Reece (Australia) asked:
VPN 101 - how and which protocol?

I've never really had the need to use a VPN (or set one up for someone else) because "Australia".  We have really bad internet here and I've always been pretty blasé about security and privacy because I avoid exposing sensitive data to the internet and I don't like P2P.
But... the time has come where my place of work wishes to interconnect remote offices and the data shared is absolutely of a sensitive nature.

Being Win 2008 R2 or newer servers, I've usually just set up an SSTP VPN using RRAS and a free SSL certificate.  Clients connecting have always been via the standard Win7 VPN wizard and "Use default gateway on remote network" has been unchecked in TCP/IPv4.

But I've found that due to slow internet connections, applications using the VPN to securely transfer the data are suffering even more.  So I'm considering deploying a decent RDS/RDS-Gateway configuration in the head office.

Anyway... I just want to know a bit more about VPNs and which security protocol is better for what use.
Call me lazy, but I'd prefer not to have to read lengthy whitepapers on the topic, and most reputable blog posts are too subjective for my liking.  Plus they tend to leave out the one thing I can't wrap my head around...

If one were to use a VPN for doing all web traffic (browsing, torrenting and everything else that goes between), how does the internet traffic go through the VPN rather than the normal internet connection the VPN requires to actually connect?

I.e. an ADSL2+ connection to the internet at home using a standard network configuration creates a LAN of say 192.168.0.0/24 with gateway and DNS being the DSL modem/router.  Bob sets up a VPN using the standard Windows tool (or even a client like OpenVPN) and connects to a gateway in Amsterdam with an IP 123.40.50.60.  Even with the "Use default gateway on remote network" checked in TCP/IPv4, what determines that the internet traffic (ALL OF IT) uses the gateway from that VPN rather than the DSL modem/router gateway through the local ISP?
Is it that an active VPN blocks or overrides the LAN gateway?  If so, how?  Can some traffic still go through LAN despite this?

I mean, I understand how some region unblockers work when they use DNS-over-VPN and 'Smart DNS' (like GetFlix for example)  But a full VPN... how does ALL traffic go through it (especially when it's usually slower and the path of least resistance is the LAN gateway)?
I'm an IT tech and well experienced in almost all facets of IT (except software dev), yet my brain seems to be taking the day off.

As far as the protocols go, in order of decreasing speed, but increasing security does it go PPTP>L2TP/IPsec>SSTP>SSH?  Can you opt for the PPTP choice and bolster security or anonymity?

I've got a few other questions about inexpensive yet effective ways of how one could secure internet data for a number of users at the same time rather than concurrent SSTP connections, but I'll wait on some explanations before asking them in comments or creating a new question.

I understand these might be noob questions for a network engineer or someone well practiced in VPN use, but I've got to start somewhere right?

Cheers
Joseph Milestone:

You can get help with this here:

http://www.softether.org/

I used SoftEther VPN previously and I think it is one of the good VPNs.
Joseph Hornsey:

Reece,

Generally speaking, if you want to put a permanent VPN solution in place, you'll configure the VPN tunnel on the firewall at each site.

You can use pretty much whatever firewall will support the tunnel, and everyone is going to have a different opinion as to which brand is best.

Personally, I'm a Cisco fan.  Others will recommend Sonicwall, Sophos or whatever they happen to like.

Regardless, the concepts are the same.

Most LAN-to-LAN (L2L) VPN tunnels use IPSec and there's no compelling reason to use anything different.

Generally, you will only want to tunnel the traffic that needs to go to the other site, but have everything else operate as normal.  In other words, traffic to the internet goes to the internet and traffic to the other office goes to the other office.  This is called "split tunneling".

To set this up, you'll create definitions on each firewall such as:

- Local Network
- Remote Network
- Tunnel Settings (encryption, pre-shared key, etc.)

Then, you tell each firewall:  "Send anything addressed to the remote network through the VPN tunnel to that firewall over there".

That's pretty much it in a nutshell.

Regarding multiple users, a remote-access VPN is still going to be the way to go.  Most vendors have an SSL VPN client, so SSL is the tunneling protocol.

Does that help answer your question?
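Both the asker's "how does ALL traffic end up in the tunnel" question and Joseph's "send anything addressed to the remote network through the tunnel" rule are decided by the client's route table: the OS picks the longest matching prefix, then the lowest metric. The following is an added example, not code from anyone in this thread; it simulates that lookup with the asker's addresses (LAN 192.168.0.0/24, VPN server 123.40.50.60), while the interface labels ("lan", "dsl-router", "vpn") and the remote office network 10.20.0.0/16 are constructed placeholders.

```python
import ipaddress

def lookup(routes, dst):
    """Pick the outgoing interface for dst: longest prefix wins,
    lowest metric breaks ties (the same rule Windows and Linux apply)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via, metric in routes:
        net = ipaddress.ip_network(net)
        if dst in net:
            key = (net.prefixlen, -metric)   # bigger tuple = preferred route
            if best is None or key > best[0]:
                best = (key, via)
    return best[1] if best else None

# Baseline: a vanilla client behind a DSL modem/router, no VPN up yet.
LAN = [
    ("192.168.0.0/24", "lan", 10),
    ("0.0.0.0/0", "dsl-router", 10),      # default route via the DSL router
]

def full_tunnel(routes):
    """'Use default gateway on remote network' ticked. The VPN client adds a
    host route to the VPN server via the DSL router (the tunnel's own packets
    must still reach Amsterdam) plus a second default route with a lower
    metric. The LAN default route is not removed; it just loses the tie."""
    return routes + [
        ("123.40.50.60/32", "dsl-router", 1),
        ("0.0.0.0/0", "vpn", 1),
    ]

def def1_tunnel(routes):
    """OpenVPN's 'redirect-gateway def1' approach: two /1 routes cover all of
    IPv4 and beat any /0 on prefix length, so metrics never matter."""
    return routes + [
        ("123.40.50.60/32", "dsl-router", 1),
        ("0.0.0.0/1", "vpn", 50),
        ("128.0.0.0/1", "vpn", 50),
    ]

def split_tunnel(routes, remote_net="10.20.0.0/16"):
    """Joseph's LAN-to-LAN rule: only the remote office network (constructed
    placeholder here) goes through the tunnel; internet traffic stays local."""
    return routes + [(remote_net, "vpn", 1)]
```

Running `lookup(full_tunnel(LAN), "8.8.8.8")` returns "vpn" while `lookup(full_tunnel(LAN), "123.40.50.60")` still returns "dsl-router", which is exactly the detour the asker is trying to picture.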

I use Juniper and Cisco VPN routers and IPsec VPN. I do VPN in hardware as that seems most efficient.

VPN is mostly slow. It uses the slow side of the link all the time.

All of the above units have site to site VPN and I use that.

When I want to access from a remote location, I use NCP Secure Entry (www.ncp-e.com). This is bombproof software and does double NAT just fine.

Let us know if you have questions.
Reece (asker):
Thanks for the comments and suggestions on VPN or firewall devices.  I understand how a site-to-site works, because most computers connected to a site-to-site don't actually even know the VPN is there... all of the routing is done between the VPN devices/systems.
I'm not really after explanation on those though - more of an explanation on how all web traffic is forced to go through the VPN rather than the local WAN in a client/server config.
ASKER CERTIFIED SOLUTION (akahan, United States)

SOLUTION
more of an explanation on how all web traffic is forced to go through the VPN rather than the local WAN  <-- Just use split tunneling.
Reece (asker):
Thanks Akahan, this is the sort of explanation I'm after.

To John and Joseph - I already understand that you can specifically direct certain traffic to a destination using firewall rules, port routing and split tunnelling, but I was unaware how in the most basic computer-internet environment (say a vanilla windows 7 install with a DSL modem/router), adding a simple VPN using either the Windows client or something like OpenVPN (or SoftEther or whatever) can effectively redirect ALL internet traffic through its connection when it becomes active.  

I was obviously giving a VPN client equal weight as a network adapter (assuming it was just another type), but in actuality, it is more of an add-on to the adapter it is applied to.  Much like a detour would be to a highway (which can also be selective using "split tunnelling").  Apologies for the bad analogy.