VPN


A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.


OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to only use certain services on your network?  Furthermore, what if you want to use the same OpenVPN server to allow yourself or employees full access to the network while giving your customers restricted access?  I’ve got a solution for you!

My example comes from the need to provide a group of customers with access to our MSSQL Database Server without exposing that server to the internet and potential attacks.  We also have a need for myself and other network administrators to be able to use a VPN to gain full access to this network.  My solution is the following OpenVPN configuration:

Assuming that OpenVPN installation is completed and working with defaults and using PAM authentication on an Ubuntu Server.

CREATE USER ACCOUNTS ON THE SERVER
From a terminal session add the users you will be granting VPN access to.  There is no need to assign groups or permissions, only the username and password are needed.

sudo useradd username
sudo passwd username

Easy enough. Now let’s log on to the web interface of our OpenVPN server.

CONFIGURE OPENVPN SERVER

    VPN Settings
        Dynamic IP Address Network
            Create a network to be assigned to administrative users.*
            *Users or Groups marked as …

How to set up an on-demand IPsec site-to-site VPN from a Draytek Vigor router to a Cyberoam UTM appliance.

A concise guide to the settings required on both devices
Let’s list some of the technologies that enable smooth teleworking. 
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
 
Author Comment by William Fulks:
Thanks! My first attempt was using Windows Update. I should make a quick edit to specify that. I went through all the usual measures and they all failed until I removed NetMotion. I wasted a whole afternoon on that machine!
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my methods over that time frame.
 
Expert Comment by Jim Horn:
Very well written chronology, and exactly the type of 'lessons learned from experienced experts' style of writing we need around here.  Voting Yes.
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP).

Here is the basic setup of DMVPN Phase 3. I'll not go into an in-depth discussion of DMVPN; rather, this article will focus more on the features that will enable a DMVPN with both hub and spokes having a dynamically assigned NBMA IP. The setup has been simulated using IOS version 15.4(2)T.
[Figure: DMVPN network diagram]
**************************************************************************************
(R1 configuration)
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
interface Ethernet0/0
 ip address 15.0.0.1 255.255.255.0
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 10.0.0.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 15.0.0.5
**************************************************************************************
(R2 configuration)
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp map multicast 15.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel 


 

Expert Comment by shahed Israr:
Dear learner,
If you don’t know anything about DMVPN configuration, check out these links: DMVPN Configuration, http://gponsolution.com/dmvpn-configuration.html
Secure VPN Connection terminated locally by the Client.
 Reason 442: Failed to enable Virtual Adapter.
If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry fix.

To fix:
1. Click Start and type regedit in the Search field and hit enter.
2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\CVirtA
3. Find the String Value called DisplayName
4. Right click and select Modify from the context menu.
5. In Value data, remove @oemX.inf,%CVirtA_Desc%; . The Value data should only contain Cisco Systems VPN Adapter for 64-bit Windows.
6. Click Ok.
7. Close Registry Editor.
8. Retry your Cisco VPN Client connection.

Originally published on my blog, www.supertekboy.com, at http://supertekboy.com/2013/10/19/cisco-vpn-on-windows-8-1-reason-442-failed-to-enable-virtual-adapter/
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app.

First off you need to download the app from the App Store; just search for "SonicWALL" and you will see the SonicWALL Mobile Connect app.
Once installed you need to set up your connection profile. Choose "Create a new connection" on the Connections menu. You need to enter a few details, including a name you want for this connection, the server IP or FQDN you want to connect to (this is the public IP or URL of your device) and your username and password, which are optional (you will be prompted for them if you do not enter them here; these fields also depend on the settings of the VPN server). The domain field will pre-populate based on the domains offered through the SSL VPN device.
Once you enter the connection information the app will put you back on the main screen. Select your newly created connection and press the green "Connect" button. You will be prompted for your username/password if not already stored, and once connected the green "Connect" button will turn red and become a "Disconnect" button. To disconnect the VPN just press this red "Disconnect" button.
Once connected there are a few information menus for…
 
Expert Comment by sunnylowe:
for instance, is this setup like an L2TP, or a SSLVPN or what?  Any ideas?
 
Author Comment by amatson78:
I have not written one but here is a link to the official SonicWALL setup for Firmware 5.6+ depending on the device you are using. This client is only for SSL VPN, will not work with L2TP.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6461
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140.


What and Why of FIPS 140
Federal Information Processing Standard (FIPS) 140 is a US Federal Government standard for information systems security and protection. Vendors submit their products for testing and once they pass testing, the product is FIPS 140 certified. However, the FIPS 140 certification stipulates a specific configuration and operating system. If you are working on a governmental project or have data that requires US governmental classification, FIPS 140 is usually required.  Outside of required use, FIPS 140 can be used to provide advanced information security. Read more at http://en.wikipedia.org/wiki/FIPS_140.

Juniper has several models and versions of ScreenOS that are FIPS compliant. See their web site http://www.juniper.net/techpubs/hardware/netscreen-certifications.html for details.


Juniper Configuration Guide
If you are new to setting up Junipers using ScreenOS, I recommend getting the Concepts and Examples Guide for your ScreenOS version at http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html.
 
The chapter "Site-to-Site Virtual Private Networks" and the section “Route-Based Site-to-Site VPN, AutoKey IKE” cover the basic setup for site to site…
For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I didn't quite grasp. After some tweaking, I believe I have succeeded.

As of now, I have my HTC incredible 2.2 and a Samsung Infuse successfully connecting. I have an Archos 101 that is giving me fits, but think it is issues with the device itself.

Before you start modifying your config, know that the ASA must have IOS version 8.4.1 and Android must have 2.1 according to Cisco's knowledgebase. The catch is that some ASAs didn't ship with the 512 MB of memory needed to upgrade the IOS out of the box.

Also, if you have any port forwarding set on your main outside IP address, this will cause it to stop working. This is because of the no-NAT statement for the VPN. You have two choices. You can remove the line:

nat (outside,outside) source dynamic [name your VPN LAN] interface

which will prevent VPN clients from accessing the Internet while connected to the VPN. Or, you can move your port forwarding objects to another IP.

We are using an ASA 5505.

Also, to do Active Directory integration, which is highly recommended, you will need some sort of RADIUS server; we are using NPS, which is included with Windows Server 2008. Setup of an NPS server is a different subject, but fairly easy and intuitive.

In the config below, I have taken …
 
Expert Comment by fgasimzade:
Hello ZTrek7!

I have ASA 8.2.3 running and I managed to configure VPN on Android (Galaxy S3)

However, there is a problem I cannot solve.

When I use TACACS+ server for authentication, I can successfully connect

If I use RADIUS, it fails to connect from Android, but successfully connects from any other Windows machine

I can see the Phase 2 completed message in the debugs, but the phone still shows Connecting status for a while, and then stops with an Unsuccessful message.

Have you got any ideas about that? Is it possible that Android does not support RADIUS?
 

Expert Comment by jonathan_schwartz:
Did not work

Overview

Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case, we must manually create persistent routes in order for the VPN clients to communicate with these servers or workstations over the VPN tunnel.

The following routes should be created on the clients and servers only if you do not have an additional router you can access to hold the static routes. Often in small business situations the second router is ISP owned and there is no access to create rules of this nature. If you do have a router you can add a static route to, the same basic principles apply.

Essentially, you must create a route from the VPN client subnet to the VPN router's internal interface address. For example: if the company's Exchange server is on the subnet 10.0.1.0 and uses the gateway 10.0.1.254, but the VPN appliance is 10.0.1.1 and the VPN clients are connecting on the 10.0.100.0 subnet, you must create the following routes in order for the connected VPN clients to communicate with the Exchange server:


Windows

This has been tested on Windows 2000 through Windows 2008 R2. The "-p" makes the route persistent; if it is not included, the route will disappear after the server is restarted.


Adding the Route
Open up an elevated command prompt and type:

route add 10.0.100.0 mask 255.255.255.0 10.0.1.1 -p



Deleting the Route
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wireless card to connect to the Internet and when he did he was not able to VPN into our network.  When I looked at this connection, it showed that the Virgin Broadband Wireless card connects via PPP.  This type of connection canceled out the PPTP protocol on his client, and since he was on Windows XP, there were only two types of protocols to choose from while using the Windows client.  Those two protocols are PPTP and L2TP IPsec.

This article will show the proper way to create an L2TP/IPsec connection on a Windows 2008 RRAS server and a Windows 7 and/or Windows XP SP2 client.

In the RRAS Server, right click on the name of your VPN server and go to properties.
Click on the Security tab and check “Allow custom IPsec policy for L2TP connection”. Create a Preshared Key, be sure to remember it, and then hit OK.  

[Figure: Setting up L2TP on the server end]
Restart the RRAS server by right clicking on the name of the RRAS server again and clicking All Tasks and Restart.

Using Windows 7 VPN client, go to the properties and select the Security tab.  On Type of VPN, select Layer 2 Tunneling Protocol with IPsec and then select the Advanced Settings tab.  Check Use Preshared Key For Authentication and type in the password you set on the server side then hit OK.

[Figure: Windows 7 L2TP settings]
 

Expert Comment by danieldmu:
Excellent!!!! Works perfectly. I had a problem with PPTP because Linksys devices blocked it. This solved my problem.
 

Expert Comment by Pawel_Kowalski:
Not only is PPTP a bad idea because of the issues mentioned in the article; a much bigger issue is that with PPTP you are basically using an unencrypted tunnel these days. This is not something that should be taken lightly: PPTP was cracked back in 1998, and today there are online tools that will crack it for you in minutes:

https://www.cloudcracker.com/

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

So please do not use PPTP unless you are okay with your traffic and passwords going over the internet in clear text.
Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing certain servers, but the options given were not the ones I needed, such as adding group policies to folders and the like.

After extensive testing, I was able to find the solution. Here are the steps you’ll need to take to restrict VPN users from accessing certain servers/resources.

In Active Directory create a group called “VPN Users” or whatever name you seem fit.  Create a VPN test user and add this user to the “VPN Users” group.  In the dial-in tab of the VPN test user, make sure “Control access through NPS Network Policy” is checked.

In the Windows 2008 RRAS server, right click on “Remote Access Logging & Policies” and select “Launch NPS”.  Right click on IP Filters and select “New”.  Select a Template name such as “VPN IP Restrict” and then select “Output Filters”.  Inside of the Output Filters tab, this is where you will add the IP addresses that you want the VPN users to access.  For instance, we wanted our VPN users to access our internal email so we added in the IP address 192.168.0.10.  Add the IP address you want in there, and you also have the option to only allow them to access specific ports on the IP address.  If you only want users to access …
When you connect to your workplace's VPN, you may not notice that you are using your workplace's servers to serve up webpages.  This might be undesirable since the workplace can log all the places you've been.  It also might be very slow to load pages because you are using your workplace server to send pages to you.  

Here is the fix.  

Open your VPN connection.
Click on the Networking tab.
Click on TCP/IP.
Click on Advanced.
Uncheck "Use Default Gateway on Remote Network".
 
Expert Comment by piji:
I have got a client where every time he connects to the VPN, sending email from the POP3 account on his machine stops.

The reason for that was that the client's ISP was different from the server's, and obviously their mail server was different as well.

If you don't uncheck "Use default gateway on remote network", then the client's gateway will be the server's ISP instead of his own. Thus, the client computer is trying to send through a different mail server.
 
Author Comment by Ryan Smith:
edit c:\windows\system32\etc\hosts file and add the pop server info.
ipaddress mailservername.com  

try that.

I've had to do a bit of research to set up my VPN connection so that clients can access Windows Server 2008 network shares. I have a Cisco ASA 5510 firewall. I found an article which was extremely useful: it had a solution if you use ASDM to configure the Cisco, and step-by-step instructions to configure the Windows 2008 server. Meanwhile, what I also did (I prefer to use the command line interface on the Cisco ASA to configure it) was to use the main lines:

access-list 101 permit ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
ip local pool ippool 10.1.1.1-10.1.1.80 mask 255.255.255.0
nat (inside) 0 access-list 101
aaa-server host protocol radius
aaa-server host (inside) host 172.16.10.1 Cisco12345 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication host
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 172.16.10.1
 default-domain value company.com
username vpn3000 password VPN2010 encrypted
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) host
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 


One of the top 10 common Cisco VPN problems is mismatched pre-shared keys. This is an easy one to fix, but not always easy to notice; see the case below.

A simple IPsec tunnel between the Fast Ethernet interfaces of routers SW1 (f1/1) and R1 (f0/0).

Loopback0---10.0.0.2---R1<-.2-f0/0---192.168.1/24---f1/1-.1->SW1---10.0.10.1--- Loopback0

I can’t ping the loopback interfaces of these routers, see below:
 SW1#ping 10.0.0.2 source 10.0.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.10.1
.....
Success rate is 0 percent (0/5) 


 R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5) 


The configuration is simple and straightforward, see below:
 R1#sh crypto map tag VPN
Crypto Map "VPN" 200 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list ACL
            access-list ACL permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                SET,
        }
        Interfaces using crypto map VPN:
                FastEthernet0/0



 SW1#sh crypto map tag VPN
Crypto Map "VPN" 100 ipsec-isakmp
        Peer = 192.168.1.2
        Extended IP access list ACL
            access-list ACL permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
        Current peer: 192.168.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                SET,
        }
        Interfaces using crypto map VPN:
                FastEthernet1/1



RIP is set up on both routers:
 #sh run | section router
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary


See crypto configurations:
 SW1#sh run | section crypto
crypto isakmp policy 20
 authentication pre-share
crypto isakmp key cisco address 192.168.1.2
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 100 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set SET
 match address ACL
 crypto map VPN


 R1#sh run | section crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key  cisco address 192.168.1.1
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 200 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set SET
 match address ACL
 crypto map VPN


And interfaces:
 SW1#sh run int f1/1
Building configuration...
Current configuration : 102 bytes
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.1.1 255.255.255.0
 crypto map VPN
end


 R1#sh run int f0/0
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN
end


From R1 routing seems to be correct:

 R1#sh ip route
     10.0.0.0/24 is subnetted, 2 subnets
R       10.0.10.0 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
C       10.0.0.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, FastEthernet0/0


 R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
IPv6 Crypto ISAKMP SA


I cannot ping SW1 loopback from R1 loopback:
 R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5) 



But Phase I is not completed, see below:
 R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.2     MM_KEY_EXCH       1004    0 ACTIVE
IPv6 Crypto ISAKMP SA



Let's see the debug of Phase I:

Sometimes, you want your Microsoft VPN to route all the traffic to the remote network, usually your employer's network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries.
To do so, you would configure the VPN connection so that it becomes your "default gateway".
Nice.
It works great, you can connect to all the nodes in the remote LAN.
But now you need to print something on your local printer. It's a networked printer, on YOUR LAN.
Since all your traffic is routed to the remote LAN, you'll never reach anything on YOUR LAN.
This example uses a networked printer, but it can be a network attached storage, a file server, a media server... Anything that is available on your LAN.
So what do you usually do?
You disconnect the VPN, and voila.
But now, when you realize that you need to connect to your remote LAN again, you lose the connection to your own LAN.
Especially frustrating if you need to access some intranet. You would have to make local copies (or print web pages to PDF...), disconnect, use the local copies. It can even become a security concern, because things that should not leave the intranet are now on your LAN.

The problem is that a VPN configured to use the default gateway on the remote network forces the remote gateway to become your default gateway, and sets the route to that default gateway with a metric of 1.

Fortunately, there is at least one solution:

Basically, what I do is …
 
Expert Comment by Sean_D76:
I see your point now.  Yes, if you have multiple subnets remotely and locally then you'll need more complicated routing entries than what PPTP gives you.  And to my knowledge there is no way to pass those routes to the client with PPTP/RRAS.  Many other VPN solutions do allow you to pass routes to the client though.  Cisco & Sonicwall are just a few I can think of.
 
Author Comment by vivigatt:
Yes, other VPN techniques allow other ways to solve this kind of issue.

However, the article is also a kind of tutorial for using routes, changing them in scripts and allowing programmatic access to NIC configuration data under Windows.

Thanks for your comments, they make the article clearer!
Do you have an old router lying around the house that you don’t know what to do with? Check the make and model, then refer to either of these links to see if it's compatible.

http://www.dd-wrt.com/site/support/router-database
http://www.dd-wrt.com/wiki/index.php/Supported_Devices

If your router isn’t compatible, or you don’t have an extra router at all, you can get a Linksys WRT54G for about $25 off eBay – almost every one of this model’s hardware revision versions are compatible with DD-WRT… just double-check before you hit the Buy It Now button.

Benefits of a VPN
If you don’t already know, a VPN will let a remote computer act like it is on your home or corporate network. You’ll be able to access network resources, get files off your desktop, remotely control computers, etc. It is also a nice way to share files with someone… just create a temporary username and password for them and let them connect to your VPN.

Just as a side note, I’d like to say that this tutorial is about adding a VPN router as an additional device in your network, not replacing your existing router. The device that your Internet Service Provider gave you (be it a modem or router) is staying put the way it is. Although it is a slightly more direct option to flash this device with DD-WRT instead of adding another router, this will often void warranties, support contracts, and in the case of Verizon FiOS users who also subscribe to FiOS TV/Phone, interfere with some of the available …
 
Expert Comment by brandongohwh:
Your article is not very clear, because there are no pictures for guidance. Take a look at this website: http://www.howtogeek.com/51772/how-to-setup-a-vpn-server-using-a-dd-wrt-router/ Hope this helps!
Preface
Having the need
* to contact many different companies with different infrastructures
* to do remote maintenance in their networks
required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN client connections are not designed to be accessed from a network, you have to use a NAT-capable solution.
In this article I will show how to manage all parts of the necessary configuration tasks.

Prerequisites
This solution requires that the VPN client or dial-out software creates either a pseudo-dynamic dial-out interface, as with PPTP, L2TP and ISDN, or a static network interface (e.g. Cisco VPN Client). Additionally, the LAN has to stay functional while connected - this might be an obstacle, as some VPN clients cut off network access as long as the connection is open (no-split-tunneling policy).

The client or connection can only be routed from XP onwards, as we need a NAT-capable Routing and Remote Access Service (RRAS). Client OSes like XP and Vista do not provide a GUI for RRAS administration; only server OSes do (Windows 2003, 2008), so you have to manage them with netsh.

The solution was implemented on XP for OpenVPN Clients, and on W2003 for ISDN, PPTP, L2TP, and VPN clients from Cisco and Phion. The configuration methods for XP can be used the same way with W2003.
Because XP and Vista lack an RRAS GUI, configuring a dial-out connection on those OSes (using netsh) can be painful, so I do not recommend it.


Configuration
 
Author Comment by Qlemo:
I (still) recommend to use W2003 (R2). Sadly, W2008 and above changed the way the interfaces are presented to RRAS, and I could not manage to make any of the interfaces created by 3rd-party VPN clients visible to the routing/NAT engine.

Juniper's JunOS Pulse can be added to the VPNs testified to work with RRAS.

Not working are:
Cisco AnyConnect Secure Mobility Client  (the SSL VPN replacing the IPSec one, which is EOL now)
Juniper Network Connect (SSL VPN)
