Virtual Private Networks

Setting up a VPN, a step by step guide

This guide will explain some of the uses, and show you how to set up your computer to connect to a VPN.

What is a VPN, and why would I want one?

Good question! A VPN is a way of getting the benefits of a private network (i.e. privacy) without the expense. It lets you connect one computer to a network using the public internet, and yet still retains the security required for use in business-critical or privacy-critical applications.

Many companies are now equipping their networks with a VPN capability to allow their staff to "dial in" to the company network when either at home or on the road.

Important VPN security information

One thing to appreciate about a VPN, is that when your computer joins one, it is, as the name suggests, networked to it. With this comes all the security implications that you get when you join any network, not only for your computer, but for the network as well! The VPN by its very nature tunnels through many traditional security layers like firewalls. So be on your guard, and make sure adequate protection from viruses and other "malware" is in place before you make the VPN connection.

Types of VPN

A VPN can be as simple as one computer connecting to another. More commonly it will be one computer connecting to a network, say back at the office. It could also be one network being joined to another, for example a branch office connecting to head office. This document will describe the common situation of a single computer connecting to an office network.

All VPNs are based on encryption. It is the encryption that ensures the information passed over the public internet remains private, even if someone were to be snooping on it along the way. Encryption also allows secure authentication, i.e. making sure the people accessing your network are the ones who are allowed to.

Several encryption technologies exist for VPN use. Alphabet soup like PPTP, L2TP, and IPSEC gets bandied around. Here we will use the Point to Point Tunnelling Protocol (PPTP), but the principles remain much the same for any of the technologies.

Creating A VPN

We are going to focus on the creation of the "Client" side of the connection. We will leave the setting up of the server side to the network administrators for the moment!

First locate the My Network Places icon on your desktop, right click on it and choose "Properties".

This will display the list of network connections on your computer.

Click the "Add new connection" icon or link to start creating your VPN.

The first useful screen you see should look a bit like this.

(The options may be in a different order depending on which OS you are using)

Select the option for a VPN and click next.

Step through each dialog in sequence, answering the questions.

Here we choose a VPN connection.


Here you can name the VPN connection you are creating. Call it something that will tell you who or what remote system you will be talking to.


If you are on broadband, then you won't want to dial a connection first.

If you are still using dial-up, then you can choose to have the VPN connection automatically make a dial-up connection to the internet first. If you don't do this then you will need to remember to make a connection to the internet first before you can connect to the VPN.

This is the final step, we will now move on to the use of your new connection.

The first time you use your connection you will need to specify the user name and password that were given to you by your network administrator (or whoever runs the VPN!).

Click connect, and you should now get connected to your remote network.

Depending on what has been set up, you may be able to access files and printers, or read your office email!

When I connect to my office VPN, I can't access the internet. Why?

Because the VPN capability in Windows is based on dial-up networking, it is very easy to use. Not only does it take care of making the connection for you in the first place, it also gets on with the messy job of sorting out all the routing issues that are required to make sure that information that should be sent to the VPN actually gets there.

However, there is a weakness in this. The default assumption is that once you have made a connection, you will want all internet traffic sent by your computer to go to this connection. For an internet connection this is typically a good assumption; for a VPN, however, it may mean that you lose connection to the rest of the internet for as long as the VPN is in place, or alternatively you still get internet access, but now all your internet traffic is being passed through the system you are connected to via the VPN. This is often not what you want.

To fix this we need to make some configuration changes.

We need to learn a bit about what routing changes dial up networking makes for us, so that we can pick and choose which ones are right for us.

If you open your network and dial-up connections folder (see first step above), you should see the entry for your VPN:

Right click on this and select properties.

You should see a dialogue like this.


Click on the entry for "TCP/IP" in the list, and then click the "Properties" button.


Click on the "Advanced" button shown in the TCP/IP properties window and you should see this.

Now click on the "use default gateway on remote computer" checkbox to untick this option.

Click OK on each of the dialogs, and the change should now be made.


OK, so I can see the internet, but now my VPN does not work! What went wrong?

Now depending on how the administrator of the VPN server has configured it you may in fact have fully working access. However, if they have set it up so that the IP address that the VPN connection hands out does not match the rest of their network, there may be a bit more work to do - so keep reading!

In fact your new VPN connection should still connect just fine even with the gateway option turned off. However, by turning off the option to use the VPN as a remote gateway, we have also told Windows that we will look after setting up the routing to use our new connection without its help.

Routing and the secret life of a VPN

To see what is going on here, it is worthwhile opening up a command prompt (Start | Programs | Accessories | Command prompt). There is a command called "route" that can tell us plenty about routing:

Example Session Notes

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 20 ed 89 9a 4f ...... NVIDIA nForce MCP Networking Controller - Packet
Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.50 192.168.1.50 20
192.168.1.50 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.50 192.168.1.50 20
224.0.0.0 240.0.0.0 192.168.1.50 192.168.1.50 20
255.255.255.255 255.255.255.255 192.168.1.50 192.168.1.50 1
Default Gateway: 192.168.1.1
===========================================================================

The "route print" command will list all of the network interfaces the computer currently has (two are shown here) and also all the routes that are set up on the computer.

If you connect up to a VPN, but allow Windows to handle the creation of the routing (i.e. you leave the "use default gateway on remote computer" option ticked), you will see that a bunch of new entries are made in the routing table:

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 20 Ed 89 9a 4f ...... NVIDIA nForce MCP Networking Controller - Packet
Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.16.172 172.16.16.172 1
172.16.16.172 255.255.255.255 127.0.0.1 127.0.0.1 50
172.16.255.255 255.255.255.255 172.16.16.172 172.16.16.172 50
192.168.1.0 255.255.255.0 192.168.1.50 192.168.1.50 20
192.168.1.50 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.50 192.168.1.50 20
192.168.10.0 255.255.255.0 172.16.16.172 172.16.16.172 1
224.0.0.0 240.0.0.0 172.16.16.172 172.16.16.172 50
224.0.0.0 240.0.0.0 192.168.1.50 192.168.1.50 20
255.255.255.255 255.255.255.255 172.16.16.172 172.16.16.172 1
255.255.255.255 255.255.255.255 192.168.1.50 192.168.1.50 1
Default Gateway: 192.168.1.1
===========================================================================

Whoa! You can now see that a new network interface has been added (the "WAN (PPP/SLIP) Interface"), and several new entries have been made in the table to direct traffic to the new interface. You can also see that the "Metric" for the existing routes has been raised. This means that the original routes now get superseded by the new ones, because the new ones have a lower metric.

That all looks horribly complicated, what now?

Don't panic, most of the entries that are made for us by Windows are there for completeness. We are unlikely to need all of them. In fact for most applications we only need one.

Before we can go adding new bits to routing tables, we need to work out what to add. If we make sure our VPN is connected and issue the "ipconfig" command, we should get most of the information we need.

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Office:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 172.16.16.172
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :

C:\>

We need one more bit of information: the address of the network we are trying to talk to. The IP address of the PPP adapter may give this away, however this is not always the case. You may need to consult the systems administrator for the network in question.

That tells us our own address, and also the address of the VPN interface. Alas it does not always tell us the address of the computer network on the other end of the VPN. The network administrator for the VPN may need to tell you this! Just to add some extra interest, we are going to assume that the network we are connecting to has an address in 192.168.10.0 range and is not part of the 172.16.16.0 range the PPP address above might imply.

From the above we can see the address of the PPP interface that is connected to the VPN is 172.16.16.172. Hence we need to add a route to the table such that any traffic that is intended for the 192.168.10.0 address space gets sent to that interface rather than the default gateway and thence the internet (192.168.1.1).

Adding Routes

Now we have the address of the computer network we are VPNing to, and the address of the local interface that is connected to it, we can add our route with the "route add" command.

C:\>route add 192.168.10.0 mask 255.255.255.0 172.16.16.172

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 20 Ed 89 9a 4f ...... NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
0x40004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.50 192.168.1.50 20
192.168.1.50 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.50 192.168.1.50 20
224.0.0.0 240.0.0.0 192.168.1.50 192.168.1.50 20
255.255.255.255 255.255.255.255 192.168.1.50 192.168.1.50 1
192.168.10.0 255.255.255.0 172.16.16.172 172.16.16.172 1
Default Gateway: 192.168.1.1
===========================================================================

The route command says "all traffic that matches the 192.168.10.0 network, please send via the 172.16.16.172 interface"

Sorted! That will now mean that when we try to talk to a computer on the 192.168.10.0 subnet (say for example 192.168.10.23), it gets routed via the VPN interface.

Making the route persistent

One slight glitch with the above, if you use the VPN connection often, is that when you disconnect from the VPN Windows will delete the interface. In true Bagpuss tradition, when the interface gets deleted, all its friends get deleted too! Hence the next time you want to use the VPN you would need to add the route again. The solution to this is to make the route "persistent". Simple enough with the addition of the "-p" switch on the route command:

C:\>route add -p 192.168.10.0 mask 255.255.255.0 172.16.16.172

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 20 Ed 89 9a 4f ...... NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
0x40004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.50 192.168.1.50 20
192.168.1.50 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.50 192.168.1.50 20
224.0.0.0 240.0.0.0 192.168.1.50 192.168.1.50 20
255.255.255.255 255.255.255.255 192.168.1.50 192.168.1.50 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
192.168.10.0 255.255.255.0 172.16.16.172 1

Note the "-p" for a persistent or permanent route.

Windows will remember that route now (even after being turned off) until you delete it with the "route delete" command. One gotcha: you can only add a persistent route like this while the VPN is connected, because otherwise the route add command will give you an error, since the interface you are specifying as a target does not currently exist!

Houston we have a problem. I am on the same subnet!

Oops. We have assumed thus far that the network we are connecting to is on a different subnet to our own (i.e. we are on 192.168.1.0 and the remote one on 192.168.10.0). That makes it nice and easy since we can direct any traffic for any computer on the remote subnet to the VPN interface.

Given the popularity of the 192.168.1.0 address range for setting up small networks, however, there is a fair chance you will be sitting in an internet cafe on the end of a WiFi link trying to VPN back to your office, only to find you are both using the same subnet addresses. Since requests to reconfigure the complete network (at either end) are unlikely to be met with great favour, we need a workaround!

The solution is that we need to be more precise in our specification of the remote network address. We can no longer use the blanket address for the whole network, but must instead specify the individual computer we want to talk to with our route command. If we want to access more than one computer on the remote network we will need a route for each.

Say we wanted to talk to a remote computer with the address 192.168.1.25, our route command would now look like:

route add 192.168.1.25 mask 255.255.255.255 172.16.16.172

Note that the mask parameter also has an extra 255 on the end in place of the 0 used in previous examples. This is because we are now specifying an actual computer's individual IP address rather than the block address of the whole network it is connected to.
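To see why the entries in this section and the "Routing and the secret life of a VPN" section behave as they do, here is an added Python example (it is not code from the original guide). It parses the text that "route print" shows and replays Windows' route selection rule, longest matching prefix first with the lowest metric as the tie-break, so you can predict where a packet will go before you change the table. The sample table is the guide's own table from after the "route add 192.168.10.0" command, embedded as constructed input; the `add_route` and `tunnel_mode` helpers and the `VPN_IF` constant are this example's own names. `tunnel_mode` is the check a practitioner wants after ticking or unticking "use default gateway on remote computer": it reports whether all traffic, internet included, would leave through the VPN ("full") or only the routes you added ("split").

```python
"""Added example: replay Windows route selection over `route print` output.

Not code from the original guide.  Routes are chosen the way Windows does it:
the most specific (longest) prefix wins, and equal prefixes are ranked by
lowest metric.  The table below is constructed sample input copied from the
guide's output after `route add 192.168.10.0 mask 255.255.255.0 172.16.16.172`.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the guide's post-`route add` routing table.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.50 192.168.1.50 20
192.168.1.50 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.50 192.168.1.50 20
224.0.0.0 240.0.0.0 192.168.1.50 192.168.1.50 20
255.255.255.255 255.255.255.255 192.168.1.50 192.168.1.50 1
192.168.10.0 255.255.255.0 172.16.16.172 172.16.16.172 1
Default Gateway: 192.168.1.1
"""

# Address of the PPP (VPN) adapter, taken from the guide's ipconfig output.
VPN_IF = ipaddress.ip_address("172.16.16.172")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> list:
    """Keep only the five-column route rows; banners and headers are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        try:
            # ipaddress accepts "address/netmask", exactly as route print shows it.
            network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gateway = ipaddress.ip_address(parts[2])
            interface = ipaddress.ip_address(parts[3])
        except ValueError:
            continue
        routes.append(Route(network, gateway, interface, int(parts[4])))
    return routes


def lookup(routes, destination):
    """Return the route Windows would pick for `destination`."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        raise LookupError(f"no route to {destination}")
    # Longest prefix first; among equal prefixes the lowest metric wins.
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def add_route(routes, destination, mask, gateway, metric=1):
    """Model `route add <destination> mask <mask> <gateway>` for a gateway that
    is itself a local interface address, which is how the guide's VPN routes
    appear (gateway and interface columns both show 172.16.16.172)."""
    gw = ipaddress.ip_address(gateway)
    network = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
    return routes + [Route(network, gw, gw, metric)]


def tunnel_mode(routes, vpn_if=VPN_IF):
    """'full' when the preferred default route leaves via the VPN adapter (all
    traffic goes to the remote network), 'split' when only added routes do."""
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        return "none"
    preferred = min(defaults, key=lambda r: r.metric)
    return "full" if preferred.interface == vpn_if else "split"


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dst in ("192.168.10.23", "192.168.1.30", "203.0.113.9"):
        print(dst, "->", lookup(table, dst).interface)
    print("tunnel mode:", tunnel_mode(table))
    # Same-subnet workaround from the guide: a /32 host route beats the local /24.
    clashing = add_route(table, "192.168.1.25", "255.255.255.255", "172.16.16.172")
    print("192.168.1.25 ->", lookup(clashing, "192.168.1.25").interface)
    print("192.168.1.30 ->", lookup(clashing, "192.168.1.30").interface)
```

Run it on a pasted copy of your own "route print" output to see which interface a given destination would use; the same-subnet case shows why the /32 host route works even though 192.168.1.0/24 is also your local network.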

The only way that won't work is if the computer you are trying to talk to has the same address as you! If that is the case, try doing an "ipconfig /release" followed by "ipconfig /renew". That may prompt the local LAN to give you a different address. If that still does not fix it, add a secondary IP address to your computer!

What about a worked example?

OK, here goes... you have made your VPN connection, no errors have been reported, so what can you do with it? The answer is "it varies!". A little will depend on how the server end is set up and what information is exported to your end of the link. However, sharing files, drives, and printers is a good start.

So let's say we have connected to a remote subnet on 192.168.10.0, where you know there is a computer on 192.168.10.20 that is sharing a printer, its CD ROM drive, and a hard drive folder.

We can find out the name of the available file shares with a "net view" command, and attach to a service with the "net use" command. We can also browse the shared resources using Windows explorer just as if they were local by using the "start" command.

C:\>net view \\192.168.10.20
Shared resources at \\192.168.10.20

Share name   Type    Used as   Comment
-------------------------------------------------------------------------------
hpoffice     Print             hp officejet 7100 series
OfficeDocs   Disk
CDROM        Disk
The command completed successfully.

C:\>net use m: \\192.168.10.20\OfficeDocs
The command completed successfully.

C:\>start \\192.168.10.20\CDROM

C:\>

This is a list of the public shares.

This will mount the network drive as drive M locally.

The "Start" command will launch a Windows explorer browse window for the folder, you can then use the usual point and click tools for accessing the share.

Type "net use /?" to get help on the various other uses of the command such as specifying user names and passwords.
