How does VPN route to the private address?

2

I am trying to understand how the connection to a server at my university through VPN works. The IP address of the server on the network is 172.27.xxx.xxx, which to my understanding is a private IP address (i.e. is reserved for internal use and is not allowed on the public internet). It is also my understanding that if you perform a DNS lookup for that server then it will return the IP address of one of the university's routers that connects to the public internet (perhaps the VPN router?) because of this: "What IP address is DNS service returning?", and not the private address. So when you send packets from your host on the public internet, they are encrypted and sent to the campus VPN router. Once they make it to the VPN they are decrypted, but at this point how does the router know where to send the packets since we never had the private IP address of the desired server?

Some related questions are here, but I haven't found anything that makes this point clear to me: "How to access a VPN server with a private IP address?", "How Does a VPN Manage Local IP Addresses" and "DNS lookup in internal network".

dpritch

Posted 2017-04-07T00:20:23.370

Reputation: 131

Answers

4

There are two fundamental concepts of most VPNs:

  • The notion of tunnelling, which means it encapsulates traffic of one type within another.

  • Most VPN client software creates a "virtual" network adapter on the system.

Traffic that is sent to this virtual network adapter is actually shunted to the VPN client software (most modern OSs support this type of network adapter which send traffic to an application or service and not directly out of a network adapter), which takes the packets and adds them as payload data in an encrypted protocol (SSL, etc.), and then ships the encrypted packets on to the VPN server via the Internet out of the real network adapter.

This whole process is called tunnelling - and encryption does not have to be involved but is used in the case of VPN.

The VPN server then undoes the encapsulation, and then has the original traffic. It can then route them, etc., normally.

Because a virtual network adapter is used at the client, and the encapsulation/de-encapsulation is transparent to anything traveling over the virtual network adapter, addresses that exist at the other side of the VPN server can be used as though they were directly connected.


With regard to DNS, it's possible to tell a DNS server to return any address you want - including private IP ranges. The VPN server needs at least one public IP and DNS resolving to a public IP in order to allow VPN software to create the tunnel, but once the tunnel is up, it's perfectly fine for hosts "behind" the VPN to have private IP addresses that are accessible on a network only available "through" the VPN.

LawrenceC

Posted 2017-04-07T00:20:23.370

Reputation: 63 487

Thanks! That explains a lot that the OS allows the VPN client software to create the inner IP payload before passing off this payload to the usual network software on the system (I was going to ask about this in a separate question!). One key question still remains though: what does the VPN client place in the IP header for the inner payload so that the network router knows where to send the packet after removing the outer protocol? – dpritch – 2017-04-07T01:37:11.803

VPN servers are also routers. They don't modify the inner packet at all. If the encapsulated destination IP - available after un-encapsulating - is an IP accessible to the VPN server, the VPN server will send it on. This could be a private IP address range only accessible to the VPN server (normal for corporate VPNs, etc.), or an Internet-accessible host (this is how "privacy VPNs" work - they simply take your traffic and throw it back on the Internet). – LawrenceC – 2017-04-07T01:41:10.463

When I run nslookup domain.name.edu it returns the 172.27.xxx.xxx address of the server. So I presume that's the IP address that is placed in the encapsulated destination IP header? In other words, the DNS lookup allows for addresses that are not reachable on the public Internet. – dpritch – 2017-04-07T02:29:01.577

Looks like it. You can configure a DNS server to return any IP you want, even private range IPs, or even 127.0.0.1 if you really wanted. – LawrenceC – 2017-04-07T02:36:26.370

Thanks again! I've accepted this answer. But if you could add this last statement about being able to configure the DNS server to return the private range IP address I think that would be really helpful for future readers. – dpritch – 2017-04-07T14:10:55.567
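The encapsulation and routing steps described in the answer and the comment thread above, as an added worked example (not code from the original post or from any real VPN product). It builds an inner IPv4 packet whose destination is a private campus address, wraps it in a tunnel packet addressed to the VPN server's public IP, and then has the "VPN server" unwrap it and pick an egress interface by longest-prefix match on the inner destination, which is left untouched. All addresses, the tunnel format and the XOR keystream "cipher" are constructed assumptions for illustration; a real VPN uses TLS or IPsec, not the toy cipher here.

```python
"""Tunnelling walk-through: client wraps an inner packet, VPN server unwraps it
and routes on the INNER destination.  Constructed example; addresses and the
tunnel format are assumptions, not those of any real VPN."""
import hashlib
import ipaddress
import struct

# Constructed addresses (documentation ranges / made-up private hosts).
CLIENT_PUBLIC_IP = "203.0.113.10"      # client's real Internet address
VPN_SERVER_PUBLIC_IP = "198.51.100.5"  # what DNS must return for the VPN endpoint
CLIENT_TUNNEL_IP = "172.27.250.10"     # address assigned to the virtual adapter
CAMPUS_SERVER_IP = "172.27.1.20"       # private address the campus DNS hands back

# VPN server's routing table (constructed): campus range out the LAN side,
# everything else (if permitted) back out to the Internet.
ROUTES = [
    (ipaddress.ip_network("172.27.0.0/16"), "eth1 (campus LAN)"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0 (Internet)"),
]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return the fields a router cares about; rejects a corrupted header."""
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": packet[20:f[2]]}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for the VPN's real cipher: XOR with a SHA-256 counter
    keystream.  Illustrative only; it is not an authenticated cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: bytes, key: bytes, nonce: bytes) -> bytes:
    """Client side: the virtual adapter hands the inner packet to the VPN
    client, which encrypts it and addresses the outer packet to the server."""
    return build_ipv4(CLIENT_PUBLIC_IP, VPN_SERVER_PUBLIC_IP,
                      nonce + keystream_xor(key, nonce, inner))


def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Server side: strip the outer header, decrypt, recover the inner packet."""
    outer_hdr = parse_ipv4(outer)
    if outer_hdr["dst"] != VPN_SERVER_PUBLIC_IP:
        raise ValueError("tunnel packet not addressed to this VPN server")
    nonce, ciphertext = outer_hdr["payload"][:8], outer_hdr["payload"][8:]
    return keystream_xor(key, nonce, ciphertext)


def route(dst: str, routes=ROUTES) -> str:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    if not matches:
        raise LookupError("no route to %s" % dst)
    return max(matches)[1]


def vpn_server_forward(outer: bytes, key: bytes) -> tuple:
    """What the VPN server does as a router: unwrap, then route on the inner
    destination.  The inner header is read, not rewritten."""
    inner_hdr = parse_ipv4(decapsulate(outer, key))
    return inner_hdr["dst"], route(inner_hdr["dst"]), inner_hdr["payload"]


def demo(dst: str = CAMPUS_SERVER_IP, payload: bytes = b"GET / HTTP/1.0\r\n") -> tuple:
    """End to end: client builds and wraps a packet, server unwraps and routes it."""
    key, nonce = b"constructed-shared-key", b"\x00" * 7 + b"\x01"  # assumptions
    outer = encapsulate(build_ipv4(CLIENT_TUNNEL_IP, dst, payload), key, nonce)
    return vpn_server_forward(outer, key)


if __name__ == "__main__":
    print(demo())                    # private campus host -> campus LAN side
    print(demo("93.184.216.34"))     # public host -> back out to the Internet
```

The point the comment thread settles is visible in `vpn_server_forward`: the only public address anywhere in the exchange is in the outer header, and once that is stripped the server forwards on whatever private destination the client's resolver put in the inner header. A `172.27.x.x` destination matches the more specific campus route; anything else falls through to the default route, which is also how a "privacy VPN" hands your traffic back to the Internet.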

0

Once they make it to the VPN they are decrypted, but at this point how does the router know where to send the packets since we never had the private IP address of the desired server?

If I am not dreadfully mistaken, I believe the process generally is to include the original request payload as part of the VPN packet. So if you request "internal.server.edu/something-something-darkside", that is included in the encrypted packet (and the VPN server will handle this request data according to its configuration).

You can also be sure that most VPN servers allow network bridging and are likely aware of the local DNS servers.

Anaksunaman

Posted 2017-04-07T00:20:23.370

Reputation: 9 278