Day 9: Wireless Networking & VPN
What You'll Learn Today
- Wi-Fi standards from 802.11a through 802.11ax (Wi-Fi 6)
- Wi-Fi security evolution from WEP to WPA3
- VPN concepts and how encrypted tunnels work
- VPN protocols: IPsec, OpenVPN, and WireGuard
- Site-to-site vs remote access VPN architectures
- Proxy servers and how they differ from VPNs
Wi-Fi Standards (IEEE 802.11)
Wi-Fi has evolved through several generations, each bringing faster speeds and better reliability.
| Standard | Wi-Fi Generation | Year | Frequency | Max Speed | Key Innovation |
|---|---|---|---|---|---|
| 802.11a | - | 1999 | 5 GHz | 54 Mbps | First 5 GHz standard |
| 802.11b | - | 1999 | 2.4 GHz | 11 Mbps | Widely adopted, affordable |
| 802.11g | - | 2003 | 2.4 GHz | 54 Mbps | Backward compatible with b |
| 802.11n | Wi-Fi 4 | 2009 | 2.4/5 GHz | 600 Mbps | MIMO, dual-band |
| 802.11ac | Wi-Fi 5 | 2013 | 5 GHz | 6.9 Gbps | MU-MIMO, wider channels |
| 802.11ax | Wi-Fi 6/6E | 2019 | 2.4/5/6 GHz | 9.6 Gbps | OFDMA, better in crowded environments |
```mermaid
flowchart LR
    subgraph Evolution["Wi-Fi Speed Evolution"]
        B["802.11b\n11 Mbps"]
        G["802.11g\n54 Mbps"]
        N["802.11n\n600 Mbps"]
        AC["802.11ac\n6.9 Gbps"]
        AX["802.11ax\n9.6 Gbps"]
    end
    B --> G --> N --> AC --> AX
    style B fill:#ef4444,color:#fff
    style G fill:#f59e0b,color:#fff
    style N fill:#3b82f6,color:#fff
    style AC fill:#8b5cf6,color:#fff
    style AX fill:#22c55e,color:#fff
```
Key Technologies
| Technology | Introduced In | Purpose |
|---|---|---|
| MIMO (Multiple Input, Multiple Output) | 802.11n | Multiple antennas for simultaneous data streams |
| MU-MIMO (Multi-User MIMO) | 802.11ac | Serve multiple devices simultaneously |
| OFDMA (Orthogonal Frequency-Division Multiple Access) | 802.11ax | Divide channels into sub-channels for multiple users |
| Beamforming | 802.11ac | Focus signal toward specific devices |
| BSS Coloring | 802.11ax | Reduce interference from neighboring networks |
2.4 GHz vs 5 GHz vs 6 GHz
| Band | Range | Speed | Interference | Channels |
|---|---|---|---|---|
| 2.4 GHz | Long (better wall penetration) | Slower | High (many devices, microwaves) | 3 non-overlapping |
| 5 GHz | Medium | Faster | Lower | 25 non-overlapping |
| 6 GHz (Wi-Fi 6E) | Short | Fastest | Very low (new spectrum) | 59 non-overlapping |
Wi-Fi Security
Wi-Fi security has evolved significantly as vulnerabilities were discovered in earlier protocols.
Security Protocol Evolution
```mermaid
flowchart LR
    subgraph Security["Wi-Fi Security Evolution"]
        WEP["WEP\n(Broken)"]
        WPA["WPA\n(TKIP)"]
        WPA2["WPA2\n(AES-CCMP)"]
        WPA3["WPA3\n(SAE)"]
    end
    WEP --> WPA --> WPA2 --> WPA3
    style WEP fill:#ef4444,color:#fff
    style WPA fill:#f59e0b,color:#fff
    style WPA2 fill:#3b82f6,color:#fff
    style WPA3 fill:#22c55e,color:#fff
```
| Protocol | Year | Encryption | Key Exchange | Status |
|---|---|---|---|---|
| WEP | 1997 | RC4 (40/104-bit) | Static shared key | Broken; crackable in minutes |
| WPA | 2003 | TKIP (RC4-based) | PSK or 802.1X | Deprecated; TKIP has weaknesses |
| WPA2 | 2004 | AES-CCMP | PSK or 802.1X | Secure with strong password; vulnerable to KRACK |
| WPA3 | 2018 | AES-GCMP-256 | SAE (Dragonfly) | Current standard; resistant to offline dictionary attacks |
WPA2 Modes
| Mode | Authentication | Use Case |
|---|---|---|
| WPA2-Personal (PSK) | Pre-shared key (password) | Home, small office |
| WPA2-Enterprise (802.1X) | RADIUS server + individual credentials | Corporate networks |
WPA3 Improvements
| Feature | WPA2 | WPA3 |
|---|---|---|
| Key exchange | 4-way handshake (PSK) | SAE (Dragonfly handshake) |
| Offline attacks | Vulnerable to dictionary attack on captured handshake | Resistant; each guess requires network interaction |
| Forward secrecy | No | Yes |
| Open networks | No encryption | OWE (Opportunistic Wireless Encryption) |
| Minimum encryption | AES-128 | AES-128 (Personal), AES-256 (Enterprise) |
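Why the "offline attacks" row matters for password policy, as an added example that is not part of the course page: the WPA2-Personal PMK is derived from nothing but the passphrase and SSID (exactly as IEEE 802.11i specifies), so a captured handshake lets every guess be checked at CPU/GPU speed, whereas under WPA3 SAE each guess costs a live handshake with the access point. The guess rates used are assumed illustrative figures, not benchmarks.

```python
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per IEEE 802.11i.
    Nothing session-specific goes in, so whoever holds a captured 4-way handshake can
    recompute this for each candidate passphrase without ever contacting the AP."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases a policy allows (uniform random choice assumed)."""
    return alphabet_size ** length

def expected_years(keyspace_size: int, guesses_per_second: float) -> float:
    """Expected search time: on average half the keyspace is tried before a hit."""
    return keyspace_size / 2 / guesses_per_second / SECONDS_PER_YEAR

def compare_policies(guess_rates: dict) -> dict:
    """Expected years per (policy, guess-rate label). The rates passed in are ASSUMED
    illustrative figures for this example, not measured benchmarks."""
    policies = {
        "8 digits": keyspace(10, 8),
        "8 lowercase letters": keyspace(26, 8),
        "12 mixed characters (62 symbols)": keyspace(62, 12),
        "5 random words from a 7776-word list": keyspace(7776, 5),
    }
    return {name: {label: expected_years(size, rate) for label, rate in guess_rates.items()}
            for name, size in policies.items()}

if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print("PMK:", wpa2_pmk("password", "IEEE").hex())
    rates = {
        "WPA2 offline, captured handshake (assumed 1e6 PMK/s)": 1e6,
        "WPA3 SAE online, every guess is a handshake with the AP (assumed 10/s)": 10,
    }
    for policy, results in compare_policies(rates).items():
        print(policy)
        for label, years in results.items():
            print(f"  {label}: {years:.3g} years")
```

The takeaway for a WPA2 network is that only the keyspace protects you, so the passphrase must be long and random; WPA3 adds the per-guess network cost on top.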
VPN Concepts
A VPN (Virtual Private Network) creates an encrypted tunnel over a public network, making it appear as if you are directly connected to a private network.
```mermaid
flowchart LR
    subgraph NoVPN["Without VPN"]
        C1["Client"] -->|"Visible traffic"| ISP1["ISP"] -->|"Visible traffic"| NET1["Internet"]
    end
    subgraph WithVPN["With VPN"]
        C2["Client"] -->|"Encrypted tunnel"| VPN_S["VPN Server"] -->|"Decrypted"| NET2["Internet"]
    end
    style NoVPN fill:#ef4444,color:#fff
    style WithVPN fill:#22c55e,color:#fff
```
What a VPN Provides
| Benefit | Description |
|---|---|
| Encryption | All traffic in the tunnel is encrypted; ISPs and attackers see only encrypted data |
| IP masking | Your real IP address is hidden; the destination sees the VPN server's IP |
| Remote access | Connect to a corporate LAN as if you were physically there |
| Bypass geo-restrictions | Appear to be in a different country |
VPN Architectures
```mermaid
flowchart TB
    subgraph S2S["Site-to-Site VPN"]
        OFF1["Office A\n(LAN)"] <-->|"Encrypted tunnel\n(always on)"| OFF2["Office B\n(LAN)"]
    end
    subgraph RA["Remote Access VPN"]
        USER["Remote User\n(laptop)"] -->|"Encrypted tunnel\n(on demand)"| CORP["Corporate Network"]
    end
    style S2S fill:#3b82f6,color:#fff
    style RA fill:#8b5cf6,color:#fff
```
| Type | Description | Use Case |
|---|---|---|
| Site-to-Site | Connects two networks permanently | Branch offices connecting to headquarters |
| Remote Access | Individual users connect to a network | Employees working from home |
| Client-to-Client (Mesh) | Peers connect directly to each other | WireGuard mesh networks, Tailscale |
VPN Protocols
IPsec (Internet Protocol Security)
IPsec operates at Layer 3 and consists of two main data-protection protocols (ESP and AH), with IKE handling key exchange and peer authentication.
| Component | Purpose |
|---|---|
| IKE (Internet Key Exchange) | Negotiates security parameters, authenticates peers, establishes keys |
| ESP (Encapsulating Security Payload) | Encrypts and authenticates the actual data packets |
| AH (Authentication Header) | Authenticates packets without encryption (rarely used alone) |
IPsec has two modes:
| Mode | Description | Use Case |
|---|---|---|
| Transport Mode | Encrypts only the payload; original IP header unchanged | Host-to-host communication |
| Tunnel Mode | Encrypts the entire original packet; new IP header added | Site-to-site VPN, remote access |
OpenVPN
OpenVPN is an open-source VPN solution that runs over SSL/TLS (typically on UDP port 1194 or TCP port 443).
| Feature | Detail |
|---|---|
| Protocol | Custom protocol over TLS |
| Transport | UDP (preferred) or TCP |
| Encryption | OpenSSL library (AES-256-GCM typical) |
| Authentication | Certificates, username/password, or both |
| Platform | Windows, macOS, Linux, iOS, Android |
| Firewall traversal | Can run on TCP 443 to bypass restrictive firewalls |
WireGuard
WireGuard is a modern VPN protocol designed for simplicity and performance.
| Feature | Detail |
|---|---|
| Protocol | Custom UDP-based |
| Encryption | ChaCha20, Poly1305, Curve25519, BLAKE2s |
| Codebase | ~4,000 lines (vs ~100,000 for OpenVPN) |
| Performance | Near wire speed; integrated into Linux kernel |
| Configuration | Simple public/private key pairs |
Protocol Comparison
| Feature | IPsec | OpenVPN | WireGuard |
|---|---|---|---|
| OSI Layer | L3 | L4 (TLS) | L3 |
| Speed | Fast (hardware acceleration) | Moderate | Very fast |
| Complexity | High (IKE phases, many options) | Moderate | Low |
| Codebase | Large | ~100,000 lines | ~4,000 lines |
| NAT traversal | Needs NAT-T | Built-in | Built-in |
| Firewall bypass | Difficult (ESP protocol) | Easy (TCP 443) | Moderate (UDP only) |
| Best for | Site-to-site, enterprise | General purpose | Modern deployments |
```mermaid
flowchart TB
    subgraph Comparison["VPN Protocol Comparison"]
        IPSEC["IPsec\nEnterprise standard\nComplex configuration"]
        OVPN["OpenVPN\nFlexible, proven\nModerate performance"]
        WG["WireGuard\nSimple, fast\nModern cryptography"]
    end
    style IPSEC fill:#f59e0b,color:#fff
    style OVPN fill:#3b82f6,color:#fff
    style WG fill:#22c55e,color:#fff
```
WireGuard Configuration Example
```ini
# Server configuration (replace the <...> placeholders with real keys)
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

# Client configuration
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
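The `AllowedIPs` lines above are where WireGuard deployments most often go wrong, because on each side they are both the route towards a peer and the source-address ACL for packets arriving from it. As an added example (not code from the course or from the WireGuard project), a small linter that parses the server config and flags a catch-all `0.0.0.0/0` on the server side and overlapping peer addresses; the second peer in the sample is constructed to be broken.

```python
import ipaddress

# Constructed sample: the page's server config plus a deliberately broken second
# peer (duplicate address and a catch-all AllowedIPs) to show what the linter catches.
SERVER_CONF = """[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <second_client_public_key>
AllowedIPs = 10.0.0.2/32, 0.0.0.0/0
"""

def parse_wg(text):
    """wg-quick INI parser: [Peer] may repeat, so peers become a list of dicts."""
    conf, section = {"Interface": {}, "Peer": []}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            conf["Peer"].append(section := {})
        elif "=" in line:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf

def lint(conf):
    """Cryptokey-routing findings: AllowedIPs is both the route towards a peer and
    the source-address ACL for packets arriving from it, so mistakes here matter."""
    findings, seen = [], []
    # A listening interface whose peers carry no Endpoint is the server side.
    is_server = "ListenPort" in conf["Interface"] and not any("Endpoint" in p for p in conf["Peer"])
    for i, peer in enumerate(conf["Peer"]):
        for cidr in filter(None, peer.get("AllowedIPs", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr)
            if is_server and net.prefixlen == 0:
                findings.append(f"Peer {i}: {net} accepts any source address from this peer "
                                "and steals the server's default route")
            if any(net.overlaps(o) for o in seen):
                findings.append(f"Peer {i}: {net} overlaps another peer's AllowedIPs (last one wins)")
            seen.append(net)
    return findings

if __name__ == "__main__":
    for finding in lint(parse_wg(SERVER_CONF)):
        print(finding)
```

Run against the client config from the page, the same linter reports nothing: a `0.0.0.0/0` route is the intended full-tunnel setting there.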
Proxy Servers
A proxy server acts as an intermediary between a client and a destination server. Unlike a VPN, a proxy typically works at the application layer and does not encrypt all traffic.
Proxy Types
| Type | Direction | Purpose |
|---|---|---|
| Forward Proxy | Client → Proxy → Internet | Hide client IP, content filtering, caching |
| Reverse Proxy | Internet → Proxy → Server | Load balancing, SSL termination, caching |
| SOCKS Proxy | Client → Proxy → Internet | Protocol-agnostic (not just HTTP) |
| Transparent Proxy | Client → Proxy → Internet | Client unaware; network-level interception |
```mermaid
flowchart LR
    subgraph Forward["Forward Proxy"]
        FC["Client"] --> FP["Proxy"] --> FS["Internet"]
    end
    subgraph Reverse["Reverse Proxy"]
        RC["Internet"] --> RP["Proxy\n(Nginx, Cloudflare)"] --> RS["Server"]
    end
    style Forward fill:#3b82f6,color:#fff
    style Reverse fill:#8b5cf6,color:#fff
```
VPN vs Proxy
| Feature | VPN | Proxy |
|---|---|---|
| Encryption | All traffic encrypted | Usually no encryption (except HTTPS proxy) |
| Scope | All system traffic | Per-application |
| Layer | L3 (network level) | L7 (application level) |
| IP masking | Yes | Yes |
| Speed impact | Moderate (encryption overhead) | Minimal |
| Use case | Security, privacy, remote access | Caching, content filtering, load balancing |
Summary
| Concept | Description |
|---|---|
| Wi-Fi Standards | 802.11a/b/g/n/ac/ax with increasing speed and efficiency |
| 2.4 GHz vs 5 GHz | Range vs speed trade-off; 6 GHz adds more channels |
| WEP | Broken encryption; should never be used |
| WPA2 | Current baseline; uses AES-CCMP |
| WPA3 | Latest standard; SAE handshake prevents offline attacks |
| VPN | Encrypted tunnel over public networks |
| Site-to-Site VPN | Connects two networks permanently |
| Remote Access VPN | Individual users connect to a corporate network |
| IPsec | Enterprise VPN protocol operating at Layer 3 |
| OpenVPN | Flexible TLS-based VPN; works on TCP or UDP |
| WireGuard | Modern, fast, simple VPN with ~4,000 lines of code |
| Forward Proxy | Client-side intermediary for outbound traffic |
| Reverse Proxy | Server-side intermediary for inbound traffic |
Key Takeaways
- Wi-Fi 6 (802.11ax) improves performance in dense environments with OFDMA and BSS coloring
- Always use WPA2 or WPA3 with a strong password; WEP and WPA are broken
- VPNs provide encryption and privacy but add latency; choose the right protocol for your needs
- WireGuard is the modern choice for VPN due to simplicity, speed, and strong cryptography
- Proxies and VPNs serve different purposes: proxies work per-application, VPNs encrypt all traffic
Practice Problems
Beginner
You are setting up a home Wi-Fi network with a new router that supports Wi-Fi 6 (802.11ax). Describe the security settings you would configure: which security protocol, password requirements, and any additional settings (like disabling WPS). Explain why you chose each setting.
Intermediate
A company with 200 employees needs a VPN solution for remote workers. Compare IPsec, OpenVPN, and WireGuard for this use case. Consider: ease of deployment, client support across Windows/macOS/Linux/mobile, performance, and security. Recommend one solution and explain your reasoning.
Advanced
Design a network architecture for a company with three offices (New York, London, Tokyo) and 50 remote workers. Requirements: (1) all offices must communicate securely, (2) remote workers need access to resources in any office, (3) internet traffic from offices should be filtered, (4) guest Wi-Fi must be isolated from the corporate network. Specify: VPN protocol and topology, Wi-Fi configuration (SSIDs, VLANs, security), proxy/firewall placement, and draw a network diagram.
Next up: In Day 10, we'll wrap up with "Network Troubleshooting & Tools." You'll learn a systematic approach to diagnosing network issues layer by layer, master essential tools like ping, traceroute, tcpdump, and Wireshark, and explore cloud networking concepts!