Introduction to DrayTek VPN Overview
ExpiredVirtual Private Networking (VPN) is an essential technology for using the inherently insecure Internet to provide secured communication links. It provides the benefits of secure private point-to-point wide area networking (private networking), using the low cost and flexibility of the public Internet.
What makes the Internet 'inherently insecure'?
The original purpose of the Internet (Arpanet as it was) was to enable computer systems, at different locations around the world, to communicate with each other. Routers could determine how to reach the remote destination via multiple routers and intermediate networks. This provided both cost saving and resilience.
The cost saving was because it replaced costly point-to-point links and resilience because in the event of one route failing, the desired destination, could probably be reached via another route. The end result is that your data gets from Point-A to Point-Z, and it's all automatic and fast, so that you don't need to worry that your data is actually travelling, through points B,C,D,E,F,G etc. on the way.
The Internet - How It Routes
When all Arpanet network members were owned by the American military, it was less of an issue that their data traffic, might pass through other offices or networks, as all offices were supposedly secure too. Since the evolution of the Internet, however, access is shared by millions of users and hundreds of thousands of ISPs, and your data could be passing through networks of anyone, and someone with sinister motives can capture, store and use that data.
The diagram above shows how the Internet works. Every device on the Internet, whether it's your own PC, or a huge web service like Google, has an IP address. The intermediate networks pass your data to the next 'hop' on the way to your destination. If you follow the red or green lines, you can see that your data is passing through several other public routers, and therefore through the hands of many unknown networks, any of whom could monitor and store your data without you ever knowing.
So, you can send data between your office and factory directly across the Internet, but you certainly wouldn't want to.
What does a VPN do?
A VPN, as the name suggests, uses the Internet to create a Virtual Private Network. Two remote sites, say your London and New York office can appear to have a private connection (route) between their two networks but actually, the data is passing over the Internet. Using a system called tunnelling, a device at each end packets up all data intended for the remote site, encrypts it and passes it to the remote site. Your computers all continue to operate within their private subnets, which are behind your firewall. Those computers still cannot be reached from the outside world, except through the VPN tunnel, and that VPN tunnel has only two ends - one in your office, the other at your remote office.
Once you have a VPN, your network users can still access the Internet (surf the web) normally - all Internet traffic passes freely outside of the VPN tunnel. You can have multiple VPN tunnels, each one to a different remote location. The use of the word 'tunnel' is very helpful in understanding the concept; although the data is still passing over the public Internet, it's all inside the tunnel which cannot be decoded, or intercepted by any of the intermediate Internet locations. Your data is secure.
Using Insecure Guest/Public Internet connections
For example, if you go to a coffee shop or hotel or any other place with public or guest Internet access, any computers using that same access have access to all of your sent and received data because they are on the same network. Any user can 'sniff' and capture your data, including emails and web site data. Even if the network is using wireless encryption, anyone else can still see your data because they too know the encryption key. Many web sites and mail servers will now use encryption (e.g. TLS/HTTPS) which reduces the risk - your data is encrypted, though sniffers can still see which IP addresses you visit.
A common use of VPNs, therefore, is to provide security to all of your traffic when using these public Internet facilities. You can force all of your Internet data down the encrypted VPN tunnel, then make use of your HQ's Internet connectivity for onward communication.
Creating a VPN
A VPN endpoint is considered to be the end of each tunnel where the data is encrypted/decrypted by your VPN device inside your private network. DrayTek routers can create VPN tunnels, and endpoints at each site as required. The two remote networks must be within different private IP address ranges in order that the PCs and router at one site can determine that traffic is intended for the other site. For example, one network might be numbered in the IP subnet range 192.168.1.xxx and the other in 192.168.3.xxx.
Where there might be a conflict between two networks with the same IP subnet range, DrayTek routers do offer an IP address translation system, allowing for minimal disruption to existing systems. This allows for instance, two networks with 192.168.1.xxx to communicate, by translating to 192.168.2.xxx and back again, seamlessly allowing each site to communicate.
Your VPN router is configured to know the network addresses of all remote networks and the VPN credentials (encryption keys, passwords, remote locations) so data can be passed through the right tunnel. There are several commonly used methods for encryption and encapsulation (tunnelling). The simplest and now deprecated standard, is PPTP although that only has optional encryption, which isn't considered very secure.
VPN tunnels use passwords for login, or a pre-shared key which is a secret phrase or sequence of characters entered into the VPN device at each end. IPSec tunnelling, using AES encryption is the most common method of tunnelling and encryption used today. These are highly secure encryption methods, with AES in particular considered 'military strength'.
A VPN tunnel is instigated from one end (the 'dial-out') end, and the remote end (the 'dial-in' or end) accepts the connection. Regardless of which end initiates the connection, once the tunnel is created, it makes no difference and data can flow freely in either direction. The dial-in end should have either a fixed public IP address, or some method to keep the other end updated of its current IP address (such as a Dynamic DNS updating service). To create a tunnel between our factory and head office, we simply need to decide on or find out the following information:
Location | Factory | Head Office |
---|---|---|
Dial-In or Dial-Out? | Dial-Out (Instigates) | Dial-In |
Public IP Address of Router | Dynamic | 203.0.113.3 |
Private IP Subnet | 192.168.1.0 | 192.168.3.0 |
Private Subnet Mask | 255.255.255.0 | 255.255.255.0 |
Tunnelling Method | IPSec IKEv2 | |
Encryption Method | AES-256 | |
Authentication | SHA-256 | |
Pre-Shared Key | xf1YMWdu06VWbruNij4xjb76xV |
Given the above information, the VPN device (e.g. DrayTek router!) at each end knows where it can send data, how to get there and the security credentials to use. Entering these details is very easy on each DrayTek router and your secure VPN tunnel is then set up by the router. The PCs (or servers/systems) at each end of the VPN link then have full access to each other, as required, whilst remaining fully firewalled from anyone else on the Internet.
Teleworker VPNs
For mobile users - a person using a single laptop or other device remotely, you do not need to have another Vigor router to create a VPN tunnel into your office. You can use a software VPN client which is built into all modern operating systems.) to create a teleworker VPN connection.
To connect services like DrayTek’s SSL VPN, the SmartVPN Client is free and available for most platforms from here.
Using the VPN
Now that you have your remote networks or teleworkers connected through the encrypted tunnel, you can pass data between them. You can, for example access a remote resource like a shared network drive (example shown right) though the efficiency of that will depend on your connection speed - moving large files can take a lot longer than if you're local on the Ethernet LAN. Though with faster broadband and faster VPN routers, that can often be less of an issue. You can also access an SQL server, mail server or any other service running over TCP/IP.
However, the most common type of VPN traffic is remote access - Windows Terminal Services, Remote Desktop or other remote-control facilities - i.e. replicating a remote PC's screen on your local computer.
A DrayTek router with VPN support can operate multiple VPN tunnels simultaneously - for example if you have five offices, you can have five VPN tunnels so that you can communicate with all of them simultaneously. The DrayTek router will display the current VPN status so you can monitor traffic loads and activity, as shown below.
Summary of DrayTek VPN Features
Vigor routers with VPN capability provide a wide array of standard protocol support, providing flxible configuration options to suit your own prererences and good cross-compatiblity with other vendors products.
- No 'per user' licencing for VPN users
- Compatible with standard O/S VPN software clients
- Supports multiple tunnels simultaneously
- VPN Trunking & VPN Backup
- Multiple VPN Protocol support:
- Dial-in or dial-out, LAN-to-LAN or Teleworker-to-LAN
- Protocol support for IPSec: IKEv1, IKEv2, IKEv2 EAP
- IPsec Diffie-Hellman Groups: Up to DH Group 21 (512-bit Elliptic Curve)
- Other VPN Protocols: OpenVPN, SSL VPN, L2TP with IPsec & PPTP (for legacy applications)
- Authentication: SHA-256, SHA-1, PAP and CHAP
- Encryption: AES256, AES192, AES128, 3DES & DES
- PFS (Perfect Forward Secrecy) - Adds additional key protection
- Dead-Peer-Detection (Detects dead links for peerless connections)
- Pre-shared/IKE keying & and PKI (X.509) certificate support
- IKE Phase 1 Aggressive/Main Modes & Phase 2 Selectable lifetimes
- Active Directory / LDAP, RADIUS & TACACS+ Support for dial-in teleworker authentication
- Tunnels selectable as dial-on-demand or always-on and direction selectable
- Compatible with other leading 3rd party vendor VPN devices
- IP Filtering within VPN Tunnels - allow/block specific LAN IP Addresses
- Facilities/Support depends on Vigor model; please check model specification
3rd Party Vendor Compatibility
The Vigor routers' VPN facilities are also compatible with VPN facilities on all other manufacturer's devices. have also been tested with VPN devices so you can have products from different vendors at each end.
To find a DrayTek router with the right line interface and VPN capability, you can check the Router Comparison Chart.