
Networking Basics for VPN Users


Summary: A quick primer on IP addresses, public and private networks, subnet masks, CIDR notation, ports, and DNS — the concepts you need to follow the VPN tutorials in this series.

| Key | Value |
| --- | --- |
| Server public IP | 203.0.113.10 |
| Client public IP | 198.51.100.50 |
| VPN subnet | 10.0.0.0/24 |
| Server VPN IP | 10.0.0.1 |
| Client VPN IP | 10.0.0.2 |
| Local LAN subnet | 192.168.1.0/24 |
| DNS server | 1.1.1.1 |
| WireGuard port | 51820 |

0. Prerequisites

  • No prior networking knowledge required
  • A Linux machine to try the commands (Ubuntu 24.04 LTS recommended)
  • dig is used in this tutorial for DNS lookups — install it with sudo apt install -y dnsutils if it is not already present

1. IP Addresses

Every device on a network has an IP address — a numeric label that identifies it so other devices can send data to it. IPv4 addresses are written as four numbers separated by dots:

192.168.1.50




Each number ranges from 0 to 255. This gives roughly 4.3 billion possible addresses.

Check your machine’s IP addresses:

ip addr show



Look for lines containing inet — those are your IPv4 addresses.


2. Public vs Private Addresses

Not all IP addresses are equal. Some are public (routable on the internet) and some are private (only used inside local networks).

2.1 Private Ranges

Three ranges are reserved for private use. Devices on your home or office network use these:

| Range | CIDR Notation | Typical Use |
| --- | --- | --- |
| 10.0.0.0 - 10.255.255.255 | 10.0.0.0/8 | Large networks, VPN tunnels |
| 172.16.0.0 - 172.31.255.255 | 172.16.0.0/12 | Medium networks |
| 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16 | Home networks |

Your home router typically assigns addresses from 192.168.1.x or 192.168.0.x. These addresses only work inside your local network — they cannot be reached directly from the internet.

2.2 Public Addresses

Everything outside the private ranges is public. Your internet service provider (ISP) assigns your router a public IP. When you visit a website, the website sees this public IP — not your device’s private address.

In the VPN tutorials, 203.0.113.10 is the VPN server’s public IP and 198.51.100.50 is the client’s public IP.

Note: You can check your current public IP by running curl ifconfig.me.

2.3 Why This Matters for VPNs

A VPN creates a private tunnel between your device and a remote server. Your device gets a VPN IP address (like 10.0.0.2) from the VPN’s own private range. Traffic sent through the tunnel appears to come from the VPN server’s public IP, not yours.


3. Subnet Masks and CIDR Notation

An IP address alone does not tell you how large the network is. A subnet mask defines which part of the address identifies the network and which part identifies the individual device.

3.1 How It Works

Take the address 192.168.1.50 on a home network. The network portion might be 192.168.1 and the device portion is 50. The subnet mask 255.255.255.0 makes this split — every 255 locks that section to the network, and 0 leaves it free for devices.

3.2 CIDR Notation

Writing 255.255.255.0 is verbose. CIDR notation (Classless Inter-Domain Routing) uses a slash followed by the number of locked bits:

| Subnet Mask | CIDR | Network Size | Meaning |
| --- | --- | --- | --- |
| 255.255.255.255 | /32 | 1 address | A single specific host |
| 255.255.255.0 | /24 | 256 addresses | A typical home or small office network |
| 255.255.0.0 | /16 | 65,536 addresses | A large private network |
| 255.0.0.0 | /8 | 16.7 million addresses | A very large network block |
| 0.0.0.0 | /0 | All addresses | “Everything” — the entire internet |

The / number counts how many of the 32 bits in an IPv4 address are fixed. The remaining bits are free for device addresses.

3.3 CIDR in the VPN Tutorials

You will see CIDR notation throughout the tutorials. Here is what each one means in context:

| Notation | Meaning in VPN Context |
| --- | --- |
| 10.0.0.2/32 | Exactly one address — this specific VPN client |
| 10.0.0.0/24 | The VPN subnet — 256 addresses from 10.0.0.0 to 10.0.0.255 |
| 192.168.1.0/24 | A home LAN — 256 addresses from 192.168.1.0 to 192.168.1.255 |
| 0.0.0.0/0 | All addresses — used in VPN configs to mean “route everything through the tunnel” |

Tip: Think of /32 as “just this one address” and /0 as “every address that exists.”
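The split between locked network bits and free device bits can be computed directly. The following is an added example, not part of the original tutorial; the function names are illustrative, and the private-range check uses only the three ranges listed in section 2.1.

```python
import ipaddress

# The three private ranges from section 2.1.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prefix_to_mask(prefix_len: int) -> str:
    """Build the dotted subnet mask by setting the top prefix_len bits to 1."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr: str) -> dict:
    """Split an address/prefix into network part, host part and range."""
    addr_text, prefix_text = cidr.split("/")
    prefix_len = int(prefix_text)
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix_len)))
    network = addr & mask                      # locked (network) bits
    last = network | (~mask & 0xFFFFFFFF)      # all free (device) bits set
    return {
        "mask": prefix_to_mask(prefix_len),
        "network": str(ipaddress.IPv4Address(network)),
        "last": str(ipaddress.IPv4Address(last)),
        "host_part": addr & ~mask & 0xFFFFFFFF,
        "size": 2 ** (32 - prefix_len),
    }


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the three ranges in section 2.1."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


if __name__ == "__main__":
    for cidr in ("192.168.1.50/24", "10.0.0.2/32", "10.0.0.0/24", "0.0.0.0/0"):
        print(cidr, describe(cidr))
    for addr in ("10.0.0.2", "172.31.255.255", "172.32.0.1", "203.0.113.10"):
        print(addr, "private" if is_private(addr) else "not in a private range")
```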


4. Gateways and Routing

When your device sends a packet to an IP address, it needs to know where to send it. The kernel consults a routing table — a list of rules that say “traffic for this range goes through this interface.”

Check your routing table:

ip route show



A typical output looks like:

default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50



  • default via 192.168.1.1 — the default gateway. Any traffic that does not match a more specific rule goes here. This is usually your home router.
  • 192.168.1.0/24 dev eth0 — traffic for your local subnet goes directly out the eth0 interface, no gateway needed.

4.1 How VPNs Change Routing

When a VPN is active, the routing table is modified so that internet traffic goes through the VPN tunnel interface (wg0) instead of your regular gateway. Local traffic (like accessing a NAS at 192.168.1.100) still uses the regular interface because the specific /24 route takes priority over the VPN’s /0 route.

Note: More specific routes always win. A /24 route beats a /0 route for any address within that /24 range.
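The "most specific route wins" rule can be checked with a small longest-prefix-match lookup. This is an added example, not part of the original tutorial; the two tables are constructed from the sample output above, and the VPN-up table is a simplified single-table model (real WireGuard tooling may implement the catch-all with policy routing).

```python
import ipaddress

# Constructed tables modelled on the sample `ip route show` output above.
VPN_DOWN = [
    ("0.0.0.0/0", "eth0"),        # default via 192.168.1.1
    ("192.168.1.0/24", "eth0"),   # local LAN, directly connected
]
VPN_UP = [
    ("0.0.0.0/0", "wg0"),         # catch-all now points at the tunnel
    ("10.0.0.0/24", "wg0"),       # VPN subnet
    ("192.168.1.0/24", "eth0"),   # local LAN route is unchanged
]


def lookup(table, destination):
    """Return (prefix, interface) of the longest matching prefix."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return str(best[0]), best[1]


def outside_tunnel(table, destinations, tunnel_dev="wg0"):
    """List destinations whose selected route does not use the tunnel."""
    return [d for d in destinations if lookup(table, d)[1] != tunnel_dev]


if __name__ == "__main__":
    # NAS on the LAN, a website, the DNS server, the VPN server's tunnel IP.
    targets = ["192.168.1.100", "93.184.215.14", "1.1.1.1", "10.0.0.1"]
    for name, table in (("VPN down", VPN_DOWN), ("VPN up", VPN_UP)):
        for t in targets:
            print(name, t, "->", lookup(table, t))
    print("outside tunnel:", outside_tunnel(VPN_UP, targets))
```

Only the NAS address stays on eth0 when the VPN is up, which is the set of traffic to review if nothing should leave the tunnel.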


5. Ports and Protocols

IP addresses identify which device to talk to. Ports identify which service on that device.

A port is a number from 0 to 65535. When your browser visits a website, it connects to the server’s IP address on port 443 (HTTPS). When WireGuard sends encrypted packets, it uses port 51820 by default.

ServicePortProtocol
HTTP80TCP
HTTPS443TCP
DNS53UDP/TCP
SSH22TCP
WireGuard51820UDP

5.1 TCP vs UDP

  • TCP (Transmission Control Protocol) — reliable, ordered delivery. If a packet is lost, it is retransmitted. Used for web browsing, SSH, and file transfers.
  • UDP (User Datagram Protocol) — fast, no retransmission. If a packet is lost, it is gone. Used for VPNs, DNS, and video streaming.

WireGuard uses UDP because VPN tunnels need speed and low overhead. The applications inside the tunnel (like your web browser using TCP) handle their own reliability.


6. DNS

The Domain Name System translates human-readable names (like example.com) into IP addresses (like 93.184.215.14). Without DNS, you would need to memorize IP addresses for every website.

Test DNS resolution:

dig example.com +short




When a VPN is active, DNS queries should go through the tunnel to prevent your ISP from seeing which domains you visit. The DNS = 1.1.1.1 line in a WireGuard config tells the system to use Cloudflare’s DNS resolver while the tunnel is active.

Warning: If DNS queries bypass the VPN, your ISP can see which websites you visit even though the rest of your traffic is encrypted. This is called a DNS leak. Setting the DNS field in your WireGuard config helps prevent this by directing queries through the tunnel. For full assurance, verify with an online DNS leak test after connecting — behavior can vary depending on your system’s resolver configuration.
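A static check of a client config can catch one common cause of the leak described above: a DNS server whose address is not routed into the tunnel. This is an added example, not part of the original tutorial; the configs are constructed excerpts using this series' addresses, with key lines omitted, and the function names are illustrative.

```python
import ipaddress

# Constructed client configs for illustration (key lines omitted).
FULL_TUNNEL = """
[Interface]
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""
SPLIT_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0", "10.0.0.0/24")
NO_DNS = FULL_TUNNEL.replace("DNS = 1.1.1.1\n", "")


def _values(config, key):
    """Collect comma-separated values for a key across all sections."""
    found = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            found += [v.strip() for v in value.split(",") if v.strip()]
    return found


def dns_leak_findings(config):
    """Return warnings for DNS settings that would not use the tunnel."""
    allowed = [ipaddress.ip_network(v, strict=False)
               for v in _values(config, "AllowedIPs")]
    servers = []
    for entry in _values(config, "DNS"):
        try:
            servers.append(ipaddress.ip_address(entry))
        except ValueError:
            continue  # wg-quick also accepts search domains here
    if not servers:
        return ["no DNS server set: system resolver stays in use"]
    return [f"DNS {s} is not covered by AllowedIPs: queries leave the tunnel"
            for s in servers if not any(s in net for net in allowed)]


if __name__ == "__main__":
    for name, cfg in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                      ("no-dns", NO_DNS)):
        print(name, dns_leak_findings(cfg) or "ok")
```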


Summary

The key concepts for the VPN tutorials:

  • IP addresses identify devices on a network — four numbers separated by dots
  • Private addresses (10.x.x.x, 172.16.x.x to 172.31.x.x, 192.168.x.x) are for local networks; public addresses are for the internet
  • CIDR notation (/24, /32, /0) defines how many addresses a range covers — /32 is one host, /0 is everything
  • Routing tables determine where traffic goes — more specific routes always win
  • Ports identify services on a device — WireGuard uses UDP port 51820
  • DNS translates domain names to IP addresses — VPN configs set a DNS server to prevent leaks

With these fundamentals in place, continue to Tutorial 01: WireGuard Client Setup to build your first VPN connection.
