Virtual Private Networks
Setting up a VPN, a step by step guide
This guide will explain some of the uses, and show you how to set up your computer to connect to a VPN.
What is a VPN, and why would I want one?
Good question! A VPN is a way of getting the main benefit of a private network (privacy) without the expense of one. It lets a computer join a network over the public internet while still providing the confidentiality and authentication required for business-critical or privacy-critical applications.
Many companies are now equipping their networks with a VPN capability to allow their staff to "dial in" to the company network when either at home or on the road.
Important VPN security information
One thing to appreciate about a VPN is that when your computer joins one, it is, as the name suggests, networked to it. With this come all the security implications you get when you join any network, not only for your computer but for the network as well! Because the traffic inside the tunnel is encrypted, the firewalls and other filtering between you and the office cannot see into it, and the office network will trust your computer much as if it were plugged in on site; anything already running on your machine gets the same access you do. So be on your guard, and make sure adequate protection from viruses and other "malware" is in place before you make the VPN connection.
Types of VPN
A VPN can be as simple as one computer connecting to another. More commonly it will be one computer connecting to a network, say back at the office. It could also be one network being joined to another, for example a branch office connecting to head office. This document describes the common situation of a single computer connecting to an office network.
All VPNs are based on encryption. It is the encryption that ensures the information passed over the public internet remains private, even if someone were to be snooping on it along the way. The same cryptography also underpins authentication, i.e. making sure the people accessing your network are the ones who are allowed to.
Several tunnelling technologies exist for VPN use. Alphabet soup like PPTP, L2TP and IPsec gets bandied about. Here we will use the Point to Point Tunnelling Protocol (PPTP), but the principles, and in particular the routing discussed below, remain much the same for any of the technologies. One caveat: PPTP's usual authentication (MS-CHAPv2) and encryption (MPPE) have long been known to be weak, so treat it as a way of learning the mechanics rather than as protection for anything sensitive; if the server offers L2TP/IPsec or another modern option, use that.
Creating A VPN
We are going to focus on the creation of the "Client" side of the connection. We will leave the setting up of the server side to the network administrators for the moment!
When I connect to my office VPN, I can't access the internet. Why?
Because the VPN capability in Windows is based on dial-up networking, it is very easy to use. Not only does it take care of making the connection for you in the first place, it also gets on with the messy job of sorting out the routing needed to make sure that information that should go over the VPN actually gets there.
However, there is a weakness in this. The default assumption is that once you have made a connection, you will want all internet traffic from your computer sent down it. For a dial-up internet connection that is a good assumption, but for a VPN it means one of two things: either you lose the rest of the internet for as long as the VPN is up, or you still get internet access but now all your internet traffic is being passed through the office network at the far end of the VPN. This is often not what you want, and the way out of it is to untick "Use default gateway on remote network" in the advanced TCP/IP settings of the VPN connection. Bear in mind that doing so creates a "split tunnel": your computer is then attached to the untrusted local network and the office network at the same time, which is exactly what some administrators configure the default to avoid, so check before you change it.
OK, so I can see the internet, but now my VPN does not work! What went wrong?
Depending on how the administrator of the VPN server has configured it, you may in fact already have fully working access: Windows adds a route for the network the VPN address belongs to, so if that address sits in the same range as the rest of the office network, everything just works. However, if the address the VPN hands out does not match the rest of their network, there is a bit more work to do, so keep reading!
Your VPN connection itself should still connect just fine with the gateway option turned off. What has changed is that by turning off the option to use the VPN as the remote gateway, we have also told Windows that we will look after setting up the routing for the new connection without its help.
Routing and the secret life of a VPN
To see what is going on here, it is worth opening up a command prompt (Start | Programs | Accessories | Command prompt). There is a command called "route" that can tell us plenty about routing; "route print" displays the current routing table.
If you connect up to a VPN but allow Windows to handle the creation of the routing (i.e. you leave the "Use default gateway on remote network" option ticked), you will see that a bunch of new entries are made in the routing table, including a new default route pointing at the VPN interface.
That all looks horribly complicated, what now?
Don't panic, most of the entries that are made for us by Windows are there for completeness. We are unlikely to need all of them. In fact for most applications we only need one.
Before we can go adding new entries to the routing table, we need to work out what to add. If we make sure our VPN is connected and issue the "ipconfig" command, we should get most of the information we need.
That tells us our own address and also the address of the VPN (PPP adapter) interface. Alas, it does not tell us the address range of the network on the other end of the VPN. The network administrator for the VPN may need to tell you this! Just to add some extra interest, we are going to assume that the network we are connecting to uses the 192.168.10.0 range and is not part of the 172.16.16.0 range that the PPP address might imply.
In this example ipconfig reports the address of the PPP interface connected to the VPN as 172.16.16.172. Hence we need to add a route to the table such that any traffic intended for the 192.168.10.0 address space gets sent to that interface rather than to the default gateway (192.168.1.1) and thence the internet.
Now that we have the address of the network we are VPNing to and the address of the local interface that is connected to it, we can add our route with the "route add" command: "route add 192.168.10.0 mask 255.255.255.0 172.16.16.172", i.e. the remote network, its subnet mask, and the PPP address used as the gateway. You can confirm the entry with "route print".
Sorted! That now means that when we try to talk to a computer on the 192.168.10.0 subnet (say for example 192.168.10.23), it gets routed via the VPN interface.
Making the route persistent
One slight glitch with the above, if you use the VPN connection often, is that when you disconnect from the VPN Windows deletes the interface. In true Bagpuss tradition, when the interface gets deleted, all its friends get deleted too! Hence next time you want to use the VPN you would need to add the route again. The solution is to make the route "persistent". Simple enough with the addition of the "-p" switch on the route command: "route -p add 192.168.10.0 mask 255.255.255.0 172.16.16.172".
Windows will remember that route now (even after being turned off) until you delete it with the "route delete" command. One gotcha: you can only add a persistent route like this while the VPN is connected, because otherwise the route add command gives you an error, as the interface you are specifying as the target does not currently exist!
Houston we have a problem. I am on the same subnet!
Oops. We have assumed thus far that the network we are connecting to is on a different subnet to our own (i.e. we are on 192.168.1.0 and the remote one on 192.168.10.0). That makes it nice and easy since we can direct any traffic for any computer on the remote subnet to the VPN interface.
Given the popularity of the 192.168.1.0 address range for setting up small networks, however, there is a fair chance you will be sitting in an internet cafe on the end of a WiFi link trying to VPN back to your office, only to find you are both using the same subnet addresses. Since requests to reconfigure the complete network (at either end) are unlikely to be met with great favour, we need a workaround!
The solution is to be more precise in our specification of the remote network address. We can no longer use the blanket address for the whole network (a route for 192.168.1.0 via the VPN would compete with the route Windows already has for the local LAN, and whichever won would cut off the other), but must instead specify the individual computer we want to talk to in our route command. If we want to access more than one computer on the remote network we will need a route for each.
Say we wanted to talk to a remote computer with the address 192.168.1.25, our route command would now look like:
route add 192.168.1.25 mask 255.255.255.255 172.16.16.172
Note the mask parameter now has 255 on the end in place of the 0 used in the previous examples. This is because we are now specifying an individual computer's IP address rather than the block address of the whole network it is connected to, and a more specific route like this always wins over the less specific route for the whole 192.168.1.0 subnet.
The only case that won't work is if the computer you are trying to talk to has the same address as you! If so, try "ipconfig /release" followed by "ipconfig /renew". That may prompt the local LAN to give you a different address. If that still does not fix it, add a secondary IP address to your computer!
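The two routing cases above (a separate office subnet reached with one "route add", and the same subnet at both ends reached with a /32 per machine) both come down to how the routing table is consulted: the entry with the longest matching prefix wins, and the lowest metric breaks ties. The following script is an added example, not part of the original guide or of Windows; it models that lookup over a table built from the guide's own addresses (192.168.1.0/24 local LAN, 192.168.10.0/24 office, PPP address 172.16.16.172) and generates the corresponding "route add" commands. Our own LAN address (192.168.1.50) and the metrics are constructed for the illustration.

```python
import ipaddress

# Addresses from the guide; our own LAN address and the metrics are constructed.
LOCAL_GW = "192.168.1.1"     # the local (cafe / home) router, our default gateway
LOCAL_IF = "192.168.1.50"    # our own address on the local LAN (constructed)
PPP_IF = "172.16.16.172"     # address Windows assigned to the PPP (VPN) interface


def lookup(table, dest):
    """Pick the route for dest the way an IP stack does: the matching entry
    with the longest prefix wins and the lowest metric breaks ties.
    Table rows are (network, gateway, interface, metric)."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, gw, iface, metric in table:
        net = ipaddress.ip_network(net)
        if dest in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1], best[2]


def base_table():
    """What is left once 'Use default gateway on remote network' is unticked:
    a default route via the local router, the local LAN on-link, and the
    PPP address itself."""
    return [
        ("0.0.0.0/0", LOCAL_GW, LOCAL_IF, 25),
        ("192.168.1.0/24", "on-link", LOCAL_IF, 25),
        (PPP_IF + "/32", "on-link", PPP_IF, 25),
    ]


def route_add(network, mask, gateway=PPP_IF, persistent=False):
    """The Windows command line for one route ('route -p add' if persistent)."""
    flag = "-p " if persistent else ""
    return f"route {flag}add {network} mask {mask} {gateway}"


def plan_routes(local_net, remote_net, hosts=(), persistent=False):
    """Choose the commands the guide describes: one subnet route when the
    office range does not collide with the local LAN, otherwise one /32 host
    route per office machine we need. A machine that has our own address can
    never be reached (the guide's 'ipconfig /release' case), so refuse it."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    if not local.overlaps(remote):
        return [route_add(remote.network_address, remote.netmask,
                          persistent=persistent)]
    cmds = []
    for h in hosts:
        if ipaddress.ip_address(h) == ipaddress.ip_address(LOCAL_IF):
            raise ValueError(f"{h} is our own address; renew the local lease first")
        cmds.append(route_add(h, "255.255.255.255", persistent=persistent))
    return cmds


def apply(table, cmd, metric=26):
    """Add the effect of a 'route add' command to the table (metric constructed)."""
    parts = cmd.split()  # route [-p] add NET mask MASK GW
    net, mask, gw = parts[-4], parts[-2], parts[-1]
    prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return table + [(str(prefix), gw, gw, metric)]


if __name__ == "__main__":
    # 1. Office on a different subnet: one route for the whole 192.168.10.0 range.
    t = base_table()
    print("before:", lookup(t, "192.168.10.23"))       # default gateway, i.e. the internet
    for c in plan_routes("192.168.1.0/24", "192.168.10.0/24"):
        print(c)
        t = apply(t, c)
    print("after: ", lookup(t, "192.168.10.23"))       # now via the PPP interface
    # 2. Same subnet at both ends: a /32 per office machine, local LAN untouched.
    t = base_table()
    for c in plan_routes("192.168.1.0/24", "192.168.1.0/24", ["192.168.1.25"]):
        print(c)
        t = apply(t, c)
    print("office:", lookup(t, "192.168.1.25"))        # via the VPN
    print("router:", lookup(t, "192.168.1.1"))         # still on the local LAN
```

Running the blanket alternative through the same model shows why the guide insists on host routes when the subnets collide: a 192.168.1.0/24 route via the VPN ties with the on-link route on prefix length, so it either loses on metric and does nothing, or wins and drags 192.168.1.1, the router carrying the VPN itself, into the tunnel.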
What about a worked example?
OK, here goes... you have made your VPN connection, no errors have been reported, so what can you do with it? The answer is "it varies!". A little depends on how the server end is set up and what it exports to your end of the link. However, sharing files, drives and printers is a good start.
So let's say we have connected to a remote subnet on 192.168.10.0, where you know there is a computer on 192.168.10.20 that is sharing a printer, its CD-ROM drive, and a hard drive folder.
We can find out the names of the available shares on that computer with the "net view" command (giving it the computer's address, "net view \\192.168.10.20"), and attach to a share with the "net use" command. We can also browse the shared resources in Windows Explorer just as if they were local by passing the same \\192.168.10.20 path to the "start" command.
Type "net use /?" for help on the other uses of the command, such as specifying user names and passwords.
Copyright © 2021 Internode Ltd All Rights Reserved