VPN - how does it work

Posted on 2006-03-30
Last Modified: 2012-05-05

I understand what a VPN is and have been trialling RRAS and doing some reading. Internally I have set up an RRAS server and can connect to it just fine with an XP machine's inbuilt VPN connection.

I also understand that at my office I would have to enable port mapping on a router to point to my VPN server: 1723 for PPTP.

The concept I do struggle with, however, is this: if I am sitting at home with a normal DSL connection through a standard ISP, how do I authenticate with my VPN connection to my RRAS server, which sits behind a firewall in a private IP managed network? Or, scrapping the private IP managed side of things, a standard network that sits behind a router with a different ISP on the other side of my country!

For example, my home network in New South Wales sits quite contentedly with a 192.168.X.X IP scheme which is doled out by DHCP on my router. Now my imaginary office in Western Aus sits on a standard network that also sits on a 192.168.X.X IP scheme that is once again doled out by my standard ADSL router.

How does this work? I know it does, but I would like to understand how it is done. How do site-to-site full-time VPN tunnels configured through RRAS stay up so that DCs can replicate? This is a mystery to me! I just want to know how in the world my home laptop knows where to go with the millions of ADSL routers out there doling out 192.168.X.X IP schemes for home LANs! I know it pulls on the WAN address but I still don't understand it!

Thanks for your expertise!
I don't need links on how to set them up, as I have plenty of them and have handed them out to people with questions in the past. I get how to set them up, to a point. What I want to know is how this works!!

If this is too much of a broad question let me know and I'll narrow it down if I can.
Question by:Jay_Jay70
    LVL 3

    Expert Comment

    The VPN server at your office would have a few ports passed from your firewall at the office to the VPN server.  This would allow external clients world-wide to request a VPN connection on your public interface and the request would be passed through your firewall to the VPN server.  The server would then authenticate you, and if allowed, would pass your requests for DHCP through to its internal network (or assign you one as configured).

    From then on, the VPN server acts as an internal router, passing traffic from your computer (at home or wherever) onto the internal network.  The firewall just forwards the packets to the VPN server and the VPN server figures it out from there.

    When you talk about authentication, I will take a stab at what I think you are asking, but you may need to clarify your question for me.  You can configure your server to accept a number of different authentication types to ensure that clients accessing your remote network are trusted individuals.  The most common means of authentication is a simple domain username/password combination that is encrypted using a technology such as MS-CHAP or something like that.  Nowadays, we use a technology called PEAP (protected extensible authentication protocol) to authenticate you to your VPN server.  You could also use something like a certificate to prove your identity, but that would require you maintaining your own private key infrastructure (PKI) and ensuring certificates are always up-to-date and revoked when necessary.  The benefit to these technologies is that they can be jointly used with other technologies needing authentication (like a corporate wireless LAN), which means you may be able to kill two birds with one stone when implementing something like this.

    Please let me know if this helps answer your question or if you are looking for something different.
    LVL 12

    Expert Comment

    Virtual Private Network - Network scheme in which portions of a network are connected via Internet, but information sent across the Internet is encrypted. The result is a "virtual network" which is also part of a larger network entity. This allows users to privately share private information over a public infrastructure.

    LVL 48

    Author Comment

    Thanks both for your comments

    However, as I mentioned, I know what a VPN itself is; I know how to set it up and have played with it quite a bit. I have a big setup currently using Checkpoint VPN which sits down in Melbourne. I'm just trying to understand RRAS.

    I know what needs to be done to allow the connection from the remote side to be passed through the router etc. I also work heavily with Active Directory and know all about the authentication and security side of things.

    Say I have RRAS installed on a LAN with the address for example. I have enabled port forwarding on my router to say allow passthrough to All good, all makes sense.

    Now from home I'm sitting on a address on my laptop with a standard DSL connection. I run my wizard to create a VPN connection.....

    From here I am confused. Do I need to know the WAN IP of my router at the remote side? Is that what I would enter here? e.g. my router's internal LAN IP would be Is it the WAN side that I enter into my wizard???? What happens in a scenario where a company has just a standard DSL connection and doesn't have a static IP on the WAN side? i.e. sometimes my home connection drops out and when I re-establish a connection I get a different WAN IP.

    I just need to know how, from my laptop, the connection knows WHERE to look.

    LVL 12

    Assisted Solution

    Normally we do need a static IP at the VPN server side. If you use a DSL for which the ISP can't give you a static IP, from time to time the connection will be disconnected, as you mentioned.

    Unless you use a domain name, so every time you connect there is a pointer which will point back to your router.
    LVL 77

    Accepted Solution

    Jay_Jay70, to add a little to the above, I think the confusion may be with the fact that there are different types of VPNs, ignoring the fact that there are also different types of authentication and/or encryption as mentioned above.
    1) You can of course make use of RRAS, where Windows becomes the VPN server. If so the client initiates an outgoing connection (no port forwarding required) to your public IP. Depending on the chosen encryption/encapsulation method, PPTP, L2TP, and/or IPSec, it will use a standard set of ports. When it reaches your router by using its public IP, it would simply be dropped unless you have set up rules on your router as to what to do with those packets. In the case of a standard Windows PPTP, you would create a rule (port forwarding) that all traffic on port 1723 gets forwarded to the VPN server. The VPN server then deals with it, sends a reply to the client and communication begins. At the client end, as with any outgoing request, HTTP or otherwise, the "door" is kept open and traffic redirected to the originating source using NAT (Network Address Translation). Two things to remember with setting these up. The subnet at either end of a VPN tunnel needs to be different, and you need to allow the encapsulation protocol you are using to pass through the router. Make sure the router supports VPN pass-through; not all do.
    2) You can also ignore all of the above, except requiring the subnets to be different, and use a client-to-hardware or hardware-to-hardware VPN. You mentioned you have a CheckPoint VPN/firewall. Forget RRAS altogether!!! CheckPoint uses IPSec, where the basic RRAS VPN uses PPTP. IPSec is far more secure. You can set up L2TP with IPSec using RRAS but I'm sure you have far better things to do with your time. It's not fun. Next, if you use the CheckPoint VPN, or any hardware VPN, you don't need to open any ports, another big security advantage. The Checkpoint VPN will effectively act as a simple router once connected, allowing all traffic from one subnet to another. (Depending on how the client is configured, it may only allow the client on the remote end.) In this case, the router is configured to accept VPN connections, with rules such as: only allow from one IP. When the client or other router connects to the public IP of the router, it has internal rules that say: any traffic of type 'x', IPSec in this case, is allowed to pass to the local subnet, under the specified conditions, is un-encrypted and passed through and seen by the local subnet as a local IP due to NAT.

    With either VPN your connection is seamless; you use local IPs and all routing from your subnet to the other is controlled by the VPN, and as you mentioned that address may be changed/routed numerous times while en route. Keep in mind this is the true security risk of a VPN. If it is branch-to-branch, you have effectively put all remote computers in the middle of your corporate office. Unless rules are set up, browsing the remote LAN is as easy as any local network. If on the remote network you have someone working at home, and little Johnny is downloading viruses and hacking every IP he can see, you can be at risk. The CheckPoint unit will allow you to tighten that down considerably, far more than RRAS.

    In my opinion, always go the hardware route, unless you want to use ISA, but that is another topic.
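The PPTP path described in point 1 of the accepted answer (client starts an outgoing connection, the home router's NAT keeps the "door" open, the office router forwards TCP 1723 to the VPN server and drops anything it has no rule for) can be traced with a toy model. This is an added example, not code from the thread or from RRAS; the addresses 203.208.0.1, 202.204.0.1, 192.168.223.10 and the port numbers are constructed for illustration.

```python
"""Added example, not from the original thread: a toy model of the PPTP
exchange described in the accepted answer.  The home router does stateful
NAT for the laptop's outgoing connection; the office router has a single
port-forwarding rule (TCP 1723 -> the RRAS server) and drops everything
else that arrives on its WAN address.  All addresses/ports are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HomeRouter:
    """NAT for outgoing connections: rewrites the private source to the WAN
    address, remembers the mapping, and only lets replies that match a
    remembered mapping back in (the 'door kept open' in the answer)."""
    def __init__(self, wan_ip, lan_net):
        self.wan_ip = wan_ip
        self.lan_net = ip_network(lan_net)
        self.sessions = {}          # (proto, wan port) -> (private ip, private port)
        self.next_port = 40000      # constructed starting point for NAT ports

    def outbound(self, pkt):
        if ip_address(pkt.src_ip) not in self.lan_net:
            raise ValueError("packet does not come from the home LAN")
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt):
        inside = self.sessions.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.wan_ip or inside is None:
            return None             # unsolicited traffic is dropped
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


class OfficeRouter:
    """Static port forwarding: a packet for the WAN address reaches an
    internal host only if a rule names its protocol and port; otherwise it
    is dropped.  Replies from a forwarded host are rewritten back to the WAN
    address so the remote side never sees the private IP."""
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.forwards = {}          # (proto, wan port) -> (internal ip, port)

    def add_forward(self, proto, wan_port, internal_ip, internal_port):
        self.forwards[(proto, wan_port)] = (internal_ip, internal_port)

    def inbound(self, pkt):
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.wan_ip or target is None:
            return None             # no rule: "simply dropped"
        return replace(pkt, dst_ip=target[0], dst_port=target[1])

    def outbound(self, pkt):
        for (proto, wan_port), (ip, port) in self.forwards.items():
            if (proto, ip, port) == (pkt.proto, pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)
        return None                 # a host without a rule cannot answer on the WAN


def simulate(dst_port=1723):
    """Run laptop -> home NAT -> office router -> RRAS server and back.
    Returns (packet as seen by the RRAS server, reply as seen by the laptop);
    both are None when the office router dropped the request."""
    home = HomeRouter("203.208.0.1", "192.168.1.0/24")      # constructed
    office = OfficeRouter("202.204.0.1")                    # constructed
    rras = ("192.168.223.10", 1723)                         # constructed
    office.add_forward("tcp", 1723, *rras)

    laptop = Packet("192.168.1.50", 51000, office.wan_ip, dst_port)
    on_wire = home.outbound(laptop)             # source is now 203.208.0.1:40000
    at_rras = office.inbound(on_wire)
    if at_rras is None:
        return None, None
    reply = Packet(at_rras.dst_ip, at_rras.dst_port, at_rras.src_ip, at_rras.src_port)
    reply_on_wire = office.outbound(reply)      # source rewritten to 202.204.0.1:1723
    at_laptop = home.inbound(reply_on_wire)     # NAT mapping sends it to the laptop
    return at_rras, at_laptop


if __name__ == "__main__":
    print(simulate())         # both directions delivered
    print(simulate(1724))     # no forwarding rule for 1724: (None, None)
```

The model covers only the TCP 1723 control channel. A real PPTP tunnel also carries its data in GRE (IP protocol 47), which has no port number, so the office router must be able to forward that protocol and the home router must track it; that is the "VPN pass-through" support the answer says to check for.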
    LVL 48

    Author Comment

    Thanks Robwill,

    Pretty much nailed what I needed to know.... I am guessing the key part that has been missing is the fact that I do need to know the WAN IP of the router that I am trying to get to... pretty basic huh!

    >>>>The subnet at either end of a VPN tunnel needs to be different

    Now I'm slightly confused in regards to the subnet side of things. Say home LAN has 192.168.1.X/24 with an external IP of 203.208.X.X/24, and office has internal LAN of 192.168.1.X/24 with an external IP of 202.204.X.X/23.
    Is this a no-go? Why so?

    I set up my RRAS server; it's all very pretty and seems to be happily humming along and configured. If I go home, run my VPN wizard, put in the WAN IP of the remote router (202.204.X.1), it hums along, finds my router on the other side of the state, forwards the packet on to the RRAS server, authenticates and voila, I have a connection, yes?? I will now have an IP that matches my remote office subnet, thus giving me access to all my remote resources.

    I would agree with you on the Checkpoint side of things; it's been flawless so far. I just wasn't around at the time that it was set up so didn't get to see how it was all done and managed! This RRAS setup is just more for my understanding of how business can use inbuilt VPN features! I've read articles but they don't quite explain the nitty gritties like you have above.

    Thank you for answering! Hopefully you can clarify the above for me.

    LVL 77

    Expert Comment

    by:Rob Williams
    >>"need to know the WAN IP of the router that i am trying to get too"
    Or set up a DDNS service, using Dynamic or Static. I have all my sites set up with or similar.

    >>"home LAN has 192.168.1.X/24 with an external IP of 203.208.X.X/24 and office has internal LAN of 192.168.1.X/24"
    Won't work. Think of it as a simple connection: LAN and WAN sides of a router. When you want to connect to a device from home, how does the router know whether to connect to the local or the remote network, when both are the same subnet? Routers and VPNs route packets from one subnet to another. To avoid this problem, I always choose something non-standard for the business network, because you know one of these days some airport or other location will choose the default. Common ones to avoid are 192.168.0.x, 192.168.2.x, 192.168.100.x, 10.0.0.x. I usually choose the 3 digits from the customer's address, where possible, for the 3rd octet. That way I might remember it if I have to. For example 192.168.223.x.

    You mention using RRAS. RRAS creates a Virtual Adapter for the remote client. That adapter will be assigned an IP in the same subnet as the office network. For whatever reason that usually works. I stress USUALLY. Best bet is to keep the remote and office networks different.

    RRAS works great, but I would go with Checkpoint if you can. Very good to have knowledge of RRAS, as you often need to create temporary access somewhere. If you are ever stuck Hamachi is another good alternative. It doesn't require any ports to be forwarded on the router.  However, CheckPoint is much better. I have a colleague who swears by CheckPoint. It is as simple as a user name and password to set up, but has the granularity of Cisco if you need to set up filtering. Recently had to set up a Safenet client for him (Netgear, Watchguard and Sonicwall use SafeNet) said he would never consider it again, as it was a pain to set up.

    Have a bottle of wine waiting for me. B' happy to respond to furtherrrr questions tomorrow, butthe efffectss are starting to tace over allllready.  <G>

    ps- Isn't it Saturday already there? Go to the beach, enjoy yourself !!!!!
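The "won't work" above comes down to route selection: a router picks the most specific matching route, and when the home LAN and the office LAN are the same /24 there are two equally specific matches and nothing to choose between them. The following is an added example, not code from the thread; it builds a minimal longest-prefix-match routing table with the thread's own ranges (192.168.1.0/24 at both ends, then 192.168.223.0/24 for the office as suggested) and adds a pre-flight overlap check a VPN client could run before connecting. Interface names "lan", "vpn" and "wan" are constructed.

```python
"""Added example, not from the original thread: why both ends of a VPN need
different subnets.  A longest-prefix-match routing table cannot place a
packet for 192.168.1.20 when home and office are both 192.168.1.0/24; with
the office on 192.168.223.0/24 every lookup is unambiguous.  Interface
names and the addresses looked up are constructed for the example."""
from ipaddress import ip_address, ip_network


class RoutingTable:
    def __init__(self):
        self.routes = []            # list of (network, interface)

    def add(self, network, interface):
        self.routes.append((ip_network(network), interface))

    def lookup(self, address):
        """Return the interface of the most specific matching route.
        Raise ValueError when two routes of the same prefix length both
        match: the router has no way to decide between them."""
        addr = ip_address(address)
        matches = [(net, iface) for net, iface in self.routes if addr in net]
        if not matches:
            return None
        best = max(net.prefixlen for net, _ in matches)
        winners = {iface for net, iface in matches if net.prefixlen == best}
        if len(winners) > 1:
            raise ValueError(f"ambiguous route for {address}: {sorted(winners)}")
        return winners.pop()


def subnet_conflicts(local_lan, remote_lan):
    """Pre-flight check before bringing a tunnel up: True if the two LANs
    overlap at all (a /24 inside a /16 is just as much of a problem)."""
    return ip_network(local_lan).overlaps(ip_network(remote_lan))


def build_table(home_lan, office_lan):
    """What the laptop's routing table looks like once the tunnel is up."""
    table = RoutingTable()
    table.add(home_lan, "lan")      # directly connected home LAN
    table.add(office_lan, "vpn")    # route pushed/configured for the tunnel
    table.add("0.0.0.0/0", "wan")   # default route towards the ISP
    return table


if __name__ == "__main__":
    clashing = build_table("192.168.1.0/24", "192.168.1.0/24")
    try:
        clashing.lookup("192.168.1.20")
    except ValueError as err:
        print("same subnet at both ends:", err)

    distinct = build_table("192.168.1.0/24", "192.168.223.0/24")
    print(distinct.lookup("192.168.1.20"))      # lan
    print(distinct.lookup("192.168.223.20"))    # vpn
    print(distinct.lookup("203.0.113.9"))       # wan
    print(subnet_conflicts("192.168.1.0/24", "192.168.223.0/24"))   # False
```

Real operating systems do not raise; they silently pick one of the two routes by metric or insertion order, which is why the thread reports the RRAS virtual adapter "usually" working and why the overlap check is worth running before the tunnel is established rather than after.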

    LVL 48

    Author Comment


    Thank you for clarifying for me. I think I understand the WAN side of things a little bit more now and the subnets make sense; good to know for sure as I had no idea previously. I think the key point that was missing, silly enough, was the need to know those WAN side IPs. From there it is all fairly logical :)

    I will be sticking with Checkpoint at work as it has been great for us so far; RRAS was just another aspect of networking that I was wanting to understand :)

    Thank you to everyone who posted and thanks to Rob especially for nailing any questions I had.

    ---==== too cold to be at the beach yesterday and today is not better, I'm off to go and warm myself up with a nice friendly drink of Mr Daniels! hope your head survived your wine adventure. Thanks mate ======-----

    LVL 77

    Expert Comment

    by:Rob Williams
    Thanks Jay_Jay70. Say hi to Jack D. <G>
