Virtual Private Networks (VPNs) Suppress Usage of GNU/Linux and Have Historically Cemented Microsoft's Monopoly (Windows) for No Real Security Gains
Is a bunch of bloat (or 'hacks') in the networking stack the best one can do?
THE awkward subject of VPNs was explored here and even extensively covered at one point in the Sirius series, which isn't over by the way (it is connected to another ongoing series). VPNs are a 'hack', not true security, and any time I installed a VPN at the server side, not just the client side, I was left wondering what the true motivation was. Like firewalling, it makes false assumptions and it does not deal with the real issues, such as back doors or a lack of encrypted (properly, end-to-end) connections.
Proprietary VPNs are the worst; over the years I've encountered or had to deal with nearly a dozen VPNs, with some officially lacking GNU/Linux support or just spewing out some outdated binary file that does not work or barely works. In the Free/libre fold we have bloated hack like OpenVPN or something more elegant such as Wireguard. Some have rightly "earned" their share of condemnation. This complicates upgrades of routers, operating systems, and kernels.
I myself have seen institutions rejecting BSD and GNU/Linux users just by the mere choice of some proprietary VPN. Who made the choice? Who made this decision? And what for? It's easy to 'punish' or massively inconvenience people who choose operating systems without back doors. Later you get people saying stuff like, "I still need to dual boot (or use virtual machines) because.... something VPN..."
Suffice to say, such a requirement for a VPN necessarily means you impose back doors on people, i.e. the very opposite of security.
As one associate noted the other day, VPNs are "bullshit", especially proprietary ones. They are used as not just an additional cost sink but also as a further means to block access (by not supporting) non-Microsoft systems.
20+ years ago I worked at Manchester Computing where I helped university staff, mostly lecturers, gain access to VPNs, sometimes over dial-up. Some of them needed online access to the library from home, bypassing weird paywalls that could instead be replaced by authentication, not IP-based restrictions. What a bizarre and arcane setup, even by standards of that time...
The harder part was helping staff that used GNU/Linux (many technically-proficient professors already did back then) and we were instructed that, if someone used BSD, then they probably already know what they're doing and thus in no need of assistance. So the level of support for non-Windows users was appalling by design. Why even use such VPNs in the first place? They protected nothing. It was expensive snake-oil and it's unclear who brought it into the university (maybe some kickbacks involved).
As an associate of ours explained, any security-conscious network administrator would avoid money-wasting boondoggles like Cisco and use Wireguard or OpenVPN instead. However, that would allow equal access from the GNU/Linux and even the BSDs, in addition to saving money and work. However, the empire builders send money to the vendors instead since the vendors depend on the empire builder for the continued cash flow. Whereas employees might dare to push back on various matters.
Back in the 1990s, VPNs were not used because they were a waste of effort and there was already a better, zero-trust solution built around the kerberization of online services.
"I suspect," the associate noted, "that once Microsoft killed Kerberos and made its integration with Windows impossible, people (aka Microsoft drones) had no choice but to roll out VPNs. Again intentionally choosing bad VPNs had the desirable side effect of blocking non-windows systems."
LDAP/OpenLDAP was used in conjunction with Kerberos, we're told, as combined or used in conjunction they could obviate the need for anything like a VPN. Not only were they another way to undo the "necessity" of VPNs as access walls, they worked across platforms and did not introduce the bloat (which inevitably brings bugs and severe holes with it).
The other day I recalled that clients of Sirius complained about access policies. One person in particular noted that, even when former staff was removed from VPN, the unix user accounts remained on their systems. That was in 2011.
Sirius conflated VPNs with access control. It was not about security or privacy; heck, channeling one's traffic through a company server was a corridor to mass surveillance, even in one's own home. This rendered VPNs a tool or instrument for oppressive surveillance, exactly the opposite of what VPNs are nowadays marketed for.
In short, VPNs are usually not necessary. Those who promote them typically don't know what they're doing. VPNs are 'patchworks'.
If someone is trying to shoehorn some proprietary VPN into your company/employer, be sure to check if there are kickbacks (bribes) involved or some profound conflict of interest. █