Setting up a VPN server network

 
 
Martin Underwood

 
      03-24-2006, 09:14 PM
I've been asked to advise on how to set up a VPN (virtual private network)
to allow someone to access his computer at work over the internet from his
laptop at home or elsewhere away from his office network. What he'd like to
do is access shared drives on the desktop PC at work, though if this is not
possible, remote desktop *might* be an acceptable substitute.

What is involved in doing this? I presume he needs a router which supports
VPN server endpoints and suitable software on the desktop PC at work and on
the laptop. The work PC is running XP Pro and the laptop is running either
XP Home or Pro (I forget which).

Does the ISP need to do anything to enable VPNs, or is it simply a router
and software issue? Does the Linksys WAG54G support VPN server (as opposed
to VPN client, as the remote laptop end of the VPN)?


 
 
 
 
 
David Rance

 
      03-25-2006, 10:38 AM
On Fri, 24 Mar 2006 Martin Underwood wrote:

>I've been asked to advise on how to set up a VPN (virtual private network)
>to allow someone to access his computer at work over the internet from his
>laptop at home or elsewhere away from his office network. What he'd like to
>do is access shared drives on the desktop PC at work, though if this is not
>possible, remote desktop *might* be an acceptable substitute.


I wanted to set up a VPN to my network at home from France but it seemed
rather too complicated. Microsoft's VPN allows you to access the drives
only on the computer to which you are connecting.

Someone suggested I try Remote Desktop. It was simple to set up and
works a dream. I can even access drives on all the computers in the
network from remote. Just make sure you poke a hole through the firewall
at port 3389.

David

--
David Rance (E-Mail Removed) http://www.mesnil.demon.co.uk
Fido Address: 2:252/110 writing from Caversham, Reading, UK

 
 
Jon

 
      03-27-2006, 08:39 AM
(E-Mail Removed) declared for all the world to hear...
> I've been asked to advise on how to set up a VPN (virtual private network)
> to allow someone to access his computer at work over the internet from his
> laptop at home or elsewhere away from his office network. What he'd like to
> do is access shared drives on the desktop PC at work, though if this is not
> possible, remote desktop *might* be an acceptable substitute.
>
> What is involved in doing this? I presume he needs a router which supports
> VPN server endpoints and suitable software on the desktop PC at work and on
> the laptop. The work PC is running XP Pro and the laptop is running either
> XP Home or Pro (I forget which).
>
> Does the ISP need to do anything to enable VPNs, or is it simply a router
> and software issue? Does the Linksys WAG54G support VPN server (as opposed
> to VPN client, as the remote laptop end of the VPN)?


XP Pro can terminate an incoming VPN connection, if there's only one PC
in the office then there's no actual need for a router, although it
would make things easier.

XP Pro also has a built-in VPN "dialler" to make outgoing connections,
so again there's no need for a router with VPN endpoint support, just
VPN passthrough which most do.

He will also need access to and control over the network hardware in the
office, this will probably be the sticking point.
--
Regards
Jon
 
 
Martin Underwood

 
      03-27-2006, 08:47 AM
Jon wrote in
(E-Mail Removed):

> (E-Mail Removed) declared for all the world to hear...


> XP Pro can terminate an incoming VPN connection, if there's only one
> PC in the office then there's no actual need for a router, although it
> would make things easier.
>
> XP Pro also has a built-in VPN "dialler" to make outgoing connections,
> so again there's no need for a router with VPN endpoint support, just
> VPN passthrough which most do.
>
> He will also need access to and control over the network hardware in
> the office, this will probably be the sticking point.


He currently has two PCs: a desktop that stays in the office and a laptop
that he sometimes uses in the office and sometimes uses on the road (he's
thinking of getting a Vodafone card) or at home. So he needs a router in
order for both PCs to access the internet and also to act as a hub for a
network-connected printer.

He only needs to access the shared files on that desktop PC.

Given that he needs a router rather than just a simple ADSL modem, what
feature should I be looking for in the router's spec? Is it called "VPN
server"?

Is the configuration of XP Pro's VPN documented anywhere - is there a good
introductory guide anywhere on the web?

Would a PC that was being accessed by VPN need to be given a static IP as if
it was a server, or can it be given one by DHCP from the router? Will I be
setting up a static route in the router so traffic on a specific port is
routed to a specific IP?

I've warned him that any time he wants to use the PC from outside the
office, it will need to be switched on.


 
 
Jon

 
      03-27-2006, 12:52 PM
(E-Mail Removed) declared for all the world to hear...
> Given that he needs a router rather than just a simple ADSL modem, what
> feature should I be looking for in the router's spec? Is it called "VPN
> server"?


Yes. I use a Draytek Vigor 2600VG which can act as a VPN server and can
also initiate outgoing (lan-lan) connections. It's very configurable and
rock solid. Costs a bit more than a bog standard router but well worth
it. It also has a built-in USB port and print server but I've not yet
tried to make this work so I don't know how good it is.

> Is the configuration of XP Pro's VPN documented anywhere - is there a good
> introductory guide anywhere on the web?


http://www.microsoft.com/windowsxp/u...pert/vpns.mspx

> Would a PC that was being accessed by VPN need to be given a static IP as if
> it was a server, or can it be given one by DHCP from the router?


You could do either, as long as the router is capable of "fixing", i.e.
assigning the same IP to each PC whenever it connects (most routers can
do this or do this automatically). That would be the tidiest solution I
think. No harm in switching off DHCP on the router and assigning a
static IP though.

> Will I be
> setting up a static route in the router so traffic on a specific port is
> routed to a specific IP?


If you use the router as your incoming VPN server then there's nothing
else to configure AFAIK. If you were to use the actual PC to terminate
the incoming VPN connection then you would need to forward ports to that
PC (not sure which ports though, the service would be called PTPP which
I think stands for point to point protocol).

If using XPSP2 the windows firewall will automatically be configured to
allow the incoming connections, but if you have anything else in the way
(other firewall, router) then you'll need to tweak those to allow the
traffic through.
--
Regards
Jon
 
 
Martin Underwood

 
      03-27-2006, 02:31 PM
Jon wrote in message
(E-Mail Removed):

> (E-Mail Removed) declared for all the world to hear...
>> Given that he needs a router rather than just a simple ADSL modem,
>> what feature should I be looking for in the router's spec? Is it
>> called "VPN server"?

>
> Yes. I use a Draytek Vigor 2600VG which can act as a VPN server and
> can also initiate outgoing (lan-lan) connections. It's very
> configurable and rock solid. Costs a bit more than a bog standard
> router but well worth it. It also has a built-in USB port and print
> server but I've not yet tried to make this work so I don't know how
> good it is.
>
>> Is the configuration of XP Pro's VPN documented anywhere - is there
>> a good introductory guide anywhere on the web?

>
> http://www.microsoft.com/windowsxp/u...pert/vpns.mspx
>
>> Would a PC that was being accessed by VPN need to be given a static
>> IP as if it was a server, or can it be given one by DHCP from the
>> router?

>
> You could do either, as long as the router is capable of "fixing",
> i.e. assigning the same IP to each PC whenever it connects (most
> routers can do this or do this automatically). That would be the
> tidiest solution I think. No harm in switching off DHCP on the router
> and assigning a static IP though.
>
>> Will I be
>> setting up a static route in the router so traffic on a specific
>> port is routed to a specific IP?

>
> If you use the router as your incoming VPN server then there's nothing
> else to configure AFAIK. If you were to use the actual PC to terminate
> the incoming VPN connection then you would need to forward ports to
> that PC (not sure which ports though, the service would be called
> PTPP which I think stands for point to point protocol).
>
> If using XPSP2 the windows firewall will automatically be configured
> to allow the incoming connections, but if you have anything else in
> the way (other firewall, router) then you'll need to tweak those to
> allow the traffic through.


This looks easier than I thought. I think I'd probably define the router,
rather than the PC at work, as the VPN endpoint.

Let me check that I've understood the process correctly:

1. I need a router that is capable of VPN server such as the Draytek Vigor
2600VG (obsolete model) or 2800VG (current model).

2. Am I right in thinking that the ISP needs to assign a static IP to the
router's public WAN connection, rather than the more normal dynamic IP? Do
most ISPs offer this option - the customer's is Wanadoo.

3. At the router, I presumably set up a username and password for the VPN
endpoint.

4. At the client PC (eg the laptop out in the field), I define the VPN
client connection as described in
http://www.microsoft.com/windowsxp/u...pert/vpns.mspx, giving
the router's public IP (Step 2) and the VPN username/password (Step 3).

5. Once connected, does the PC effectively become part of the LAN at work,
including being assigned a suitable IP on the work LAN, with access to
shared resources on the LAN (PCs, printers) exactly the same as if it was in
the office and connected by Ethernet or wireless?

6. Would there be a problem if the client PC is on a LAN (eg at home) which
has IPs in the same subnet range as the private LAN at work? For example, if
the home LAN uses IPs in the 192.168.0.x range, with its router as
192.168.0.1, and the work LAN also uses 192.168.0.x as its private LAN range
(obviously the WAN IP will be whatever the ISP allocates - it's the private
LAN address I'm talking about).

I think both work and laptop PCs use just the Microsoft SP2 firewall, but
for any other software firewall such as Norton or for the firewall in a
router at home, is it the PPTP port that needs to be opened up to
bi-directional traffic?


 
 
StewartB

 
      03-28-2006, 11:10 PM

> 1. I need a router that is capable of VPN server such as the Draytek Vigor
> 2600VG (obsolete model) or 2800VG (current model).


http://www.3com.com/prod/en_UK_EMEA/...&sku=3CR860-95
I use a 3com one but with a cable modem, this model would need a
separate ADSL modem for Wanadoo but they might make a combined one.
>


> 2. Am I right in thinking that the ISP needs to assign a static IP to the
> router's public WAN connection, rather than the more normal dynamic IP? Do
> most ISPs offer this option - the customer's is Wanadoo.

Not always. Some routers support dynamic DNS services (my 3com one
does). With these you sign up for a free account and enter the details
into the router and it automatically assigns your current IP address to
a hostname such as myhomerouter.dyndns.org and this would be the
address you would use for the VPN connection. Have a look at
ww.dyndns.org for details although there are others.

> 3. At the router, I presumably set up a username and password for the VPN
> endpoint.

You can normally set up more than one account as well....

> 5. Once connected, does the PC effectively become part of the LAN at work,
> including being assigned a suitable IP on the work LAN, with access to
> shared resources on the LAN (PCs, printers) exactly the same as if it was in
> the office and connected by Ethernet or wireless?
>

Yes

 
 
Jon

 
      03-29-2006, 06:32 AM
a@b declared for all the world to hear...
> 1. I need a router that is capable of VPN server such as the Draytek Vigor
> 2600VG (obsolete model) or 2800VG (current model).


Yes.

> 2. Am I right in thinking that the ISP needs to assign a static IP to the
> router's public WAN connection, rather than the more normal dynamic IP? Do
> most ISPs offer this option - the customer's is Wanadoo.


Static IP is very helpful although not absolutely essential (google for
"dynamic DNS" if you can't get static IP). With a router solution you're
likely to leave that on 24/7 anyway. I don't know if Wanadoo give static
IPs.

> 3. At the router, I presumably set up a username and password for the VPN
> endpoint.


Yes. The draytek has many profiles possible so you can configure more
than one. You can also choose whether the router uses DHCP to dish out
IPs to incoming VPNs or you can use manual assignment. You can also
specify the IP range for incoming VPN clients.

> 4. At the client PC (eg the laptop out in the field), I define the VPN
> client connection as described in
> http://www.microsoft.com/windowsxp/u...pert/vpns.mspx, giving
> the router's public IP (Step 2) and the VPN username/password (Step 3).


Yep.

> 5. Once connected, does the PC effectively become part of the LAN at work,
> including being assigned a suitable IP on the work LAN, with access to
> shared resources on the LAN (PCs, printers) exactly the same as if it was in
> the office and connected by Ethernet or wireless?


Yep. That's been my experience so far anyway.

> 6. Would there be a problem if the client PC is on a LAN (eg at home) which
> has IPs in the same subnet range as the private LAN at work? For example, if
> the home LAN uses IPs in the 192.168.0.x range, with its router as
> 192.168.0.1, and the work LAN also uses 192.168.0.x as its private LAN range
> (obviously the WAN IP will be whatever the ISP allocates - it's the private
> LAN address I'm talking about).


No, the router will take care of that in any case.

> I think both work and laptop PCs use just the Microsoft SP2 firewall, but
> for any other software firewall such as Norton or for the firewall in a
> router at home, is it the PPTP port that needs to be opened up to
> bi-directional traffic?


Only incoming. Replied-to traffic is usually allowed through.
--
Regards
Jon
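
Added example, not part of the thread: question 6 asks about the home and work LANs both using 192.168.0.x, in which case an address such as 192.168.0.10 can refer to a host on either LAN from the laptop's side. The Python below checks two ranges for overlap, lists office hosts whose addresses also fall inside the client's local range, and picks an office range away from common home-router defaults. The /24 masks, host addresses and function names are assumptions.

```python
import ipaddress

# Constructed sample values (assumptions; only the 192.168.0.x range is from the thread).
HOME_LAN = "192.168.0.0/24"          # laptop's home LAN, /24 mask assumed
WORK_LAN = "192.168.0.0/24"          # office LAN, /24 mask assumed
WORK_HOSTS = {"desktop": "192.168.0.10", "printer": "192.168.0.20"}
COMMON_HOME_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24"]


def overlap(a, b):
    """Return the shared range of two CIDR networks as a string, or None."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if not na.overlaps(nb):
        return None
    # Two CIDR blocks overlap only when one contains the other,
    # so the shared range is the more specific (longer-prefix) block.
    return str(na if na.prefixlen >= nb.prefixlen else nb)


def ambiguous_hosts(client_lan, remote_hosts):
    """Names of remote hosts whose address also lies inside the client's own LAN."""
    lan = ipaddress.ip_network(client_lan)
    return sorted(name for name, ip in remote_hosts.items()
                  if ipaddress.ip_address(ip) in lan)


def pick_subnet(avoid, pool="192.168.0.0/16", prefix=24):
    """First subnet of the given size in `pool` that overlaps none of `avoid`."""
    avoid_nets = [ipaddress.ip_network(n) for n in avoid]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(n) for n in avoid_nets):
            return str(cand)
    return None


if __name__ == "__main__":
    print("shared range:", overlap(HOME_LAN, WORK_LAN))
    print("ambiguous from the laptop:", ambiguous_hosts(HOME_LAN, WORK_HOSTS))
    print("suggested office range:", pick_subnet(COMMON_HOME_DEFAULTS))
```

Renumbering the office LAN to a range that remote sites are unlikely to use is done once on the office router, whereas the home or hotel network the laptop joins is outside the administrator's control.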
 
 
Clint Sharp

 
      03-29-2006, 07:57 PM
In message <(E-Mail Removed) >, Jon
<(E-Mail Removed)> writes
>(E-Mail Removed) declared for all the world to hear...
>> Given that he needs a router rather than just a simple ADSL modem, what
>> feature should I be looking for in the router's spec? Is it called "VPN
>> server"?

>
>Yes. I use a Draytek Vigor 2600VG which can act as a VPN server and can
>also initiate outgoing (lan-lan) connections.

Not really true, you just need a router that can pass VPN packets (not
all can) and is capable of forwarding a port to the PC/Server that's
acting as the VPN server.

Your major problem is going to be security if the user is going to be
connecting from variable IP addresses. You're effectively going to have
to expose the VPN server to the internet as you can't predict what
address is going to legitimately access it so make sure the passwords
and user name combo is strong if you don't use a certificate based VPN.
--
Clint Sharp
 
 
Martin Underwood

 
      03-29-2006, 09:43 PM
Clint Sharp wrote in message
F+(E-Mail Removed):

> In message <(E-Mail Removed) >, Jon
> <(E-Mail Removed)> writes
>> (E-Mail Removed) declared for all the world to hear...
>>> Given that he needs a router rather than just a simple ADSL modem,
>>> what feature should I be looking for in the router's spec? Is it
>>> called "VPN server"?

>>
>> Yes. I use a Draytek Vigor 2600VG which can act as a VPN server and
>> can also initiate outgoing (lan-lan) connections.


> Not really true, you just need a router that can pass VPN packets (not
> all can) and is capable of forwarding a port to the PC/Server that's
> acting as the VPN server.
>
> Your major problem is going to be security if the user is going to be
> connecting from variable IP addresses. You're effectively going to
> have to expose the VPN server to the internet as you can't predict
> what address is going to legitimately access it so make sure the
> passwords and user name combo is strong if you don't use a
> certificate based VPN.


I presume what you're saying here applies to the case where a PC on the
company LAN acts as the endpoint of the VPN, rather than using the router as
the VPN endpoint. I realise that the latter case requires a router that
supports VPN Server, such as the Draytek.

And, yes, given the power of a VPN, I'd make the VPN username/password very
strong - in the same way that I make WPA wireless encryption keys strong.


 