issues and signs certificates
  • RA (Registration Authority): Authority that validates certificate issuance requests
  • CRL (Certificate Revocation List): List of revoked certificates
  • OCSP (Online Certificate Status Protocol): Protocol for real-time certificate validity verification

3.3 Free Certificate Issuance with Let's Encrypt

# Install Certbot (Ubuntu/Debian)
sudo apt update
sudo apt install certbot python3-certbot-nginx

# Issue certificate for Nginx
sudo certbot --nginx -d example.com -d www.example.com

# Test automatic certificate renewal
sudo certbot renew --dry-run

# Manual certificate issuance (DNS verification)
sudo certbot certonly --manual --preferred-challenges dns -d *.example.com

# Certificate renewal cron setup
# /etc/cron.d/certbot
0 0,12 * * * root certbot renew --quiet

4. VPN Types

4.1 Site-to-Site VPN

Site-to-Site VPN connects two or more networks (sites) to operate as a single logical network. Mainly used for connecting headquarters and branch offices.

Characteristics:

  • Configured at router or firewall level
  • Maintains permanent connection
  • Encrypts entire network traffic
  • Users don't need separate VPN clients

4.2 Remote Access VPN

Remote Access VPN is used when individual users connect to the corporate network remotely. Frequently used for remote work and business trips.

Characteristics:

  • Client software required
  • Connect/disconnect as needed
  • User authentication required
  • Split Tunneling option available

4.3 SSL VPN vs IPSec VPN Comparison

Characteristic SSL VPN IPSec VPN
OSI Layer Application/Transport Network
Client Web browser possible Dedicated client required
NAT Traversal Easy NAT-T required
Port 443 (HTTPS) 500, 4500 (UDP)
Configuration Complexity Low High
Use Case Remote Access Site-to-Site

5. VPN Protocols

5.1 IPSec (Internet Protocol Security)

IPSec is a protocol suite that provides encryption and authentication at the IP layer.

Main Components:

  • AH (Authentication Header): Provides integrity and authentication, no encryption
  • ESP (Encapsulating Security Payload): Provides confidentiality, integrity, and authentication
  • IKE (Internet Key Exchange): Security Association (SA) negotiation and key exchange

IPSec Modes:

  • Transport Mode: Encrypts only IP payload, host-to-host communication
  • Tunnel Mode: Encrypts entire IP packet, VPN gateway-to-gateway communication
# Install strongSwan IPSec (Ubuntu)
sudo apt install strongswan strongswan-pki

# Check IPSec status
sudo ipsec status

# Check SA (Security Association)
sudo ipsec statusall

5.2 OpenVPN

OpenVPN is an open-source VPN solution based on SSL/TLS, providing high flexibility and security.

Characteristics:

  • Firewall-friendly using SSL/TLS
  • Supports UDP/TCP
  • Customizable encryption algorithm selection
  • Supports TAP (bridge) or TUN (routing) modes
# Install OpenVPN Server (Ubuntu)
sudo apt update
sudo apt install openvpn easy-rsa

# Initialize Easy-RSA
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca

# Generate server key
./easyrsa gen-req server nopass
./easyrsa sign-req server server

# Generate DH parameters
./easyrsa gen-dh

# Generate TLS key
openvpn --genkey secret ta.key

5.3 WireGuard

WireGuard is a modern and concise VPN protocol using minimal codebase and cutting-edge cryptography.

Characteristics:

  • Concise code of approximately 4,000 lines (1/100 compared to OpenVPN)
  • Modern encryption: ChaCha20, Curve25519, BLAKE2s
  • High performance with kernel-level implementation
  • Simple configuration
  • UDP-based (TCP not supported)

6. WireGuard Server Setup

6.1 Server Installation and Configuration

# Install WireGuard (Ubuntu 20.04+)
sudo apt update
sudo apt install wireguard

# Generate server key pair
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key

# Generate client key pair
wg genkey | tee /etc/wireguard/client1_private.key | wg pubkey > /etc/wireguard/client1_public.key

6.2 Server Configuration File

# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_HERE

# IP forwarding and NAT configuration
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client 1
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32

# Client 2
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.3/32

6.3 Client Configuration File

# client1.conf
[Interface]
PrivateKey = CLIENT1_PRIVATE_KEY_HERE
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0  # Route all traffic through VPN
# AllowedIPs = 10.0.0.0/24, 192.168.1.0/24  # Split Tunneling
PersistentKeepalive = 25

6.4 Starting WireGuard Service

# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Start WireGuard interface
sudo wg-quick up wg0

# Auto-start on boot
sudo systemctl enable wg-quick@wg0

# Check status
sudo wg show

# Real-time monitoring
sudo watch wg show

6.5 Firewall Configuration

# When using UFW
sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw enable

# When using iptables directly
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wg0 -j ACCEPT

7. SSL VPN Configuration (OpenVPN)

7.1 OpenVPN Server Configuration

# /etc/openvpn/server.conf
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3

7.2 Client Configuration File Generation Script

#!/bin/bash
# generate-client-config.sh

CLIENT_NAME=$1
OUTPUT_DIR="/etc/openvpn/client-configs"

# Generate client key
cd ~/openvpn-ca
./easyrsa gen-req ${CLIENT_NAME} nopass
./easyrsa sign-req client ${CLIENT_NAME}

# Generate configuration file
cat > ${OUTPUT_DIR}/${CLIENT_NAME}.ovpn << EOF
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3


$(cat /etc/openvpn/ca.crt)


$(cat ~/openvpn-ca/pki/issued/${CLIENT_NAME}.crt)


$(cat ~/openvpn-ca/pki/private/${CLIENT_NAME}.key)


$(cat /etc/openvpn/ta.key)

EOF

echo "Client config created: ${OUTPUT_DIR}/${CLIENT_NAME}.ovpn"

7.3 OpenVPN Service Management

# Start service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

# Check status
sudo systemctl status openvpn@server

# Check connected clients
sudo cat /var/log/openvpn/openvpn-status.log

# Check logs
sudo tail -f /var/log/openvpn/openvpn.log

8. VPN Security Considerations

8.1 Authentication Hardening

  • Multi-Factor Authentication (MFA): Certificate + OTP or Certificate + Password combination
  • Certificate-based Authentication: Stronger security than shared passwords
  • LDAP/RADIUS Integration: Centralized user management
# OpenVPN LDAP Authentication Plugin Configuration
# /etc/openvpn/auth-ldap.conf

    URL ldaps://ldap.example.com
    BindDN cn=admin,dc=example,dc=com
    Password secretpassword
    Timeout 15
    TLSEnable yes


    BaseDN ou=users,dc=example,dc=com
    SearchFilter "(&(uid=%u)(memberOf=cn=vpnusers,ou=groups,dc=example,dc=com))"
    RequireGroup true

8.2 Network Separation

  • VPN Dedicated Subnet: Place VPN users in a separate network
  • Access Control Lists (ACL): Limit resources VPN users can access
  • Micro-segmentation: Apply granular access policies

8.3 Monitoring and Logging

# WireGuard Connection Logging Script
#!/bin/bash
# /etc/wireguard/log-connections.sh

while true; do
    TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
    wg show wg0 dump | while read line; do
        PUBLIC_KEY=$(echo $line | awk '{print $1}')
        ENDPOINT=$(echo $line | awk '{print $3}')
        LAST_HANDSHAKE=$(echo $line | awk '{print $5}')
        RX=$(echo $line | awk '{print $6}')
        TX=$(echo $line | awk '{print $7}')

        if [ "$LAST_HANDSHAKE" != "0" ]; then
            echo "$TIMESTAMP - Peer: $PUBLIC_KEY, Endpoint: $ENDPOINT, RX: $RX, TX: $TX"
        fi
    done >> /var/log/wireguard/connections.log
    sleep 60
done

8.4 Security Best Practices

  1. Use Strong Encryption: Use modern algorithms like AES-256-GCM, ChaCha20-Poly1305
  2. Regular Key Rotation: Periodically renew certificates and Pre-Shared Keys
  3. Perfect Forward Secrecy: Protect past sessions using ECDHE key exchange
  4. Kill Switch: Block internet when VPN connection drops
  5. DNS Leak Prevention: Force DNS queries through VPN tunnel
  6. Split Tunneling Caution: Use only when necessary and be aware of risks

8.5 VPN Protocol Comparison

Protocol Security Speed Configuration Difficulty Platform Support
WireGuard Very High Very Fast Easy Most Platforms
OpenVPN High Medium Medium All Platforms
IPSec/IKEv2 High Fast Difficult Native Support
L2TP/IPSec Medium Medium Easy Native Support
PPTP Vulnerable Fast Easy Legacy

Conclusion

VPN and encryption technologies are core elements of modern network security. Summary of topics covered in this article:

  • Encryption Basics: Understand the characteristics and uses of symmetric keys, asymmetric keys, and hash functions
  • SSL/TLS: Standard protocol for secure communication, TLS 1.3 recommended
  • PKI: Build certificate-based trust system
  • VPN Types: Understand characteristics of Site-to-Site and Remote Access VPN
  • VPN Protocols: Choose appropriate protocol for use case (WireGuard recommended for new deployments)
  • Security Considerations: Authentication hardening, network separation, monitoring essential

In Part 6, we will explore web application security and OWASP Top 10 in detail.