The concept of a VPN is very simple. It is a protected communication channel over an unprotected public thoroughfare. It is analogous to an armored vehicle traveling over public roads. At the top level, a VPN consists of a small number of components, illustrated below:
In this diagram, there are two private Intranets connected via the VPN. The VPN is created by the two VPN Gateways over the public Internet.
A VPN works by encapsulating data for one network inside an ordinary IP packet and transporting that packet to another network. When the packet arrives at the destination network, it is unwrapped and delivered to the appropriate host on that network. Because the encapsulation uses cryptographic techniques, the data is protected from tampering and snooping while it is transported over the public network.
Unfortunately, this same protection against tampering makes it difficult to set up a VPN when the security perimeter is protected by an address-translation firewall such as IPCop: the address rewriting that the firewall performs is indistinguishable, to the VPN, from tampering. The solution is to implement the VPN on the firewall itself and allow it to straddle both sides, so that it can capture packets from the GREEN network and pass them, encapsulated, over the Internet without their being altered by the address-translation part of the firewall.
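A toy model of the encapsulation and of the address-translation conflict described above, added here as an example (it is not IPCop's code and not the protocol IPCop uses): the integrity tag covers the outer addresses as well as the whole inner packet, so a VPN gateway placed on a GREEN host behind the NAT firewall emits packets that fail verification at the far end, while a gateway running on the firewall itself does not. The key and all addresses are constructed values.

```python
import hashlib
import hmac
import ipaddress

# Constructed pre-shared key for the two VPN gateways (example value only).
GATEWAY_KEY = b"example-preshared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 digest length


def addr(a: str) -> bytes:
    """4-byte network-order form of a dotted-quad IPv4 address."""
    return ipaddress.IPv4Address(a).packed


def build_inner(src: str, dst: str, payload: bytes) -> bytes:
    """Stand-in for a GREEN-network IP packet: source, destination, payload."""
    return addr(src) + addr(dst) + payload


def encapsulate(inner: bytes, outer_src: str, outer_dst: str, key: bytes = GATEWAY_KEY) -> bytes:
    """Wrap the inner packet in an outer, gateway-to-gateway packet.
    The tag covers the outer addresses and the entire inner packet, so any
    later change to either is detected by the receiving gateway."""
    header = addr(outer_src) + addr(outer_dst)
    tag = hmac.new(key, header + inner, hashlib.sha256).digest()
    return header + tag + inner


def decapsulate(outer: bytes, key: bytes = GATEWAY_KEY):
    """Verify the tag and unwrap; returns (inner_src, inner_dst, payload), or None if altered."""
    header, tag, inner = outer[:8], outer[8:8 + TAG_LEN], outer[8 + TAG_LEN:]
    expected = hmac.new(key, header + inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # outer header or inner packet changed in transit
    return (str(ipaddress.IPv4Address(inner[:4])), str(ipaddress.IPv4Address(inner[4:8])), inner[8:])


def nat_translate(outer: bytes, public_src: str) -> bytes:
    """What the address-translation firewall does to an outgoing packet: rewrite its source."""
    return addr(public_src) + outer[4:]


def demo():
    inner = build_inner("192.168.1.10", "10.0.0.5", b"hello")
    # VPN gateway on a GREEN host: the firewall then rewrites the outer source address.
    behind_nat = nat_translate(encapsulate(inner, "192.168.1.1", "203.0.113.9"), "198.51.100.2")
    # VPN gateway on the firewall: the outer packet already carries the public address.
    on_firewall = encapsulate(inner, "198.51.100.2", "203.0.113.9")
    return decapsulate(behind_nat), decapsulate(on_firewall)


if __name__ == "__main__":
    print(demo())  # (None, ('192.168.1.10', '10.0.0.5', b'hello'))
```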