VPN Fundamentals for the Power User
Do you want to lock down your Internet connection when you’re on the road? If so, the best approach is, of course, to use a VPN. You’re set if you work for a company that can provide you with a VPN. But if you run your own small business or home office, you also have options.
You can find several inexpensive ways to get a VPN of your own. Besides paying $15 to $20 a month for a VPN subscription service, you may be able to run a VPN server on your router itself by installing open-source alternative firmware such as DD-WRT or OpenWRT. This firmware lets you use many, but not all, Wi-Fi routers and access points as VPN endpoints.
VPN on Your Router
Before flashing your Wi-Fi hardware with any alternative firmware, make sure that it's supported. The last thing you want to do is to "brick" your wireless device--rendering it useless--just to set up a small VPN. Be sure to consult the DD-WRT supported-device list or the OpenWRT supported-device list, and check the exact hardware revision printed on the label, not just the model number: the same model often ships with a different chipset (and a different level of support) from one revision to the next. As these lists are all works in progress, check back often if you buy a brand-new router or access point.
If you'd rather not take your hardware's life into your own hands, some routers, such as Buffalo Technology's WZR-HP-G300NH AirStation Nfiniti Wireless-N High Power Router, come with DD-WRT already installed.
VPN Server Software
Some desktop operating systems, including Windows (from XP to Windows 7) and Mac OS X, include VPN server software. Granted, these are very simple VPNs (Windows' built-in "Incoming Connections" server, for instance, is PPTP-based and meant for a handful of users), but they may be all you need. Of course, the Windows Server family comes with more-sophisticated VPN setups. If you're running all Windows 7 clients and Windows Server 2008 R2, you may also want to consider DirectAccess, an IPsec-based always-on VPN that speaks IPv6 end to end and reaches across ordinary IPv4 LANs and the Internet by tunneling IPv6 with 6to4, Teredo, or IP-HTTPS.
If you don't choose to use DirectAccess but opt for Microsoft's older VPN technologies, Windows Server 2008 R2 has a helpful new feature: VPN Reconnect. Just as the name suggests, it automatically reestablishes VPN sessions that are interrupted by a break in Internet connectivity; under the hood it uses IKEv2 with the MOBIKE extension, which lets the tunnel survive a change of client IP address. This function can be handy for users with spotty Wi-Fi connectivity, since they won't need to manually reconnect to the VPN after they regain a network connection.
Another way to add a VPN to your small network is to install VPN server software yourself. The best known of these is OpenVPN, which is open-source. It's available in versions for almost all popular desktop operating systems, including Linux, Mac OS X, and Windows.
If setting up native OpenVPN sounds a little too technical for you or your staff, you can run it as a prebuilt virtual appliance (a VMware image or a Windows Virtual Hard Disk). With this arrangement, you'll have a basic VPN up and running in minutes, though you still have to generate and distribute the server and client certificates before anyone can connect.
But OpenVPN is far from the only VPN software out there. Other programs worth considering are NeoRouter and Tinc. If you want more than just VPN services, there are do-it-all network-services packages; of these I highly recommend the open-source Vyatta Core 6.1, which bundles routing, firewalling, and OpenVPN in one system.
If you plan on having more than a dozen or so users on the VPN at one time, though, you'll want to use an inexpensive VPN hardware appliance such as the Juniper Networks SA700 SSL VPN Appliance, the SonicWall Secure Remote Access Series, or the Vyatta 514.
No matter which VPN you use, you'll need to set your firewall to allow VPN traffic. On many routers and firewalls, this task can be as simple as enabling VPN passthrough, but be clear about what that setting does: passthrough only lets clients inside your network connect out to a VPN server somewhere else. If you're hosting the server behind the router, you must also forward the server's ports (and, for PPTP and IPsec, the non-TCP/UDP protocols they rely on) to the server's internal address. Typically, your protocol choices will be PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer Two Tunneling Protocol, normally wrapped in IPsec), or SSL (Secure Sockets Layer, in practice TLS). PPTP is the weakest of the three: its MS-CHAPv2 authentication is known to be crackable, so prefer L2TP/IPsec or an SSL/TLS VPN where you can. Allow only those VPN protocols that you'll be using--after all, when in doubt with firewalls, it's safer to forbid than to permit.
Check your VPN’s documentation to see which ports you’ll need to open. As a rule of thumb: OpenVPN defaults to UDP port 1194; PPTP needs TCP port 1723 plus GRE (IP protocol 47); L2TP/IPsec needs UDP ports 500 and 4500 plus ESP (IP protocol 50). SSL VPNs typically use TCP port 443, the usual port for SSL-protected Web servers. That choice is popular because outbound 443 is allowed from almost every hotel and coffee-shop network, so your travelling users will rarely be blocked; it does not mean inbound 443 is already open on your own firewall, so you still have to forward it to the VPN server.
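The two steps above, installing an OpenVPN server yourself and then opening only the firewall holes that server needs, as one added example (this is not code from the article, from OpenVPN, or from any of the vendors named here). It writes a conservative OpenVPN server.conf and prints, without applying, the iptables rules for whichever of the four VPN types you picked, so you can read them before piping them into a root shell. The interface name `eth0`, the LAN subnet 192.168.1.0/24, and the tunnel subnet 10.8.0.0/24 are assumptions; the certificate files named in the config must be generated separately (for example with OpenVPN's easy-rsa scripts).

```shell
#!/bin/sh
# Added example: minimal OpenVPN server config plus a host-firewall policy
# that admits only the VPN protocol actually in use. Interface, subnets and
# paths below are assumptions; adjust them to your own network.
set -eu

LAN_IF="eth0"                     # assumption: interface facing the office LAN
LAN_NET="192.168.1.0/24"          # assumption: office LAN (CIDR form, for iptables)
VPN_NET="10.8.0.0/24"             # assumption: tunnel subnet (CIDR form)

# Write server.conf: UDP 1194, certificate-only auth, TLS 1.2 or better,
# HMAC-signed control channel, and privileges dropped after startup.
write_server_conf() {
    dir="$1"
    cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
tls-version-min 1.2
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Print (never apply) iptables rules for one VPN type. Default policy is
# DROP; only the ports and IP protocols that type needs are admitted.
vpn_rules() {
    kind="${1:-}"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    case "$kind" in
        openvpn)
            echo "iptables -A INPUT -p udp --dport 1194 -j ACCEPT"
            # tunnel clients may reach the LAN; the LAN may only answer them
            echo "iptables -A FORWARD -i tun0 -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT"
            echo "iptables -A FORWARD -i $LAN_IF -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            ;;
        ssl)    # SSL VPN appliance, or OpenVPN run with "proto tcp" and "port 443"
            echo "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
            ;;
        pptp)   # PPTP needs the control port AND GRE (IP protocol 47)
            echo "iptables -A INPUT -p tcp --dport 1723 -j ACCEPT"
            echo "iptables -A INPUT -p gre -j ACCEPT"
            ;;
        l2tp)   # L2TP/IPsec: IKE, NAT-T, ESP; accept L2TP itself only inside IPsec
            echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
            echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT"
            echo "iptables -A INPUT -p esp -j ACCEPT"
            echo "iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
            ;;
        *)
            echo "vpn_rules: unknown VPN type '$kind' (openvpn|ssl|pptp|l2tp)" >&2
            return 1
            ;;
    esac
}

# Stand-alone run: write the config to a scratch directory and show the
# OpenVPN rule set. Apply with:  vpn_rules openvpn | sudo sh
demo_dir=$(mktemp -d)
write_server_conf "$demo_dir"
echo "# wrote $demo_dir/server.conf"
echo "# firewall rules for OpenVPN (review before applying):"
vpn_rules openvpn
```

The L2TP rule for UDP 1701 uses the `policy` match so that bare, unencrypted L2TP from the Internet is dropped while L2TP arriving inside an IPsec tunnel is accepted; without that match you would be exposing the L2TP daemon directly. The default `DROP` policy is what makes "allow only what you use" hold in practice.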
Naturally, no matter what VPN you're running and regardless of your network setup, a VPN in a small business is likely to limit its users’ speeds. For example, in my own home office, my Charter cable Internet connection gives me a 25-megabits-per-second downlink and a 3-Mbps uplink. This means that no matter how fast my remote network connection is when I connect to my OpenVPN server, anything I pull from the office over the tunnel is capped at 3 Mbps, because the office has to send it up that 3-Mbps link, and the VPN's encryption and encapsulation overhead shaves a little more off the top.
I've often seen small businesses flummoxed by slow VPN connections. That usually happens because neither the users nor the in-house IT staffers (often one and the same) realize that the slowest link along the VPN route, which is very often the office's uplink, determines the VPN's top speed. If you want a really fast VPN, you'll need to bite the bullet and get a high-end Internet connection with a decent uplink from your ISP.
Next page: VPN needs for the IT department, and VPN Protocols 101