VPNs, Proxies and Secure Tunnels Explained (Deepdive)
Vložit
- čas přidán 6. 06. 2024
- What is a secure "tunnel"? When I started to learn about computers the name confused me. I couldn't imagine how it works on a technical level. In this video we build upon knowledge from the previous videos, to develop an intuition for what a tunnel, VPN or proxy is.
LiveOverfont (advertisement): shop.liveoverflow.com
1. Server Explained: • What is a Server? (Dee...
2. Protocol Explained: • What is a Protocol? (D...
3. Computer Networking: • Computer Networking (D...
Grab the forwarder.py code: gist.github.com/LiveOverflow/...
Chapters:
00:00 - Intro and Background
00:53 - Networking as a Blackbox
01:24 - forwarder.py: Forward Data via Networking
02:43 - Using forwarder.py as a Proxy
04:31 - xor_forwarder.py: Forward "XOR Encrypted" Data via Networking
06:58 - The VPN Blackbox
08:10 - VPNs Forward Entire Packets
10:01 - Virtual Network Cards with TUN/TAP
12:34 - Outro
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
2nd Channel: / liveunderflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Streaming: twitch.tvLiveOverflow/
→ TikTok: / liveoverflow_
→ Instagram: / liveoverflow
→ Blog: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
I'd really enjoy a Deepdive about TLS.
czcams.com/video/6G14NrjekLQ/video.html
Yeah, that would be great
Check out Practical Networking he has a entries series on this topic and it's as deep as it can be I would say
As a network engineer, tunnels are by far the most deceptive concepts. At their simplest, you're just shoving IP within IP, at their most complex, you get complaints ;).
Hmmm its more like IP within TCP or UDP
@@creepr524 Yes, but TCP and UDP are themselves inside of IP, so the statement is still correct.
@@creepr524 IPSEC has entered the chat
Yeah, i Always hated vpn
@@creepr524 huuuum actually 🤓 whoops, we're all nerds here, that was inappropriate.
I was just wondering about this and then got a notification.
It's like he knows what we are thinking...like a hacker perhaps
@@MrDeltaRing yeah, maybe he is a social hacker/engineer too...
@@crafterboy27 wasnt wondering and got a notifaciton
😮
Literally same wtff
I would appreciate a video about OAuth & JWT, generally these authentication methods and how these tokens are created, sent and stored via HTTP and how they relate to user roles and permissions I find difficult to understand.
yes different types of authentication are really confusing .... and i really struggled to make authentication when i was making my first java server...
in python and node, it's much simpler...
Definitely... As well as Stateful vs. Stateless Authentication/Architecture, Cookies vs. Tokens and So On... The Whole Thing around
You should watch okta devs video on ouath
Great video! The most important part is your smiling face at 6:57 when you talk about the "beautiful way". The next time I'm struggling with incompatible IPSec-tunnels, I'll remember your face and all frustration will be gone.
You oversimplified a bit: not all tunnels have their own interface. We all love good old SSH tunnelling, as we do with recent websocket tunnels.
This series is actually a gold mine
Great video content for those, who start learning networking. Even basic understanding how routing works will surely make VPNs much easier to grasp. Especially those, which use virtual interfaces. On the other hand, policy-based ipsec tunnels, which do not have nor their own routes, nor endpoint IPs, yet can somehow connect private networks just as fine as those tun/tap devices always amazed me. While I certainly can configure & use that, I never could understand how it works on a packet level, would be a nice if you could do some explanation video, thanks!
Great video! From a perspective of a graduated cyberdefence student and actual penetration tester, these questions "from the past" are 100% in point! Other thing that bothered me in the past is for example "How the email systems actually works?"
I feel lucky that you still share the knowledge with us. literally gold channel
Amazing video! It would be awesome to do a second version, but diving deeper and complex! Again, thanks for your videos, they are very informative and easy to follow
This is such a good explanation. You are so good at explaining these topics and such a natural in front of the camera
This was great! Have actually never completely understood how vpns work, great explaination!
Really detailed video, I’ve been experimenting with tunnels recently & I think you explained the underlying concepts extremely well 🥳🥳.
Wow, this was complex but you explained it really well. Also thnx for including the python code.
I really love your enthusiasm about the topics! 👍
Thank you so much for sharing the knowledge in such a simple manner
I'm really enjoying these explainer videos. I had this ah ha! moment half way and I finally get tunnels. That was way simpler than I could have imagined.
Can it be a coincidence that a server on the IP you used in your video now hosts an nginx instance with some weird XSS-like payload in its TLS-certificate common name? ('"'>')
Thanks a ton for this I was confused about this today in class!
I love the mini videos with you encapsulating packets hahah
Absolutely loved this video!
Using swIPE protocol I was part of a small team that implemented one of the first VPN tunnels over the internet with the tunnel running between two proxy based firewalls. I also implemented a DOS/Windows vpn client. This was around 1996. Later ipsec and TLS became available. Things have really changed now that encrypted comms is the norm : )
your videos teaching things are awesome
Absolutely excellent video super helpful thank you!
Really awesome and deep explanation thank you
really good explaining
Brilliant. Thank you so very much.
Perfect video man! Keep it coming ^^
Wow, the networking world is amazing, thank you
I'd love a deepdive on WireGuard protocol and how things like Tailscale work under the hood to get around CGNAT. Thanks for the awesome videos!
I love your content. Please, please, please, create a video comparing and exploring the differences between the source code of Linux and FreeBSD
If you mix these concepts with SSL that would be very interesting at least for me. Thank you for sharing knowledge
If you imagine that SSL/TLS is just another layer on top of TCP (but below HTTP for example, even though this only applies to HTTP/1.X), it stays exactly the same, but instead of redirecting the HTTP traffic, it redirects the SSL/TLS/HTTPS traffic.
For the VPN provider the only thing that changes is that without SSL/TLS it could read your traffic, whereas with encryption it can't
@@RoiEXLab Thank you.
There is also stunnel, a tool that allows you to essentially wrap any traffic in TLS. With it you can, for example, do SSH-over-TLS (for whatever reason)
@@gregorykhvatsky7668 A more commonly used example is FTP over SSL, because it was never made with proper encryption in mind :)
Great video, thank you!
Hey you did a great job with this deep dive series I must say. I was wondering if you could do another about "storage" in detail; i.e. differences between block storage, file storage and their usages with examples ? Thanks!
Slightly related, checkout my Linux Driver video. It’s a different style but might answer some questions
Can you make a video on relay its types and when/why we need it and how they work and are they different from routing and just everything about relays. Especially out of the context of TOR so we can understand relay and ultimately the TOR.
Love your videos ^^
I would absolutely KILL for a video discussing how Kerberos works. Or, if possible, every step that happens from plugging a smart card into a windows machine during Interactive Sign On to Kerb to successfully getting into you computer.
i deff subscribed for your minecraft content. its great
What a great video! ❤
Thanks, well explained 👍
Just wonder, how do you make these animated images?
Nice animation of the osi layers
Please do a IPSec version of this. It's not TUN/TAP(despite VTI) but something rather old fashion. I think many people get confused when dealing with both kinds. Also I think it's worth to talk about the routing table magic when using TUN/TAP tunnel, like why I route everything into it but it doesn't loop?
How about a deep dive on building/making software? There are a number of tools that expedite build processes, but how all the dependencies and sub-modules work together would be useful.
are you still doing the Minecraft series? i think you should go over most of the third party "schematic" file formats (as most of them are just NBT, though some are text based and/or custom binary encodings)
Nice video! Could you make a video on files, sockets and streams :D
Great video!
Talk about certificates, I'm using them, issuing them but don't *really* understand it. CA Authority, TLS, SSL.
UP!
Hello is it possible to make a video about certificates (deepdive)? Ty
Thanks Fabien
Very nice explanation! Thank you.
One question, you said "you can tell the operating system please route ALMOST all traffic..."
Why almost? What data isn't routed?
Thank You😊
One detail what I would have liked to see here is some detail on what the IPs "within" the tunnel really are. Are they just artifacts of packing a whole TCP/IP packet as data into another TCP/IP packet or do they have more meaning, e.g. in terms of routing?
If it's a GRE tunnel, it's just IP within IP. The IP packet is encapsulated as data (the payload) in another IP packet. That IP packet is routed across the tunnel (often the public internet) and once it reaches its remote tunnel endpoint, that endpoint decapsulates it, revealing the "real" IP packet, which then gets routed/forwarded to it's destination "normally".
@@ajko000 I think that's exactly the point where I'm wondering why the tunnel IPs are needed. The two VPN endpoints exchanging encrypted payloads (the encapsulated 'local' IP packets) know each other's WAN/public IP, so why is there a need for a "tunnel" in the sense of a static route between virtual private IPs? If the two endpoints, each in their own respective part of the virtual private network, just acted as two proxies communicating using their counterpart's public IP the whole thing would still work in my mind and there would be no need for the virtual tunnel IPs.
you could do a video about containerization, i don't exactly know the name, but you know, explain concepts used in docker or in virtualbox
Can't wait for a video on Union routing. c:
computerphile did a nice one on the subject, but guess he might do better
I like the LiveOverflow university
Greater video thank you! Could you maybe make a video about reverse proxy to?
Great content :)
Great Video!
Something about TLS?
Our favorite hacker is back. Let's go!
Amazing vid
yay deepdives!
So the tun/tap, which is not a network card, is treated like one, in a similar way that usb drives can be treated as keyboards, even if they're not?
do you think you could teach chatgpt to buffer overflow its own text prediction's return variable?
Please please please can you make a video about application layer or more specifically DNS and its hierarchy and types? Or routing explanation in a nonconfusing way?
Sorry if I asked maybe something unrelated to what you wanted to do
I'd like to see a deepdive into a file structure.
A file is made up of a header data and the content data. How can we inspect the header data and where is the meta data stored - in the header? Are there common flags that indicate where the content data starts and ends? etc.
Can you do a video about hardware based root of trust in embedded systems? Using secure storage for keys etc. And public key cryptography
learned a lot
Muy bueno !!!!
Thanks!
tbh I like the ad at the end
You should make more of these videos explaining concepts. Why did you stoped?
if the IP and TCP packets are left unchanged and just released on the private network ... how does the other side know how to send data back through the VPN Server program ?
Is there any security issue / government tracking problem if we create our won vpn? Need sugesstions thankyou❤️
Hi
,pls talk about how to keep our phones secure and anonymous, im talking about ads loclisation ,...Or that there is no escaping from this in return for obtaining Google services !!
Generally, proxies offer quicker connection speeds compared to VPNs. This is because proxies selectively route specific traffic, while VPNs encrypt all internet activity, potentially slowing down speeds. Zeus Proxy offers a rotating residential proxy ideal for tasks like e-commerce multi-account registrations, data crawling, airdrops, and gaming.
If traffic from a computer goes into a VPN and then to a server on the internet, how does the server know to respond to the VPN, not the computer (since the ip source header would contain the computer’s ip address if the same exact packet that the computer sent would be released into the VPN) and if yes how does the vpn know how to send the server’s response back to the computer since the server had no idea that it was talking to a vpn
If by "server" you mean machine other that on which VPN server is run (e.g. accesing third-party site through VPN), then it should be like your wifi router (acting as NAT) -- your local device initiates TCP connection, router opens outbound port for it and remembers with which local device that port is associated with, forwards following incoming traffic for that port accordingly.
So from my understanding, in the example with your version of "OpenVPN", you can route your packets to the virtual network interface card, and that's really a program like a VPN client. After the program does what it needs to do (ie putting on new headers, encrypting the data), does the program then hand off this new encapsulated packet back to the real network interface card so that it can reach the VPN server? I guess I'm a little confused as to what the next steps would be after the packet goes to the vNIC
The vNIC sends the packet to another server over the physical network. That server then unpacks the packet on a vNIC on its end, and then it handles the packet the same way as a router handles packets that come in on one NIC and need to be sent along through another NIC.
@@codahighland Thank you for the clarification
@@maxdobrei5117 Any time!
thanks
Great video but the image quality was kind of low. Maybe you should consider to upload in 4K in the future.
Can you do "What is a registry" next? I have heard about the windows registry or docker registry etc... But i have no clue what it actually is (not completely i know you can store something, but looking at it in a more technical way) 🤔
A registry is just a database with a well known location. That's literally all it is. The DNS registry is a database of domain names and IP addresses that you can find at a location given to you by your ISP. The Windows registry is a database of configuration settings that any program can access using a standard API. A Docker registry is a database of Docker images and you share the address with the hosts that you want to have access to it.
ty :)
I felt like you were on the same page as I was for a second
I think there is also potential for a BIOS/UEFI/bootloader/boot etc. Video but that could be rather short
How do programs utilize drivers? Why do anticheats use them?
Can we get a video about TCP meltdown?
I always take issue when "transparent" is used when describing technology. I think most of the time people actually mean "opaque". Let's say you have a loadbalancer to some API and it forwards incoming traffic to multiple backend servers (e.g. round robin). You could describe this as transparent since the request goes _through_ the loadbalancer, like through a glass window and still reaches the server. But I would argue this loadbalancer is opaque to the API client. The client has no idea that different servers are targeted, only the API endpoint is relevant for it to function (ignore header shenanigans, etc.). The loadbalancer takes care if a backend server is unreachable. On the other hand, if you use multiple DNS Records ("DNS Loadbalancing" or "poor man's load balancing") and show that there are multiple servers answering requests, you need to take care to retry if one of those servers looses connection. (You should always build in retries though!)
In the case of a VPN (or tunnel) the client (curl, nc, browser, etc.) is not aware that it is using a VPN (you can of course detect it, if you want, but this is not the point). The client just does its thing, it does not care if there is something extra. If you want to be more technical you could say you hand this problem down to your network stack then then chooses the right interface (which would be a tap, tun, or wg interface etc.).
I think "transparent" is so widely used for opaque technology, because it sounds more positive and because the request/operation reaches its target "through" something. In practice, I find it confusing to talk about actual transparent technologies, for example that implement transparent caching or failover; here the client has to do actual work.
Sorry for the rant! I actually quite enjoyed the video!
I'd say it uses word transparent as invisible by clients
@@passerby184 What would you call transparent caching then? Or something like etags?
@@Syphdias transparent cache is still transparent: (actually it needs cache to be a transparent proxy):
What about the server response? The terminal server is gonna send the response packet destined for your actual computer and the not the vpn server. Can't your isp just look these incoming packets and use the source to figure out what websites you're actually talking to? I'd reckon at the very least the vpn server would modify the ip header of the actual packet and make itself the source so that it can receive the response from the terminal server.
I was exactly looking for tunneling and spliting stuff and i was thinking where are you, why this dude didn't post anything for about 2 weeks
I didn't understand why you'd want to use the VPN protocol which has these added steps to preserve your IP header?
Wasn't the proxy setup simpler, and possibly more performant?
VPN works with all protocols - if it is a Layer2 VPN, it can even work with non-ip packets (for example IPX/SPX, NetBIOS etc). Proxy works only with some application protocols (HTTP(S) proxy) or only with TCP and UDP (Socks proxy). TCP Proxy is also always a server that only clients can use. A VPN can be ad-hoc (see wireguard point-to-point) or even mesh (see tailscale). Also, why would it be more performant? You have two TCP stacks in a proxy (complex), versus two UDP or even raw IP stacks (simpler) in a VPN endpoint.
7:00 note the emphasis on "private network", VPNs allow to bridge remote networks into one without revealing any of them to the public internet (e.g. your home network may have 10s of devices, but they all sit behind one public-facing IP of your router -- so for example you wouldn't be able to connect to your phone from outside; VPN allows to connect to your home network remotely and speak to devices within network as if you were connected to it locally).
Also his proxy setup is overly simplistic for demo purposes:
1) Always proxied traffic to same remote machine (ipinfo io) -- there's no way to specify to which remote IP/port data should be forwarded; To do so you'd have to wrap payload data in your own layer/data protocol, where you can put this info in some headers.
2) After you made your own proxy protocol you have issue of any third-party software not being aware of how your protocol works and thus not sending data correctly. So you can only use it with software you build/modified yourself -- VPS are transparent to software.
Do they actually use TCP packets? I thought that they use UDP to avoid a TCP Meltdown?
I read pixies. Pixy based security would be awesome
thanks for saving us from the scanning work ;)
Unlike VPNs, Zeus Proxy ensures that proxies exclusively change the IP address for the specific browser in which they are installed.
*Secretttttt Tunnelllllll!!!*
👍
Push!
based
maybe docker explanation?
You mentioned it in passing, but through VPN you can work with any protocol on top of IP. UDP works on top of IP, for example DNS. ICMP works on top of IP, for example ping.
ICMP works over IP not UDP. Well, in the normal scenario anyway; i'm sure one can cobble together some unholy monstrosity that routes ICMP over UDP.
A bunch of corrections to your message.
1. Whether you can actually run a protocol over VPN depends heavily on implementation - for example if you use OpenVPN tun device, you are limited to using protocols from OSI layer 3+. You can't use VLANs, CDP, LLDP and many other useful protocols over a tun device. Actually most of VPN types won't allow you to use Layer 2 protocols, with a notable exception of OpenVPN tap device in bridging mode.
2. modern DNS should prefer running over TCP as best practice (see rfc9210).
3. ICMP works on top of IPv4, it is a separate protocol, just as TCP or UDP, so it does not need anything besides IPv4. Most important it does not need the devices to know about each other to function properly
@@pitust heh, right, I knew that just made mistake xD
@@anonymousperson2640 1. I didn't know you can run OSI layer 2 over openvpn. Should it be better called something like virtual router, and not virtual private network?
2. that's true, but there are other protocols over UDP, and we will have QUIC. DNS was just for an example. And using old DNS over UDP inside local networks is still fine (am i right?)
3. this was my mistake, i knew that
@@Z3rgatul yes, openvpn tap device allows raw ethernet frames, so you can even use something like IPX instead of IP inside. Downside would be pretty high traffic usage, since every frame from each connected client will be distributed to all other clients (aka star network). DNS should answer on both UDP & TCP, since UDP-only version has some problems with DNSSEC not fitting into 512 byte limit (you wouldn't want to run a modern dns-server without enforced dnssec verification, would you? :))
Me watching after I set up my own personal VPN 😄
I am often struggling with proxy and reverse proxy. Isn’t it like that every reverse proxy is a proxy, it just depends on which side the client is? Maybe someone has a good explanation for me^^
Cloudfare documentation about reverse proxy.