Virtual Private Network (VPN)


Remote connections existed before the Internet did. To reach your office LAN from home you dialed in over a telephone line, possibly paying long-distance charges; to connect two LANs together you leased an expensive dedicated line. The Internet is relatively inexpensive, but it is a shared, untrusted network: anyone along the path can read or alter traffic that is not protected. TCP/IP includes tools that encrypt and authenticate traffic, and by using them to carry one network's traffic across the Internet we create a Virtual Private Network (VPN).

A computer connected over a VPN looks as though it sits directly on the local network back at the office. It is noticeably slower than being on that LAN, though, because every packet crosses the Internet and is encrypted and decrypted at each end rather than travelling over a local wire.

An encrypted tunnel requires endpoints: the two ends of the tunnel where data is encrypted on the way in and decrypted on the way out. For the remote computer to behave like a local one, it must be on the same network as the office hosts, which means it needs an address with the same network ID (the portion of the address selected by the subnet mask). How do you do this?

One of my favourite technical writers, Mike Meyers, explains how this works starting on page 390 of his book All-In-One CompTIA Network+ Exam Guide, Sixth Edition (McGraw-Hill Education, 2015). He uses the example of a single client accessing a remote LAN.

Single Client Accessing a Remote LAN

Suppose Pam, at the airport, wants to send a message to Bernard, who is at the office. Pam's laptop gets its IP address (and therefore its network ID) from the airport's DHCP server; that is how it reaches the Internet. Pam runs a VPN client that speaks one of the many tunneling protocols available. The client connects across the Internet to the office network and then queries the office LAN's DHCP server for an address. That puts the remote computer on the same network as the office LAN. The remote computer now has two IP addresses:

  • the Internet connection's IP address (from the airport's ISP)
  • the address of the tunnel endpoint the VPN client creates, which behaves like a NIC (a virtual NIC)

This virtual NIC has an IP address on the local (office) LAN, so anything sent through it is delivered there.

Point-to-Point Protocol (PPP) and Point-to-Point Tunneling Protocol (PPTP)

PPP is able to negotiate an IP address for the client. Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft, extends PPP by wrapping PPP frames so they can be carried across an IP network such as the Internet. In Microsoft's view a VPN exists so that clients can connect to a private network, so Microsoft places one endpoint on the client and the other on the server. The server endpoint is a special remote access server program, originally available only on Windows Server, called Routing and Remote Access Service (RRAS). On the client side you run Create a New Connection. This creates a virtual NIC that, like any other NIC, asks a DHCP server for an IP address on the private network.

A caveat worth knowing beyond the exam: PPTP's authentication (MS-CHAPv2) and the MPPE encryption keyed from it have been practically broken for years, so a captured PPTP session can be decrypted offline. Understand PPTP as a legacy protocol; do not deploy it for anything that needs to stay confidential.

When Pam’s laptop connects to the RRAS server on the private network back at the office, PPTP creates a tunnel through the Internet back to the private LAN. Pam’s computer takes on an IP address from that private network, exactly as if she were plugged in at the office. This even includes the default gateway: if Pam opens a web browser, her laptop sends the request across the Internet to the office LAN, and the office LAN’s default gateway sends it back out to the Internet. This "full tunnel" behaviour is slow, but it also means her web traffic is protected on the airport network and passes through the office’s filtering; a "split tunnel" configuration, which sends only office-bound traffic through the VPN, is faster but leaves everything else exposed on the local network.
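The two questions raised so far, how the remote computer ends up with the same network ID as the office (the "How do you do this?" above) and what it means for Pam to have two addresses and to inherit the office default gateway, come down to her laptop's routing table. The following is an added example, not code from the page or from Meyers' book: it models Pam's laptop with the airport NIC (wlan0) and the virtual NIC (tun0) and performs the longest-prefix-match lookup a host does for every outgoing packet. All addresses (the 10.20.30.0/24 airport network, the 192.168.50.0/24 office network, the VPN server at 203.0.113.10) are constructed for the example.

```python
"""Pam's laptop as a two-interface host: which NIC does each destination use?
Added example; addresses and interface names are constructed, not from the page."""
import ipaddress

# Constructed networks: the airport hands out 10.20.30.0/24, the office uses 192.168.50.0/24.
AIRPORT_NET = ipaddress.ip_network("10.20.30.0/24")
OFFICE_NET = ipaddress.ip_network("192.168.50.0/24")
VPN_SERVER = ipaddress.ip_network("203.0.113.10/32")   # public address of the office endpoint


def same_network(a: str, b: str, prefixlen: int) -> bool:
    """Two hosts share a network ID when the bits kept by the subnet mask are identical."""
    return (ipaddress.ip_interface(f"{a}/{prefixlen}").network
            == ipaddress.ip_interface(f"{b}/{prefixlen}").network)


def build_routes(full_tunnel: bool) -> list[tuple[ipaddress.IPv4Network, str, str]]:
    """Routing table entries as (destination, next hop, interface).

    wlan0 is the airport NIC; tun0 is the virtual NIC the VPN client created and that
    the office DHCP server addressed. full_tunnel=True mirrors the page: even the
    default route points at the office gateway through the tunnel.
    """
    routes = [
        (AIRPORT_NET, "direct", "wlan0"),          # airport LAN, reached directly
        (OFFICE_NET, "direct", "tun0"),            # office LAN, reached through the tunnel
        # The VPN server itself must stay reachable over the real NIC; otherwise the
        # tunnel's own encrypted packets would be routed back into the tunnel.
        (VPN_SERVER, "10.20.30.1", "wlan0"),
    ]
    if full_tunnel:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "192.168.50.1", "tun0"))
    else:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "10.20.30.1", "wlan0"))
    return routes


def lookup(routes, dst: str) -> tuple[str, str]:
    """Longest prefix match: of all routes containing dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


if __name__ == "__main__":
    for mode in (True, False):
        table = build_routes(full_tunnel=mode)
        print("full tunnel" if mode else "split tunnel")
        for dst in ("192.168.50.10", "93.184.216.34", "203.0.113.10"):
            print(f"  {dst:>15} -> {lookup(table, dst)}")
```

In full-tunnel mode a public web server (93.184.216.34 here) is reached via 192.168.50.1 over tun0, which is exactly the round trip through the office described above; in split-tunnel mode the same destination leaves directly over wlan0. Only the office prefix and the VPN server's own address behave the same in both modes.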

Most operating systems have shipped a built-in VPN client that supports PPTP, although newer releases have begun dropping it because of its known cryptographic weaknesses.

Layer 2 Tunneling Protocol (L2TP)

The VPN protocol L2TP took the good features of PPTP and of a Cisco protocol called Layer 2 Forwarding (L2F) and added support for running over almost any type of connection: telephone lines, Ethernet, even ultra-high-speed optical links. The endpoint on the office LAN moved from a server program to a VPN-capable router called a VPN concentrator, such as the Cisco 2811 Integrated Services Router.

Site-to-Site VPN Connections

You can also connect two remote LANs together by placing a Cisco concentrator at each site and tunneling directly between them. It’s not fast, but it works. The two LANs then function as a single network, sharing files and services.

You have three types of VPN connections: client-to-server (remote access), site-to-site and host-to-host.

L2TP differs from PPTP in that it provides no encryption and no real authentication of its own; it is purely a tunneling protocol. L2TP therefore relies on IPsec for all security needs: IPsec authenticates the two endpoints and encrypts the L2TP traffic (UDP port 1701) that passes between them. Such a VPN is called “L2TP/IPsec”.
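To see why L2TP on its own needs IPsec, it helps to look at what an L2TP data message actually contains. The code below is an added example, not from the page or from any vendor: it parses the L2TPv2 header as laid out in RFC 2661 (flags and version, optional length, tunnel and session IDs, optional sequence numbers and offset) and then reads the PPP frame and the inner IPv4 addresses straight out of the payload. The sample frame and the control message are constructed for the example. Without IPsec every one of these fields, including the addresses inside the tunnel, is visible to anyone on the path; with IPsec the entire UDP datagram is inside an ESP packet and nothing below is readable.

```python
"""Parse the L2TPv2 header (RFC 2661) and the PPP frame it carries, to show that
L2TP itself provides no confidentiality. Added example; sample bytes are constructed."""
import ipaddress
import struct

# Flag bits in the first 16-bit word of the header; the low 4 bits hold the version (2).
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VER_MASK = 0x000F

# PPP protocol numbers that commonly appear inside an L2TP tunnel.
PPP_PROTOCOLS = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}


def parse_l2tp(udp_payload: bytes) -> dict:
    """Walk the variable-length L2TP header and return its fields plus the payload."""
    (flags_ver,) = struct.unpack_from("!H", udp_payload, 0)
    if flags_ver & VER_MASK != 2:
        raise ValueError("not an L2TPv2 header")
    off = 2
    info = {"control": bool(flags_ver & T_BIT)}     # T=1 control message, T=0 data
    if flags_ver & L_BIT:                           # Length field present
        (info["length"],) = struct.unpack_from("!H", udp_payload, off)
        off += 2
    info["tunnel_id"], info["session_id"] = struct.unpack_from("!HH", udp_payload, off)
    off += 4
    if flags_ver & S_BIT:                           # Ns/Nr sequence numbers present
        info["ns"], info["nr"] = struct.unpack_from("!HH", udp_payload, off)
        off += 4
    if flags_ver & O_BIT:                           # Offset Size present, then padding
        (pad,) = struct.unpack_from("!H", udp_payload, off)
        off += 2 + pad
    info["payload"] = udp_payload[off:]
    return info


def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Minimal data message: T=0 (data), L=1 (length present), no sequence numbers."""
    header_len = 8
    header = struct.pack("!HHHH", L_BIT | 2, header_len + len(ppp_frame), tunnel_id, session_id)
    return header + ppp_frame


def ppp_protocol(ppp_frame: bytes) -> str:
    """Name the protocol carried by an HDLC-framed PPP frame (address 0xFF, control 0x03)."""
    if ppp_frame[:2] != b"\xff\x03":
        raise ValueError("unexpected PPP framing")
    (proto,) = struct.unpack_from("!H", ppp_frame, 2)
    return PPP_PROTOCOLS.get(proto, hex(proto))


def inner_addresses(ppp_frame: bytes) -> tuple[str, str]:
    """Source and destination of the IPv4 datagram inside the PPP frame, read in the clear."""
    ip = ppp_frame[4:]                              # skip FF 03 and the 2-byte protocol field
    return str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))


# Constructed sample: PPP/IPv4 frame carrying a 20-byte IPv4 header (protocol UDP,
# header checksum left zero) from Pam's office address to Bernard's machine.
SAMPLE_PPP_FRAME = (
    b"\xff\x03\x00\x21"
    + bytes.fromhex("45000014 0001 0000 4011 0000")
    + ipaddress.IPv4Address("192.168.50.77").packed
    + ipaddress.IPv4Address("192.168.50.10").packed
)
# Constructed control message: a Zero-Length Body acknowledgement (T, L, S set; Ns=1, Nr=2).
ZLB_ACK = bytes.fromhex("c802 000c 0001 0000 0001 0002")

if __name__ == "__main__":
    data = parse_l2tp(build_l2tp_data(7, 9, SAMPLE_PPP_FRAME))
    print(data["tunnel_id"], data["session_id"], ppp_protocol(data["payload"]),
          inner_addresses(data["payload"]))
    print(parse_l2tp(ZLB_ACK))
```

The point of reading the inner addresses back out is that L2TP alone is a framing format, not a security boundary: the tunnel and session IDs are plain integers, and the PPP frame, including PAP or CHAP authentication exchanges, rides in the clear. IPsec in transport mode on UDP 1701 is what turns this into a VPN.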

There has been a lot of crossover between Microsoft and Cisco: Microsoft RRAS supports L2TP, and Cisco routers support PPTP.