DrayTek White Paper - VPN Overview

Virtual Private Networking (VPN) is an essential technology for using the inherrently insecure Internet to provide secure communication requirements. It provides the benefits of secure private point-to-point wide area networking (private networking), using the low cost and flexibility of the public Internet.

What makes the Internet 'inherrently insecure' ?

The original purpose of the Internet (Arpanet as it was) was to enable computer systems at different locations around the world to communicate with each other. Routers could determine how to reach the remote desination via multiple intermediate networks or routers. This provided both cost saving and resilience. The cost saving was because it replaced costly point-to-point links and resilience because in the event of one route failing, the desired destination could probably be reached via another route. The end result is that your data gets from Point-A to Point-Z, and it's all automatic and fast so that you don't need to worry that your data is actually travelling through points B,C,D,E,F,G etc. on the way.

When all Arpanet network members were owned by the American military, it was less of an issue that their data traffic might pass through other offices or networks as all offices were supposedly secure too. Since the evolution of the Internet, however, access is shared by millions of users and hundreds of thousands of ISPs, and your data could be passing through networks of anyone, and someone with sinister motives can capture, store and use that data.

The diagram on the right shows how the Internet works. Every device on the Internet, whether it's your own PC or a huge web service like Google has an IP address. The intermediate networks pass your data to the next 'hop' on the way to your destination. If you follow the red or green lines, you can see that your data is passing through several other public routers, and therefore through the hands of many unknown networks, any of whom could monitor and store your data without you ever knowing.

So, you can send data between your office and factory directly across the Internet, but you certainly wouldn't want to.

The Internet consists of hundreds of thousands of intermidiate routing points.

The Internet - How it routes

What does a VPN do?

A VPN, as the name suggests, uses the Internet to create a Virtual Private Network. Two remote sites, say your London and New York office can appear to have a private connection (route) between their two networks but actually, the data is passing over the Internet. Using a system called tunnelling, a device at each end packets up all data intended for the remote site, encrypts it and passes it to the remote site. Your computers all continue to operate within their private subnets which are behind your firewall. Those computers still cannot be reached from the outside world, except through the VPN tunnel, and that VPN tunnel has only two ends - one in your office, the other at your remote office.

Once you have a VPN, your network users can still access the Internet (surf the web) normally - all Internet traffic passes freely outside of the VPN tunnel. You can have multiple VPN tunnels, each one to a different remote location. The use of the word 'tunnel' is very helpful in understanding the concept; although the data is still passing over the public Internet, it's all inside the tunnel which cannot be decoded or intercepted by any of the intermediate Internet locations. Your data is secure.

How does one create a VPN?

A VPN endpoint is considered to be the end of each tunnel where the data is encrypted/decrypted by your VPN device inside your private network. DrayTek routers can create VPN tunnels, and endpoints at each site as required. The two remote networks must be within different private IP address ranges in order that the PCs and router at one site can determine that traffic is intended for the other site. For example, one network might be numbered in the IP subnet range 192.168.1.xxx and the other in 192.168.3.xxx.

Your VPN router is configured to know the network addresses of all remote networks and the VPN credentials (encryption keys, passwords, remote locations) so data can be passed through the right tunnel. There are several commonly used methods for encryption and encapsulation (tunnelling). The simplest is PPTP although that only has optional encryption, which isn't considered very secure. VPN tunnels use passwords for login, or a pre-shared key which is a secret phrase or sequesce of characters entered into the VPN device at each end. IPSec tunnelling, using 3DES or AES encryption is the most common method of tunnelling and encryption used today. These are highly secure encryption methods, with AES in particular considered 'military strength'. In addition to the encryption, methods of authentication (for example SHA1 or MD5) can be used during the setup stage (each time the tunnel is opened); this ensures the integrity of the key exchange.

DrayTek Example VPN Schematic

A VPN tunnel is instigated from one end (the 'dial-out') end, and the remote end (the 'dial-in' or end) accepts the connection. Regardless of which end initiates the connection, once the tunnel is created, it makes no difference and data can flow freely in either direction. The dial-in end should have either a fixed publicIP address, or some method to keep the other end updated of its current IP address (such as a Dynamic DNS updating service). To create a tunnel between our factory and head office, we simply need to decide on or find out the following information:

Location Factory Head Office

Dial-In or Dial-Out? Dial-Out (Instigates) Dial-In

Public IP Address of Router Dynamic 204.16.81.3

Private IP Subnet 192.168.1.0 192.168.3.0

Private Subnet Mask 255.255.255.0 255.255.255.0

Tunnelling Method IPSec

Encryption Method AES

Authentication MD5

Pre-Shared Key xf1YMWdu06VWbG3wPruNij4xjb76xV

Given the above information, the VPN device (e.g. DrayTek router!) at each end knows where it can send data, how to get there and the security credentials to use. Entering these details is very easy on each DrayTek router and your secure VPN tunnel is then set up by the router. The PCs (or servers/systems) at each end of the VPN link then jhave full access to each other, as required, whilst remaining fully firewalled from anyone else on the Internet.

For mobile users, you do not need to have another Vigor router to create a VPN tunnel into your office. You can use a software client (built into most operating systems) to create a teleworker VPN connection. This is ideal for mobile wireless hotspots for a single PC 'dialling in'. DrayTek routers support both LAN-to-LAN and teleworker VPN connections.

Using the VPN

Now that you have your remote networks or teleworkers connected through the encrypted tunnel, you can pass data between them. You can, for example access a remote resource like a shared network drive (example shown right). You can also access an SQL server or any other service running over TCP/IP.

Another common type of VPN traffic is Windows Terminal Services, Remote Desktop or other remote control facilities - i.e. replicating a remote PC's screen on your local computer.

Note : VPN is not limited to broadband users. Any Internet connection can carry a VPN, including ISDN and analogue dialup.

A Vigor router with VPN support can operate multiple VPN tunnels simultaneously - for example if you have five offices, you can have five VPN tunnels so that you can commuicate with all of them simultaneously. The DrayTek router will display the current VPN status so you can monitor traffic loads and activity, as shown below.

DrayTek VPN Status Screen

Summary of DrayTek VPN Features

Vigor routers with VPN capability provide a wide array of standard protocol support, providing flxible configuration options to suit your own prererences and good cross-compatiblity with other vendors products.

No 'per user' licencing for VPN users
Compatible with standard O/S VPN software clients
Supports multiple tunnels simultaneously
Multiple VPN Protocol support:
- Dial-in or dial-out, LAN-to-LAN or Teleworker-to-LAN
- Protocol support for PPTP, L2TP, IPSec
- Authentication : MD-5 & SHA-1, PAP and CHAP
- Encryption : MPPE, DES/3DES & AES
- PFS (Perfect Forward Secrecy) - Adds additional key protection
- Dead-Peer-Detection (Detects dead links for peerless connections)
- Pre-shared/IKE keying & and PKI (X.509) certificate support
- IKE Phase 1 Agressive/Main Modes & Phase 2 Selectable lifetimes
Radius Support for dial-in teleworker profiles
Tunnels selectable as dial-on-demand or always-on and direction selectable
Compatible with other leading 3rd party vendor VPN devices
IP Filtering within VPN Tunnels - allow/block specific LAN IP Addresses
Facilities/Support depends on Vigor model; please check model specification

3rd Party Vendor Compatibility

The Vigor routers have also been tested with VPN devices from other manufacturers. This includes Cisco™, Nokia™, Sonicwall™, Checkpoint™, ZyWall™ and Watchguard™ products.

To find a DrayTek router with the right line interface and VPN capability, you can check the Router Comparison Chart.

©2009. Reproduction prohibited without written permission. Specification subject to change at any time without notice. E&OE. All sales are subject to standard terms. Trademarks are acknowledged of their respective owners. No specific endorsement is implied by the mention of any particular service provider.