The basic concept is pretty simple. A VPN works by making a "virtual"
link between two machines or sites which are using private IP addresses. It
achieves this by sending the private packets across the public Internet as
the payload of normal public addressed packets. In other words, the private
packets are inside a public IP wrapper.
The VPN server has two interfaces, one in the private LAN and one in the
public Internet. Traffic which is destined for another private addressed
site or a remote VPN client arrives at the server's private interface. The
server encrypts the packet, encapsulates it in a wrapper which has the
remote site/client public IP on the outside and sends it off through its
public interface. An of course does the reverse with encapsulated traffic it
receives.
A VPN server can operate with only one interface if it is on a private
LAN which connects to the Internet through a router/firewall. The firewall
can take the place of the server's public interface. The remote client
connects to the firewall's public IP, and the VPN traffic can be forwarded
through the LAN to the VPN server. Traffic going from the VPN server is
encrypted and encapsulated as above, then is sent to the firewall for
delivery through the Internet.
