Virtual private networks (VPNs)

Among other things, a VPN provides more protection of your privacy.

How do virtual private networks (VPNs) help?

Wireless internet access is now commonplace in virtually all busy locations - from train stations and airports to hotels, cafés and shopping centres. For smartphone, tablet and laptop users, free WLAN hotspots are undoubtedly a welcome offering, enabling us all to stay online without eating into the monthly data limits of our mobile contract. But be careful: Using public WLANs is significantly more risky than surfing using your mobile data.

If you don't want to give up the convenience of public WLAN hotspots, you can minimise the risks involved by using a virtual private network (VPN). A VPN internet connection transmits all of your data in encrypted format as standard, eliminating any opportunity for other parties connected to the public WLAN to intercept your data.

VPNs should not be confused with the encrypted transmission protocol HTTPS (Hypertext Transfer Protocol Secure), which is designed to ensure integrity and confidentiality in communications between a specific web server and your browser on the world wide web. By contrast, a VPN encrypts the data communication between two end points - for example between your end device and a VPN server. This means that a VPN can also protect your information even if you're using a smartphone app, for example, rather than a browser. A VPN can also encrypt all of your internet traffic, rendering it impossible for third parties to read or modify your communications.

We recommend using a VPN when you want to access your home network via a WLAN hotspot - for example to access personal documents, private photos or your music collection. If you're using smart home applications, VPNs can also be a secure alternative to cloud-based control: If you can control your intelligent household devices, connected doors, blinds or heating thermostats directly via your own home network router, without a diversion to the cloud, you can avoid the risk of smart home data being utilised by the manufacturers, cloud providers or unauthorised third parties to create a profile of your private living habits.

Furthermore, using a VPN means that your household devices do not need to be directly accessible from the internet via approved ports or UPnP, which protects your data against third-party access attempts. As some smart home devices do require access to the manufacturer's cloud in order to function correctly, check before you purchase any intelligent device that it does not need to be accessible from the internet.

What exactly is a VPN?

A VPN is a virtual network. Unlike traditional networks like your home network, a VPN does not involve any direct physical connections between end devices or to a central router using network cables or a WLAN connection.

A VPN generally uses connection paths on the internet. In private applications, it usually creates a connection between an end device - such as your smartphone - and a VPN server. The VPN server assigns a new IP address to your end device internally. When you surf the internet, the original IP address for your device is replaced on the websites you visit with the external IP address of the VPN server. In addition, all of the data transmitted between the end device and the VPN server is encrypted, effectively sectioning it off from the rest of the internet.

The encrypted data channels in the VPN are commonly referred to as tunnels, as the encryption constructs a kind of secure tunnel through the unprotected internet - for example from your smartphone connected to a WLAN hotspot to your home network router, or from your home PC to an external VPN server. At the entrance to the tunnel, all of the information is packaged into encrypted data packages. It is unpacked - or decrypted - when it reaches the end of the tunnel. This means that the data is returned to its original form at the other end of the tunnel.

The exchange of keys required to complete this process takes place automatically when the connection is established. One of the main advantages of VPN is that tunnel connections allow users to securely exchange sensitive data with a local network from virtually any location - even another country or a different continent. However, some countries prohibit the use of VPNs.

Ways to use VPNs

There are many different ways to use VPNs, depending on the application.

VPN clients: remote access can also be useful in the home

There are many advantages to setting up secure remote access to your home network. For example, a remote access solution enables inexperienced users to easily get help from more technically minded friends and relatives - perhaps to assist with the configuration of a router or to install new software. The "helper" can connect to the end device in question from home via a secure VPN connection and change the required settings without having to be physically present.

Another example application is in network storage with integrated web servers: In these systems - which are also referred to as network-attached storage, or NAS for short - saved films, music and photos can easily be loaded onto various end devices, including tablets and smartphones. However, many NAS web servers only achieve full functionality if the router is configured so that all incoming requests are forwarded to a specific destination port on the NAS device.

In turn, this port forwarding feature requires all of the ports that need to be accessed from the internet to be approved on the router and forwarded to the appropriate IP address. The problem is that these approved ports are also accessible to third parties via the internet. Potential attackers could use these ports to penetrate your home network and to infect the devices on it with malware.

Generally, the BSI recommends using port approvals sparingly. Only approve a port if you can accurately assess the technical consequences of doing so. If you are in any doubt, ask a friend or relative who knows more about the topic or contact a specialist service provider. When using NAS web servers and similar applications, it is best to refrain from risky port approvals altogether. To do so, you can either use a VPN-enabled NAS device or set up a VPN on your home network router. This means that all access attempts from the non-secure internet will be routed via encrypted VPN connections, which will protect your network from third parties accessing your network for criminal purposes.

Travelling: VPN bypasses geo-blocking

A VPN connection can be very useful when you go on holiday abroad, for example if you wish to watch a television programme on an online platform while you are away. Outside Germany, you may find that licensing rules prevent you from streaming a great deal of German media content. This so-called geo-blocking system places a block on all IP addresses that are not assigned to Germany. With VPN software on your tablet or laptop, this IP block will not work: Once your VPN has connected to a location in Germany via a VPN server, your smartphone or tablet will automatically be assigned an IP address that is not blocked in Germany, enabling you to get around the geo-blocking system.

Having said that, geo-blocking is declining in importance in the European Union: Since the first quarter of 2018, the Union has implemented new regulations designed to promote the portability of digital services across the EU. In other words, if you have paid to access films, sports reporting, music, e-books or games in your home country, you should also be able to access them in other EU countries, at least for a limited period of time. Outside the European Union, there are no signs that the geo-blocking rules will be relaxed any time soon.

When planning trips abroad, remember that VPNs are prohibited in some countries and that using them could mean that you are breaching local laws. VPN bans are most prevalent in countries with internet censorship, such as China.

VPN connects locations

In the world of work, VPNs are often used to facilitate mobile working - to securely connect home office workplaces to the company network, or to allow sales employees to access the company's central applications and files while they are on the road. Mobile devices for business use are often subject to company-specific security policies which aim, among other things, to prevent criminals from gaining access to sensitive data in the company network via a stolen device.

Another application for VPN technology is the virtual joining of two separate site networks - an option that is helpful not just for companies, but also for universities, government bodies and non-governmental organisations. In addition to encrypting all data traffic, the site connection can also be protected via a specially toughened VPN gateway to provide even better protection against cyber attacks.

So, as we've seen, VPN solutions are suited to a wide range of applications. In most circumstances, the limitations of the technology mean that the transfer speed is slower. However, in return, users benefit from encrypted VPN tunnels that guarantee secure communication via the internet - a medium that is, by comparison, not very safe or trustworthy. Visit our "Encryption" page to learn more about how you can use modern encryption techniques to minimise cyber risks.


VPNs: A brief guide

What you need to implement your own VPN solution will depend on how you plan to use it and the usage habits of the individual VPN users. Generally, all end devices used to surf the internet should be equipped with basic protection.

Setting up a VPN via your home network router

Some router manufacturers now allow you to set up a VPN server right at the heart of your home network. This option saves you time and money, as you no longer need to configure a separate VPN access point (VPN server) in your home network or set up the previously mentioned port forwarding to your router: As soon as a central router establishes an encrypted tunnel connection, all devices in the home network automatically benefit from secure communication. This also extends to connected devices that do not have their own VPN configuration, such as answering machines or IP cameras.

It is not possible to describe how to activate the VPN function on all routers, as the specific steps vary depending on the router model. Detailed instructions are usually provided on the website of the manufacturer. Some manufacturers also offer an app to access the VPN router from the end device.

In addition to using a router, a VPN server can also be set up on a network drive (NAS) or a computer in your home network. However, as these options often require port forwarding, which is a risky solution, they should only be employed by experienced users who know exactly what they are doing. In theory, even routers that are not equipped with VPN functionality may be transformed into a VPN access point. However, this process can be quite complex and requires specialist IT knowledge.

VPNs via smartphones, tablets and similar devices

One way to utilise a VPN is to install a VPN app on your end device. There are appropriate apps available for all common operating systems, from Windows and Android to iOS and Linux. Regardless of whether you prefer to use a smartphone or tablet or a PC or laptop, most VPN apps and programs work in the same way: To establish an encrypted connection to a VPN server, the app or program needs the IP address or domain name of the VPN server and the access data required to use it. The VPN server may be an appropriately configured home network router or the server of a VPN provider. The VPN app will indicate that communication is taking place via the VPN at any given moment by showing a small lock symbol at the edge of the display on Android devices, or by displaying the word "VPN" on an iPad or iPhone.

Selecting a suitable VPN provider

For day-to-day use, the speed of the connection to the VPN server is the first aspect to consider when selecting a suitable provider. Even when utilisation is high, a sufficiently fast internet connection should still be guaranteed. To achieve this, the VPN operator must have multiple server sites to absorb peaks when usage is high. However, remember that German data protection laws do not apply to servers in other countries. Many countries outside the European Union do not place anywhere near as much emphasis on data protection and informational self-determination as Germany. Generally, selecting a VPN provider comes down to trust. After all, all of your data traffic will be routed via your provider's servers where it could, in theory, be monitored and manipulated.

In addition to fee-based accounts for commercial VPN servers, there are also a number of free offerings on the market. It may be a good idea to try out multiple options to see what suits your individual circumstances. With free VPNs, functionality will usually be restricted, or the connection quality may be poor in comparison to other services. Often, users of free VPNs end up "paying" for the service with their personal data, which can be used for purposes such as marketing.

Browser plug-ins are another VPN variant. With plug-ins, only website data transfers are routed via encrypted tunnels. E-mails are still sent without encryption. If you want to encrypt all of your network traffic, you will generally need separate VPN software. Most commercial VPN server solutions offer corresponding apps, which you can download from the app store for your operating system. Once you have installed the relevant app, VPN mode can usually be activated with a simple touch of a button. Advanced users can usually configure the VPN function without using the provider's software by accessing the system settings of the operating system directly.

Safe surfing from any location

If you log into a VPN server at a WLAN hotspot via an app or browser plug-in, remember that your communication is only encrypted up to this VPN server. Even when you're remotely accessing a VPN-enabled home network router, the encryption ends at the router - all data transferred from this point to a NAS or to websites is sent without encryption. As a VPN router provides secure remote access to your home network, you will no longer need to take the more circuitous route of using a cloud when uploading data while travelling.
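As an added illustration of the tunnel described in "What exactly is a VPN?" and of the point above that encryption ends at the VPN server (example code written for this page, not from the BSI), the following Python model follows one packet from the hotspot to the website. The addresses, the key and the HMAC-based cipher are constructed stand-ins for a real VPN protocol, and the "hotspot view" shows what another user of the same WLAN could learn.

```python
import hashlib
import hmac
import json
import os

# Constructed addresses for the model (documentation ranges, not from the page).
DEVICE_IP = "192.168.178.20"    # smartphone on the hotspot WLAN
VPN_SERVER_IP = "203.0.113.10"  # VPN server (or VPN-enabled home router)
WEBSITE_IP = "198.51.100.7"     # web server the user actually wants to reach

def _keystream(key, nonce, length):
    # CTR-mode keystream from HMAC-SHA256, standing in for the tunnel cipher.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || tag. The tag lets the far end detect modification.
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, sealed):
    nonce, ct, tag = sealed[:12], sealed[12:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet was modified in transit or key mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def enter_tunnel(key, inner):
    # Tunnel entrance: the whole inner packet (addresses and payload) becomes the
    # encrypted payload of an outer packet addressed to the VPN server.
    return {"src": DEVICE_IP, "dst": VPN_SERVER_IP,
            "payload": seal(key, json.dumps(inner).encode())}

def hotspot_view(outer):
    # What another hotspot user sniffing the WLAN can learn from the outer packet.
    return {"src": outer["src"], "dst": outer["dst"],
            "website_visible": WEBSITE_IP.encode() in outer["payload"],
            "content_visible": b"GET " in outer["payload"]}

def exit_tunnel(key, outer):
    # Tunnel exit: decrypt, then forward to the destination with the VPN server's
    # address as source. From here on the packet is plaintext again unless the
    # application itself used HTTPS.
    inner = json.loads(unseal(key, outer["payload"]))
    inner["src"] = VPN_SERVER_IP
    return inner
```

The hotspot observer sees only that the device talks to the VPN server; the website sees only the VPN server's address, but also the request content whenever it is not additionally protected by HTTPS.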

Regardless of the VPN variant you use, your device will usually receive the visible external IP address of the VPN server when you connect to the VPN. This makes it harder for internet providers to track your browsing. For example, if your own router acts as the VPN gateway, an end device that reaches the internet through this gateway always appears with the router's visible IP address, exactly as it would if it were sitting in the home network behind the router - regardless of where the connection is made from. VPNs offer a combination of high security and outstanding privacy. You can further boost the security of your communication by giving priority to websites with HTTPS encryption while you surf, and by using encrypted messaging apps for chats.