What is a VPN?

Using a VPN (Virtual Private Network) service will create a trusted network connection on top of an existing untrusted/public internet connection. VPNs do this by establishing an encrypted, private tunnel between remote users and the networks or resources they wish to access.  

When most people use the term “VPN,” they are talking about a remote access VPN.  This type allows remote users to connect to restricted network resources.  There are also site-to-site VPNs, which create secure tunnels between two different sites, joining two smaller remote networks into one larger logical network.

Why would I need a VPN?

Organizations may set up VPN services to allow their employees to access restricted network resources while they are off-site. In such cases, the off-site employee would need to authenticate with their credentials before access is granted.

If you travel often, or frequently connect to public internet connections, you should consider using a personal VPN to secure your connection, particularly if you are transmitting or accessing protected information or sensitive personal data.  Using a personal VPN will help protect you and your data, because there is zero guarantee that the network equipment you would connect to has all of its security updates, or that the equipment is configured securely.

VPNs can also provide additional privacy and anonymity while on the internet.  There can never be “perfect” privacy or anonymity, even with a VPN, but many people consider the extra configuration and cost of a VPN to be worth the added protection.

I want to use a VPN for work, what next?

Your organization may not offer VPN access.  If it does, you will likely need to request access, and there are probably additional restrictions on the network resources that will be available.  

SUNY Oswego offers a VPN for faculty and staff, for specific, limited purposes.  This link has more information about the SUNY Oswego VPN:  https://www.oswego.edu/cts/web-vpn-client

I want to use a VPN for my personal devices, what next?

The first step is identifying what kinds of connections and devices you want to protect.  For instance, are you primarily connecting with a smartphone, a tablet, or a laptop?  Are your devices running macOS, Windows, Android, or iOS?  What will you be doing on the VPN: general internet browsing, accessing cloud-based services, or connecting to your home network?  Will you be streaming video content?  How concerned are you about keeping your web activities private and anonymous?  How often will you be using your personal VPN service?

Once you’ve inventoried your devices and usage scenarios, it’s time to compare VPN service providers.  It wouldn’t be feasible to document every feature of every provider here, so you are encouraged to do some research - there are many good, up-to-date comparison articles available on the internet.  Look for recent articles that outline the subscription costs, the underlying technologies and the operational policies. In general, however, you will want to choose a VPN service provider that:

  • Is not free.  The service provider will need to make revenue somewhere, so if your VPN service is free, you will likely see lots of advertisements, find that the service is lacking features, or have your usage data collected and sold by the provider.

  • Has policies that you read and understand, particularly the Terms and Conditions and the privacy policy.  You really need to read them - they may outline data caps, what data the provider may gather on you and what they do with it, what the provider logs about your activities and how long the logs are kept, what level of outsourcing the provider does for their services, and many other items.

  • Has a reputable history.  There are many fake, fly-by-night VPN services that may look appealing for various reasons, but you will want to avoid them in favor of a vendor who has been in business for several years.  When you use a VPN, you are sending them ALL your network traffic, so you need to trust the provider.  Customer service and reliability ratings should factor in here, also.

  • Operates only in reputable countries.  The headquarters and the physical servers should be in countries without oppressive governments; avoid eastern European countries, China, North Korea, Mexico, Iran and the like.

  • Uses OpenVPN - this is considered the de facto technology standard.  Some smaller mobile devices (smartphones or tablets) may not support OpenVPN; in that case, look for L2TP/IPsec or IKEv2/IPsec.  Avoid PPTP; it is insecure.

  • Offers solid customer service and usage documentation.  If you don’t know how to configure your VPN connection in the most secure manner, you shouldn’t use it – your provider should offer good documentation that explains their VPN and its settings, and offers you support when you can’t figure it out yourself.  

  • Supports all the types of devices that you want to secure.   

For most people, in most cases, making appropriate choices with the features already mentioned will be sufficient to protect their online activities.  However, privacy and anonymity are often priorities for advanced users, or users who are targeted in malicious campaigns (such as civil rights activists or journalists).  There are additional factors to consider for people in these situations, such as whether the provider allows Tor connections, which payment methods the provider accepts, and how DNS settings are configured, amongst many others.  Again, research is the key, but the considerations mentioned earlier will still be a good start in selecting a VPN service provider.