Risks associated with virtual private networks (VPN)

A virtual private (self-contained) network (VPN) is an encrypted communication channel that allows a secure connection between two remote computers via the internet. In the past, VPNs of this kind were used mainly by companies, for example to network different company locations or to give employees remote access to the company network. This allows employees to work flexibly wherever they are. In the meantime, VPN is also used in the domestic sector, for example to protect against attacks in a public WLAN network. In addition, VPN networks are used to conceal your own IP address. If you connect to a VPN server, all internet access subsequently seems to come from this VPN server and no longer your own computer. This prevents local tracking and ensures that the actual IP address is not visible to the websites and services visited.

Commercial VPN providers

In order to meet this demand, there are now numerous VPN service providers which charge fees. The integrity and security of the VPN provider is of key significance here. It is worth checking whether your own risk profile is covered by the provider.

Offerings which are free of charge

But there are also a number of offerings which are free of charge. It should be borne in mind that these offerings also have to be financed, for example through advertising or the marketing of user profiles. To keep costs as low as possible, various providers of free VPN solutions are based on peer-to-peer (P2P) technology. P2P refers to the architecture of a network in which all devices have the same communication possibilities and each device can serve as both server and client. It is not a central infrastructure that is used as a VPN server here; instead, all participants consciously or unconsciously make their computer available as a VPN server. As a result, the user is no longer just a user but is also a co-operator of the network. Since these services can also be abused by criminals to hide their identity, it is possible for one's own infrastructure to be used for illegal activities.

The Onion Router (TOR) network

TOR is a network for enabling anonymous communication. The TOR network sends requests via any number of relays. This disguises the original IP address from the web page and the network nodes after the entry point. If users of the network want to be available not only as users but also as operators of an exit node for other users or to make their computers available as relays, they must, however, actively decide to do so and install appropriate software. TOR operators are thus aware that anonymous internet traffic can be sent through their connection.

It should be noted that the last relay connection, the so-called TOR exit node, is not encrypted. Since there is no control over who operates these nodes, there is a certain risk that unencrypted data traffic can be read at this point. To reduce this risk, the
use of exit nodes that enjoy a higher degree of trustworthiness can be selected.

Consequences and risks

Users of some VPN P2P networks run the risk of crimes being committed via their internet connection (and via their IP address).

In the case of dubious providers, there is the danger that data can be read and abused for any purpose.

Precautionary measures
  • The integrity and security of a VPN provider are of key significance
  • Find out in advance about the quality and reliability of a VPN provider, study the usage guidelines and pay attention to the place of jurisdiction of the operator
  • Select a VPN provider that meets your security needs
  • Before using VPN peer-to-peer software, it is recommended that you carefully evaluate all risks and minimise the risk of abuse of your IP address for crime
  • Limit the use of anonymization tools in a company network. You can also block known VPN services on gateways that protect access to resources with authentication. However, such restrictions are not suitable for publicly accessible services, as users of anonymization tools should usually not be excluded here.

Specialist staff
Last modification 23.07.2018

Top of page