Virtual Private Networks, Part 2: Setting up

In the last column we looked at what a Virtual Private Network (VPN) is and does. Now, we look at how you can set one up. As you know, a VPN is simply two or more gateway machines that talk to each other over some distance, making the connection between the gateways act as though it were part of a larger network. For our purposes, we’ll define a VPN as a network of virtual circuits that carry private traffic. The connection between gateway machines can be any kind of network, including dedicated and dial-up lines, but the most common form of VPN uses the Internet for the connection. The virtual circuits are the tunnels the gateways build to each other across the Internet. Handling the traffic so that it stays private and away from snooping eyes on the Internet is the important part of the VPN.

Choosing an Internet VPN is simple and easy. It is the most cost-effective way to provide a VPN. All you need is an ISP for each gateway machine, and then you can let the ISP worry about routing the traffic between your gateways. Are there downsides to using the Internet? Of course. Your traffic crosses networks you do not control, so assume that it can be captured; whether an attacker can then read it depends entirely on the strength of the authentication and encryption the gateways use, which is something to bear in mind when you pick the software. Also, you are at the mercy of the Internet’s (and your ISP’s) throughput problems: when the ISP or Internet gets slow, so does your VPN. This isn’t really a problem for most VPNs, but if you are going to be funneling huge amounts of data each second through the Internet, you might want to consider a dedicated line instead.

Since you can choose the type of connection you have to an ISP (and hence the Internet) you can tailor the budget to the throughput you need. If you need to connect from hotel rooms to your business network, standard analog connections may be all you need. If you are connecting two big LANs together through the Internet, you may want T1 or ISDN connections at each gateway. You can suit the connection type to your needs pretty well with an Internet-based VPN.

How do you set up a VPN? Let’s work with a Windows-based network first, because it is so simple. Windows NT especially is well suited to acting as a VPN gateway. Often you don’t need to buy additional VPN software at all, especially if the VPN is to be lightly used. However, there are several commercial products that provide VPN software and hardware specifically to enhance the security and throughput of VPN traffic, and we’ll look at those packages in another column. For now, we will stick with the basic Windows software package for VPNs.

Windows NT and Windows 98 support a VPN protocol called PPTP, the Point-to-Point Tunneling Protocol. PPTP is an offshoot of PPP, the protocol most people already use to connect to the Internet through an ISP: it wraps ordinary PPP frames inside GRE packets and sends them across the Internet to the other gateway, while a separate TCP connection (port 1723) sets up and tears down the tunnel. The privacy comes from two PPP options negotiated inside the tunnel, MS-CHAP to authenticate the user and MPPE to encrypt the frames, so the tunnel is only as strong as the passwords behind it. Both MS-CHAP and MPPE have documented weaknesses, so treat PPTP as a convenience for keeping casual eyes off your traffic rather than as strong protection against a determined attacker who can capture it. Because the payload is PPP, PPTP is not restricted to TCP/IP: it carries NetBEUI and IPX as well, but for our purposes we’ll concentrate on TCP/IP.
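To make the "offshoot of PPP" concrete, here is the PPTP control handshake and data-channel framing as RFC 2637 puts them on the wire. This is an example written for this column, not Microsoft's code, and the server reply and the two data packets at the bottom are constructed by hand. It shows the two halves of PPTP: the control connection on TCP port 1723, which is sent entirely in the clear, and the GRE (IP protocol 47) channel that carries the PPP frames, where the PPP protocol number tells you whether the frame is MPPE-encrypted (0x00FD) or plain IP (0x0021).

```python
"""PPTP on the wire (RFC 2637): the control handshake on TCP 1723 and the GRE
data channel that carries the PPP frames. Added example for this column, not
Microsoft's code; the sample messages at the bottom are constructed by hand."""
import struct

PPTP_PORT = 1723             # TCP control connection, sent in the clear
GRE_IP_PROTOCOL = 47         # the data channel is GRE, not TCP or UDP
PPTP_MAGIC = 0x1A2B3C4D
CTRL_MESSAGE = 1             # PPTP message type 1 = control message
SCCRQ, SCCRP = 1, 2          # Start-Control-Connection-Request / -Reply
RESULT_OK = 1
GRE_PPP = 0x880B             # GRE protocol type for PPP

# PPP protocol numbers you will see inside the GRE payload
PPP_IP, PPP_LCP, PPP_CHAP, PPP_CCP, PPP_MPPE = 0x0021, 0xC021, 0xC223, 0x80FD, 0x00FD

HEADER = struct.Struct("!HHIHH")              # length, msg type, cookie, ctrl type, reserved0
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")   # version, reserved1, framing, bearer, max channels, firmware, host, vendor
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")  # version, result, error, framing, bearer, max channels, firmware, host, vendor


def _cstr(field: bytes) -> str:
    return field.rstrip(b"\0").decode("ascii", "replace")


def build_sccrq(hostname: bytes, vendor: bytes = b"") -> bytes:
    """First message the client sends on TCP 1723; nothing in it is protected."""
    body = SCCRQ_BODY.pack(0x0100, 0, 3, 3, 0, 0,
                           hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    return HEADER.pack(HEADER.size + SCCRQ_BODY.size, CTRL_MESSAGE, PPTP_MAGIC, SCCRQ, 0) + body


def parse_control(data: bytes) -> dict:
    """Decode one PPTP control message; raise ValueError on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("short PPTP header")
    length, msg_type, cookie, ctrl_type, _ = HEADER.unpack_from(data)
    if cookie != PPTP_MAGIC or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    body = data[HEADER.size:]
    if ctrl_type == SCCRQ and len(body) == SCCRQ_BODY.size:
        ver, _, framing, bearer, max_chan, _, host, vendor = SCCRQ_BODY.unpack(body)
        return {"type": "SCCRQ", "version": ver, "framing": framing, "bearer": bearer,
                "max_channels": max_chan, "host": _cstr(host), "vendor": _cstr(vendor)}
    if ctrl_type == SCCRP and len(body) == SCCRP_BODY.size:
        ver, result, error, framing, bearer, max_chan, _, host, vendor = SCCRP_BODY.unpack(body)
        return {"type": "SCCRP", "version": ver, "ok": result == RESULT_OK, "result": result,
                "error": error, "max_channels": max_chan, "host": _cstr(host), "vendor": _cstr(vendor)}
    raise ValueError("unsupported or truncated control message type %d" % ctrl_type)


def parse_gre(packet: bytes) -> dict:
    """Decode the enhanced GRE header PPTP uses and report which PPP protocol the
    payload carries: 0x00FD means MPPE-encrypted data, 0x0021 means IP in the clear."""
    flags, proto, payload_len, call_id = struct.unpack_from("!HHHH", packet)
    # PPTP requires the K (call ID) bit set, GRE version 1 and protocol type 0x880B
    if proto != GRE_PPP or (flags & 0x0007) != 1 or not flags & 0x2000:
        raise ValueError("not a PPTP GRE packet")
    offset, seq, ack = 8, None, None
    if flags & 0x1000:                        # S bit: sequence number present
        seq = struct.unpack_from("!I", packet, offset)[0]
        offset += 4
    if flags & 0x0080:                        # A bit: acknowledgement number present
        ack = struct.unpack_from("!I", packet, offset)[0]
        offset += 4
    ppp = packet[offset:offset + payload_len]
    if len(ppp) != payload_len or not ppp:
        raise ValueError("GRE payload truncated")
    if ppp[:2] == b"\xff\x03":                # optional HDLC address/control bytes
        ppp = ppp[2:]
    # PPP protocol field compression: an odd first byte is a one-byte protocol number
    ppp_proto = ppp[0] if ppp[0] & 1 else (ppp[0] << 8) | ppp[1]
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_protocol": ppp_proto, "encrypted": ppp_proto == PPP_MPPE}


# Constructed samples: a server reply advertising the NT default of five VPN
# ports, and two data packets for call ID 0x1234, one MPPE-encrypted, one plain IP.
SAMPLE_SCCRP = HEADER.pack(HEADER.size + SCCRP_BODY.size, CTRL_MESSAGE, PPTP_MAGIC, SCCRP, 0) + \
    SCCRP_BODY.pack(0x0100, RESULT_OK, 0, 3, 3, 5, 0,
                    b"nt-gateway".ljust(64, b"\0"), b"example".ljust(64, b"\0"))


def _gre(ppp: bytes, seq: int) -> bytes:
    # flags 0x3001 = K + S bits, version 1; no acknowledgement number
    return struct.pack("!HHHHI", 0x3001, GRE_PPP, len(ppp), 0x1234, seq) + ppp


SAMPLE_GRE_ENCRYPTED = _gre(b"\xff\x03\x00\xfd" + b"\x90\x00" + b"\x5a" * 10, 7)
SAMPLE_GRE_PLAINTEXT = _gre(b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14" + b"\x00" * 16, 8)

if __name__ == "__main__":
    print(parse_control(build_sccrq(b"laptop")))
    print(parse_control(SAMPLE_SCCRP))
    for pkt in (SAMPLE_GRE_ENCRYPTED, SAMPLE_GRE_PLAINTEXT):
        print(parse_gre(pkt))
```

Two practical checks fall out of this. Any router or firewall between the gateways must pass TCP port 1723 and IP protocol 47; a packet filter or address translator that only understands TCP and UDP will let the control connection through and then silently drop the GRE data, so the tunnel appears to connect and nothing flows. And if a capture of the tunnel shows PPP protocol 0x0021 rather than 0x00FD after the handshake, MPPE was never negotiated and your data is crossing the Internet unencrypted.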

Windows NT Server and Workstation provide PPTP as part of the protocol suite. If it was not installed automatically when you installed networking on the NT machine, you can add it from the Network applet’s Protocols tab by selecting Add, then Microsoft, and then PPTP. Once PPTP is installed, configure it by selecting the protocol name in the Protocols tab of the Network applet and then clicking Properties (or double-clicking on PPTP). The PPTP properties window is quite simple. It asks for the number of VPN connections allowed at any one time, how many of those should be reserved just for dial-outs and dial-ins, and how many to reserve for routing purposes. The defaults are usually five VPN connections and zero for all the reserved lines. Each simultaneous tunnel consumes one of these connections, so if you are only planning to use one or two connections to another gateway the defaults are fine. If you plan on having a lot of traffic or many users on the connections, bump the number up by double or more. Balancing the number of VPN connections to actual need is more a matter of experimentation than anything else.

To finish the setup of the VPN you need to configure Dial-Up Networking (DUN) or some other connection to an ISP. To use a VPN you need two phonebook entries: one for the connection to the ISP and one for the connection to the VPN gateway you want to reach. The ISP connection may well be given a different IP address each time you connect, which does not matter; what does matter is that the VPN gateway at the other end has a fixed, reachable IP address, and that address (rather than a phone number) goes in the Properties window of the VPN entry. To use the VPN, establish the connection to the ISP first, then launch the connection to the VPN gateway machine. Anything in between, such as a firewall or a router at either site, must let TCP port 1723 and GRE (IP protocol 47) through, or the second connection will never complete. If the other end has PPTP installed and running too, a virtual network has been created.

Windows 98 is not left out: it can act as a PPTP client, though not as a server. You need the latest version of DUN (1.2 or later), and its VPN support is installed as a protocol in the Network applet. When you set up the DUN connection, choose the Microsoft VPN Adapter instead of a modem as the device, and enter the IP address of the VPN gateway you are connecting to where a phone number would normally go.

There’s little else that has to be done to set up a Windows-only VPN. There are lots of complications you can throw in to add different features, but we’ll look at those in a later column.