DrayTek

Virtual Private Networking (VPN) is an essential technology for meeting secure communication requirements over the inherently insecure Internet. It provides the benefits of secure private point-to-point wide area networking (private networking), using the low cost and flexibility of the public Internet.

What makes the Internet 'inherently insecure'?

The original purpose of the Internet (Arpanet as it was) was to enable computer systems at different locations around the world to communicate with each other. Routers could determine how to reach the remote destination via multiple intermediate networks or routers. This provided both cost saving and resilience. The cost saving was because it replaced costly point-to-point links and resilience because in the event of one route failing, the desired destination could probably be reached via another route. The end result is that your data gets from Point-A to Point-Z, and it's all automatic and fast so that you don't need to worry that your data is actually travelling through points B,C,D,E,F,G etc. on the way.

The Internet consists of hundreds of thousands of intermediate routing points.
The Internet - How it routes

When all Arpanet network members were owned by the American military, it was less of an issue that their data traffic might pass through other offices or networks as all offices were supposedly secure too. Since the evolution of the Internet, however, access is shared by millions of users and hundreds of thousands of ISPs, and your data could be passing through networks of anyone, and someone with sinister motives can capture, store and use that data.

The diagram on the right shows how the Internet works. Every device on the Internet, whether it's your own PC or a huge web service like Google has an IP address. The intermediate networks pass your data to the next 'hop' on the way to your destination. If you follow the red or green lines, you can see that your data is passing through several other public routers, and therefore through the hands of many unknown networks, any of whom could monitor and store your data without you ever knowing.

So, you can send data between your office and factory directly across the Internet, but you certainly wouldn't want to.

What does a VPN do?

A VPN, as the name suggests, uses the Internet to create a Virtual Private Network. Two remote sites, say your London and New York office can appear to have a private connection (route) between their two networks but actually, the data is passing over the Internet. Using a system called tunnelling, a device at each end packets up all data intended for the remote site, encrypts it and passes it to the remote site. Your computers all continue to operate within their private subnets which are behind your firewall. Those computers still cannot be reached from the outside world, except through the VPN tunnel, and that VPN tunnel has only two ends - one in your office, the other at your remote office.

Once you have a VPN, your network users can still access the Internet (surf the web) normally - all Internet traffic passes freely outside of the VPN tunnel. You can have multiple VPN tunnels, each one to a different remote location. The use of the word 'tunnel' is very helpful in understanding the concept; although the data is still passing over the public Internet, it's all inside the tunnel which cannot be decoded or intercepted by any of the intermediate Internet locations. Your data is secure.

Using Insecure Guest/Public Internet connections

For example, if you go to a coffee shop or hotel or any other place with public or guest Internet access, any computers using that same access have access to all of your sent and received data because they are on the same network.  Any user can 'sniff' and capture your data, including emails and web site data.  Even if the network is using wireless encryption, anyone else can still see your data because they too know the encryption key.  Some web sites and mail servers will use encryption (e.g. TLS/HTTPS) which reduces the risk - your data is encrypted, though sniffers can still see which IP addresses you visit.

A common use of VPNs, therefore, is to provide security to all of your traffic when using these public Internet facilities. You can force all of your Internet data down the encrypted VPN tunnel and then make use of your HQ's Internet connectivity for onward communication.

Creating a VPN

A VPN endpoint is considered to be the end of each tunnel where the data is encrypted/decrypted by your VPN device inside your private network. DrayTek routers can create VPN tunnels, and endpoints at each site as required. The two remote networks must be within different private IP address ranges in order that the PCs and router at one site can determine that traffic is intended for the other site. For example, one network might be numbered in the IP subnet range 192.168.1.xxx and the other in 192.168.3.xxx.

Your VPN router is configured to know the network addresses of all remote networks and the VPN credentials (encryption keys, passwords, remote locations) so data can be passed through the right tunnel. There are several commonly used methods for encryption and encapsulation (tunnelling). The simplest is PPTP although that only has optional encryption, which isn't considered very secure. VPN tunnels use passwords for login, or a pre-shared key which is a secret phrase or sequence of characters entered into the VPN device at each end. IPSec tunnelling, using AES encryption, is the most common method of tunnelling and encryption used today. These are highly secure encryption methods, with AES in particular considered 'military strength'.

DrayTek Example VPN Schematic

A VPN tunnel is instigated from one end (the 'dial-out' end), and the remote end (the 'dial-in' end) accepts the connection. Regardless of which end initiates the connection, once the tunnel is created it makes no difference, and data can flow freely in either direction. The dial-in end should have either a fixed public IP address, or some method to keep the other end updated of its current IP address (such as a Dynamic DNS updating service). To create a tunnel between our factory and head office, we simply need to decide on or find out the following information:

| Location | Factory | Head Office |
|---|---|---|
| Dial-In or Dial-Out? | Dial-Out (Instigates) | Dial-In |
| Public IP Address of Router | Dynamic | 204.16.81.3 |
| Private IP Subnet | 192.168.1.0 | 192.168.3.0 |
| Private Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Tunnelling Method | IPSec | IPSec |
| Encryption Method | AES | AES |
| Authentication | MD5 | MD5 |
| Pre-Shared Key | xf1YMWdu06VWbruNij4xjb76xV | xf1YMWdu06VWbruNij4xjb76xV |

Given the above information, the VPN device (e.g. DrayTek router!) at each end knows where it can send data, how to get there and the security credentials to use. Entering these details is very easy on each DrayTek router and your secure VPN tunnel is then set up by the router. The PCs (or servers/systems) at each end of the VPN link then have full access to each other, as required, whilst remaining fully firewalled from anyone else on the Internet.
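The checks described above (different private ranges at each site, a reachable dial-in end, and traffic for the remote subnet going into the tunnel while everything else goes to the Internet) can be written as a small pre-flight script. This is an added example, not DrayTek code; the field names and the `check_plan` and `route` helpers are hypothetical, and the addresses are those from the table.

```python
import ipaddress

# Constructed plan mirroring the factory / head office table above.
# Field names are hypothetical; they are not DrayTek configuration keys.
PLAN = {
    "factory":     {"role": "dial-out", "public_ip": None,   # dynamic address
                    "subnet": "192.168.1.0", "mask": "255.255.255.0"},
    "head_office": {"role": "dial-in", "public_ip": "204.16.81.3", "ddns": None,
                    "subnet": "192.168.3.0", "mask": "255.255.255.0"},
}

def lan(site):
    """Return the site's private LAN as an ip_network object."""
    return ipaddress.ip_network(f"{site['subnet']}/{site['mask']}")

def check_plan(plan, tunnelling="IPSec"):
    """Return a list of problems that would stop the tunnel working as intended."""
    problems = []
    names = list(plan)
    for name in names:
        site = plan[name]
        if not lan(site).is_private:
            problems.append(f"{name}: LAN {lan(site)} is not a private range")
        # The dial-in end must be findable: fixed public IP or Dynamic DNS.
        if site["role"] == "dial-in" and not (site.get("public_ip") or site.get("ddns")):
            problems.append(f"{name}: dial-in end needs a fixed IP or Dynamic DNS")
    # Every pair of sites must use different private ranges, otherwise a
    # router cannot tell local traffic from traffic meant for the tunnel.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if lan(plan[a]).overlaps(lan(plan[b])):
                problems.append(f"{a}/{b}: LANs {lan(plan[a])} and {lan(plan[b])} overlap")
    if tunnelling.upper() == "PPTP":
        problems.append("PPTP encryption is only optional; prefer IPSec with AES")
    return problems

def route(plan, local, dest_ip):
    """Say where a packet sent from site `local` goes: a tunnel, the LAN or the Internet."""
    dest = ipaddress.ip_address(dest_ip)
    for name, site in plan.items():
        if name != local and dest in lan(site):
            return f"tunnel:{name}"
    return "local" if dest in lan(plan[local]) else "internet"

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
    for ip in ("192.168.3.20", "192.168.1.5", "8.8.8.8"):
        print(ip, "->", route(PLAN, "factory", ip))
```
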

Teleworker VPNs

For mobile users - a person using a single laptop or other device remotely - you do not need to have another Vigor router to create a VPN tunnel into your office. You can use a software VPN client (which is built into all modern operating systems) to create a teleworker VPN connection.

Using the VPN

VPN Remote Folder

Now that you have your remote networks or teleworkers connected through the encrypted tunnel, you can pass data between them. You can, for example access a remote resource like a shared network drive (example shown right) though the efficiency of that will depend on your connection speed - moving large files takes a lot longer than if you're local on the Ethernet LAN. You can also access an SQL server, mail server or any other service running over TCP/IP.

However, the most common type of VPN traffic is remote access - Windows Terminal Services, Remote Desktop or other remote control facilities - i.e. replicating a remote PC's screen on your local computer.

A DrayTek router with VPN support can operate multiple VPN tunnels simultaneously - for example if you have five offices, you can have five VPN tunnels so that you can communicate with all of them simultaneously. The DrayTek router will display the current VPN status so you can monitor traffic loads and activity, as shown below.

DrayTek VPN Status Screen

Summary of DrayTek VPN Features

Vigor routers with VPN capability provide a wide array of standard protocol support, providing flexible configuration options to suit your own preferences and good cross-compatibility with other vendors' products.

  • No 'per user' licencing for VPN users
  • Compatible with standard O/S VPN software clients
  • Supports multiple tunnels simultaneously
  • VPN Trunking & VPN Backup
  • Multiple VPN Protocol support:
    • Dial-in or dial-out, LAN-to-LAN or Teleworker-to-LAN
    • Protocol support for PPTP, L2TP, IPSec
    • Authentication : MD-5 & SHA-1, PAP and CHAP
    • Encryption : MPPE, DES/3DES & AES
    • PFS (Perfect Forward Secrecy) - Adds additional key protection
    • Dead-Peer-Detection (Detects dead links for peerless connections)
    • Pre-shared/IKE keying and PKI (X.509) certificate support
    • IKE Phase 1 Aggressive/Main Modes & Phase 2 Selectable lifetimes
  • Radius Support for dial-in teleworker profiles
  • Tunnels selectable as dial-on-demand or always-on and direction selectable
  • Compatible with other leading 3rd party vendor VPN devices
  • IP Filtering within VPN Tunnels - allow/block specific LAN IP Addresses
  • Facilities/Support depends on Vigor model; please check model specification

3rd Party Vendor Compatibility

The Vigor routers' VPN facilities are also compatible with VPN facilities on all other manufacturers' devices. They have also been tested with VPN devices so you can have products from different vendors at each end.


To find a DrayTek router with the right line interface and VPN capability, you can check the Router Comparison Chart.