VPN & Tunneling — Trivia & Interesting Facts

Surprising, historical, and little-known facts about VPN technologies and network tunneling.


IPsec has two modes and most people use the wrong mental model

IPsec operates in transport mode (encrypts only the payload) or tunnel mode (encrypts the entire original packet and wraps it in a new IP header). Most site-to-site VPNs use tunnel mode, and most host-to-host VPNs use transport mode. The IKE (Internet Key Exchange) negotiation that establishes IPsec SAs is so complex that RFC 2409 (IKEv1) was 41 pages long, and IKEv2 (RFC 7296) is 142 pages. IPsec configuration remains one of the most error-prone tasks in network engineering.


WireGuard is about 4,000 lines of code — IPsec is over 400,000

Jason Donenfeld released WireGuard in 2016 with approximately 4,000 lines of kernel code. In contrast, the Linux IPsec implementation (XFRM framework, IKE daemons, etc.) spans hundreds of thousands of lines. WireGuard achieves this simplicity by making opinionated cryptographic choices (Curve25519, ChaCha20, Poly1305, BLAKE2) rather than negotiating algorithms. Linus Torvalds called it a "work of art" when it was merged into the Linux kernel in 2020 (kernel 5.6).


OpenVPN runs in userspace and was limited by that design decision for two decades

OpenVPN (first released in 2001) runs entirely in userspace, using the TUN/TAP interface to send and receive packets. Every packet must cross the kernel-userspace boundary twice (in and out), limiting throughput to approximately 200-500 Mbps on most hardware. WireGuard's kernel implementation avoids this overhead, achieving multi-gigabit throughput. OpenVPN's DCO (Data Channel Offload) module, added in 2022, finally moves data plane processing to the kernel.


GRE tunnels have no encryption and were never meant to be secure

Generic Routing Encapsulation (GRE, RFC 2784) wraps packets inside IP packets, creating a tunnel between two endpoints. It provides no encryption, no authentication, and no integrity checking. GRE was designed purely for encapsulation — connecting two networks over an IP backbone. When people need secure GRE tunnels, they typically run GRE inside IPsec, which adds the security layer that GRE lacks. This "GRE over IPsec" pattern is one of the most common site-to-site VPN configurations.
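To make the "no authentication, no integrity, no encryption" point concrete, here is an added example (not from the page or from any GRE implementation) that parses an RFC 2784 GRE header with Python's standard library: the only check the format carries is an optional non-cryptographic Internet checksum, and the encapsulated packet's addresses and data read straight off the wire. The frame is constructed inline; RFC 2890 key/sequence extensions are rejected rather than parsed.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum: the only integrity field GRE defines, and not a cryptographic one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_gre(frame: bytes):
    """Return (header fields, inner packet) for an RFC 2784 GRE frame."""
    if len(frame) < 4:
        raise ValueError("GRE header is at least 4 bytes")
    flags_ver, proto = struct.unpack("!HH", frame[:4])
    checksum_present = bool(flags_ver & 0x8000)
    if flags_ver & 0x0007:          # RFC 2784 defines only version 0
        raise ValueError("unsupported GRE version")
    if flags_ver & 0x3000:          # K/S bits: RFC 2890 key/sequence extensions, not handled here
        raise ValueError("RFC 2890 extensions not handled")
    fields = {"protocol": proto, "checksum_present": checksum_present, "checksum_ok": None}
    offset = 4
    if checksum_present:
        # The checksum covers header and payload; recompute it with the field zeroed.
        stored = struct.unpack("!H", frame[4:6])[0]
        fields["checksum_ok"] = inet_checksum(frame[:4] + b"\x00\x00" + frame[6:]) == stored
        offset = 8
    return fields, frame[offset:]

def inner_ipv4(pkt: bytes):
    """Read addresses and data from the encapsulated IPv4 packet: nothing in GRE hides them."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), pkt[ihl:]

def build_sample() -> bytes:
    """Constructed frame: C bit set, protocol 0x0800, inner IPv4 10.1.0.10 -> 10.2.0.20.
    The inner IPv4 header checksum is left zero; it is not what this example inspects."""
    payload = b"GET / HTTP/1.0\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, 6, 0,
                     IPv4Address("10.1.0.10").packed, IPv4Address("10.2.0.20").packed) + payload
    hdr = struct.pack("!HH", 0x8000, 0x0800)
    csum = inet_checksum(hdr + b"\x00\x00\x00\x00" + ip)
    return hdr + struct.pack("!HH", csum, 0) + ip
```

Flipping a single payload byte fails the checksum, but the same flip made by anyone who also recomputes the checksum is undetectable; that is the gap IPsec fills in the "GRE over IPsec" pattern.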


Split tunneling was controversial long before remote work

Split tunneling — routing only corporate traffic through the VPN while allowing other traffic to go directly to the Internet — has been debated since the 1990s. Security teams argue that split tunneling bypasses corporate security controls. Users argue that routing everything through the VPN wastes bandwidth and adds latency. The COVID-19 remote work shift in 2020 forced many organizations to enable split tunneling because their VPN concentrators couldn't handle the load of full-tunnel for all employees.


The "VPN on every device" model is being replaced by zero-trust networking

Traditional VPNs grant network-level access: once connected, a user can reach everything on the corporate network. Zero-trust network access (ZTNA) replaces this with per-application access: each request is authenticated and authorized independently, regardless of network location. Products like Zscaler Private Access, Cloudflare Access, and Tailscale represent this shift. Google's BeyondCorp (published 2014) was the foundational paper that argued VPNs should be eliminated entirely.


L2TP/IPsec was the enterprise VPN standard despite being terrible

Layer 2 Tunneling Protocol (L2TP, RFC 2661) combined with IPsec was the default remote access VPN for enterprises throughout the 2000s and 2010s. L2TP itself has no encryption; IPsec provides the security layer. The combination is complex to configure, performs poorly due to double encapsulation overhead, and uses UDP port 500 (IKE) and IP protocol 50 (ESP), which are frequently blocked by hotel and airport networks. Despite these flaws, it was built into every operating system, making it the path of least resistance.


MPLS VPNs are "VPNs" without any encryption

MPLS L3VPN (RFC 4364) and L2VPN services provided by ISPs are called "VPNs" because they provide traffic isolation between customers using label switching and VRF tables. However, MPLS VPNs provide zero encryption — traffic flows in plaintext across the provider's backbone. The "privacy" comes from logical separation, not cryptography. Organizations requiring actual confidentiality over MPLS must add their own IPsec or MACsec encryption on top.


SSH tunneling is the world's most deployed ad-hoc VPN

ssh -L, ssh -R, and ssh -D (dynamic SOCKS proxy) have been used as ad-hoc VPN solutions since the 1990s. SSH port forwarding creates encrypted tunnels for individual TCP connections without any VPN software. The pattern of ssh -D 1080 jumphost plus a browser configured to use SOCKS5 proxy on localhost:1080 has been the go-to method for bypassing network restrictions for decades. It's technically a VPN for a single application — and it works everywhere SSH does.
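The SOCKS5 exchange that makes the ssh -D pattern work, as an added example (not from OpenSSH or from the page): the browser's RFC 1928 method greeting and CONNECT request, and the decoder the local listener needs to turn that request back into a host and port. Function names are my own; sample requests are built by calling the functions.

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def client_greeting() -> bytes:
    """Method negotiation: the browser offers only 'no authentication', which ssh -D accepts."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def connect_request(host: str, port: int) -> bytes:
    """CONNECT request; a hostname is sent as-is, so DNS resolution happens on the jump host."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5") from None
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_request(data: bytes):
    """What the listener must decode: returns (host, port) or raises on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd}")
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_IPV6:
        host, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) != end + 2:
        raise ValueError("truncated request or trailing bytes")
    return host, struct.unpack("!H", data[end:end + 2])[0]
```

Because SOCKS5 carries the hostname rather than an address, every name the browser visits through the tunnel is resolved by the jump host, not the client network; that is what keeps DNS out of the local network's view and what a log on the jump host will show.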


Double VPN and onion routing serve different threat models

"Double VPN" (routing traffic through two VPN servers) prevents any single VPN provider from seeing both the source and destination. Tor's onion routing extends this to three hops with layered encryption. While both add latency, they serve different threat models: double VPN protects against a compromised VPN provider, while Tor protects against traffic analysis by adversaries who can observe multiple points of the network. Most users need neither, but the distinction matters for those who do.