
Vpn


17 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What is WireGuard and why is it considered the modern VPN standard?

WireGuard is a VPN protocol built into the Linux kernel (5.6+) with only ~4000 lines of code. It uses UDP, identifies peers by public keys (not certificates), uses ChaCha20 + Poly1305 encryption, and is silent by design (does not respond to unauthenticated packets). Its simplicity and performance make it the modern default.

Remember: "VPN = encrypted tunnel over untrusted network." Two types: site-to-site (connect offices) and remote access (connect users).

Who made it: Jason Donenfeld created WireGuard. It was merged into Linux kernel 5.6 in March 2020.

Number anchor: ~4000 lines of code vs OpenVPN's ~100,000. Smaller codebase = easier to audit for security.

2. What is the difference between a Layer 2 (TAP) and Layer 3 (TUN) VPN tunnel?

Layer 2 tunnels carry Ethernet frames, making both sides appear on the same LAN (broadcasts and ARP work). Layer 3 tunnels carry IP packets, with each side on its own subnet (no broadcasts). Most VPNs are Layer 3. Layer 2 is used for bridging sites or legacy protocols requiring broadcast traffic.

Name origin: TUN = "tunnel" (L3 IP packets), TAP = "network tap" (L2 Ethernet frames). The device names /dev/tunX and /dev/tapX reflect this.

3. What is SSH local port forwarding and when would you use it?

`ssh -L 5432:db.internal:5432 bastion.example.com` forwards local port 5432 through the bastion to reach db.internal:5432. Use it for quick access to services behind firewalls without setting up a full VPN. It is not meant for production use but is invaluable for ad-hoc database or service access.

Example: `ssh -L 3000:grafana.internal:3000 bastion` lets you access Grafana at localhost:3000 through the bastion.

🟡 Medium (4)

1. What does AllowedIPs do in WireGuard and why does it confuse people?

AllowedIPs serves two purposes: for outgoing traffic, it determines which destination IPs are routed through the peer; for incoming traffic, it determines which source IPs are accepted from the peer. Setting 0.0.0.0/0 creates a full tunnel (all traffic), while 10.0.0.0/24 creates a split tunnel (only VPN subnet traffic).

Analogy: AllowedIPs is like a routing table and firewall rule combined — it controls both where traffic goes and what's accepted.

2. Why should you prefer UDP over TCP for OpenVPN, and when is TCP necessary?

UDP has lower latency and avoids TCP-over-TCP meltdown (where retransmissions on both the tunnel and inner connection cause exponential delays). TCP is only needed when UDP is blocked by firewalls, and can run on port 443 to look like HTTPS traffic. Always try UDP first.

Name origin: TCP-over-TCP meltdown was described by Olaf Titz (2001). Both layers try to retransmit lost packets, causing exponential delays.

3. What are the two phases of IPSec tunnel establishment?

Phase 1 (IKE SA): peers authenticate, negotiate encryption algorithms, and establish a secure management channel. Phase 2 (IPSec SA / Child SA): peers negotiate data encryption parameters, define what traffic to protect via selectors, and create the actual tunnel for data transfer using ESP.

Remember: "Phase 1 = management tunnel (IKE SA), Phase 2 = data tunnel (IPSec SA)." Think: handshake first, then data.

4. What is the difference between split tunneling and full tunneling, and when should you use each?

Full tunnel routes all traffic through the VPN (WireGuard AllowedIPs = 0.0.0.0/0) — simpler but slower for general internet traffic. Split tunnel routes only specific subnets (AllowedIPs = 10.0.0.0/24) — faster, but traffic outside those subnets is unprotected. Use split for developer access to internal resources; use full for compliance requirements or untrusted networks.

Remember: "Full tunnel = everything through VPN (secure but slow). Split tunnel = only internal traffic through VPN (fast but some traffic unprotected)."

🔴 Hard (3)

1. What is the difference between IPSec transport mode and tunnel mode?

Transport mode preserves the original IP header and encrypts only the payload — used for host-to-host communication. Tunnel mode encrypts the entire original packet and wraps it in a new IP header — used for site-to-site VPN (most common). Tunnel mode hides the original source and destination from observers on the transit network.

Remember: "Transport = host-to-host (encrypts payload). Tunnel = site-to-site (encrypts entire packet + new header)." Tunnel mode is far more common.

2. How does SSH dynamic port forwarding (SOCKS proxy) work and how does autossh improve SSH tunnels?

`ssh -D 1080 bastion.example.com` creates a SOCKS5 proxy on localhost:1080 that routes all configured traffic through the bastion. autossh wraps SSH with auto-reconnect on failure (`autossh -M 0 -o ServerAliveInterval=60 -fN -L ...`), monitoring the connection and restarting it if it drops.

Under the hood: the SOCKS5 protocol supports both TCP and UDP, though OpenSSH's `-D` forwards TCP connections only. Configure browsers or curl with `--proxy socks5h://localhost:1080` (the h means DNS resolution goes through the proxy too, so internal hostnames resolve on the far side and no DNS queries leak locally).

3. Compare WireGuard, OpenVPN, IPSec, and SSH tunnels across performance, complexity, and use cases.

WireGuard: excellent performance, very simple, ~4000 LOC, UDP only — best for general VPN. OpenVPN: good performance, moderate complexity, UDP or TCP — best for enterprise with PKI/LDAP. IPSec: good performance, complex, in-kernel — best for site-to-site with hardware routers. SSH tunnels: fair performance, simple, TCP only — best for quick access to individual services.

Interview tip: WireGuard for greenfield, OpenVPN for legacy PKI environments, IPSec for site-to-site with hardware routers, SSH tunnels for ad-hoc access.