Hi everyone. Darren from DrayTek Australia and New Zealand. With the current effort to slow the spread of the 2019 coronavirus, also known as COVID-19, now more than ever many businesses are looking at how they can operate by having employees work from home. Accessing company resources, even PBX phone systems, is all possible over the Internet using a secure VPN (Virtual Private Network).

We'll start by looking at what a VPN is and the types of VPNs available that can be used to access the company network and resources from another location. The level of security may be a concern as well, and will determine your choice of VPN protocol to use, and we'll discuss the advantages or disadvantages each offers. Then we'll look at how to choose the most suitable router for the task.

So, let us start by looking at what a VPN is. A Virtual Private Network, otherwise known as a VPN, provides a secure and low-cost method for computers in different locations to communicate with each other across the Internet, much the same as if they were on the same local area network. There is no need for a dedicated link between two sites, such as a cable or a Wi-Fi link, to allow the secure exchange of data. Computers can instead communicate across public networks, or a wide area network, in a manner that emulates the properties of a point-to-point private link. So a VPN is basically an extension of a private network using links spread across shared or public networks such as the Internet. I'll include a link below to a video with a basic explanation of VPNs and how easy it is to create an SSL VPN using the free DrayTek Smart VPN application on an iOS device.

The term VPN tunnel is used to describe the connection between your computer and the VPN server, or the connection between VPN servers. It is essentially a communication channel (or a tunnel) which protects data being transmitted within it from being accessed by anyone else. An analogy is a road tunnel for cars, where the concrete tunnel itself protects the cars driving through it from the water or earth above crashing down.

As you're probably aware, a lot of businesses choose to adopt virtual private networks to share their resources with employees and partners who are not based in the office at all times. I'm one of those myself. I'm based in Brisbane and I have access to shared drives in the Sydney office, and I even have an IP phone connected to the Sydney switchboard so we can transfer calls to and from each other, or I can talk to staff internally at their extensions. If you're in Brisbane, don't forget we can arrange for you to pick some orders up from here, and I'm always available by phone or email if I can help out with anything.

Organisations have also begun using VPNs to outsource their work, enabling them to lower internal staff costs while maintaining data security. At the moment, with coronavirus, it means companies can minimise the possible impact of the virus spreading by having selected staff work from home, or the business can continue operating if it is put under quarantine or if we go to higher-level restrictions. It's important to emphasise that VPNs need to be secure. Data breaches not only lead to compensation and regulatory fines, but can leave lasting reputational damage.

We will now look at the types of VPN tunnels. There are two main types of VPN tunnels available in DrayTek routers: 1. LAN to LAN VPN tunnel, and 2. Remote Dial-in VPN.

LAN to LAN VPN tunnels are used to connect two whole LANs to each other, for example a branch office or home office, or someone working from home with multiple devices, connected to the head office for sharing resources. Through one VPN tunnel many users or many devices can be connected to the same network over the Internet. The users at the branch office can access servers and printers, for example, as if they were on the head office local network. In this mode, only one VPN connection is created and all staff at the branch office can access head office services through it. At the same time, head office staff can access branch office services.

One requirement to be aware of is that the two networks should NOT have the same subnet, as shown in the example here: Router A (the Headquarters on the left) is configured as the VPN Server and has LAN IP subnets of 192.168.1.0 and 192.168.3.0, while Router B (the remote Branch Office) is configured as the VPN Client and has a LAN IP subnet of 192.168.2.0, which is different from the Router A subnets.
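As an added illustration (not from the video or DrayTek's firmware), the Python below checks the two sides' subnets for overlap using the addresses from the example above, then simulates how the branch router would pick a route, showing why an overlapping branch subnet keeps head office traffic off the tunnel. The route-selection rule (longest prefix, connected LAN wins a tie) and the clashing branch subnet are assumptions made for the illustration.

```python
import ipaddress
from typing import List, Tuple

# Subnets from the example above: Router A (head office) and Router B (branch).
HEAD_OFFICE_SUBNETS = ["192.168.1.0/24", "192.168.3.0/24"]
BRANCH_SUBNET_OK = ["192.168.2.0/24"]    # different from head office: fine
BRANCH_SUBNET_BAD = ["192.168.1.0/24"]   # constructed clash, for comparison only


def overlapping_subnets(local: List[str], remote: List[str]) -> List[Tuple[str, str]]:
    """Return every (local, remote) pair whose address ranges overlap.

    An empty list means the LAN to LAN profile is safe to configure.
    """
    local_nets = [ipaddress.ip_network(s, strict=False) for s in local]
    remote_nets = [ipaddress.ip_network(s, strict=False) for s in remote]
    return [(str(a), str(b)) for a in local_nets for b in remote_nets if a.overlaps(b)]


def build_routes(local: List[str], remote: List[str]):
    """Simplified branch routing table: connected LANs plus the subnets reachable via the tunnel."""
    routes = [(ipaddress.ip_network(s, strict=False), "local LAN") for s in local]
    routes += [(ipaddress.ip_network(s, strict=False), "VPN tunnel") for s in remote]
    return routes


def resolve(routes, dst: str) -> str:
    """Pick the next hop for dst: longest prefix wins; on a tie the connected LAN wins.

    The tie-break is an assumption used for illustration, but it reflects why an
    overlapping subnet leaves packets on the local LAN instead of sending them
    through the tunnel.
    """
    ip = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in routes if ip in net]
    if not matches:
        return "default route (Internet)"
    matches.sort(key=lambda m: (m[0].prefixlen, m[1] == "local LAN"), reverse=True)
    return matches[0][1]


if __name__ == "__main__":
    print("overlaps (good):", overlapping_subnets(BRANCH_SUBNET_OK, HEAD_OFFICE_SUBNETS))
    print("overlaps (bad): ", overlapping_subnets(BRANCH_SUBNET_BAD, HEAD_OFFICE_SUBNETS))
    good = build_routes(BRANCH_SUBNET_OK, HEAD_OFFICE_SUBNETS)
    bad = build_routes(BRANCH_SUBNET_BAD, HEAD_OFFICE_SUBNETS)
    print("192.168.1.50 via (good):", resolve(good, "192.168.1.50"))
    print("192.168.1.50 via (bad): ", resolve(bad, "192.168.1.50"))
```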
Once connected to the head office network you'll then be able to access anything the head office network is connected to as well. One example of that given here is if the head office is connected to a cloud server, then once the branch office connects to head office via VPN it will also be able to access that cloud server.

The second type of VPN is a remote dial-in VPN tunnel, also known as Host to Gateway or Host to LAN VPN. Here a single user uses a VPN client (that's software) running on the computer to set up a VPN tunnel for secure communication with the head office network. The VPN client will use an IP address in the local subnet at the remote network. Note that each remote dial-in VPN tunnel created counts towards the total number of VPN tunnels supported in the router. For example, the Vigor2862 series routers support a maximum of 32 VPN tunnels. These can be 32 remote dial-in connections or a combination of dial-in connections and LAN to LAN VPN connections.

Most VPN clients will work for remote dial-in to a DrayTek router. The most common are the default VPN client built into Windows or DrayTek's Smart VPN client, which is available as a free download.

We will now look at VPN protocols and how VPN tunnelling works. This diagram shows a basic representation of how VPN tunnelling works. In Step 1, the data payload is sent from a PC to the destination network. In Step 2, the sending router appends a tunnelling header to the data packet. This encapsulated payload is sent across the Internet to the destination router in Step 3. And finally, the tunnelling header is removed by the destination router and the data payload is sent to its final destination in Step 4. Some tunnelling protocols not only encapsulate the data but can also encrypt it to further protect the confidentiality and integrity of the information. As shown in this diagram, the routers at each end of the VPN tunnel encrypt and decrypt the data as it is sent and received.

DrayTek routers include the most common VPN tunnelling protocols listed here with no additional licensing requirements. Down the bottom there, OpenVPN was added from firmware version 3.9.0 in DrayOS routers.

Security features for some of those VPN protocols are shown in this table. At the top we have GRE (Generic Routing Encapsulation), which is a basic protocol that offers no encryption or peer authentication. We use GRE where IP tunnelling without privacy is required. It's simpler and thus faster. It's also used inside an IPSec VPN tunnel in DrayTek's VPN Load Balancing feature. I'll include a link to a video below about VPN Load Balance if you'd like more information.
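Added example (not from the video or DrayTek's firmware): a small Python model of Steps 2 and 4 of the tunnelling diagram above, using the GRE header layout from RFC 2784 with its optional checksum so that a packet corrupted in transit is rejected on decapsulation. The last function shows the point the table makes about GRE: the encapsulated payload is still readable in the clear, which is why confidentiality has to come from something like the IPSec tunnel that the load-balancing feature runs GRE inside. The sample inner packet is constructed.

```python
import struct

GRE_PROTO_IPV4 = 0x0800        # protocol type of the encapsulated packet (IPv4)
GRE_FLAG_CHECKSUM = 0x8000     # "C" bit: a checksum + reserved1 word follows the header

def internet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071), as used for the GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload: bytes, with_checksum: bool = True) -> bytes:
    """Step 2: the sending router prepends a GRE tunnelling header to the data payload."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    header = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if with_checksum:
        # The checksum covers the GRE header (checksum field zeroed) and the payload.
        csum = internet_checksum(header + struct.pack("!HH", 0, 0) + payload)
        header += struct.pack("!HH", csum, 0)
    return header + payload

def gre_decapsulate(packet: bytes) -> bytes:
    """Step 4: the destination router validates and removes the header, returning the payload."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if (flags & 0x0007) != 0:          # low three bits carry the GRE version; must be 0
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected protocol type 0x%04x" % proto)
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        # A valid packet checksums to zero when the checksum field itself is included.
        if len(packet) < 8 or internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch: packet corrupted in transit")
        offset += 4
    return packet[offset:]

def payload_visible_in_transit(packet: bytes, needle: bytes) -> bool:
    """GRE alone does not encrypt: anyone on the path can read the inner data."""
    return needle in packet

if __name__ == "__main__":
    inner = b"constructed inner packet: GET /payroll.xlsx"   # constructed sample payload
    wire = gre_encapsulate(inner)
    print("round trip ok:", gre_decapsulate(wire) == inner)
    print("payload readable on the wire:", payload_visible_in_transit(wire, b"payroll"))
```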
PPTP adds a bit more security, requiring a username and password to authenticate, but it can also be encrypted as well. L2TP (Layer 2 Tunnelling Protocol) can offer a higher level of security than PPTP if we combine it with an IPSec policy pre-shared key to authenticate. IPSec is the king of VPN security and is generally the way to go for business networks. It uses a pre-shared key with varying levels of encryption to authenticate. It generally requires a static (fixed) IP address at both ends, but this can be worked around using DrayTek's "Aggressive Mode" IPSec VPN, which uses Peer ID to authenticate the connection. I'll explain a bit more about IPSec in a moment.

SSL or Secure Sockets Layer VPN uses the same HTTPS protocol used by secure websites. This means as long as the router allows HTTPS traffic through it, an SSL VPN should get through it as well. It's a great one for remote dial-in users using ISP-supplied gateways they have no idea how to configure, or the ISP may even have locked the interface. There are fewer restrictions for the data encrypted through SSL when compared with a traditional VPN. DrayTek's Smart VPN Client has an SSL option and it's supported by Windows PCs, Android and Apple Mac devices. You can even initiate an SSL VPN using just a web browser, but DrayTek's Smart VPN Client is the preferred way to go.

Here are some recommendations for different operating systems. For Windows we recommend an L2TP over IPSec VPN. Most others go for an IPSec variation, or alternatively SSL or OpenVPN for remote dial-in users. DrayTek's Smart VPN client has options to create both OpenVPN and SSL VPNs.

This diagram shows the different stages in setting up an IPsec VPN tunnel. We have the call initiation ("Interesting Traffic" there in Step 1 is just the term for traffic that is to be encrypted over the VPN connection), handshaking, IKE Phase 1 and IKE Phase 2 in Steps 2 and 3, then tunnel establishment. That's a fairly basic idea of what happens, but understanding the different stages involved will help to troubleshoot IPsec VPN connectivity issues. There are plenty of knowledge base articles, guides and YouTube videos that describe how IPSec works, so check out our knowledge base or the knowledge base at draytek.com, or even just Google around.
Once you've done one they're really not that hard. Creating VPN tunnels is quite easy in DrayTek routers. There are two ways to go about it. The first one is the wizard, which you'll find up the top of the left-hand menu in the router's web user interface. There's a VPN Client Wizard and a VPN Server Wizard. For the VPN Client Wizard you'll be connecting the router to another router, which makes it a LAN to LAN VPN. You just select the next blank index from the pull-down menu beside where it says "Please choose a LAN-to-LAN Profile" and follow your nose from there. The VPN Server Wizard means you're configuring the router to accept inbound VPN connections from authorised users. That can be done either as a LAN to LAN VPN for another router to connect in, or to allow remote dial-in users to connect.

Alternatively you can create VPNs manually by going to the VPN and Remote Access section in the web user interface. For LAN to LAN VPNs, select that option from the menu then click on the next available index. In this case they're all blank so we'd select No. 1. The settings you need to enter in the index to create the LAN to LAN profile are basically: what sort of VPN you want to use (for example PPTP or IPSec), where you need to connect to or from (that is, whether this router is the VPN server or the client), and what authentication and encryption methods you'd like to use. If you'd like more information about those settings please check out the knowledge bases on draytek.com.au and draytek.com.

Configuring remote dial-in accounts is much the same. Go to VPN and Remote Access and select Remote Dial-in User. (Note down the bottom here there are links to download the free DrayTek Smart VPN client.)
Then select the next available index. So here we're creating a profile that is allowed to VPN into the router from another location, and after enabling it, we need to establish what type of VPN this person is allowed to use. They're all allowed by default (notice there's an SSL option there too), so you can untick any you don't want to be used, and then select an authentication method on the right. You might also notice an option on the bottom left there where you can specify a particular LAN subnet you want this user to be able to access.

To dial in from a PC you'll need a VPN client. Here's the Windows 10 version. You'll see it's basically a case of telling it where to connect to, what type of VPN to use and how it needs to authenticate. That will obviously need to match the details we entered for this person's profile in the router, in the previous slide.

Here's DrayTek's Smart VPN app. It's available as a free download from draytek.com or draytek.com.au, as well as the App Store and Google Play. Pictured here is what it looks like installed on iOS 9.x. This is the PC version. Again it's just a case of telling it where to connect to, what type of VPN to use and how it needs to authenticate. If we select IPSec, we see all the security and authentication methods we can use.

As I mentioned, there are a lot of application notes in the knowledge base at draytek.com for both LAN to LAN and dial-in VPNs. To find them, click on the knowledge base link under "Support" at the top of the page at draytek.com. You should see the VPN category at the top of the right-hand column. Otherwise just search for "VPN". There are also quite a few videos on our YouTube channel, including a playlist with all of our VPN-related videos in it. Just scroll down the home page until you see the "VPN using DrayTek router" playlist. I'll also include a link to it in the description below.

We will now look at how to choose the right router. Two main factors decide which router will best suit your needs: what type of Internet connection you have and how many simultaneous VPNs you require. This table shows the number of supported VPN tunnels in models featuring an ADSL or VDSL2 modem. These suit people with ADSL or NBN FTTN or FTTB connections, but they also have gigabit Ethernet WAN ports so they can also be used for Internet connections requiring one of those, or they can be connected to 3G or 4G Internet using a compatible USB modem. The Vigor2762 series is a great one for a small branch or single remote user to create a LAN to LAN VPN to the main office.
The Vigor2862 series is the better way to go for a larger office. This table shows the number of supported VPN tunnels in models featuring one or more Ethernet WAN ports, which are suitable for cable Internet and NBN FTTP, FTTC, HFC, Fixed Wireless and Sky Muster satellite connections, or you can plug a VDSL modem like the Vigor130 in bridging mode into one of their Ethernet WAN ports. You might do that where you need the features of a router like the Vigor3910 in the right-hand column but you have a VDSL connection. Most models also feature at least one USB port to connect a compatible 3G or 4G USB modem. The bottom two rows show the number of simultaneous VPNs supported, which will give you an idea of the size of office they're designed with in mind.

And this table shows DrayTek products featuring a built-in LTE modem, which just needs a SIM to connect to 4G. One handy feature in the Vigor LTE200n and 2620 LTE series is that they can be configured in bridge mode to allow them to be connected into the Ethernet WAN ports of more advanced routers like the Vigor3910 shown in the previous table. I'll include a link in the description below to a video on that topic explaining how to do it.

And speaking of LTE, you might find that some ISPs only assign private IP addresses, which are not suitable for VPNs. This makes it kind of difficult to establish LAN to LAN VPN tunnels. DrayTek's VPN Matcher is a solution developed by DrayTek which works around this problem by providing an authentication server known as the DrayTek VPN Matcher Server. This feature is currently available on the higher-end routers such as the Vigor2862 and Vigor2926 series, and the Vigor3910 running the latest firmware. How it works is, first of all, the routers at both ends need to register with the VPN Matcher server. The VPN Matcher server then exchanges external IP addresses and port numbers between the two routers that want to communicate. When the client router initiates a connection to the server router, the VPN Matcher server will instruct both routers to open the required ports and allow the VPN to be established. Be aware that VPN Matcher only receives information about IP addresses and port numbers. It has no access to the VPN traffic itself.

There is an application note in the draytek.com knowledge base with more information about VPN Matcher and how to configure routers to use it. If you go to draytek.com, mouse over "Solutions" at the top of the page then click on the VPN Matcher link. That page will provide some background information as well as a link to the application note. VPN Matcher can also be used for dial-in VPNs, otherwise known as a host to LAN VPN. There's a config example for that which you can get to by changing the number at the end of the previous URL from 6124 to 6125, or just search for "VPN Matcher" on the draytek.com knowledge base.
So, in summary, we introduced the concept of Virtual Private Networks and discussed the types of VPN tunnels and protocols supported on DrayTek routers, and then we looked at how to choose the right router for both the main office and for remote workers, which at the moment is attracting a lot of interest in the face of social distancing and other restrictions that businesses are currently having to deal with.

At the moment we're still going strong here at DrayTek Australia. We have lots of stock in our Sydney warehouse as well as up here in Queensland, and we've taken steps to make sure we can keep trading and shipping. For more information about DrayTek products please check out our website at www.draytek.com.au, send us an email to firstname.lastname@example.org, or give us a call on 02 9838 8899. Don't forget to like and subscribe below, and give the bell a click if you'd like a notification of new videos as they go up.

Thanks and bye for now. :)