DrayTek White Paper - VPN Overview
Virtual Private Networking (VPN) is an essential technology for using the inherently insecure Internet to meet secure communication requirements. It provides the benefits of secure private point-to-point wide area networking (private networking), using the low cost and flexibility of the public Internet.
What makes the Internet 'inherently insecure'?
The original purpose of the Internet (Arpanet as it was) was to enable computer systems at different locations around the world to communicate with each other. Routers could determine how to reach the remote destination via multiple intermediate networks or routers. This provided both cost saving and resilience: the cost saving because it replaced costly point-to-point links, and the resilience because in the event of one route failing, the desired destination could probably be reached via another route. The end result is that your data gets from Point-A to Point-Z, and it's all automatic and fast so that you don't need to worry that your data is actually travelling through points B, C, D, E, F, G etc. on the way.
What does a VPN do?
A VPN, as the name suggests, uses the Internet to create a Virtual Private Network. Two remote sites, say your London and New York offices, can appear to have a private connection (route) between their two networks but actually, the data is passing over the Internet. Using a system called tunnelling, a device at each end packages up all data intended for the remote site, encrypts it and passes it to the remote site. Your computers all continue to operate within their private subnets which are behind your firewall. Those computers still cannot be reached from the outside world, except through the VPN tunnel, and that VPN tunnel has only two ends - one in your office, the other at your remote office.
Once you have a VPN, your network users can still access the Internet (surf the web) normally - all Internet traffic passes freely outside of the VPN tunnel. You can have multiple VPN tunnels, each one to a different remote location. The use of the word 'tunnel' is very helpful in understanding the concept; although the data is still passing over the public Internet, it's all inside the tunnel which cannot be decoded or intercepted by any of the intermediate Internet locations. Your data is secure.
How does one create a VPN?
A VPN endpoint is considered to be the end of each tunnel where the data is encrypted/decrypted by your VPN device inside your private network. DrayTek routers can create VPN tunnels, and endpoints at each site as required. The two remote networks must be within different private IP address ranges in order that the PCs and router at one site can determine that traffic is intended for the other site. For example, one network might be numbered in the IP subnet range 192.168.1.xxx and the other in 192.168.3.xxx.
Your VPN router is configured to know the network addresses of all remote networks and the VPN credentials (encryption keys, passwords, remote locations) so data can be passed through the right tunnel. There are several commonly used methods for encryption and encapsulation (tunnelling). The simplest is PPTP, although that only has optional encryption, which isn't considered very secure. VPN tunnels use passwords for login, or a pre-shared key, which is a secret phrase or sequence of characters entered into the VPN device at each end. IPSec tunnelling, using 3DES or AES encryption, is the most common method of tunnelling and encryption used today. These are highly secure encryption methods, with AES in particular considered 'military strength'. In addition to the encryption, methods of authentication (for example SHA1 or MD5) can be used during the setup stage (each time the tunnel is opened); this ensures the integrity of the key exchange.
A VPN tunnel is instigated from one end (the 'dial-out' end), and the remote end (the 'dial-in' end) accepts the connection. Regardless of which end initiates the connection, once the tunnel is created it makes no difference, and data can flow freely in either direction. The dial-in end should have either a fixed public IP address, or some method to keep the other end updated with its current IP address (such as a Dynamic DNS updating service). To create a tunnel between our factory and head office, we simply need to decide on or find out the following information:
Given the above information, the VPN device (e.g. DrayTek router!) at each end knows where it can send data, how to get there and the security credentials to use. Entering these details is very easy on each DrayTek router and your secure VPN tunnel is then set up by the router. The PCs (or servers/systems) at each end of the VPN link then have full access to each other, as required, whilst remaining fully firewalled from anyone else on the Internet.
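The checks a LAN-to-LAN profile has to pass before the tunnel can work, as an added example (not DrayTek code or a Vigor router feature): the two sites must sit in different private ranges, a dial-out profile must know a fixed IP or DDNS hostname for the dial-in end, and PPTP or MD5 should be flagged as the weaker choices the paper describes. The profile field names, the sample profiles and the 16-character pre-shared key minimum are assumptions made for this example.

```python
import ipaddress

WEAK_TUNNEL = {"PPTP"}           # encryption is optional with PPTP; not considered very secure
WEAK_HASH = {"MD5"}              # MD5 is the weaker of the two hashes the paper names
STRONG_CIPHERS = {"3DES", "AES"}
MIN_PSK_LEN = 16                 # assumption for this example, not a DrayTek requirement


def check_profile(profile):
    """Return a list of problems that would stop a working, secure LAN-to-LAN tunnel."""
    problems = []
    local = ipaddress.ip_network(profile["local_subnet"], strict=False)
    remote = ipaddress.ip_network(profile["remote_subnet"], strict=False)
    # Each site must use a different private range so the router can tell which
    # traffic belongs to the far end of the tunnel (e.g. 192.168.1.x vs 192.168.3.x).
    if local.overlaps(remote):
        problems.append(f"subnet overlap: {local} and {remote}")
    for net in (local, remote):
        if not net.is_private:
            problems.append(f"{net} is not a private range")
    # The dial-out end needs a fixed public IP or a DDNS hostname for the dial-in end.
    if profile["direction"] == "dial-out" and not profile.get("remote_host"):
        problems.append("dial-out profile has no fixed IP or DDNS hostname for the dial-in end")
    if profile["tunnel"] in WEAK_TUNNEL:
        problems.append(f"{profile['tunnel']} tunnelling: encryption optional, not considered secure")
    if profile["tunnel"] == "IPSec":
        if profile.get("cipher") not in STRONG_CIPHERS:
            problems.append(f"IPSec cipher {profile.get('cipher')!r} is not 3DES or AES")
        if profile.get("auth") in WEAK_HASH:
            problems.append("MD5 authentication is weaker than SHA1")
        if len(profile.get("psk", "")) < MIN_PSK_LEN:
            problems.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    return problems


# Constructed sample profiles (hypothetical hostnames and key).
GOOD = {"local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.3.0/24",
        "direction": "dial-out", "remote_host": "hq.example-ddns.invalid",
        "tunnel": "IPSec", "cipher": "AES", "auth": "SHA1",
        "psk": "constructed-sample-key-2013"}
BAD = {"local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.1.0/24",
       "direction": "dial-out", "remote_host": "", "tunnel": "PPTP"}

if __name__ == "__main__":
    for name, prof in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_profile(prof) or "ok")
```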
For mobile users, you do not need to have another Vigor router to create a VPN tunnel into your office. You can use a software client (built into most operating systems) to create a teleworker VPN connection. This is ideal for mobile wireless hotspots for a single PC 'dialling in'. DrayTek routers support both LAN-to-LAN and teleworker VPN connections.
Summary of DrayTek VPN Features (varies by model)
Vigor routers with VPN capability provide a wide array of standard protocol support, providing flexible configuration options to suit your own preferences and good cross-compatibility with other vendors' products.
3rd Party Vendor Compatibility
The Vigor routers have also been tested with VPN devices from other manufacturers. This includes Cisco™, Barracuda™, Sonicwall™, Checkpoint™, Fortinet™, ZyWall™, Watchguard™ and most other major vendors.
To find a DrayTek router with the right line interface and VPN capability, you can check the Router Comparison Chart.
©2013. Reproduction prohibited without written permission. Specification subject to change at any time without notice. E&OE. All sales are subject to standard terms. Trademarks are acknowledged of their respective owners. No specific endorsement is implied by the mention of any particular service provider.