 Reviews:
·AT&T U-Verse
·Atlantic Broadband
·AT&T Southeast
·Sprint Mobile Br..
| VPNs... general questions before setup Hi all. After my little issue with my computer being fixed I'm here to ask you about VPNs. I know that this provides an encrypted connection and remote secure access (which I plan to use on my 2 PDAs: Treo 650 and 8525 which I will ask you later...).
Now I want to present you some questions which will allow me to decide if I will implement a VPN for myself:
1) Is VPN good for ANY kind of connection (like besides DL'ing files and remote access, for gaming)?
2) Which free VPN is better in terms of security and performance? I heard of 2: SecureIX (online solution which I signed up but have not installed on my PC yet) or OpenVPN (software solution).
3) I know this works with BT but will it work with emule? My max DL is about 40 KB/s even when the PC has no other active connections (meaning that emule is the ONLY software that's using the internet).
I know that the software one may require some ports to be open. I do have a firewall (ZA) and my Linksys wireless router. I know how to open ports (forward). I just want to know if this is a good idea.
Any response will be appreciated. Please don't flame. |
|
|
|
| 1. It's not good or bad; simply put, it provides a means of securing a connection from an outsider being able to attack whatever data is passing through the VPN tunnel.
2. I can't really comment on the free VPNs. The only VPNs I've got limited experience with are Cisco VPNs, which are (at least in my setup) utilizing a pair of Cisco PIX firewalls (one at each end of the tunnel).
I would recommend looking at Cisco's Technical Assistance Center for more information. They provide very good and easy to understand explanations of the limitations of VPN technology. -- Ben Weeks, Network Admin, Novell CNA NW3.2/4.x/5.x, Network+ Certified |
|
| Ok, so in the software case I would need to install the software in both PCs... Now I have another question. I just entered the settings for the secureIX VPN.. it did connect nicely but now I have a problem... how do I use it as internet service since it is using my standard DSL wireless connection? I mean, if I try to connect to x website or to use E program to download anything it will still reveal my true IP... how do I make winXP route traffic using the VPN service?? |
|
 OZOPremium join:2003-01-17 kudos:2 | reply to fenix_jn I'd highly recommend OpenVPN as your main VPN solution. It's very secure, very fast, very configurable, allows broadcast traffic to pass through (you may need it), gives you a separate VPN interface that you may additionally configure (e.g. create routing entries to route specific traffic), it doesn't have any problem with NAT routers, there are no limits on the number of VPN channels and, as you know, it's free. It's exactly what a contemporary VPN solution should be. -- Keep it simple, it'll become complex by itself... |
|
| Thanks for the reply. Exactly what I needed for one of the questions. Now I have something to read (how to set it up, I printed the FAQ and the HOWTO 1.x).
Now I still need to know if this would work with emule. It should since ALL traffic will be using the VPN protocol whenever they communicate with the internet.
The next question is related to that... If I setup the VPN do I need a PC set as a server like:
[ PC / VPN Client ] (ICS?) -> [ VPN PC / VPN Server ] -> [ WC ] -> [ WR ] -> [ MODEM ] ~~> Internet
What I mean is: What if I want to use my VPN server as a PC for my usage. Will this PC create a tunnel for VPN connections for itself? And do I need to enable ICS in winXP to allow other PCs to access the internet using the server VPN PC or can they still connect to the internet using the default connection ( [ WC ] -> [ WR ] -> [ MODEM ] ~~~> Internet )? |
|
 OZOPremium join:2003-01-17 kudos:2 | said by fenix_jn: now I still need to know if this would work with emule. It should since ALL traffic will be using the VPN protocol whenever they communicate with the internet.
If you need to send ALL traffic via the VPN tunnel, configure it to use a remote gateway. Look at help here. I do not see a reason why emule will not work in this case either.
said by fenix_jn: The next question is related to that... If I setup the VPN do I need a PC set as a server like: [ PC / VPN Client ] (ICS?) -> [ VPN PC / VPN Server ] -> [ WC ] -> [ WR ] -> [ MODEM ] ~~> Internet What I mean is: What if I want to use my VPN server as a PC for my usage. Will this PC create a tunnel for VPN connections for itself? and do I need to enable ICS in winXP to allow other PCs to access the internet using the server VPN PC or they can still connect to the internet using the default connection ( [ WC ] -> [ WR ] -> [ MODEM ] ~~~> Internet?
I'm not sure what you mean here. Why should a VPN server have to create a tunnel for itself? By definition a server is a host that provides a service for other hosts (clients). In this case the VPN server takes a connection from a VPN client computer and opens a VPN tunnel for it. A common setup may look like this:
[ PC / VPN Client ] -> [ Router ] -> Internet -> [ Router ] -> [ PC / VPN Server ]
If you use bridging mode your VPN client will have a virtual interface located on the same subnet as the VPN server. Thus you'll have full access to all computers on its LAN.
And the answer is yes, OpenVPN server may be used as a common PC for your own usage. -- Keep it simple, it'll become complex by itself... |
|
| So each computer MUST have the VPN software installed in order to access each other (at least at network level)?
So the software (in this case OpenVPN, which I've been reading a lot of good material about and got some good recommendations for even outside this forum) must be installed in both PCs (actually in ANY PC which I want to access)? Am I in the right direction here?
Thanks for the reply. |
|
2 edits | Well, it seems like the answer is YES. Today I successfully installed (and am currently running) my own VPN server and client using 2 different ISPs. I'm totally able to access my files over the internet using tunneling and TLS encryption. Thanks OZO for your recommendation.
BTW I found an extremely easy way to set up my own VPN at »itsatechworld.com/2006/01/29/how···-openvpn It's a step by step guide that will help you to access your files over WinXP.
EDIT:
I made this work even with my firewall Zone Alarm SS turned on. The trick is to install all VPN programs WITHOUT the firewall. Test for connections OK. When everything is set and working disconnect all the VPN software but do not exit. Start up the firewall and when it's ready start the VPN apps.
The idea is that ZA (or any other firewall) will detect the attempt of connection by the OpenVPN. It will ask you if you want to allow or deny access. In this case you will want to allow access.
Now there is another issue: since the VPN creates another network it's highly probable that your firewall will ask you what to do with the new network (usually it'll give you an indication from 192.168.10.0). You must allow this new network to access both the internet and your internal network in order to allow it to connect to the internet and be able to transfer files.
Also, you should give full access to the VPN program under the program control section (applies to ZA, I'm sure NIS has an option under the same name or close to it at least). Then test connections again (disconnect and reconnect... even reboot and reconnect) and voila! You have your VPN setup running behind a firewall.
The process applies to both PCs (server and client) and make sure you get a successful "cold" connection before assuming that everything is fine (meaning that after a reboot). YOU MUST HAVE A GREEN ICON ON VPN GUI TO CONFIRM on all PCs which will be part of the VPN. Try to transfer some files. (I did some PDFs and mp3s)
The setup should be like this:
PC > firewall > VPN ~~ internet ~~ VPN > firewall > PC
The idea is that since your PC still connects to the internet it is still vulnerable to attacks/viruses/ads or whatever is outside, so it was a priority for me to enable this feature on my VPN.
EDIT 2:
The connection speed is about 31 KB/s. Kind of slow but gets the work done. Right now I'm moving a song from this PC to my laptop which is connected to a neighbor's wireless internet. I wonder if I could print from my laptop...
Answers:
File transferred successfully. avg speed 31.1 kb/s (better than dialup LOL)
Print test: OK. Got to print a single page text from Word 2003 sent from laptop to desktop in 40.8 secs. Slow but it's ok. |
|
 OZOPremium join:2003-01-17 kudos:2 | Glad to hear that it's working for you and, at the same time, thank you for sharing your experience with us.
I'm sure that OpenVPN is not the bottleneck and doesn't make your communications slow. You're yet far away from reaching any noticeable overhead from using your processor to support the VPN. BTW, as you may guess if your VPN tunnel uses a compression method - you may even gain speed in transferring some files via the same network (DSL, dial-up or whatever). -- Keep it simple, it'll become complex by itself... |
|
| Well, the connection I used was a wireless one in which the connection was very slow due to low signal. I will try this again using another connection and let you guys know.
It can be possible that my firewall/AV/router's firewall is slowing down my connection, right? |
|
 SoonerAlOld enough to know betterPremium,MVM join:2002-07-23 Norman, OK kudos:5 | reply to fenix_jn FWIW...
Here is a method to access an XP box using a PPTP VPN link with a PocketPC. It's written for the WM 2003 OS but should work with the newer WM5, except the part about remote sync. That was removed in WM5 for standalone PCs...
»theillustratednetwork.mvps.org/W···VPN.html
There was an OpenVPN client for the PocketPC but I don't know its current status... -- "When all else fails, read the instructions..." |
|
| It's a very interesting article and, with some changes, it may work with my Treo 650. I used it several times to sync it with my PC using standard hotsync interface.
Activesync, however... well they (M$) took the network sync functionality so you can only sync it on USB, IR and BT. No internet/WiFi connection is allowed anymore on newer activesync devices. I know some older devices allowed a serial (modem) connection but not anymore.. |
|
 SoonerAlOld enough to know betterPremium,MVM join:2002-07-23 Norman, OK kudos:5 | Actually network sync still works in Windows Mobile 5 if you sync with an Exchange server. It's just that network sync to a stand alone PC was removed supposedly for security reasons... -- "When all else fails, read the instructions..." |
|
| Too bad. I really wanted to sync my 8525 over the internet like I do with my treo... well...
Now the news:
I tried to connect using my cingular 8525 as a modem... I ran some speed tests and I got 700 kbps as avg. So ok, moving on to the next test, the VPN one: It repeated itself... speed tests don't go over 30 KB/s (but they DO go under) (about 240 kbps not stable)... is it supposed to behave in that way? Is there any way I can improve my speed? I'm happy because it works, I just want more speed.
I know it will never reach 100% of my DSL speed but at least something better than 30 KB/s should be worth to look at.
Any suggestions? Thanks |
|
 | bump |
|
1 edit | reply to SoonerAl Ok news/update:
I was able to connect my treo 650 using Mergic VPN and Wifile PRO so I can manage and transfer files from and to my PC. Neat but slow but hey at least it connects and works. The reason is because 650 supports the old data network.
Now the other update: I was able to connect to my home PC from my laptop using WinXP VPN client/server. The speed is a little higher (42.85 KB/s) but I don't understand something: If windows can support VPN connection natively why use a complex app like OpenVPN to set up an even slower networking process?
Is it because my network is even safer (since I'm using certificates) by using OpenVPN?
I really need to know this because I'm about to drop OpenVPN. Sure it is nice because I feel that my little home network has industry-level security but I can get the very same connection using WinXP settings. Am I doing the right thing here??
EDIT
Ok I forgot to mention: I ran the test with my firewall OFF so when I turn it back on my client is able to connect BUT not to access the files... any ideas? My firewall is ZA Security Suite.
Also I found that OpenVPN is a VPN with IPSec (like) so yes it is safer... but I still want to know if it's possible to connect with the firewall on. |
|
 SoonerAlOld enough to know betterPremium,MVM join:2002-07-23 Norman, OK kudos:5 | reply to fenix_jn How is the firewall configured?
I used the XP SP2 Windows Firewall and configured that for File & Print Sharing (F&PS) for specific local LAN IP addresses and the addresses assigned to the OpenVPN clients only. All other addresses were excluded... -- "When all else fails, read the instructions..." |
|
4 edits | Well, I've been playing with the expert section of ZA firewall. So far I specified a rule that follows:
Mode: Allow
Source: 192.168.10.0 to 192.168.10.10
Destination: 192.168.10.0 to 192.168.10.10
Protocols:
TCP 1723 (PPTP)
GRE 47 --- This is not a port. It is the protocol ID
ICMP 8 (PING) --- Not a port. ICMP type: Echo req
TCP/UDP 139 (SMB)
TCP 445 (another SMB)
So what happens is that both computers are able to connect fine but they can't transfer files. I can ping them but the file transfer does not happen.
I set up the VPN address myself (192.168.10.x) since it was connecting to some 169.254.x.x (x = arbitrary values). It connected but I just did not like my private network over there. The DHCP on the server is active and the client must request an IP address so far is fine in there but the idea is to be able to transfer files "safely" over the internet not just to check if my PC is on (like what happens now).
The network connections for the VPN are in the trusted zone inside the firewall.... I don't know what other port I should open. I mean it can connect but the firewall has to be offline. I don't want to risk my PC just because I want to transfer some files.
Any ideas??
PS: I read somewhere that M$ PPTP was hacked.. is this true?
-----------------------------------------------------------
UPDATE:
I continued to play with ZA firewall rules and found this:
windows SMB works with TCP/UDP 135 ~ 139, 445
so guess what?
IT DID WORK!
The idea is to define 2 rules: One for the initial connection (from foreign IP client side) and one for the private address (192.168.10.x) VPN side.
Instructions for ZA:
I assume that you already have created the VPN connection on both sides (server and client(s)). I also assume that you are trying to connect from 2 different (public) IP addresses. Always use passwords for your accounts.
I also assume that you are using the following connection structure:
PC(firewalled) - router - modem ~ internet ~ modem - router - PC(firewalled)
The first rule must have the port TCP 1723 open so PPTP can connect to the server. Since this can be incoming from any IP the source must be set to ANY. Destination can be ANY (if your DHCP server assigns IP to the computer in your LAN) or the IP of your preference if you got a static IP (or single PC).
Ok now we have to move on to the next stage: Windows SMB ports.
For this you need to use the following settings:
Source: -your private VPN IP range-
Destination: -same as above-
Ports:
TCP/UDP 135 ~ 139 Windows SMB
TCP/UDP 445 Windows SMB (it will use it)
TCP 1723 PPTP (it will be used inside the internal VPN. Maintenance??)
GRE 47 (not a port. IT IS A PROTOCOL ID)
ICMP 8 (not a port. ICMP type 8/echo. IF YOU WANT TO PING)
It is very important that you define the internal VPN network for these ports and protocols. If you forget a single port the VPN won't work. If you forget to set up the IP addresses pointing to your VPN your PC and your entire network may be at major security risk.
(Omit this if you don't have a router)
If this is not enough you also may need to set the following on your router (SERVER SIDE ONLY):
PPTP Passthrough ENABLED
PPTP (1723) port forward to local IP
Advanced routing:
Mode: Gateway
Source IP: -your private VPN initial IP address-
Subnet: -self explanatory, VPN side-
Destination IP: -your local (LAN) IP-
ENABLED
----------------------------------------------------------
If these steps do not work for you check your firewall logs (look for your VPN IP and Blocked lines) and make sure that you click the Apply button whenever you change your firewall settings.
That should be enough. Happy file-transferring LOL
Thanks to SoonerAl for giving me that great idea about windows file print and sharing. You gave me the idea of looking for the FP&S ports (NetBIOS/Windows SMB ports) |
|
| It doesn't allow me to edit so I have to post a new reply:
UPDATE:
After re-reading ZA firewall logs it seems that you don't NEED all 135-139 ports open. Just 139 TCP/UDP and 445 TCP/UDP. Remember to open these ports only on VPN side (or to VPN internal address). You don't need to open them on router to make it work.
1723 must be opened on router,
Everything else must be implemented to work. |
|
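The two-rule layout worked out in the posts above (PPTP on TCP 1723 from any source, SMB on 139/445 only from the VPN range) can be checked mechanically. This is an added example, not code from the thread or from ZoneAlarm: the `Rule` model, the rule names and the `/24` form of the poster's 192.168.10.x range are assumptions, and GRE/ICMP are left out because they have no ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the poster's "192.168.10.x" VPN range written as a /24.
VPN_NET = ip_network("192.168.10.0/24")
SMB_PORTS = frozenset({139, 445})   # ports the last post says are sufficient


@dataclass(frozen=True)
class Rule:
    """One allow rule; the model is default-deny (hypothetical, not ZA's format)."""
    name: str
    source: str          # CIDR string, or "any"
    proto: str           # "tcp" or "udp"
    ports: frozenset

    def source_net(self):
        return ip_network("0.0.0.0/0" if self.source == "any" else self.source)

    def matches(self, src, proto, port):
        return (proto == self.proto and port in self.ports
                and ip_address(src) in self.source_net())


def allowed(rules, src, proto, port):
    """Traffic passes only if at least one allow rule matches it."""
    return any(r.matches(src, proto, port) for r in rules)


def audit(rules):
    """List rules that expose SMB ports to sources outside the VPN range."""
    findings = []
    for r in rules:
        exposed = sorted(r.ports & SMB_PORTS)
        if exposed and not r.source_net().subnet_of(VPN_NET):
            findings.append(f"{r.name}: SMB {exposed} open to {r.source}")
    return findings


# Constructed rule sets. SCOPED follows the thread: PPTP from anywhere,
# SMB only from the VPN range. UNSCOPED forgets the source on the SMB rule.
PPTP = Rule("pptp-in", "any", "tcp", frozenset({1723}))
SCOPED = [PPTP,
          Rule("smb-vpn-tcp", "192.168.10.0/24", "tcp", SMB_PORTS),
          Rule("smb-vpn-udp", "192.168.10.0/24", "udp", SMB_PORTS)]
UNSCOPED = [PPTP, Rule("smb-any", "any", "tcp", SMB_PORTS)]

if __name__ == "__main__":
    for label, rules in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(label, audit(rules) or "no SMB exposure")
        # 203.0.113.7 is a documentation address standing in for an internet host
        print("  internet -> tcp/445:", allowed(rules, "203.0.113.7", "tcp", 445))
```

With the scoped set, file sharing is reachable from a VPN address but not from an internet address; dropping the source restriction is the misconfiguration the audit flags.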