RESET Forums (homeservershow.com)

The inner workings of a VPN


kylejwx2
My understanding of the workings of a Virtual Private Network is that it connects two or more physical networks that may be geographically separated, but can be connected by tunneling the two networks together through the Internet. In theory, any devices connected to the VPN would operate as if they were directly attached to a regular physical network.

My main question is, how closely do VPNs actually function the same as a physical network? My goal is to get a matching pair of VPN routers and put one at my house and one at my parents' house in order to put all our devices on the same network. Possible use cases would be:

1. It just sounds cool and I might learn something in the process.

2. Allowing me to use RDP to fix my parents' computer. (I currently use TeamViewer, this is just another option.)

3. Allowing my parents to back up to my Drobo.

4. Allowing me to use System Link on Xbox 360 to play Halo 1 and 2 with my brothers. (This is clearly the most important.)

Also I am wondering if someone could comment on how traffic would be routed under this setup. If one computer tries to access the resources on a computer at another house, obviously that would have to go through the VPN. However, if my computer tries to access the Drobo that is in my house, will that have to go through the VPN and will that reduce performance in any way? Will Internet traffic be routed through the VPN and will that have any effect on speeds?

One of the devices I am considering is the ZyXel USG20, which I have seen on sale for closer to $115. http://www.newegg.com/Product/Product.aspx?Item=33-181-144&Tpk=ZyXEL%20ZyWALL%20ZWUSG20. Any pros or cons on this device? I would prefer to have an 8 port VPN router, but I haven't found one in this price range.

I know that is a lot of questions, but thanks for any responses or insights you can provide.

 

Drashna Jaelre

It depends on where the VPN is running.

Also, big considerations are the upstream and downstream connections of BOTH networks. And it's not going to be seamless. There will definitely be a slowdown. And for streaming/system link, you will want 10+mbps for both up and down.

And in theory, you could accomplish this with a couple of DD-WRT flashed routers (or pfsense), both of which support OpenVPN.

Jason

Wish there was a good guide on setting up a DD-WRT router as a client to a pfsense OpenVPN server. Or even tomato. Wouldn't need directaccess at that point.

jmwills

Very simple to do with a DD-WRT router. Forward the port needed open to the IP address of the client. I have the new Asus routers and the interface makes it very easy to use.

One thing to remember is that a VPN puts an overhead of about 40% on the traffic for encryption.

To answer the question about the network side of this, when you "dial into" the VPN, the machine you are on receives an IP address that is on a different subnet than the other machines at the destination, but thru the black magic, the machines can access one another's resources. I can sit here in Kandahar and map drives all day long back to my home server in Huntsville. The connection is slower than using the web connect feature of WHS so I don't use it for moving files.

It does allow me to connect to a printer back home, banking programs, etc. and feel totally secure about the connection. One advantage for me is I can stream NetFlix to Afghanistan as NetFlix sees the connection as a US IP address.

If you were going to play video games, you had better have one fast connection or the experience is really going to suffer.

jem101

The most important thing to realise when setting up a VPN (and the one that trips up far more people than it really should) is that the IP range or subnet ABSOLUTELY HAS (and I make no apologies for shouting) to be different on either side of the VPN tunnel. It's this difference which lets you connect to devices on the other side while making sure that traffic which can just stay on your side of the VPN does stay there.

I can explain this a bit more clearly if we consider a model of how it would work for the OP. Let's imagine that the situation is set up like this.

kylejwx2 has a home network running on 192.168.1.1 to 192.168.1.254 with a subnet mask of 255.255.255.0 (which is pretty standard), your router is on 192.168.1.1, your Drobo is on .10 and you have a PC on 192.168.1.100. Your network address is 192.168.1.0.

Your parents' network is on 192.168.2.1 to 192.168.2.254 (same subnet mask) and they have a single PC on 192.168.2.100 - their network address is 192.168.2.0.

You set up a VPN connection between the two routers.

Now at home you save a file to your Drobo. Inside the guts of the PC, it looks up the address of the Drobo (192.168.1.10), compares it with the address of the PC (192.168.1.100), determines that you are on the same subnet and so sends the message directly to it. No traffic leaves your network across the VPN.

Later on you try to connect to your parents' PC, and this time your PC realises that the target is not on the same network as your PC so it sends the data to the default gateway address (192.168.1.1). At this point your router knows that all traffic destined for any address starting 192.168.2.x lies on the other side of the VPN tunnel so it encrypts and encapsulates the data packets (hence the 40% or so drop in effective bandwidth) and sends them across to your parents' router. Your parents' router knows what to do with the incoming traffic and forwards it accordingly.

Both routers have tables inside them which determine what to do with traffic depending on the destination address - which is why the network addresses on both sides have to be different; if not, then the routers simply assume that the target is on your side and don't pass it across. Any traffic destined for general internet sites isn't sent over the VPN (as long as you set it up properly), that just gets forwarded out as usual.

This setup (and the one as described in the OP) is referred to as a site-to-site VPN, which is permanent as long as both endpoints (routers) are running and connected. The version described by jmwills is more like a dial-up VPN which isn't connected permanently but is a temporary connection between a single PC and a VPN endpoint device.

jmwills

Dial up is a bad term, accurate but bad. I can keep it connected all the time however.

The client I connect to from the outside actually gets an IP address between 192.168.100.1-5 while the home network is on a scheme of 192.168.1.100-254. The ASUS router makes this very easy to configure.

schoondoggy

I have the ZyXEL ZyWALL20. Very nice firewall and the VPN is functional, but I don't think I would want to move a lot of data over it.

Jason

Great explanations. Currently I have DirectAccess running on my WSE12R1 server with a single Win8Ent client always connected. A software VPN solution. This works well since the remote client side only consists of a single machine (the Win8Ent PC). However if there were other clients I'd certainly consider a hardware router on the client side. Most likely an ASUS router. Currently I have a pfsense router at home with the WSE12R1 server behind it.

kylejwx2

Hey, thanks for all the useful information. I sure learn a lot in these forums. Big thanks to jem101 for clearing up all the subnet and IP questions. Makes a lot of sense now.

Has anyone done gaming in this type of setup?

Also, I hear a lot about OpenVPN, but every time I visit their site I get the idea that it requires a monthly subscription. Is that the case?

ikon

jem101, I can see where that setup would work fine, but I have set up VPNs in the past with both ends using 192.168.1.x as the local subnet. The difference with my setups was that the tunnel itself had a different subnet. Each end of the tunnel had 2 IPs; one on the local subnet, and one just for the tunnel. Devices on the far end of the tunnel appeared on the local subnet as having the IP of the far end of the tunnel. Traffic destined for the far end got routed correctly because the local gateway saw an address that wasn't on its own subnet.

For example:

192.168.1.33----------192.168.1.1----172.16.1.1-------------------- // --------------------------172.16.1.2----192.168.1.1------------192.168.1.15

computer                 gateway          VPN near                                                            VPN far         gateway                   computer

In the example, computer 192.168.1.33 sees computer 192.168.1.15 as having IP 172.16.1.2. The VPN takes care of routing the packets to 192.168.1.15 (much like a NAT router).

I really hope I'm remembering all this correctly; it's been a long time..... and I'm old ;)

I agree with everyone about performance. If you really want to use a VPN, you really need good bandwidth up and down, not just down.

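The routing decisions jem101 walks through (same subnet means direct delivery, a different subnet means the default gateway, and the router then picks the tunnel or the Internet from its table) and ikon's variation (identical LAN subnets on both ends, with far-end hosts addressed through a separate tunnel subnet) can both be modelled with Python's standard ipaddress module. This is an added example, not code from the thread or from any router firmware discussed in it. The addresses are the thread's own sample values; 203.0.113.5 is a constructed "some website" address from the documentation range, and the 1:1 mapping the far tunnel endpoint keeps in ikon's setup (172.16.1.2 standing for 192.168.1.15) is my assumption about how that arrangement works, since the post describes the effect but not the mechanism.

```python
# Added example: modelling the host and router routing decisions from the thread.
import ipaddress


def host_decision(host_ip, mask, dest_ip):
    """The PC's choice: a destination inside its own subnet is delivered directly
    on the LAN; anything else is handed to the default gateway."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return "direct" if ipaddress.ip_address(dest_ip) in local_net else "gateway"


def router_decision(dest_ip, lan, vpn_routes):
    """The router's choice: longest-prefix match over the connected LAN and the
    prefixes that point into the VPN tunnel; no match means plain Internet."""
    dest = ipaddress.ip_address(dest_ip)
    table = [(ipaddress.ip_network(lan), "lan")]
    table += [(ipaddress.ip_network(r), "vpn") for r in vpn_routes]
    matches = [(net, via) for net, via in table if dest in net]
    if not matches:
        return "internet"
    # On a tie (same prefix length) the connected LAN listed first wins, which is
    # exactly the "router assumes the target is on your side" failure jem101 describes.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def path(host_ip, mask, dest_ip, lan, vpn_routes):
    """End to end: where does a packet from host_ip to dest_ip end up?"""
    if host_decision(host_ip, mask, dest_ip) == "direct":
        return "lan"  # never reaches the router, so the tunnel is never consulted
    return router_decision(dest_ip, lan, vpn_routes)


# jem101's model: 192.168.1.0/24 at home, 192.168.2.0/24 at the parents' house.
MASK = "255.255.255.0"
HOME_LAN, PARENTS_LAN = "192.168.1.0/24", "192.168.2.0/24"


def jem101_examples():
    """Drobo stays on the LAN, the parents' PC goes via the VPN, a website goes
    straight out to the Internet (203.0.113.5 is a constructed address)."""
    return {
        "drobo": path("192.168.1.100", MASK, "192.168.1.10", HOME_LAN, [PARENTS_LAN]),
        "parents_pc": path("192.168.1.100", MASK, "192.168.2.100", HOME_LAN, [PARENTS_LAN]),
        "website": path("192.168.1.100", MASK, "203.0.113.5", HOME_LAN, [PARENTS_LAN]),
    }


def overlap_example():
    """Both sites on 192.168.1.0/24 with a naive VPN route for the same prefix:
    the PC believes 192.168.1.15 is local, so the packet stays on the home LAN
    (where no such host answers) and never enters the tunnel."""
    return path("192.168.1.33", MASK, "192.168.1.15", "192.168.1.0/24", ["192.168.1.0/24"])


# ikon's setup: both LANs are 192.168.1.0/24, but the tunnel has its own subnet.
# Assumed mechanism (not stated in the thread): the far endpoint keeps a 1:1 map
# from its tunnel-side address to the LAN host it represents and rewrites the
# destination on arrival, much like a NAT router.
TUNNEL_NET = "172.16.1.0/24"
FAR_END_MAP = {"172.16.1.2": "192.168.1.15"}


def ikon_example():
    """The near PC addresses the far PC as 172.16.1.2; that is off-subnet, so it
    reaches the gateway, matches the tunnel route, and the far end translates it."""
    via = path("192.168.1.33", MASK, "172.16.1.2", "192.168.1.0/24", [TUNNEL_NET])
    delivered_to = FAR_END_MAP.get("172.16.1.2") if via == "vpn" else None
    return via, delivered_to


if __name__ == "__main__":
    print("jem101:", jem101_examples())
    print("overlapping subnets:", overlap_example())
    print("ikon:", ikon_example())
```

The overlap case is the point worth checking on a real router: if both sides share a prefix, the problem is not fixable on the router alone, because the sending PC has already decided the destination is on-link before any route table is consulted. Renumbering one side (jem101's advice) or presenting far-end hosts under a distinct tunnel prefix (ikon's arrangement) are the two ways out.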