The usefulness of a VPN connection is hard to overstate! It shields the traffic of your devices from many network-based attacks and from eavesdropping. Always use a VPN connection on unfamiliar networks and whenever you need services that only work from the OAMK or university networks.
You don’t need a VPN connection if you are using the paid mobile networks of operators such as DNA, Elisa and Telia, and the online service you are using does not require a VPN to function.
- Why is a VPN connection needed?
- Instructions for creating a VPN connection
- In the services of Oulu universities, traffic is typically already protected – VPN is a good additional protection alongside other security methods
Why is a VPN connection needed?
In computer networks, data is broken down into smaller packets for transport. From these packets it is almost always possible to determine where a packet is coming from and where it is going. The data carried inside a packet is often in plain text, and anyone along the packet’s path can read it as it is. Sometimes the data in the packets is encrypted, but that protection can still be bypassed in certain cases. This succeeds most easily when the user ignores a warning from the browser or another program about an invalid certificate and establishes the connection anyway: an attacker sitting in the path can then present their own certificate, and the traffic passes through them in the clear.
The idea of a VPN connection is to encrypt all transported data packets and encapsulate that encrypted traffic inside other packets for transport. The packets are sent to a VPN server, which decrypts them and forwards the traffic onward. A functioning VPN connection encrypts all traffic that is routed through the tunnel, and it doesn’t matter much if an outsider sees those encrypted packets. Note that VPN connections can be used over mobile data as well as over wired and wireless local networks.
A VPN enables:
- Remote access to an organization’s information systems securely and with authentication
- Relatively safe use of unknown network connections with your own devices
- Better privacy protection
Examples of ways in which users of unprotected connections (remote users) are deceived:
- You are traveling by train in Finland, and there appears to be a free internet connection available in the carriage. The access point may have been installed by VR with the name “VR”, or another passenger may be using the same “official name” for their own access point, luring other passengers to use that network. Users of that unauthorized access point are now at risk, because the traffic passing through it is recorded.
- You are enjoying a cold beer at a summer market and using the PanOulu network. It is an unencrypted wireless network that you can join without a password. Someone on a nearby patio can collect the plain-text traffic between your phone and the PanOulu access point!
- You are using PanOulu in your office with a laptop or phone. In a nearby classroom a student has set up an unauthorized access point with the same name, and your laptop/phone has connected to that (false) access point.
- You are visiting London and using Heathrow’s free Wi-Fi network. In the same departure lounge there are cybercriminals collecting all plain-text wireless traffic for later use.
- You are visiting a French partner university and logging into their strongly protected WPA2 wireless local area network, using the credentials of the person hosting the event. Behind the wireless network, in the wired network, there is a compromised device or some other third party that sees the traffic coming from the access points as it is.
- Same as the previous point, but you are in a hotel/B&B, and the traffic behind the wireless network is being recorded.
Eavesdropping on networks can occur without the user’s knowledge
Eavesdropping and network traffic interception are almost always automated and do not require a human at the controls in real time. Users of wireless local area networks (Wi-Fi) in particular are relatively easy targets for eavesdroppers. If the wireless network does not use any encryption, all transferred packets can be captured near the wireless access point. (Wi-Fi encryption methods are WEP, which is broken and no longer offers any real protection, and nowadays WPA/WPA2, with WPA3 gradually replacing them.) Completely unencrypted Wi-Fi networks are very common in Finland and abroad. For example, PanOulu is an unencrypted wireless network.
A potential eavesdropper can also sit behind the access point in the wired network, or the wireless access point may be a so-called “rogue access point”, meaning an access point that has been set up without authorization. In this case the eavesdropper has set up their own unauthorized access point with a credible or identical network name (SSID) to deceive users. The SSID is chosen freely by whoever configures the access point, so an identical name proves nothing about who is behind it.
The security settings of the wireless access point itself do not necessarily say much about the security of the connection: the owner of the access point is not always known, and the user typically cannot know what is happening in the network behind the access point.
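The rogue-access-point case described above can be checked for, at least crudely, from an ordinary Wi-Fi scan. The following is an added example written for this bulletin, not code from Oamk ICT services or from the original author: it parses the terse output format of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` and flags access points that advertise one of the organisation’s SSIDs but whose BSSID vendor prefix (OUI) is not in a baseline, or whose security setting differs from what that SSID should have. It goes one step beyond the text in that it does not trust the name at all, since the name is exactly what a rogue access point copies. The scan lines, the baseline OUIs and the expected security settings are constructed for the example; a real baseline would come from the WLAN controller.

```python
"""Flag likely rogue access points in a Wi-Fi scan (added example)."""
from collections import defaultdict

# Constructed scan output in nmcli terse format (fields separated by ':',
# colons inside a field escaped as '\:', empty SECURITY = open network).
# Not a real capture: the fourth PanOulu entry and the second eduroam entry
# carry a vendor prefix we do not own, and the eduroam one is open.
SCAN = """\
PanOulu:AA\\:BB\\:CC\\:01\\:02\\:03::70
PanOulu:AA\\:BB\\:CC\\:01\\:02\\:04::65
PanOulu:AA\\:BB\\:CC\\:01\\:02\\:05::40
PanOulu:DE\\:AD\\:BE\\:EF\\:00\\:01::90
eduroam:AA\\:BB\\:CC\\:01\\:02\\:06:WPA2 802.1X:72
eduroam:DE\\:AD\\:BE\\:EF\\:00\\:02::88
Cafe Guest:11\\:22\\:33\\:44\\:55\\:66:WPA2:50
"""

# Assumed baseline: vendor OUIs (first three octets of the BSSID) of the
# organisation's own access points, and the security each SSID must have.
BASELINE_OUI = {"PanOulu": {"AA:BB:CC"}, "eduroam": {"AA:BB:CC"}}
EXPECTED_SECURITY = {"PanOulu": "OPEN", "eduroam": "WPA2 802.1X"}


def split_terse(line):
    """Split one nmcli terse line on unescaped ':' (a backslash escapes)."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(text):
    """Return one dict per access point; open networks get security 'OPEN'."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = split_terse(line)
        aps.append({"ssid": ssid, "bssid": bssid.upper(),
                    "security": security or "OPEN", "signal": int(signal)})
    return aps


def oui(bssid):
    return bssid[:8]


def find_rogues(aps, baseline_oui=BASELINE_OUI, expected=EXPECTED_SECURITY):
    """List (ssid, bssid, reasons) for APs that advertise one of our SSIDs but
    do not look like our hardware or our configuration. Several BSSIDs per
    SSID are normal (one per physical AP), so that alone is never a finding."""
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap["ssid"]].append(ap)
    findings = []
    for ssid, group in by_ssid.items():
        if ssid not in baseline_oui:
            continue  # not our network, nothing to compare against
        for ap in group:
            reasons = []
            if oui(ap["bssid"]) not in baseline_oui[ssid]:
                reasons.append("vendor prefix %s not in baseline" % oui(ap["bssid"]))
            if ap["security"] != expected[ssid]:
                reasons.append("security %s, expected %s" % (ap["security"], expected[ssid]))
            if reasons:
                findings.append((ssid, ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_rogues(parse_scan(SCAN)):
        print("%-10s %s  %s" % (ssid, bssid, "; ".join(reasons)))
```

On the constructed scan this reports the PanOulu access point with the unknown vendor prefix and the open “eduroam” access point, while the three genuine PanOulu radios and the unrelated cafe network pass. Note that the rogue entry is also the strongest signal in each group, which is typical: the attacker sits close to the victims.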
Instructions for creating a VPN connection
ICT services have provided instructions for creating VPN connections: see VPN connection creation. Users of wireless guest networks in particular should always enable the VPN connection first, and only then use other network services.
In the services of Oulu universities, traffic is typically already protected – VPN is a good additional protection alongside other security methods.
Most commonly used services nowadays use secure connections. (You can recognize a website using a secure connection from its address beginning with https.) All essential services of the Oulu universities also protect their traffic: for example email, intranets, Moodle and Peppi use TLS (in the browser, HTTPS). Websites using secure traffic have their own certificate (a TLS certificate, still commonly called an SSL certificate).
The purpose of the certificate is to:
- Let the browser verify that you are on the site of the entity the certificate was issued to
- Enable the encrypted connection, and show you that it is in use.
Certificates are issued by certificate authorities, which may charge for them, and they must be renewed periodically. The browser will warn you if there is no valid certificate. The user then has to decide whether to continue to the service or not, knowing that an intermediary may be offering a false certificate for fraudulent purposes. In such a situation you can check with the helpdesk whether it is safe to use the service, for example when the certificate has just expired and its renewal is still in progress.
This problem can also affect the VPN service. In addition, if we put on our tinfoil hat, we must consider that TLS versions older than 1.2 are vulnerable to a couple of attack methods, of which at least the “BEAST” attack and its variants are well known and have been shown to work in practice. Note also that a secure connection does not help much if the target is wrong, so always check what the browser’s address bar says before logging in!
VPN should be seen primarily as good additional protection alongside other security methods. A VPN helps against DNS spoofing on the local network, provided that name lookups also go through the tunnel to the organization’s own resolver rather than to the untrusted network’s resolver. Some software does not use encrypted connections at all for checking or fetching updates, and can be fed a malicious update on a hostile network; more on this can be found, for example, by searching for “evilgrade”.
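What “continuing despite the certificate warning” and “allowing old TLS versions” mean in practice can be shown in a few lines of client configuration. The following is an added example, not code from the bulletin’s author or from Oamk ICT services: using Python’s standard ssl module it builds the weak client setup beside the hardened one, audits either for the three problems discussed above, and (with network access) performs a handshake that fails loudly under the hardened setup when the name is wrong or the chain is untrusted. The default host name in the script is an assumption.

```python
"""Two TLS client configurations side by side (added example).

insecure_context() is what "continue despite the certificate warning" looks
like in code; hardened_context() is the setting the text recommends."""
import socket
import ssl


def insecure_context():
    """Accept any certificate from anyone: no hostname check, no chain check.
    check_hostname must be cleared before verify_mode, or ssl raises."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verify the chain against the system (or given) CA store, check that the
    name in the certificate matches the host, and refuse TLS below 1.2
    (BEAST and related attacks target the CBC modes of TLS 1.0)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses in a client context; empty means OK."""
    problems = []
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are allowed")
    return problems


def peer_certificate(host, port=443, ctx=None):
    """Handshake with host:port and return the server's certificate as a dict.
    With the hardened context a wrong name or an untrusted chain raises
    ssl.SSLCertVerificationError; with the insecure one the handshake
    'succeeds' against any impersonator and the returned dict is empty,
    because nothing was verified. Needs network access."""
    ctx = hardened_context() if ctx is None else ctx
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.oamk.fi"  # assumed host
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    try:
        cert = peer_certificate(host)
        subject = dict(rdn[0] for rdn in cert["subject"])
        print(host, "certificate issued to", subject.get("commonName"))
    except ssl.SSLCertVerificationError as e:
        print(host, "REJECTED:", e.verify_message)
```

The point of the audit function is that the difference between the two setups is invisible at the socket level: both “connect”, and only the verified one guarantees you are talking to the party named in the address bar. An application that clears check_hostname and verify_mode is doing programmatically what a user does by clicking through the browser warning.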
(The original text of the bulletin was written by Oamk’s information security officer in 02/2014.
The latest update was made 04/2020 -A-L)