“Everything VPN Is New Again”
Communications of the ACM, April 2021, Vol. 64 No. 4, Pages 130-134
By David Crawshaw
“The growing number of end-user devices and a new layer of virtualization in datacenters has subtly but profoundly changed how the VPN abstraction fits into networking.”
The virtual private network (VPN) is 24 years old. The concept—cryptographically secure tunnels used as virtual wires for networking—was created for a radically different Internet from the one we know today. As the Internet grew and changed, so did VPN users and applications. The VPN had an awkward adolescence in the Internet of the 2000s, interacting poorly with other widely popular abstractions such as multiuser operating systems. In the past decade the Internet has changed again, and this new Internet offers new uses for VPNs. The development of a radically new protocol, WireGuard, provides a technology on which to build these new VPNs.
This article is a narrative history of the VPN. All narratives necessarily generalize and cannot capture every nuance, but it is a good-faith effort to (critically) celebrate some of the recent technical history of networking and to capture the mood and attitudes of software engineers and network administrators toward the VPN.
The First Age: Fiefdoms and Leased Lines
Before the Internet there were networks: corporate networks, university networks, government networks. These networks were made of relatively expensive computers, had relatively few trusted people (at least by the standards of today’s multibillion-person Internet), were managed by full-time network administrators, and were geographically clustered into buildings or campuses.
The Second Age: Satellite Offices and Consumer Privacy
By the early 2000s in the U.S., it was possible for almost all desktops and laptops to reach the Internet, though many remained disconnected for reasons of policy, price sensitivity, or lack of adequate networking software. (Often this lack of software meant not that it was impossible to route a local network onto the Internet, but that doing so required a great deal of manual intervention by an expert, and experts were in short supply.)
The Third Age: Single-Use Devices and Virtual Network Namespaces
The big exciting VPN development of the past few years is WireGuard, a completely new implementation of IP encapsulation using the latest in cryptographic algorithms and principles.
WireGuard, the creation of Jason A. Donenfeld, is built on top of the cryptographic primitives Curve25519 and ChaCha20. The protocol creates a tunnel between two equal peers, each identified with public/private key pairs, rather than the common client-server architecture of VPNs with gateways and concentrators. It adopts handshake techniques and principles of the Noise Protocol [9] to make it practically impossible for adversaries even to know a machine is running a WireGuard endpoint. There is no standard port to scan for on a network.
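As an added illustration (not code from the article or from the WireGuard project), the following Python sketches the mac1 check that lets a WireGuard responder stay silent toward anyone who does not already hold its static public key: the mac1 key is HASH("mac1----" || responder public key), so a probe sent without that key cannot carry a valid tag and is dropped without any reply. The constants and the BLAKE2s construction follow the WireGuard protocol description; the handshake body is a constructed placeholder, and the Curve25519/ChaCha20 parts and the mac2 cookie mechanism are omitted.

```python
import hashlib
import hmac
import os

LABEL_MAC1 = b"mac1----"   # WireGuard's Label-Mac1 constant
MSG_INITIATION = 1         # message-type byte of a handshake initiation
MAC_LEN = 16               # mac1 is a 16-byte tag


def wg_hash(data: bytes) -> bytes:
    """HASH(): BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data, digest_size=32).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """MAC(): keyed BLAKE2s with a 16-byte digest."""
    return hashlib.blake2s(data, key=key, digest_size=MAC_LEN).digest()


def mac1_key(responder_pub: bytes) -> bytes:
    """Both peers derive the mac1 key from the responder's static public key."""
    return wg_hash(LABEL_MAC1 + responder_pub)


def build_initiation(responder_pub: bytes, body: bytes) -> bytes:
    """Initiator side: type byte + (placeholder) handshake body + mac1 over both."""
    msg_alpha = bytes([MSG_INITIATION]) + body
    return msg_alpha + wg_mac(mac1_key(responder_pub), msg_alpha)


def responder_accepts(responder_pub: bytes, datagram: bytes) -> bool:
    """Responder side: process only datagrams whose mac1 verifies; otherwise drop silently."""
    if len(datagram) < 1 + MAC_LEN or datagram[0] != MSG_INITIATION:
        return False
    msg_alpha, mac1 = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
    expected = wg_mac(mac1_key(responder_pub), msg_alpha)
    return hmac.compare_digest(mac1, expected)


if __name__ == "__main__":
    # Stand-in 32-byte "public key" (random bytes, not a real curve point).
    pub = os.urandom(32)
    peer_msg = build_initiation(pub, b"constructed-handshake-body")
    print("known peer accepted:", responder_accepts(pub, peer_msg))
    # A scanner that lacks the public key can only guess the tag.
    probe = bytes([MSG_INITIATION]) + b"probe" + os.urandom(MAC_LEN)
    print("blind probe accepted:", responder_accepts(pub, probe))
```

Because the responder never answers an unverified initiation, a port scan sees the same silence from a WireGuard endpoint as from a closed UDP port.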
About the Author:
David Crawshaw is cofounder and CTO of Tailscale. Previously, he worked on a variety of software projects, including the Go programming language.