¶ PVYvpn - a session-less key driven VPN encryption over UDP
Traditional VPN’s lack since over 22 year real security and are with relative less effort easy to decipher. And the vulnerabity is part of the design and made the term “Man-in-the-Middle” useful and popular. If you are new to VPN’s in general, or you like to learn more about the “holes” by Design, we put a short reference below, to learn more about it.
PVYvpn is being utilized for all PVY.swiss Users by default. Because you obtained the right to protect your data, as other may more technical expierences users are capable as well. And it’s best, you will never notice the complications as known from other VPN’s. Its simply starts with your device and only encrypts and tunnel these kind of traffic, which belongs to your own PVYapp, automatically and everything else you do, goes unencrypted as ever.
It is by default integrated for:
- PVY@Home Appliance Users
- PVY@Office Appliance Users
- PVY@Cloud Users can opt-in for it.
¶ Why traditional VPNs are insecure
All traditinal VPN’s are designed commonly within the same design patterns, regardless if you are using OpenVPN, Wireguard or CiscoVPN. They are insecure and do not protect the users nor traffic sent over it from sniffing/or and obtaining data. Or in short: They are interceptable.
We all remember the Snowden Relevations and the so called “Krypto AG” revelation, where the NSA and CIA operated within the trustable Switzerland, a company with so called Hardware - Key based Encryption. Just with the fact, that they Key’s where not only known to its customers…
¶ More Information:
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
https://www.entrust.com/blog/2023/11/harvest-now-decrypt-later-fact-or-fiction/
¶ Why PVYvpn is different
We do our best to avoid to much technical terms to make it more understandable for a broader audience, and use as well some explanation Video for more clarification.
¶ The common VPN Design (OpenVPN, CiscoVPN)
{{Video-Placeholder}}
¶ The PVYvpn Design
In the below figure you see, we do not primarly need a so called central public reachable “Security-Gateway” where several ports has to be open to establish a mutual VPN Client connect.
¶ Peer to Peer VPN (From Device to Device, or Server or Edge Device)
{{Video-Placeholder}}
¶ The usage of Security Gateway on PVYvpn
PVYvpn has a headless Security Gateway, to allow for example following scenarios:
- As Entry Point on some rented Amazon, Google or Azure Servers. Or any vServer or Root Server you rent somewhere else.
- As Entry Point on a Edge Device or Home/Office Appliance, to reach multiple private IPs or range of IPs/Subnet at once from authorized Devices.
¶ The difference outlined
- Peer to Peer
- Encryption
- No-latency lag
- Trough-put up to 6.2 GB/s against 850 Mb/s on large scale Cisco VPN Networks, the higher the Bandwith, the higher the latency increasement. This does not apply on PVYvpn Technology, therefore it can be utiliszed to mirror or backup entire Sites using high encryption, even for real time traffic, with not significant latency increases.
Each IP packet that is sent and received has a different key for encryption, which is defined by a cryptographic algorithm. Due to the fact that the traffic goes point to point without a security gateway, it is not possible to intercept and decrypt the traffic.
If it is intercepted by a connection mirroring, each IP packet would have to be decrypted individually, which has not yet been possible.
¶ Getting Started
As mentioned on our general quickstart guide for PVY@Home Appliance, each of your Familiy Members or Office Workers shall download at least 3 Application to their Devices from the App Store, in this order:
- PVYvpn
- PVYmessenger
- PVYfiles
The first steps as Organisation Admin of your PVY@Cloud, PVY@Home, PVY@Office is to create our additional users, with not more than First Name, Last Name, and E-Mail Address. All other fields are optionally, but being available later also on your PVYgroupware Global Address book and for PVYmessenger, later with the freedom to chose a unique Nickname and allow or disallow Email & Phone Number Look-up to be found from outside Users/Friends. Learn more about that on PVYmessenger Section.
¶ Primary knowledge and order for any new user Deployment
As written on the “Getting started” Page after you Sign-up for PVY@Cloud or you registered your PVY@Home Appliance, the primary order to get ready your users, is as follow:
- Grant them Access for PVYgroupware, either over Web or native on the OS
- Let them Download the Apps, and register with their PVY-ID within the Desktop, or Mobile App of PVYmessenger, where they get prompted to save their Recovery Key on a secure place, either by Digits or as Key File.
Once each user has this two services native on their Device up and running, its time to enroll the VPN Client for their devices. You can download them from App Store or, if you use PVYmdm in conjunction with PVYdevices, you can deploy it there. As Organisation Admin, you log-in into PVYcentral, heading to the menu item «Applications» and chose «PVYvpn»
- Create a new Device and chose corresponding OS from Dropwdown Menu
- Allocate this new Device to an User.
- Click Save Button, followed by the active Enroll Button. You can add up to 5 Devices per User (Phone, Desktop, Notebook, iPad)
The now enrolled user receive an automatic generated email with the VPN Password, and from the PVYvpn Bot he receive an encrypted Message on his PVYmessenger Account, with the Key attached for his VPN Client.
User Action:
- Save Key to Download or Desktop Folder
- Open PVYvpn Client. It will ask for Encryption Key. Chose Encryption Key from you last saved location, confirm.
- A prompt for Password popups up. Copy and Paste the Password from your Email Inbox.
From this very moment onwards, the VPN Client is ready to use and it encrypts all traffic from and to your device(s) to all of your PVYapps, regardless if you use PVY@Home, PVY@Office or PVY@Cloud, automatically. It runs in the back ground and starts automatically with your Device on start-up.
That’s all folks!
- at least to be operative and productive. An average user enrollment for the PVYmessenger, PVYvpn and PVYgroupware takes fokused 12 Minutes.
¶ How this works?
Since our Security Management Console for the PVYvpn is headless and pure API driven, it will generate based on the OS Device you choose a unique encryption key and links this encryption key to an virtual network and unique user id.
By default, all of your enrolled clients can communicate straight out of the box over the given encrypted virtual network, which sits on Top of your network adapter (WiFi, Bluetooth, LAN), unlike emulated VPNs (all the rest).
All enrolled clients can communicate immediately peer-to-peer to each other without the need to establish a connection first to a so called VPN Security Entry/Endpoint. And of course also to all your PVYapps, which runs behind PVYvpn Security Gateway.
¶ PVYvpn Security Gateway
The Gateway allows to establis an encrypted P2P Tunnel from anywhere over any Network Adapter your enduser clients are running, and tunnels all the traffic related to your PVYapps behind automatically. Since its session-less driven over UDP only, No handshake is necessary and it will only respond and open the port, if the encryption key is known and node is in its node list. Every other knocking method is simply being ignored.
A big advantage of this techology is not only the security design, since a Man in the middle Attack is not possible, neither spoofing a connection, since the fingerprint within the key is not guessable, it also doesn’t need to operate within a fix IP Address or Subnet on the Uplink Modem, which is very convinient for private consumers or mobile connections on the go.
¶ PVYvpn Node List
PVYvpn Desktop App and the Mobile App also offers a button to see all your authorized Nodes/Devices. Each Device is listed with its Device Name and a virtual private IP address, starting with 7.0.0.0/24 or 8.0.0.0/24 or 11.0.0.0/24
¶ How to establish a Partner Network
A unique feature is the decentralized VPN Network Functionality of PVYvpn. A Organisation Sys Admin can request in collaboration with another PVY SysAdmin, a VPN Partner Network to each other. Where they can also specify very elegant, which of their nodes/devices can communicate straight Peer-to-Peer with each other. This gives them following Peer to Peer VPN Options:
- PVY@Home Appliance Family A can connect Peer-to-Peer with PVY@Home Appliance Family B
- PVY@Home Appliance Family B can connect to PVY@Office Appliance X
- PVY@Office Appliance X can connect to PVY@Cloud of Company AC
This feature adds an additional security layer for exchanging Files, Folder or Libraries but as well for Photos, Photo Album shared between differen PVY-ID User.
To make things easy, we built-in a feature to start such requests straight out of the PVYphotos App or PVYfiles. Since each IT Security Guy will confirm, such an VPN Encryption is in the benefit of all.
¶ Limitations on Partner Peer-to-Peer Connects
Non of the Parties can browse other devices, the connection is simply utilized when sharing files, folders, libraries, photos, movies, or albums given to another PVY-ID.
SysAdmins can disallow it in PVYcentral. But adding an additional security layer for information exchanges, on sensitive information such as your last Family Holiday with your Parents, simple useable technology makes truly sense.
¶ PVYvpn enabled Applications for P2P Partner Network sharing by default:
- PVYfiles
- PVYphotos
- PVYmessenger
- PVYremoteDesktop
- PVYserviceDesk
Additional nodes can be added on PVYcentral from the Organisation PVY Sys-Admin.
¶ Home Appliance Users
PVYvpn is a part of our Privacy Concept. You have more informations available on the Quick Start-Guide by unboxing your PVY@Home Appliance.
Learn here how to register your PVY@Home Appliance or visit https://pvy.swiss/register
¶ Office Appliance Users
PVYvpn is a part of our Privacy Concept. You have more informations available on the Quick Start-Guide by unboxing your PVY@Office Appliance.
Learn here how to register your PVY@Office Appliance or visit https://pvy.swiss/register
¶ PVY@Cloud Users
PVY@Cloud works unlike PVY@Home or PVY@Office with or without PVYvpn. Please visit our SaaS Offering on our main website https://pvy.swiss/cloud to learn about on which SaaS Package PVYvpn is included and where you can book it over the built-in PVYappstore.
¶ F.A.Q
Q: Can I do VoIP or Real Time Video?
A: Yes, but its already built-in on PVYmessenger, with AES 512bit Encryption and it works peer to peer over the PVYvpn.
Q: How the VPN traffic is identifiable?
A: We are glad you asked. It’s not that easy, we send it over the regulary SSL Port 443 like any other mutually secure Website Encryption.
Q: Does PVYvpn work for cross-border communication?
A: Yes, it works in call countries, you can even manage from Switzerland tons of robots in a chinese factory peer-to-peer.
Q: How about Nodes or Embedded System my organisation runs somewhere else?
A: You can embedd them into your PVYvpn P2P Network relatively easy. Learn more in the Admin Guide how to integrate:
- a Docker container somewhere else
- an embedded system, such as a CNC controler
- a bunch of cloud nodes for special application in the cloud such as AWS or Azure.
Q: Is there any port I need to open on my Provider Modem for PVYvpn?
A: Depends which Modem and Provider you use. If UPnP is activavted, on a AVM FritzBox its a standard, as well on a Swisscom Modem. In any case, you can find the port in your PVY@Home or PVYoffice Appliance Quickstart. The easist way is to allocate on your modem a permanant IP Address over your DHCP Table, often a checkbox to tick. Thats sufficient enough.
¶ Read the docs
Yes you can do more with PVYvpn. Learn more on the Admin Guide of PVYvpn