An Introduction to VPN   
This TechSoup article demystifies how Virtual Private Networks (VPN) can provide remote access to a network for users at home or on the road and also explains how VPN can be used to link networks for organizations in two physical sites.
Copyright © 2004, TechSoup, a project of CompuMentor

Virtual Private Networking, or VPN, is a technology that lets people access their office's computer network over the Internet while at home or traveling. Accessing a network in this way is referred to as remote access. (For comparison, another common form of remote access is dialing in to the office network over a telephone line.)

But VPN is useful for more than just remote access. It can also be used to link two separate offices over a distance. This is sometimes called a "persistent VPN tunnel", or a wide-area network (WAN) link.

VPN for Remote Access

So why would you want to use VPN for remote access? Let's say you want users to be able to work from home. Or maybe someone needs to retrieve a file while traveling. Without VPN, in order to make resources on the office network available to users, the network administrator would have to weaken the security of your network by opening holes in your firewall -- which isn't usually a good idea. Or the remote user would have to dial in over a phone line, sometimes incurring long-distance charges.

With VPN, the integrity of your office network remains intact, but you can allow remote users to act as part of the office network. After connecting over VPN, remote users can access files, print to printers, and generally do anything with their computers that they would be able to do in the office.

Still, using VPN is not the same as being in the office. Most office networks are pretty fast. Most Internet connections are not. Even the fastest DSL and cable connections are around one-tenth the speed of your average office LAN. This means that accessing resources on the LAN will be much slower over VPN. So if you want to work on files on the file server at the office, you would most likely need to copy them to your computer over the VPN connection. When you are done working with them you would copy them back to the file server. (It's easy to do this in Windows 2000/XP with the "Offline Files" feature.)

How It Works

In a small office network, VPN is most frequently implemented through a router. Just about every small office that shares an Internet connection with more than one computer already has a router of some kind, but most of them don't include VPN.

For example, the small office/home office (SOHO) routers by Linksys are a popular choice, offering DHCP, NAT, and basic security features in the form of a bright blue plug-and-play box, but they don't include VPN support.

An example of a product for the SOHO environment that does include VPN support is the Cable/DSL ProSafe VPN Firewall with 8-port switch from Netgear.

Once the VPN router is in place, individual computers can be set up to connect to it from outside the network. Depending on the router and the computers involved, you might need to install software on the computers that will use VPN. Sometimes computers have the ability to connect built in. Either way, once the hardware and software have been set up, the remote user can initiate a VPN connection.

How a VPN session is initiated depends on how the computer is connected to the Internet. Usually it works something like this: the user double-clicks on a shortcut and the VPN connection window appears. The user enters a username and password and hits "connect." If the computer has an always-on connection like DSL or cable, the VPN connection is immediately established. If the computer dials in to an ISP in order to access the Internet, that connection is established first and then the VPN connection is established on top of that. Once users are connected to the office network over VPN, they can access files and other resources.

When users are done working, they simply disconnect the VPN connection.

VPN As a Persistent Tunnel

VPN technology can also be used to link two separate networks over the Internet so they operate as a single network. This is useful for organizations that have two physical sites. Rather than set up VPN connections on every person's computer, the connection between the two sites can be handled by routers, one at each location. Once configured, the routers maintain a constant tunnel between them that links the two sites. In this scenario, users don't have to do anything to initiate the VPN session because it is always on. An example of an inexpensive router that is capable of a persistent VPN tunnel is the Linksys BEFVP41.

Security and Encryption

There are mainly two kinds of VPN: Point to Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Both can link a remote computer to a network, but only L2TP offers strong security. If you must transmit sensitive information, do not use PPTP. Remember that when you set up VPN, you're offering a way into your office network. To minimize the risk of unauthorized parties poking around your network, choose and enforce a strong password policy.
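The article's advice is to avoid PPTP and use L2TP. As an added example that is not part of the TechSoup article, the following PowerShell audits the VPN profiles on a Windows 8 or Server 2012 (or later) machine using the built-in VpnClient module, flags any profile still set to PPTP or configured without required encryption, and shows how to switch a flagged profile to L2TP over IPsec (the profile name "Office" and the pre-shared key are placeholders).

```powershell
# Added example (not from the TechSoup article): audit Windows VPN profiles
# for weak tunnel settings and remediate them. Assumes the built-in VpnClient
# module (Get-VpnConnection / Set-VpnConnection), available on Windows 8+.

function Get-VpnTunnelAudit {
    param(
        # 'User' audits the current user's profiles, 'AllUser' the machine-wide ones
        [ValidateSet('User', 'AllUser')]
        [string]$Scope = 'User'
    )

    $connections = if ($Scope -eq 'AllUser') {
        Get-VpnConnection -AllUserConnection
    } else {
        Get-VpnConnection
    }

    foreach ($c in $connections) {
        $findings = @()
        # PPTP is the weak choice the article warns about
        if ($c.TunnelType -eq 'Pptp') {
            $findings += 'PPTP tunnel: do not use for sensitive data'
        }
        # A tunnel that allows plaintext is no better than no tunnel
        if ($c.EncryptionLevel -in @('NoEncryption', 'Optional')) {
            $findings += "Encryption level is '$($c.EncryptionLevel)'"
        }

        [pscustomobject]@{
            Name            = $c.Name
            Server          = $c.ServerAddress
            TunnelType      = $c.TunnelType
            EncryptionLevel = $c.EncryptionLevel
            Status          = if ($findings.Count -eq 0) { 'OK' } else { 'WEAK' }
            Findings        = ($findings -join '; ')
        }
    }
}

# List the findings for the current user's profiles
Get-VpnTunnelAudit | Format-Table -AutoSize

# Remediation for a flagged profile: move it to L2TP over IPsec with a
# pre-shared key and require encryption. 'Office' and the PSK are placeholders.
Set-VpnConnection -Name 'Office' -TunnelType L2tp `
    -L2tpPsk '<pre-shared-key-placeholder>' -EncryptionLevel Required -Force
```

Run the audit with `-Scope AllUser` from an elevated prompt to cover profiles shared by every account on the machine.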

If you allow home users to connect to the office network via VPN, you have to consider viruses or other security threats that could come from the user's home. One way to address this risk is to give home users a computer that is owned and maintained by the organization, so that it can be kept up-to-date and certified virus-free.

Implementing VPN

Before you implement VPN, evaluate the benefits to your organization and weigh them against the costs of equipment, installation time, and staff training. Maybe you're considering VPN because your executive director wants to be able to access files on the server while traveling. Maybe VPN would be a good solution. Or perhaps it would work just as well for your executive director to call the office and ask the receptionist to e-mail the file.

Once you have decided to implement VPN, determine whether you need help or not. If someone on your staff understands TCP/IP networking well and can set up the new router, you might be set. If not, consider finding a trusted consultant to help set it up.

In order to use VPN, your Internet connection will need to have a static IP address. Most types of Internet connections -- dial-up, DSL, and cable -- provide you with a numerical address on the Internet that changes from time to time. This is called a dynamic IP address. In order to provide VPN access to remote users you will need to be able to give them an address that doesn't change, a static IP.

To obtain a static IP address for your Internet connection, talk to your Internet service provider. It may require an additional monthly fee of a few dollars. If you have a friendly ISP, sometimes you can talk it into just giving you a static IP. Occasionally, an ISP will try to sell you much more expensive DSL service, possibly bundled with equipment, when you ask about a static IP. The company might call it a "business class" of service. Don't buy it. You don't have to have a faster Internet connection or much more expensive service in order to have a static IP address. Even dial-up Internet connections can be provided through a static IP, although not all ISPs will do this. So if you run into trouble with sales representatives, ask to talk to their supervisor.

Additional Resources

TechSoup's Connecting to the Internet message board
Although this forum isn't specifically geared to networking questions, it is the best place to get them answered at TechSoup.

VPN article from PCWorld

VPN Audio Primer from NetworkWorldFusion

Windows Resources

How to set up a VPN connection on Windows XP Professional

Virtual Private Networks for Windows Server 2003

Mac Resources

Mac OS X IPSec (L2TP) VPN Utility

PPTP Client built-in to Mac OS 10.2

Visit TechSoup for technology information, access to donated and discounted products, and support from nonprofit experts and your peers.
