Part 1 of this briefing was devoted to VPN theory - the various technologies that underpin Virtual Private Networks. This part is devoted to VPN practice.
First though, a brief recap: virtual private networking is a means of creating a secure connection, over the public Internet, between your computer and a gateway or server located elsewhere, such as another office. A VPN connection is secure in two ways: first, when establishing a connection, you or your computer must be authenticated; second, once the connection is established, all traffic between your computer and the gateway/server is encrypted for privacy.
One common use for a VPN is to allow users access to a network from outside a firewall. If your office network has a firewall, a VPN server running inside it could permit you to connect to the network from outside - say, over a broadband cable connection from home - and access resources as if you were connected locally.
A VPN server is a piece of hardware or software that can act as a gateway into a whole network or a single computer. It is generally always-on and listening for VPN clients to connect to it.
The other side of the coin
Actual VPN server software is rather rare. But Windows Server level operating systems such as Windows 2000 Server, Windows Server 2003 and Small Business Server 2003 have VPN server software as standard, as does Windows XP.
However, VPN server software is not strictly essential: it's possible to set up a tunnel directly between routers, so a VPN client can be hardware too. A client initiates a call to the server and logs on. Then the client PC and server can communicate; they are on the same virtual network. Many broadband routers can pass one or more VPN sessions from your network to the web.
The VPN client connection
Here's how to create a Windows XP VPN connection to a server. Firstly open Control Panel and choose Network Connections, then start the New Connection Wizard. Select 'Connect to the network at my workplace' and click Next. Click on Virtual Private Network connection and click Next. Give the Connection a Name and click Next.
If prompted, select whether or not you have to dial to the Internet before establishing a VPN connection - you may need to if you have a USB broadband modem rather than a router. Next, enter the IP address of the server you want to connect to. Finally, check whether you want to have an icon placed on the desktop and click on the Finish button. And that's it - I told you it wasn't hard!
Customising your connection
In the Network Connections window, right-click the new connection and select Properties. The General Tab lets you rename your connection. It also lets you specify a 'First connect', which means that Windows will hook up to the Internet before starting to attempt the VPN connection, useful if you're relying on dial-up.
The Options tab lets you change lots of settings. For example, it lets you include a Windows domain in the logon: if you select this check box, the VPN client will prompt for Windows logon domain information when starting the VPN connection.
The Security Tab lets you specify basic security for the VPN client. This is where you would set any advanced IPSec configurations, other security protocols, as well as requiring encryption and credentials. The next tab is Networking. This is where you can select what networking items are used by this VPN connection. The final tab is Advanced and this is where you can set options for configuring a firewall and/or sharing.
The other side of the coin
You've now created a client connection. We now have to set up the PC at the other end - a server, if you like - to accept VPN connections. Once again, this is a comparatively simple procedure. Open the Control Panel and then Network Connections. Start the New Connection Wizard, click the Next button, select Set up advanced connection and click Next.
Click on Accept incoming connections and click Next. At the LPT1 page, just click Next to skip it. Click on Allow virtual private connections and click Next. You now have to add the user accounts that you want to be able to connect to your Windows XP computer. Click on the Next button, select Internet Protocol (TCP/IP) and click on Properties.
Lastly, determine how you want the remote computers to get their IP address. You can either specify that they pick up an IP address automatically via DHCP or pull it from a pool of addresses you specify. Click Next and then Finish. Windows XP Professional can actually support multiple simultaneous VPN connections but the Home edition is limited to just one.
Connecting to the server
This is a doddle. If you don't have a shortcut on your desktop, open Network Connections and double-click the icon or right click and select Connect - this will initiate the connection to the VPN server. Enter your username and password and click Connect. To disconnect a VPN connection, right-click the icon for the connection, then click Disconnect.
VPN tips and tweaks
If the VPN server sits behind a router, port mapping will need to be done on the router. Typically a PPTP VPN needs TCP port 1723, plus GRE (IP protocol 47), which carries the tunnelled data; IPSec needs UDP port 500 for IKE together with IP protocols 50 (ESP) and 51 (AH). Note that 47, 50 and 51 are protocol numbers rather than ports, so a router may list them separately from its port-forwarding table. All of this traffic has to be forwarded to the VPN server's network adapter IP address.
You may also need to enable PPTP pass-through on your router; otherwise it can block the unsolicited inbound traffic that a VPN connection produces.
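A quick way to audit the forwarding table against the requirements above is to encode them and diff them against what the router actually has. This is an added example, not from the original article; the `Rule` layout, the `check_forwards` function and the sample `ROUTER_RULES` are constructed here to stand in for whatever a particular router's admin page exports.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One forwarding entry as a router's admin page might list it (constructed format)."""
    proto: str           # "tcp"/"udp", or a port-less IP protocol: "gre", "esp", "ah"
    port: Optional[int]  # None for GRE/ESP/AH, which have no port number
    dest: str            # LAN address the traffic is forwarded to

# Traffic each VPN flavour needs delivered to the server.  PPTP's control
# channel is TCP 1723; its data travels in GRE (IP protocol 47), which is
# what a router's "PPTP pass-through" switch admits.  IPsec needs IKE on
# UDP 500 plus the port-less ESP (50) and AH (51) protocols.
REQUIRED = {
    "pptp":  [("tcp", 1723), ("gre", None)],
    "ipsec": [("udp", 500), ("esp", None), ("ah", None)],
}

def check_forwards(rules: List[Rule], server_ip: str, vpn_type: str) -> Tuple[List[Rule], List[Rule]]:
    """Return (missing, misdirected): required entries absent from `rules`, and
    entries that exist but point at a host other than the VPN server."""
    missing, misdirected = [], []
    for proto, port in REQUIRED[vpn_type]:
        matches = [r for r in rules if r.proto.lower() == proto and r.port == port]
        if any(r.dest == server_ip for r in matches):
            continue                      # correctly forwarded to the VPN server
        missing.append(Rule(proto, port, server_ip))
        misdirected.extend(matches)       # present, but sent to the wrong host
    return missing, misdirected

# Constructed sample: TCP 1723 is forwarded, GRE is not, and IKE goes to the wrong box.
VPN_SERVER = "192.168.1.10"
ROUTER_RULES = [
    Rule("tcp", 1723, "192.168.1.10"),
    Rule("udp", 500, "192.168.1.20"),
    Rule("tcp", 80, "192.168.1.5"),
]

if __name__ == "__main__":
    for kind in ("pptp", "ipsec"):
        missing, wrong = check_forwards(ROUTER_RULES, VPN_SERVER, kind)
        print(kind, "missing:", [(r.proto, r.port) for r in missing],
              "misdirected:", [(r.proto, r.port, r.dest) for r in wrong])
```

For the sample table the PPTP check reports only GRE as missing, which is the classic "connects but never passes traffic" symptom that the pass-through setting fixes.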
VPN router support has come on in leaps and bounds. Take the venerable Netgear DG834G. Its latest firmware (v2.10.22) now permits you to set up a VPN tunnel from the router to a PC running Netgear's proprietary ProSafe VPN client software. Up to five PCs can simultaneously use the resulting secure connection. Or if you have a DG834G at both ends, they can set up a VPN tunnel between the two, in a so-called 'box-to-box' configuration thus avoiding any PC reconfiguration.
VPN functionality is very processor-intensive, and most broadband routers have somewhat slow processors in them, so router-based VPN servers are often limited in throughput. Even if you have a fast broadband connection, don't expect lightning-fast speeds: most have a maximum VPN throughput of around 600kbit/s, so with a basic half-meg DSL connection that limit isn't a major bottleneck.
You can make browsing a tad quicker by editing your HOSTS file, a precursor to the much more user-friendly DNS system. You'll find it in the C:\Windows\System32\drivers\etc directory on XP. Just add a line with the IP address of the server followed by its name.