What the hell is a VPN, anyway?
March 16, 2020 9:18 PM

What the hell is a VPN? And why does a lack of decent one hamper the ability to let me work from home, anyway?

I *think* a VPN is some kind of ...private server thing or other? But I don't really know squat about what that is, how they work, how much, etc. It sounds like how you log into all the databases we need at work from home, I guess?

Asking because one of the reasons my work cites as not letting me work from home (note: 70% of the office just got allowed to work from home today, but not me!) is because of the VPN, something along the lines of "it can't handle having so many people using it." And I guess it's not fixable?

Anyway, please explain this to me like I'm a 5-year-old, because I am dumb on tech.
posted by jenfullmoon to Computers & Internet (18 answers total)
File servers where you share things, or other computers that you connect to with your work computer are often behind a firewall. That means that only computers inside your work's network can talk to it, and people outside who might want to do malicious things with your data have a much harder time getting to it. This is a good thing.

But what if you're not physically at work and still need to get to a file that's on that shared drive? That's where a VPN comes in. When you connect through a VPN, it makes it look like your computer is now inside the work network, in a secure way.

If your VPN was not sized to handle the entire company at once, and everyone tries to connect, it'll be like bad plumbing. The pipes are only so big, and only so much data will get through, so everything will slow to a crawl.
posted by chrisamiller at 9:28 PM on March 16, 2020 [8 favorites]

A VPN is a gated and walled internet garden (passworded) filled with applications. Your company built one on a server to let people do just work things on it. It is resource intensive in that you're using the server computer to give you a bunch of information that otherwise couldn't be on your home computer. Most of the actual computer thinking is happening on the VPN.

Depending on the type of work you do and how resource intensive it is, there are very real slowdowns that happen when too many people access too small of a VPN at the same time. The only way to fix it is to upgrade hardware to make the garden bigger, so to speak.
posted by AlexiaSky at 9:28 PM on March 16, 2020

A network is a bunch of computers that can talk to each other. These computers have to be connected in some way (this is what cable, dsl, wifi, whatever does). A network can be small, or big. But it's a bunch of computers that are physically connected and can talk to each other.

The internet is a big network that the world's computers can use to talk to each other.

Companies have their own, private networks. In your case, the computers that can use this network must be connected to the network -- they have it wired such that their offices are connected to the network. The databases etc live on this network. If you're not connected to the network, you cannot talk to anything on the network.

Now, you might think: why can't I access the network from home? The company computers can talk to the internet, after all. This is beyond the scope of the answer but the answer is that they set it up that way...an employee's computer can talk to multiple networks (the private network and the internet), but the databases etc are only on the private network.

A VPN is a virtual private network -- it lets you get into a private network (eg your work network) via the internet. A company needs to set this up with servers and bandwidth and stuff.

Is this fixable? Absolutely. How fixable? Depends on the technical resources available to the company. Sounds like a cop out to me.
posted by wooh at 9:30 PM on March 16, 2020 [6 favorites]

A VPN is a “virtual private network”. In effect, it puts your computer on the same internal network it would be if you connected to the internal WiFi at work, or plugged into a jack in the office.

Most VPNs do this by encrypting all the network traffic from your computer and sending it to a server on your work network. In most cases this is everything, not just the work-related traffic. So if a website like Google Maps looks at your IP to guess where you are, it guesses the office rather than your house.

From your work’s perspective, this often matters because a lot of the computers on the internal network just don’t have a public Internet address at all. You have to be on the internal network to access them... and if your connection is coming through the VPN server, you are!

VPNs can be limited due to physical capacity, e.g. the VPN server can only handle so many connections without overloading. They can also be limited to a number of “seats” due to software licensing, e.g. it artificially limits connections to 50 because that’s what you paid for. ;)

My employer has had to both install more physical servers and buy more license seats to enable the whole company to WFH. Buying more licenses is usually fast, if expensive; adding more hardware can take a while because someone has to ship and install it.
posted by a device for making your enemy change his mind at 9:35 PM on March 16, 2020 [6 favorites]

A VPN is a gated and walled internet garden (passworded) filled with applications. Your company built one on a server to let people do just work things on it. It is resource intensive in that your using the server computer to give you a bunch of information that otherwise couldn't be on your home computer. Most of the actual computer thinking is happening on the VPN.

This sounds more like VDI, not a VPN.
posted by zamboni at 9:36 PM on March 16, 2020 [7 favorites]

zamboni: That's true. My VPN does have permission to then do VDI for reasons. I forget they aren't actually the same thing.
posted by AlexiaSky at 9:45 PM on March 16, 2020 [1 favorite]

I have a bunch of computers and computer-like objects in my house. (Printers, Smart TVs, Amazon Alexas, etc.) Because they're all on my home network, they can all talk to each other, and because I have a gateway to the Internet, they can talk to any computer in the world.

My firewall mostly restricts the latter, to prevent you from, say, printing to my printer, changing the channel on my TV, or doing more nefarious things. Generally, communication requests initiated outside my home network are silently dropped at the firewall. There is no path from your laptop to my printer.

However, I could set up a hole in the firewall to my printer. Then, you could talk directly to it and print to it.

That would be dumb. If you could do it, anyone else could do it, and it wouldn't be too long before my printer was spewing out continuous memes.

So, instead, we'll open up a hole, not to my printer, but to a Virtual Private Network server on my network. You can still talk to that device, but not directly to anything else on my network. And we would encrypt the connection so that nobody could see what's going back and forth, and force you to log in with a username, password, two-factor authentication, and whatever else we use to ensure that only you can access it.

Your standard modern PC has two network devices, the wired network and the wireless network. Usually, only one of them is active. When software on your computer wants to send information to the network, it'll get routed to the active network connection.

What VPN software does is create a 'new' network connection. It's not physical hardware like the other two, but that doesn't matter. It still says to the system, 'hey, here I am, send me network data.' So, with the right software on your end, and a willing server on my end, we can set it up so that you have a third network connection that talks directly to a device inside my network. And while you can only talk directly to the VPN server, it is on my network and can talk to any device inside it.

With a bit of magic jiggery-pokery, we can put all of these pieces together and put your laptop onto my network. That VPN connection that we established would bypass my firewall and act like a really long network cable. Once connected, it would be logically the same as if you were in my house and connected to my Wi-Fi, with the exception that the network connections would be slower. You could access my printer, file shares, smart TV, security cameras, or whatever else.

As a less techie example, imagine if we added one more stop onto the New York City subway system, a Stargate-style portal between one station and a park in a small town in rural Nebraska. That park would, in every way, just be one more stop in the subway system.
posted by Hatashran at 9:47 PM on March 16, 2020 [3 favorites]

I like the portal example!

The internet is greyhound buses -- you can go wherever you want.

Your work is the new york subway -- you can go where you want inside of New York, and have to get into the system.

The VPN is like a free transfer ticket.
posted by wooh at 10:07 PM on March 16, 2020 [1 favorite]

In the office your computer is connected via ethernet cable or maybe via Wifi. You are on the Local Network.

You want to access the Local Network from home. Rather than run a really really long piece of ethernet cable to your house, we create a virtual ethernet cable. And another one to your coworker, and anyone else working at home. Collectively all of those virtual ethernet cables make up a Virtual Private Network (VPN).

The VPN server sits between the Local Network and the VPN and organizes everything. It sounds like yours is overloaded and is raising the little white flag.
posted by Tell Me No Lies at 10:21 PM on March 16, 2020

re: "something along the lines of 'it can't handle having so many people using it.'"

Yes, this actually can be a thing. Various potential reasons. Perhaps they didn't pay for enough licenses for the VPN server/software that allows remote people to connect. Perhaps they didn't buy enough hardware (processor/RAM, etc.) to power that server well enough to handle the load. Or purchase an internet connection big enough, on the INBOUND side, to accommodate all the traffic. Entirely possible there are other dipshit reasons. My best friend works for one of the top 10 largest banks in the world, and they are having the same. exact. problem. Not 'cause they can't afford it! But likely because some beancounter or IT exec didn't think ahead, or had more pressing projects to spend money on.
posted by armoir from antproof case at 10:56 PM on March 16, 2020 [2 favorites]

Lots of people have already answered what a VPN is.
I will try to answer some common reasons why you may not be able to use it.
Most companies that have offices expect most people to be in the office. So when they are scoping a remote access system they don't aim to have capacity for 100% of people.
Increasing the capacity might be as simple as purchasing more licences in some cases. Or it might be that the hardware or Internet connection only has a certain capacity, which would take much longer to resolve than just buying licences (especially when every company is trying to do it at the same time).
Finally, you mentioned that you have a job that involves databases. It may be that even with a VPN these are not accessible for security reasons. Or maybe they don't actually have a VPN for most people, maybe most people just work from email and Office365 in which case they can work from home but you cannot because of your systems.
posted by McNulty at 11:09 PM on March 16, 2020 [1 favorite]

Yeah there might be technical and licensing reasons why this is *slightly inconvenient*.

During this unprecedented event where your safety depends on *not* going out as much as possible...fuck those guys. Their cost/risk is lower than yours. This infuriates me.

I don't see how this is any more OK than letting an employee work in a room full of asbestos. There's statistical uncertainty in both cases.

I don't know what to do about it. Cough a lot at work? I hope an employment attorney speaks up.

I'm sorry it's happening to you.
posted by j_curiouser at 4:18 AM on March 17, 2020

Yes, a company's VPN can choke when more people than expected are on it.

That said, it's a poor excuse in this situation. For an example of what a humane response to this situation looks like - my Fortune 100 company moved quickly to mandate WFH for all Seattle employees (our second biggest office) - this was a couple weeks ago. A couple days later they announced optional WFH for all employees. Meanwhile they were working furiously behind the scenes to beef up the VPN and more than double the capacity. By yesterday they had moved to mandatory WFH for all US and Canada employees and the VPN was singing along merrily. I don't know what they had to do to get it all online so smoothly but they did it.
posted by peacheater at 5:25 AM on March 17, 2020

Response by poster: Is this fixable? Absolutely. How fixable? Depends on the technical resources available to the company. Sounds like a cop out to me.

My office is perpetually broke and clueless, and I would reasonably assume on top of that that we have limited access to any kind of technical assistance at this time.

Thanks, y'all. Now I'll know by the time I die :p
posted by jenfullmoon at 7:25 AM on March 17, 2020

I do see lots of nontechnical attempts at explanation here, with various levels of accuracy.

Here's my stab, because as a nerd it's impossible for me to let this go. The short answer, though, is that there are a couple places that become chokepoints, and some nontrivial reasons why this isn't super simple to fix quickly.

So, what's a VPN?

1. In your office, at your desk, your computer can talk to your internal resources -- your SharePoint, your share drives, your internal applications like SAP or whatever -- using an INTERNAL network that is (probably) safe from outsiders snooping.

2. From OUTSIDE your office, though, you'd need to connect to those things by using the public Internet to connect to your office FIRST, and then talk to those things.

3. This is bad, because traffic on the public Internet isn't (by and large) encrypted or secure in any way. It's trivial to eavesdrop on these connections if you know how.

4. Enter the VPN, which stands for Virtual Private Network. Typically, this is some piece of hardware in your office plus a piece of software on your computer. The software on your computer connects to the VPN hardware in your office and establishes a secure, encrypted connection (we sometimes call this a "tunnel").

Your computer then sends its network traffic through that "tunnel", so it's all safe and sound and secure until it gets inside your office, where it's safe there on account of being inside your office. Yay! In a real sense, a person using the VPN from Starbucks is, in nearly every way that matters, INSIDE your network.

5. This creates the first chokepoint, though. Typically, not everyone in an office uses the VPN. The stereotypical case is that only traveling consultants, say, and executive management (who also travel) ever really use it.

People who usually or always work in the office don't use it, and so they aren't part of the arithmetic when IT figures out how to set things up. If you have 50 people in your office, but only 10 folks usually use the VPN, it'd be reasonable to set things up so you could support 15 or even 20 -- so you have some growing room. Allowing for all 50 isn't something you'd do, because there are hardware costs and software costs that need to be justified.

It's not just names on a list or dollars for licenses; the hardware part needs to be robust enough to handle the expected volume plus a buffer, but a sudden shift to "everyone works at home" will create load well in excess of any reasonable buffer margin envisioned at purchase.

6. Remember, above, when I said a VPN user is basically inside your network? This is literally true. In the typical case, once the VPN is enabled literally ALL the network traffic from that computer goes FIRST to your VPN device at your office, and then to its final destination. This is fine and dandy if the traffic is for your SharePoint site or other internal tool, but it's a waste when you're just trying to read CNN or whatever. This means the VPN has to evaluate a lot of non-internal traffic in order to protect the internal traffic.

The good news is that this is NOT how all VPNs are configured, but it IS how VPNs tend to be configured by default when they are not heavily used -- ie, in organizations that are having trouble now transitioning to a dispersed workforce.

The alternative is to set up something called "split routing" where the only traffic that goes over the VPN connection is stuff that NEEDS to go that way -- ie, your internal traffic. Visits to MeFi or CNN.com or whatever go straight there from your laptop, just as though the VPN wasn't set up. This is a MUCH smarter way to arrange things unless you have a specific need to trap & secure ALL the traffic.

Companies that use split routing are having a much easier time here, as you might imagine. But it's HELLA easy to overwhelm a traditionally routed VPN with too many users, and that's what's happening in lots of places (my wife's office, a law firm, is having this problem).

7. Finally, let me also note that your office's internet connection itself is also a factor regardless of VPN options. If your network isn't set up to support a ton of external users of internal tools, then THIS will become a problem even if the VPN itself is able to handle it.
posted by uberchet at 11:25 AM on March 17, 2020 [1 favorite]
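The full-tunnel versus split-routing distinction in uberchet's points 6 and 7, as an added example that is not part of the thread or anyone's answer: a small Python simulation of the laptop's routing table, using constructed internal prefixes, documentation-range public addresses and made-up traffic volumes, that shows how the choice of default route decides how much traffic has to cross the office VPN gateway.

```python
"""Full-tunnel vs split-tunnel routing on a VPN client, simulated.

Constructed scenario (not from any real network): a laptop with home
Wi-Fi (wlan0) and a VPN interface (tun0). In full-tunnel mode the VPN
client installs a default route via tun0, so every packet goes to the
office first. In split-tunnel mode only the office's internal prefixes
are routed via tun0 and the default route stays on wlan0.
"""
from ipaddress import ip_address, ip_network

# Office internal prefixes (constructed, RFC 1918 space): SharePoint, file shares.
INTERNAL_PREFIXES = [ip_network("10.20.0.0/16"), ip_network("192.168.100.0/24")]


def full_tunnel_routes():
    """VPN client replaces the default route: everything via tun0."""
    return [(ip_network("0.0.0.0/0"), "tun0")]


def split_tunnel_routes():
    """Internal prefixes via tun0; the default route stays on home Wi-Fi."""
    return [(p, "tun0") for p in INTERNAL_PREFIXES] + [(ip_network("0.0.0.0/0"), "wlan0")]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, like a kernel routing table."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def vpn_load(routes, flows):
    """Bytes that must cross the office VPN gateway for (destination, bytes) flows."""
    return sum(nbytes for dst, nbytes in flows if lookup(routes, dst) == "tun0")


# Constructed traffic sample; public addresses are RFC 5737 documentation ranges.
FLOWS = [
    ("10.20.5.17", 40_000_000),      # SharePoint sync (internal)
    ("192.168.100.8", 5_000_000),    # file share (internal)
    ("203.0.113.10", 900_000_000),   # video call on a public service
    ("198.51.100.44", 30_000_000),   # reading a news site
]

if __name__ == "__main__":
    for name, routes in (("full tunnel", full_tunnel_routes()),
                         ("split tunnel", split_tunnel_routes())):
        mb = vpn_load(routes, FLOWS) / 1e6
        print(f"{name}: {mb:.0f} MB through the office VPN gateway")
```

With the constructed flows, full tunnel pushes all 975 MB through the office while split routing sends only the 45 MB of internal traffic that way, which is the capacity difference the answer describes.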

My employer has long been anti-work from home except in limited circumstances, to the point where we begged for limited work from home. We have offices in China, and were able to expand capability to allow hundreds of the employees there to work from home. We were in the midst of negotiating upgrades of VPN licensing and purchasing new hardware when the shutdowns hit here in the US.

My point here is that most companies that have been around a few decades have an old-fashioned expectation that people need to be in the office to work well together, and don’t tend to invest money in infrastructure that won’t often be used. Why would you spend money on something you don’t expect to use? That doesn’t make a company bad, it makes them look good to their investors.

And when the time comes to invest in the infrastructure, it takes time to acquire hardware and software, to increase bandwidth, to purchase licenses. (Fortunately virtually all of our employees use laptops.)

Things are working well for us so far, to the point where we hope when all this is over we will have new policies that will allow more flexibility for working from home.
posted by lhauser at 9:17 PM on March 17, 2020

Response by poster: My town got "shelter in place" today, so they HAD to let us work from home now. I took my computer home. We'll see how the dreaded VPN works tomorrow.
posted by jenfullmoon at 9:45 PM on March 17, 2020 [1 favorite]

BTW, it may not be the case that everything you need to do requires the VPN. I have our VPN enabled on my computer but I can turn it on and off (disconnect from it). When I disconnect, some applications and systems aren't available to me; but many others are. If you find things crawling, it may be that you could do exactly what you need to do without being "on the VPN" and can turn it off.
posted by marylynn at 9:47 PM on March 18, 2020
