Day 3 of 5
⏱ ~60 minutes
Network Security in 5 Days — Day 3

VPN, Zero Trust & Secure Access

Traditional perimeter security assumes everything inside the network is trusted. Zero Trust flips this: verify every user and device, every time, regardless of location. Today covers VPN architecture, Zero Trust principles, and modern secure access.

VPN Technologies: IPSec and OpenVPN

IPsec operates at Layer 3 and is the usual choice for site-to-site VPNs between offices; it is also used for remote access. OpenVPN is SSL/TLS-based and highly configurable; its default is UDP 1194, but it can be run over TCP 443 so that it passes through most egress firewalls. WireGuard is the modern choice: roughly 4,000 lines of code against OpenVPN's tens of thousands (plus the TLS library underneath), higher throughput, a fixed modern cipher suite with no negotiation to get wrong, and a codebase small enough to audit. The trade-off is that WireGuard authenticates peers only by static public keys, so enrolment, key rotation and revocation have to be built around it. All three encrypt traffic between endpoints.

Zero Trust Architecture

Zero Trust principles: never trust, always verify; assume breach; least privilege access. Implementation requires identity verification (MFA on every request, not once per network), device posture checking (is the laptop managed, patched and encrypted?), micro-segmentation (workstations can't talk to databases directly; each service reaches only the segments it needs), and continuous session monitoring (a decision is re-evaluated as posture or risk changes, not cached for the life of a VPN tunnel). Google's BeyondCorp and Cloudflare Access are real-world implementations.
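The four requirements above can be read as a single policy decision: identity, device posture, least-privilege segment access and session freshness are each checked on every request, and the default answer is deny. The following policy decision point is an added example written for this lesson; it is not code from BeyondCorp or Cloudflare Access. The role-to-segment table, the 30-day patch limit, the 15-minute posture window, the 8-hour session limit and the sample users and devices are all assumptions chosen to illustrate the flow.

```python
"""Toy Zero Trust policy decision point (added example, not a product's code).

Every request is evaluated in full; there is no "inside the network" shortcut.
Thresholds and the role/segment table are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least privilege: which roles may reach which micro-segment (assumed mapping).
SEGMENT_ACCESS = {
    "dev-tools": {"engineer", "dba", "it"},
    "prod-db":   {"dba"},
    "hr-system": {"hr"},
}
# Segments that require a phishing-resistant factor, not just any MFA.
HIGH_ASSURANCE = {"prod-db", "hr-system"}
POSTURE_MAX_AGE = timedelta(minutes=15)   # re-check device state this often
SESSION_MAX_AGE = timedelta(hours=8)      # force re-authentication after this
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int
    posture_checked_at: datetime


@dataclass
class Request:
    user: str
    roles: set
    mfa_method: str | None      # None, "totp", "push", "fido2", "client-cert"
    device: Device
    segment: str
    session_started_at: datetime
    now: datetime


def posture_problems(d: Device, now: datetime) -> list[str]:
    """Return every reason the device fails posture; empty list means healthy."""
    problems = []
    if not d.managed:
        problems.append("unmanaged device")
    if not d.disk_encrypted:
        problems.append("disk not encrypted")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append(f"patches {d.patch_age_days} days old")
    if now - d.posture_checked_at > POSTURE_MAX_AGE:
        problems.append("posture data stale")
    return problems


def decide(req: Request) -> tuple[str, str]:
    """Return ("allow" | "deny" | "step-up", reason). Anything unproven is denied."""
    # 1. Identity: MFA is required on every request, regardless of source network.
    if req.mfa_method is None:
        return "step-up", "MFA required"
    # 2. Device posture: a valid user on an unhealthy device is still denied.
    problems = posture_problems(req.device, req.now)
    if problems:
        return "deny", "; ".join(problems)
    # 3. Least privilege / micro-segmentation: role must grant the segment.
    if not req.roles & SEGMENT_ACCESS.get(req.segment, set()):
        return "deny", f"no role grants {req.segment}"
    # 4. Sensitive segments need a phishing-resistant factor.
    if req.segment in HIGH_ASSURANCE and req.mfa_method not in {"fido2", "client-cert"}:
        return "step-up", f"phishing-resistant MFA required for {req.segment}"
    # 5. Continuous verification: long-lived sessions are re-challenged.
    if req.now - req.session_started_at > SESSION_MAX_AGE:
        return "step-up", "session expired, re-authenticate"
    return "allow", "ok"


def sample_requests() -> dict[str, Request]:
    """Constructed sample inputs (not real telemetry)."""
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    good = Device(True, True, 3, now - timedelta(minutes=2))
    stale = Device(True, True, 3, now - timedelta(hours=2))
    unpatched = Device(True, True, 45, now - timedelta(minutes=2))
    fresh, old = now - timedelta(minutes=30), now - timedelta(hours=9)
    return {
        "engineer_devtools": Request("ana", {"engineer"}, "totp", good, "dev-tools", fresh, now),
        "engineer_proddb":   Request("ana", {"engineer"}, "fido2", good, "prod-db", fresh, now),
        "dba_proddb_totp":   Request("bo", {"dba"}, "totp", good, "prod-db", fresh, now),
        "dba_proddb_fido2":  Request("bo", {"dba"}, "fido2", good, "prod-db", fresh, now),
        "no_mfa":            Request("cy", {"engineer"}, None, good, "dev-tools", fresh, now),
        "unpatched":         Request("ana", {"engineer"}, "totp", unpatched, "dev-tools", fresh, now),
        "stale_posture":     Request("ana", {"engineer"}, "totp", stale, "dev-tools", fresh, now),
        "old_session":       Request("bo", {"dba"}, "fido2", good, "prod-db", old, now),
    }


def run_demo() -> dict[str, str]:
    """Verdict per sample request, for quick inspection."""
    return {name: decide(r)[0] for name, r in sample_requests().items()}


if __name__ == "__main__":
    for name, r in sample_requests().items():
        verdict, reason = decide(r)
        print(f"{name:20s} {verdict:8s} {reason}")
```

Note the ordering: the user's role is only consulted after the device passes posture, so a compromised credential on an unmanaged machine never reaches the authorization step, and a correct role never overrides a stale or unpatched device. In a real deployment the posture fields come from an endpoint agent or MDM API and the decision is re-run per connection or per request, which is what "continuous session monitoring" means in practice.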

Certificate-Based Authentication

Passwords are the weakest common authentication factor: they can be guessed, phished, reused across sites and replayed. Certificate-based auth uses asymmetric cryptography instead: the client proves possession of a private key by signing the TLS handshake, and the server accepts the accompanying certificate only if it chains to a CA it trusts, is unexpired and has not been revoked. No shared secret ever crosses the wire. Deploy an internal PKI with an offline root CA, an online issuing CA signed by that root, and short-lived client certificates issued to users or devices; keep a CRL or OCSP responder so that a lost laptop can be revoked. This is the standard for enterprise VPN (OpenVPN and IPsec) and for 802.1X network access control using EAP-TLS.

bash
# WireGuard: generate key pairs (umask so the private keys are not world-readable)
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
wg genkey | tee client_private.key | wg pubkey > client_public.key

# Server: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <contents of server_private.key>

[Peer]
# One [Peer] block per client. AllowedIPs is also the per-peer ACL:
# packets from this peer with any other source address are dropped.
PublicKey = <contents of client_public.key>
AllowedIPs = 10.0.0.2/32

# Client: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = <contents of client_private.key>

[Peer]
PublicKey = <contents of server_public.key>
Endpoint = vpn.example.com:51820   # example hostname; use the server's public IP or DNS name
AllowedIPs = 10.0.0.0/24           # 0.0.0.0/0 instead to send all traffic through the tunnel
PersistentKeepalive = 25           # keeps NAT mappings open for clients behind NAT

# Start WireGuard on both sides and confirm a handshake took place
wg-quick up wg0
wg show

# OpenVPN quick certificate generation (the easy-rsa package installs a script named easyrsa)
easyrsa init-pki
easyrsa build-ca                   # root CA; in production this step runs on an offline machine
easyrsa gen-req server nopass
easyrsa sign-req server server
easyrsa gen-req client1 nopass
easyrsa sign-req client client1
openssl verify -CAfile pki/ca.crt pki/issued/client1.crt   # check the chain before deploying
💡
For new deployments, choose WireGuard over OpenVPN or IPsec where static peer keys fit your model. Its small codebase and fixed cipher suite mean less attack surface and no negotiation to misconfigure, and its published benchmarks show several times the throughput of OpenVPN on the same hardware. Plan key distribution and revocation up front: WireGuard has no built-in user authentication or certificate handling, so removing a peer means removing its public key from every server it was configured on.
📝 Day 3 Exercise
Set Up a WireGuard VPN
  1. Install WireGuard on two Linux VMs: sudo apt install wireguard
  2. Generate server and client key pairs using wg genkey/wg pubkey (run umask 077 first so the private keys are not readable by other users)
  3. Configure /etc/wireguard/wg0.conf on the server with a [Peer] entry for the client; enable IP forwarding (sysctl -w net.ipv4.ip_forward=1) and add a NAT/masquerade rule on the server's outbound interface
  4. Configure the client conf with the server's public key and Endpoint, and set AllowedIPs = 0.0.0.0/0 so all traffic goes through the tunnel
  5. Bring up the tunnel on both sides, confirm wg show reports a recent handshake, then verify traffic routes through it: curl ifconfig.me from the client should return the server's public IP

Day 3 Summary

  • WireGuard is the modern VPN choice: faster, smaller, and easier to audit
  • Zero Trust assumes breach and verifies every access request explicitly
  • Certificate-based auth eliminates password weaknesses for VPN and network access
  • Micro-segmentation limits lateral movement even after a breach
  • Internal PKI with an offline root CA is the enterprise standard
Challenge

Design a Zero Trust network architecture for a 50-person company with remote workers. Draw the diagram showing identity provider, device posture check, micro-segmented zones, and monitoring.
