Organization of VPN between offices. · What is the security level of the corporate network. Creating a VPN, selecting and configuring equipment

What if you need to connect remote offices and connect them to one local network or connect remote employees to the office local network?

The Internet is developing rapidly, giving any computer owner access to unlimited information resources. Possibility of access to corporate network anytime, anywhere is quickly becoming a must-have in the business world. More and more companies are striving to implement technologies that make it possible to organize working together, regardless of the geographical location of employees or clients. Employees on business trips have the opportunity to log into the corporate network directly from their hotel rooms, and those who work from home maintain contact with company headquarters in real time. Until recently, this required expensive equipment and communication channels, the rental of which was also expensive.

What is a VPN?

From a consumer point of view, VPN (virtual private network) is a technology that allows you to organize remote secure access through open Internet channels to servers, databases, and any resources on your corporate network. Using a virtual private network, it is easy to connect offices or production facilities with each other, ensuring guaranteed high-quality and secure communications throughout Russia or abroad. The main advantage of a VPN over dedicated communication channels is saving the company’s money; you must admit, this is not the last issue for any person in our country, and indeed in the world.

VPN Features:

  • high degree of protection against unauthorized access based on cryptography;
  • work of personnel in remote offices of the organization with applications and programs located in the main office (for example, with the 1C: Enterprise system);
  • secure document flow between company offices;
  • optimization of costs for providing access to information.

Solutions:

All products for creating VPNs can be divided into two categories - software and hardware. A number of companies, such as Cisco Systems, NetScreen, Sonic, offer a whole range of solutions that can scale depending on the number of simultaneous VPN connections that you plan to work with. They are often easier and faster to configure, but the main disadvantage of hardware solutions is their very high cost.

A VPN software solution is usually a ready-made commercial or free software application (for example, OpenVPN) that is installed on a computer connected to the network, usually an Internet gateway. For reasons of security and performance, it is best to allocate separate machines for installing VPN applications, preferably with a *nix-like OS.

How it works?

In its simplest form, a VPN connects remote users or remote offices to a business network. The connection scheme is very simple: the remote user runs a client program on his Internet-connected computer to connect to the remote office. In this case, the OpenVPN client is used. The program connects to the enterprise server and encrypts all traffic, and access is organized using an encrypted user key, for which you can set a password.

In this case, a VPN channel is formed, which is a “tunnel” through which data can be exchanged between two end nodes. This tunnel is “opaque” to all other users, including the provider. VPN channels are protected by powerful encryption algorithms based on Internet Protocol Security (IPSec) standards.

Now you have some idea of ​​what a VPN is and how it works. If you are a manager, think about it, maybe this is exactly what you were looking for.


Recently, in the world of telecommunications there has been an increased interest in virtual private networks (Virtual Private Network, VPN). This is due to the need to reduce the cost of maintaining corporate networks by connecting remote offices and remote users more cheaply via the Internet. Indeed, when comparing the cost of connecting several networks via the Internet with, for example, Frame Relay networks, a significant difference in cost is noticeable. However, it should be noted that when connecting networks via the Internet, the question of data transmission security immediately arises, so there is a need for mechanisms that ensure the confidentiality and integrity of the transmitted information. Networks built on the basis of such mechanisms are called VPNs.

In addition, a modern person developing his business very often has to travel a lot. These could be trips to remote corners of our country or to foreign countries. Often people need access to information stored on their home or company computer. This problem can be solved by organizing remote access using a modem and a telephone line. Using a telephone line has its own characteristics. The disadvantage of this solution is that calling from another country costs a lot of money. There is another solution, called VPN. The advantage of VPN technology is that remote access is organized not through a telephone line but through the Internet, which is much cheaper and better. In my opinion, VPN technology has the potential to become widespread around the world.

1. Concept and classification of VPN networks, their construction

1.1 What is a VPN

VPN (Virtual Private Network) is a logical network created on top of another network, for example the Internet. Although communications are carried out via public networks using insecure protocols, encryption creates information exchange channels that are closed to outsiders. A VPN allows you, for example, to combine several offices of an organization into a single network using uncontrolled channels for communication between them.

In essence, a VPN has many of the properties of a leased line, but it is deployed within a public network, for example the Internet. With the tunneling technique, data packets are carried across the public network as if over a normal point-to-point connection. A kind of tunnel is established between each sender-receiver pair: a secure logical connection that allows data of one protocol to be encapsulated in packets of another. The main components of the tunnel are:

  • initiator;
  • routed network;
  • tunnel switch;
  • one or more tunnel terminators.

The principle of VPN operation itself does not contradict basic network technologies and protocols. For example, when establishing a remote access connection, the client sends the server a stream of packets of the standard PPP protocol. In the case of virtual leased lines between local networks, their routers also exchange PPP packets. However, a fundamentally new aspect is the forwarding of packets through a secure tunnel organized within a public network.

Tunneling allows you to organize the transmission of packets of the same protocol in a logical environment using a different protocol. As a result, it becomes possible to solve the problems of interaction between several different types of networks, starting with the need to ensure the integrity and confidentiality of transmitted data and ending with overcoming inconsistencies in external protocols or addressing schemes.

A corporation's existing network infrastructure can be prepared for VPN use with either software or hardware. Setting up a virtual private network can be compared to laying a cable across a global network. Typically, a direct connection between a remote user and a tunnel end device is established using the PPP protocol.

The most common method for creating VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the resulting packets into a tunneling protocol. Usually the latter is IP or (much less often) ATM or Frame Relay. This approach is called layer 2 tunneling, since the "passenger" here is a layer 2 protocol.

An alternative approach, encapsulating network protocol packets directly into a tunneling protocol (such as VTP), is called layer 3 tunneling.

No matter what protocols are used or what purposes are pursued when organizing a tunnel, the basic technique remains practically unchanged. Typically, one protocol is used to establish a connection with a remote node, and another is used to encapsulate data and service information for transmission through the tunnel.

1.2 Classification of VPN networks

VPN solutions can be classified according to several main parameters:

1. By type of environment used:

  • Secure VPN networks. The most common type of virtual private network. With its help, it is possible to create a reliable and secure subnet on top of an unreliable network, usually the Internet. Examples of secure VPNs are IPSec, OpenVPN and PPTP.
  • Trusted VPN networks. They are used in cases where the transmission medium can be considered reliable and it is only necessary to create a virtual subnet within a larger network. Security issues become irrelevant. Examples of such VPN solutions are MPLS and L2TP. It would be more correct to say that these protocols shift the task of ensuring security to others; for example, L2TP is, as a rule, used in conjunction with IPSec.

2. According to the method of implementation:

  • VPN networks in the form of special software and hardware. The implementation of a VPN network is carried out using a special set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.
  • VPN networks as a software solution. They use a personal computer with special software that provides VPN functionality.
  • VPN networks with an integrated solution. VPN functionality is provided by a complex that also solves the problems of filtering network traffic, organizing a firewall and ensuring quality of service.

3. By purpose:

  • Intranet VPN. Used to unite several distributed branches of one organization into a single secure network, exchanging data via open communication channels.
  • Remote Access VPN. They are used to create a secure channel between a corporate network segment (central office or branch) and a single user who, working at home, connects to corporate resources from a home computer or, while on a business trip, connects to corporate resources using a laptop.
  • Extranet VPN. Used for networks to which “external” users (for example, customers or clients) connect. The level of trust in them is much lower than in company employees, so it is necessary to provide special “lines” of protection that prevent or limit the latter’s access to particularly valuable, confidential information.

4. By protocol type:

  • There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. But today there is a tendency towards a general transition to the TCP/IP protocol, and the absolute majority of VPN solutions support it.

5. By network protocol level:

  • Classified by network protocol layer, by comparison with the layers of the ISO/OSI reference network model.

1.3. Building a VPN

There are various options for building a VPN. When choosing a solution, you need to consider the performance of the devices that build the VPN. For example, if a router is already operating at its maximum capacity, then adding VPN tunnels and encrypting/decrypting information can stop the entire network, because this router will not be able to cope with plain traffic, let alone a VPN. Experience shows that it is best to build a VPN on specialized equipment, but if funds are limited, you can consider a purely software solution. Let's look at some options for building a VPN.

  • VPN based on firewalls. Most firewall vendors support tunneling and data encryption. All such products are based on the fact that traffic passing through the firewall is encrypted. An encryption module is added to the firewall software itself. The disadvantage of this method is that performance depends on the hardware on which the firewall runs. When using PC-based firewalls, you must remember that such a solution can only be used for small networks with a small amount of information transferred.
  • Router-based VPN. Another way to build a VPN is to use routers to create secure channels. Since all information leaving the local network passes through the router, it is advisable to assign the encryption tasks to this router. An example of equipment for building a VPN on routers is equipment from Cisco Systems. Starting from IOS software version 11.3, Cisco routers support the L2TP and IPSec protocols. Besides encryption itself, Cisco also supports other VPN features such as authentication when establishing a tunnel connection and key exchange. An additional ESA encryption module can be used to improve router performance. In addition, Cisco Systems has released a specialized VPN device called the Cisco 1720 VPN Access Router, intended for installation in small and medium-sized companies as well as in branches of large organizations.
  • Software-based VPN. The next approach to building a VPN is purely software solutions. When implementing such a solution, specialized software is used which runs on a dedicated computer and in most cases acts as a proxy server. The computer running this software may be located behind a firewall.
  • VPN based on a network OS. We will consider solutions based on a network OS using the example of Microsoft Windows. To create a VPN, Microsoft uses the PPTP protocol, which is integrated into the Windows system. This solution is very attractive for organizations using Windows as a corporate operating system. It should be noted that the cost of such a solution is significantly lower than the cost of other solutions. A Windows-based VPN uses the user database stored on the Primary Domain Controller (PDC). When connecting to a PPTP server, the user is authenticated using the PAP, CHAP or MS-CHAP protocols. Transmitted packets are encapsulated in GRE/PPTP packets. To encrypt packets, a proprietary Microsoft protocol, Microsoft Point-to-Point Encryption (MPPE), is used with a 40- or 128-bit key obtained at the time the connection is established. The disadvantages of this system are the lack of data integrity checking and the inability to change keys during the connection. The positive aspects are ease of integration with Windows and low cost.
  • Hardware-based VPN. Building a VPN on special devices is an option for networks that require high performance. An example of such a solution is the IPro-VPN product from Radguard. This product uses hardware encryption of transmitted information and is capable of handling a 100 Mbit/s stream. IPro-VPN supports the IPSec protocol and the ISAKMP/Oakley key management mechanism. Among other things, this device supports network address translation and can be supplemented with a special board that adds firewall functionality.

2. VPN protocols

VPN networks are built using protocols for tunneling data through the public Internet, with the tunneling protocols providing data encryption and end-to-end transmission between users. As a rule, today protocols of the following layers are used to build VPN networks:

  • Data Link Layer
  • Network layer
  • Transport layer.

2.1 Link layer

At the data link layer, L2TP and PPTP data tunneling protocols can be used, which use authorization and authentication.

PPTP.

Currently, the most common VPN protocol is the Point-to-Point Tunneling Protocol (PPTP). It was developed by 3Com and Microsoft to provide secure remote access to corporate networks via the Internet. PPTP uses existing open TCP/IP standards and relies heavily on the legacy PPP point-to-point protocol. In practice, PPP remains the communication protocol of the PPTP connection session. PPTP creates a tunnel through the network to the recipient's NT server and transmits the remote user's PPP packets through it. The server and workstation use the virtual private network and do not need to care how safe or reachable the global network between them is. Ending a connection session at the server's initiative, unlike with specialized remote access servers, allows local network administrators to prevent remote users from bypassing the Windows Server security system.

Although the scope of the PPTP protocol extends only to devices running Windows, it gives companies the ability to interact with existing network infrastructures without compromising their own security systems. Thus, a remote user can connect to the Internet through a local ISP via an analogue telephone line or an ISDN link and establish a connection to the NT server. At the same time, the company does not have to spend large sums on organizing and maintaining a pool of modems that provides remote access services.

The following discusses the operation of PPTP. PPTP encapsulates IP packets for transmission over an IP network. PPTP clients use a destination TCP port to create a tunnel control connection. This process occurs at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin exchanging service packets. In addition to the PPTP control connection that keeps the link operational, a connection is created to forward data through the tunnel. Encapsulating data before sending it through a tunnel occurs somewhat differently than during normal transmission. Encapsulating data before sending it into the tunnel involves two steps:

  1. First, the PPP information part is created. Data flows from top to bottom, from the OSI application layer to the data link layer.
  2. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Thus, during the second pass, the data reaches the transport layer. However, the information cannot be sent to its destination yet, since the OSI data link layer is responsible for that. Therefore, PPTP encrypts the payload field of the packet and takes over the layer 2 functions typically associated with PPP, i.e. it adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame.

Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IPX, AppleTalk and DECnet to allow them to be transported over IP networks. However, GRE has no ability to establish sessions or protect data from intruders. For this, PPTP's ability to create a tunnel control connection is used. Using GRE as the encapsulation method limits the scope of PPTP to IP networks only.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the source and destination addresses of the packet. Finally, PPTP adds a PPP header and trailer.

The sending system sends the data through the tunnel. The receiving system removes all service headers, leaving only the PPP data.
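The layering just described (PPP frame inside an enhanced GRE packet inside an outer IP packet, IP protocol 47, GRE protocol type 0x880B) can be made concrete with a small builder and parser. The code below is an added example, not part of the original article and not Microsoft's or any vendor's code; it follows the PPTP data-channel layout of RFC 2637, the addresses and inner payload are constructed sample values, and `pptp_decapsulate` is a hypothetical name for the receiving side that "removes all service headers". It also shows what a receiver should reject: a packet whose outer IP checksum is wrong, whose GRE version or protocol type is not PPTP's, or whose PPP frame is truncated.

```python
import socket
import struct

# Protocol numbers used by the PPTP data channel (RFC 2637): PPP over enhanced GRE over IP.
IP_PROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # GRE protocol type for PPTP-carried PPP frames
GRE_VERSION_ENHANCED = 1    # enhanced GRE version used by PPTP
GRE_FLAG_KEY = 1 << 13      # K bit: Key field (payload length + call ID) present
GRE_FLAG_SEQ = 1 << 12      # S bit: sequence number present
GRE_FLAG_ACK = 1 << 7       # A bit: acknowledgement number present
PPP_PROTO_IPV4 = 0x0021     # PPP protocol number for an IPv4 datagram


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ppp_frame(ppp_protocol: int, payload: bytes) -> bytes:
    """PPP frame: address 0xFF, control 0x03, 16-bit protocol, then the 'passenger' data."""
    return struct.pack("!BBH", 0xFF, 0x03, ppp_protocol) + payload


def gre_encapsulate(ppp_frame: bytes, call_id: int, seq: int) -> bytes:
    """Wrap a PPP frame in a PPTP enhanced GRE header (K and S bits set, version 1)."""
    flags_ver = GRE_FLAG_KEY | GRE_FLAG_SEQ | GRE_VERSION_ENHANCED
    key = (len(ppp_frame) << 16) | (call_id & 0xFFFF)   # Key = payload length | call ID
    return struct.pack("!HHII", flags_ver, GRE_PROTO_PPP, key, seq) + ppp_frame


def ip_encapsulate(src: str, dst: str, gre_packet: bytes) -> bytes:
    """Put the GRE packet behind an outer IPv4 header whose protocol field is 47 (GRE)."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(gre_packet), 0x1234, 0x4000, 64, IP_PROTO_GRE, 0,
        socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + gre_packet


def pptp_encapsulate(src, dst, call_id, seq, inner_packet, ppp_protocol=PPP_PROTO_IPV4):
    """Sender side: inner packet -> PPP -> GRE -> outer IP (the three passes described in the text)."""
    return ip_encapsulate(src, dst, gre_encapsulate(build_ppp_frame(ppp_protocol, inner_packet), call_id, seq))


def pptp_decapsulate(packet: bytes) -> dict:
    """Receiver side: strip the outer IP, GRE and PPP headers; raise ValueError on anything malformed."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    gre = packet[ihl:]
    flags_ver, proto = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x7 != GRE_VERSION_ENHANCED or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP enhanced GRE header")
    if not flags_ver & GRE_FLAG_KEY:
        raise ValueError("PPTP requires the Key field")
    (key,) = struct.unpack("!I", gre[4:8])
    payload_len, call_id = key >> 16, key & 0xFFFF
    offset, seq = 8, None
    if flags_ver & GRE_FLAG_SEQ:
        (seq,) = struct.unpack("!I", gre[offset:offset + 4])
        offset += 4
    if flags_ver & GRE_FLAG_ACK:
        offset += 4   # acknowledgement number: not needed to recover the payload
    ppp = gre[offset:offset + payload_len]
    if len(ppp) != payload_len or ppp[:2] != b"\xff\x03":
        raise ValueError("PPP frame truncated or mis-framed")
    (ppp_protocol,) = struct.unpack("!H", ppp[2:4])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "call_id": call_id, "seq": seq, "ppp_protocol": ppp_protocol, "payload": ppp[4:]}


if __name__ == "__main__":
    inner = b"constructed inner IPv4 datagram"   # constructed sample payload
    packet = pptp_encapsulate("203.0.113.10", "198.51.100.20", 7, 1, inner)
    print(pptp_decapsulate(packet))
```

Note what this layout does not give you: nothing in the GRE or outer IP headers authenticates the sender, which is why the text says session setup and protection rest on the separate PPTP control connection and on the PPP-layer mechanisms (MPPE, MS-CHAP) rather than on GRE itself.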

L2TP

In the near future, an increase in the number of virtual private networks deployed on the basis of the new layer 2 tunneling protocol, Layer 2 Tunneling Protocol (L2TP), is expected.

L2TP emerged as a result of combining the PPTP and L2F (Layer 2 Forwarding) protocols. PPTP allows PPP packets to be transmitted through the tunnel, and L2F allows SLIP and PPP packets. To avoid confusion and interoperability problems in the telecommunications market, the Internet Engineering Task Force (IETF) recommended that Cisco Systems combine PPTP and L2F. By all accounts, the L2TP protocol incorporates the best features of PPTP and L2F. The main advantage of L2TP is that it allows you to create a tunnel not only in IP networks but also in networks such as ATM, X.25 and Frame Relay. Unfortunately, the Windows 2000 implementation of L2TP only supports IP.

L2TP uses UDP as a transport and uses the same message format for both tunnel control and data forwarding. L2TP as implemented by Microsoft uses UDP packets containing encrypted PPP packets as control messages. Delivery reliability is guaranteed by packet sequence control.

The functionality of PPTP and L2TP is different. L2TP can be used not only in IP networks; service messages for creating a tunnel and sending data through it use the same format and protocols. PPTP can only be used on IP networks and requires a separate TCP connection to create and use the tunnel. L2TP over IPSec offers more layers of security than PPTP and can guarantee nearly 100 percent security for your organization's critical data. The features of L2TP make it a very promising protocol for building virtual networks.

The L2TP and PPTP protocols differ from third-level tunneling protocols in a number of features:

  1. Providing corporations with the opportunity to independently choose the method of authenticating users and verifying their credentials - on their own “territory” or with an Internet service provider. By processing tunneled PPP packets, corporate network servers receive all the information necessary to identify users.
  2. Support for tunnel switching - terminating one tunnel and initiating another to one of many potential terminators. Tunnel switching allows you to extend the PPP connection to the required endpoint.
  3. Enabling corporate network administrators to implement user access control strategies directly on the firewall and internal servers. Because tunnel terminators receive PPP packets containing user information, they are able to apply administrator-defined security policies to individual user traffic. (Layer 3 tunneling does not allow distinguishing packets coming from the provider, so security policy filters must be applied to end workstations and network devices.) In addition, if a tunnel switch is used, it becomes possible to "continue" the layer 2 tunnel so that individual users' traffic is delivered directly to the corresponding internal servers. Such servers may be tasked with additional packet filtering.

MPLS

MPLS technology (Multiprotocol Label Switching, a data transfer mechanism that emulates various properties of circuit-switched networks over packet-switched networks) can also be used to organize tunnels at the data link layer. MPLS operates at a layer that could be positioned between the data link layer and the third (network) layer of the OSI model, and is therefore commonly referred to as a data link layer protocol. It was designed to provide a universal data transmission service for clients of both circuit-switched and packet-switched networks. MPLS can carry a wide variety of traffic, such as IP packets, ATM, SONET and Ethernet frames.

Solutions for organizing VPN at the link level have a fairly limited scope, usually within the provider’s domain.

2.2 Network layer

Network layer (IP layer). The IPSec protocol is used, which implements data encryption and confidentiality as well as subscriber authentication. Using the IPSec protocol allows full-featured access equivalent to a physical connection to the corporate network. To establish a VPN, each participant must configure certain IPSec parameters, i.e. each client must have software that implements IPSec.

IPSec

Naturally, no company would want to transfer financial or other confidential information openly over the Internet. VPN channels are protected by powerful encryption algorithms based on the IPSec security protocol standards. IPSec, or Internet Protocol Security, a standard chosen by the international community (the IETF, Internet Engineering Task Force), creates the security framework for the Internet Protocol (IP). IPSec provides security at the network layer and requires support for the IPSec standard only from the communicating devices on both sides of the connection. All other devices located between them simply carry IP packet traffic.

The way parties using IPSec technology interact is usually defined by the term "security association" (SA). A security association operates on the basis of an agreement between the parties that use IPSec to protect the information they pass to each other. This agreement regulates several parameters: sender and recipient IP addresses, cryptographic algorithm, key exchange procedure, key sizes, key lifetime and authentication algorithm.

IPSec is a consistent set of open standards with a core that can be easily extended with new features and protocols. The core of IPSec consists of three protocols:

· AH or Authentication Header - guarantees the integrity and authenticity of the data. The main purpose of the AH protocol is to allow the receiving side to ensure that:

  • the packet was sent by a party with which a secure association has been established;
  • the contents of the packet were not distorted during its transmission over the network;
  • the packet is not a duplicate of an already received packet.

The first two functions are mandatory for the AH protocol, and the last one is optionally selected when establishing an association. To perform these functions, the AH protocol uses a special header. Its structure is considered according to the following scheme:

  1. The next header field indicates the code of the higher-level protocol, that is, the protocol whose message is located in the data field of the IP packet.
  2. The payload length field contains the length of the AH header.
  3. The Security Parameters Index (SPI) is used to associate a packet with its intended security association.
  4. The Sequence Number (SN) field indicates the sequence number of the packet and is used to protect against spoofing (when a third party attempts to reuse intercepted secure packets sent by the actual authenticated sender).
  5. The authentication data field, which contains the so-called Integrity Check Value (ICV), is used to authenticate and check the integrity of the packet. This value, also called a digest, is calculated using one of the two computationally irreversible functions MD5 or SHA-1 that the AH protocol requires, but any other function can be used.
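The five AH fields above, the ICV computed with a keyed digest, and the sequence-number protection against replayed packets can be put together in a few dozen lines. The following is an added example written for this article, not code from any IPSec implementation; it models one direction of a security association with the field layout of RFC 4302 and the 96-bit truncated HMAC-SHA1 ICV of RFC 2404. The class name `AHSecurityAssociation`, the shared key and the payloads are constructed for the example, and the ICV here covers only the AH header and payload (a real implementation also covers the outer IP header with its mutable fields zeroed). The receiver performs the sliding-window replay check first, then the ICV check, and only advances the window after both succeed, so a forged packet cannot be used to push the window past genuine traffic.

```python
import hashlib
import hmac
import struct

AH_FIXED_FMT = "!BBHII"                        # Next Header, Payload Len, Reserved, SPI, Sequence Number
AH_FIXED_LEN = struct.calcsize(AH_FIXED_FMT)   # 12 bytes before the ICV
ICV_LEN = 12                                   # HMAC-SHA1-96: 160-bit HMAC-SHA1 truncated to 96 bits
IP_PROTO_IPV4 = 4                              # Next Header value when AH carries a whole IPv4 packet


class AHSecurityAssociation:
    """One direction of an AH security association: SPI, shared key, sequence state, replay window.
    Constructed for this example; sender and receiver each hold their own instance with the same SPI and key."""

    def __init__(self, spi: int, key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, key, window
        self.send_seq = 0      # sender: last sequence number emitted
        self.last_seq = 0      # receiver: highest sequence number accepted so far
        self.bitmap = 0        # receiver: bit i set => sequence number (last_seq - i) already seen

    def _icv(self, header: bytes, payload: bytes) -> bytes:
        # ICV over the AH header with the ICV field itself zeroed, followed by the protected payload.
        mac = hmac.new(self.key, header + bytes(ICV_LEN) + payload, hashlib.sha1).digest()
        return mac[:ICV_LEN]

    def protect(self, next_header: int, payload: bytes) -> bytes:
        """Sender: prepend an AH header (fields 1-5 from the text) to the payload."""
        self.send_seq += 1
        payload_len_words = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
        header = struct.pack(AH_FIXED_FMT, next_header, payload_len_words, 0, self.spi, self.send_seq)
        return header + self._icv(header, payload) + payload

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.last_seq:
            return True                       # newer than anything seen: always a candidate
        behind = self.last_seq - seq
        return behind < self.window and not (self.bitmap >> behind) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def verify(self, packet: bytes):
        """Receiver: check SPI, replay window and ICV; return (next_header, payload) or raise ValueError."""
        header = packet[:AH_FIXED_LEN]
        icv = packet[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
        payload = packet[AH_FIXED_LEN + ICV_LEN:]
        next_header, _, _, spi, seq = struct.unpack(AH_FIXED_FMT, header)
        if spi != self.spi:
            raise ValueError("packet does not belong to this security association")
        if not self._replay_ok(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        if not hmac.compare_digest(self._icv(header, payload), icv):
            raise ValueError("ICV mismatch: packet was modified or keyed differently")
        self._replay_update(seq)   # window advances only after a successful ICV check
        return next_header, payload


if __name__ == "__main__":
    key = b"constructed-shared-ah-key"        # constructed; real keys come from IKE
    sender = AHSecurityAssociation(spi=0x1001, key=key)
    receiver = AHSecurityAssociation(spi=0x1001, key=key)
    packet = sender.protect(IP_PROTO_IPV4, b"constructed inner packet")
    print(receiver.verify(packet))
    try:
        receiver.verify(packet)                 # the same packet a second time
    except ValueError as err:
        print("rejected:", err)
```

The window logic is what makes the optional third guarantee in the list (the packet is not a duplicate) work for out-of-order delivery: a packet slightly behind the newest one is still accepted once, a packet already marked in the bitmap or older than the window is dropped.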

· ESP or Encapsulating Security Payload - encrypts transmitted data, ensuring confidentiality, and can also provide authentication and data integrity;

The ESP protocol solves two groups of problems.

  1. The first includes tasks similar to those of the AH protocol: ensuring authentication and data integrity based on the digest.
  2. The second is protecting the transmitted data from unauthorized viewing by encrypting it.

The header is divided into two parts, separated by a data field.

  1. The first part, called the ESP header itself, is formed by two fields (SPI and SN), the purpose of which is similar to the fields of the same name in the AH protocol, and is placed before the data field.
  2. The remaining ESP protocol service fields, called the ESP trailer, are located at the end of the packet.

The two trailer fields, next header and authentication data, are similar to the fields of the AH header. The authentication data field is absent if a decision is made not to use the integrity capabilities of the ESP protocol when establishing the security association. In addition to these fields, the trailer contains two additional fields: padding and padding length.

The AH and ESP protocols can protect data in two modes:

  1. in transport mode, transmission is carried out with the original IP headers;
  2. in tunnel mode, the source packet is placed in a new IP packet and transmitted with new headers.

The use of one mode or another depends on the requirements for data protection, as well as on the role played in the network by the node that terminates the secure channel. Thus, a node can be a host (end node) or a gateway (intermediate node).

Accordingly, there are three schemes for using the IPSec protocol:

  1. host-host;
  2. gateway-gateway;
  3. host-gateway.

The capabilities of the AH and ESP protocols partially overlap: the AH protocol is only responsible for ensuring the integrity and authentication of data, the ESP protocol can encrypt data and, in addition, perform the functions of the AH protocol (in a stripped down form). An ESP can support encryption and authentication/integrity functions in any combination, that is, either the entire group of functions, authentication/integrity only, or encryption only.
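The ESP header (SPI, SN), the trailer (padding, padding length, next header) and the difference between transport and tunnel mode can be shown side by side. The code below is an added example written for this article, not code from any IPSec stack; it follows the ESP packet layout of RFC 4303 with the NULL encryption algorithm of RFC 2410, so the payload stays readable and only the structure and the integrity check are exercised (a deployed SA would encrypt payload, padding, padding length and next header with the negotiated cipher before the ICV is computed). Function names, the shared key, the addresses and the "TCP segment" are constructed for the example, and the outer IPv4 header checksum is left at zero for brevity. In transport mode the original IP header is kept and only its protocol and length fields change; in tunnel mode the whole original packet becomes the ESP payload behind a new header carrying the gateway addresses.

```python
import hashlib
import hmac
import socket
import struct

IP_PROTO_TCP = 6
IP_PROTO_IPV4 = 4      # Next Header value meaning "an entire IPv4 packet follows" (tunnel mode)
IP_PROTO_ESP = 50
ICV_LEN = 12           # HMAC-SHA1-96 integrity check value


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero; constructed for the example) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def esp_encapsulate(spi: int, seq: int, next_header: int, payload: bytes, key: bytes) -> bytes:
    """ESP with NULL encryption: header (SPI, SN) | payload | padding | pad length | next header | ICV."""
    pad_len = (-(len(payload) + 2)) % 4           # payload + padding + 2 trailer bytes must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))        # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + struct.pack("!BB", pad_len, next_header)
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # ICV covers everything except itself
    return body + icv


def esp_decapsulate(packet: bytes, key: bytes):
    """Verify the ICV, strip header and trailer; return (spi, seq, next_header, payload) or raise ValueError."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    if body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding does not match the default pattern")
    return spi, seq, next_header, body[8:-2 - pad_len]


def transport_mode(orig_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original IP header; ESP protects only the transport-layer segment behind it."""
    ihl = (orig_packet[0] & 0x0F) * 4
    ip_header, segment = bytearray(orig_packet[:ihl]), orig_packet[ihl:]
    esp = esp_encapsulate(spi, seq, ip_header[9], segment, key)   # next header = original protocol
    ip_header[9] = IP_PROTO_ESP
    struct.pack_into("!H", ip_header, 2, ihl + len(esp))          # new total length
    return bytes(ip_header) + esp


def tunnel_mode(orig_packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Wrap the whole original packet; the new outer header carries the gateway addresses."""
    esp = esp_encapsulate(spi, seq, IP_PROTO_IPV4, orig_packet, key)
    return build_ipv4(gw_src, gw_dst, IP_PROTO_ESP, esp)


def outer_addresses(packet: bytes):
    """Source and destination of the header an on-path observer actually sees."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


if __name__ == "__main__":
    key = b"constructed-esp-auth-key"   # constructed; a real key is negotiated by IKE
    original = build_ipv4("10.0.1.5", "10.0.2.9", IP_PROTO_TCP, b"constructed TCP segment")
    t = transport_mode(original, 0x200, 1, key)
    u = tunnel_mode(original, "203.0.113.1", "198.51.100.1", 0x201, 1, key)
    print("transport outer:", outer_addresses(t), esp_decapsulate(t[20:], key))
    print("tunnel outer:   ", outer_addresses(u), esp_decapsulate(u[20:], key))
```

Comparing the two `outer_addresses` results is the practical point of the gateway-gateway scheme: in tunnel mode the internal 10.x.x.x addresses travel inside the ESP payload and only the gateway addresses are visible on the public network, whereas transport mode exposes the real end-host addresses and is therefore suited to the host-host scheme.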

· IKE or Internet Key Exchange - Internet key exchange - solves the auxiliary task of automatically providing endpoints of a secure channel with the secret keys necessary for the operation of authentication and data encryption protocols.

2.3 Transport layer

The transport layer uses the SSL/TLS or Secure Socket Layer/Transport Layer Security protocol, which implements encryption and authentication between the transport layers of the receiver and transmitter. SSL/TLS can be used to secure TCP traffic, but cannot be used to secure UDP traffic. To operate a VPN based on SSL/TLS, there is no need to implement special software since every browser and email client is equipped with these protocols. Due to the fact that SSL/TLS is implemented at the transport layer, a secure connection is established “end-to-end”.

The TLS protocol is based on the Netscape SSL protocol version 3.0 and consists of two parts - the TLS Record Protocol and the TLS Handshake Protocol. The differences between SSL 3.0 and TLS 1.0 are minor.

SSL/TLS includes three main phases:

  1. Dialogue between the parties, the purpose of which is to select an encryption algorithm;
  2. Key exchange based on public key cryptosystems or certificate-based authentication;
  3. Transfer of data encrypted using symmetric encryption algorithms.

2.4 VPN Implementation: IPSec or SSL/TLS?

IT department managers are often faced with the question: which protocol to choose for building a corporate VPN network? The answer is not obvious, since each approach has both pros and cons. We will try to analyze this and identify when it is necessary to use IPSec and when SSL/TLS. As can be seen from the analysis of the characteristics of these protocols, they are not interchangeable and can function both separately and in parallel, defining the functional features of each of the implemented VPNs.

The choice of protocol for building a corporate VPN network can be made according to the following criteria:

· Type of access required for VPN users.

  1. Fully featured permanent connection to the corporate network. The recommended choice is the IPSec protocol.
  2. Temporary connection, e.g. mobile user or a user using a public computer in order to gain access to certain services, such as email or a database. The recommended choice is the SSL/TLS protocol, which allows you to organize a VPN for each individual service.

· Whether the user is an employee of the company.

  1. If the user is an employee of a company, the device he uses to access the corporate network via IPSec VPN can be configured in some specific way.
  2. If the user is not an employee of the company to which the corporate network is being accessed, it is recommended to use SSL/TLS. This will limit guest access to certain services only.

· What is the security level of the corporate network.

  1. High. The recommended choice is the IPSec protocol. Indeed, the level of security offered by IPSec is much higher than that offered by the SSL/TLS protocol due to the use of configurable software on the user side and a security gateway on the corporate network side.
  2. Average. The recommended choice is the SSL/TLS protocol, which allows access from any terminal.

· Security level of data transmitted by the user.

  1. High, for example, company management. The recommended choice is the IPSec protocol.
  2. Average, for example, a partner. The recommended choice is the SSL/TLS protocol.
  3. Depending on the service, from medium to high. The recommended choice is a combination of IPSec (for services requiring a high level of security) and SSL/TLS (for services requiring a medium level of security).

What's more important fast deployment VPN or solution scalability in the future.

  1. Fast VPN deployment with minimal costs. The recommended choice is the SSL/TLS protocol. In this case, there is no need to implement special software on the user side as in the case of IPSec.
  2. VPN network scalability - adding access to various services. The recommended choice is the IPSec protocol, which allows access to all services and resources of the corporate network.
  3. Fast deployment and scalability. The recommended choice is a combination of IPSec and SSL/TLS: using SSL/TLS in the first stage to access the necessary services, followed by the implementation of IPSec.

3. Methods for implementing VPN networks

A virtual private network is based on three implementation methods:

· Tunneling;

· Encryption;

· Authentication.

3.1 Tunneling

Tunneling ensures the transfer of data between two points - the ends of the tunnel - in such a way that the entire network infrastructure lying between them is hidden from the source and receiver of the data.

The transport medium of the tunnel, like a ferry, picks up packets of the network protocol used at the entrance to the tunnel and delivers them unchanged to the exit. Building a tunnel is enough to connect two network nodes so that, from the point of view of the software running on them, they appear to be connected to the same (local) network. However, we must not forget that in fact the “ferry” with data passes through many intermediate nodes (routers) of an open public network.

This state of affairs poses two problems. The first is that information transmitted through the tunnel can be intercepted by attackers. If it is confidential (bank card numbers, financial reports, personal information), then the threat of its compromise is quite real, which in itself is unpleasant. Even worse, attackers have the ability to modify the data transmitted through the tunnel so that the recipient will not be able to verify its authenticity. The consequences can be the most dire. Taking into account the above, we come to the conclusion that the tunnel in its pure form is suitable only for some types of network computer games and cannot claim to be used more seriously. Both problems are solved by modern means of cryptographic information protection. To prevent unauthorized changes from being made to a data packet as it travels through the tunnel, an electronic digital signature is used. The essence of the method is that each transmitted packet is supplied with an additional block of information that is generated in accordance with an asymmetric cryptographic algorithm and is unique to the contents of the packet and the sender's secret digital signature key. This block of information is the digital signature of the packet and allows the data to be authenticated by a recipient who knows the sender's public digital signature key. Protection of data transmitted through the tunnel from unauthorized viewing is achieved by using strong encryption algorithms.

3.2 Authentication

Security is the main function of a VPN. All data from client computers passes through the Internet to the VPN server. Such a server may be located at a great distance from the client computer, and data on the way to the organization’s network passes through the equipment of many providers. How can I make sure that the data has not been read or modified? For this, various authentication and encryption methods are used.

PPTP can use any of the protocols used for PPP to authenticate users:

  • EAP or Extensible Authentication Protocol;
  • MSCHAP or Microsoft Challenge Handshake Authentication Protocol (versions 1 and 2);
  • CHAP or Challenge Handshake Authentication Protocol;
  • SPAP or Shiva Password Authentication Protocol;
  • PAP or Password Authentication Protocol.

The best protocols are MSCHAP version 2 and EAP-TLS (Extensible Authentication Protocol with Transport Layer Security), since they provide mutual authentication, i.e. the VPN server and client identify each other. In all other protocols, only the server authenticates clients.

Although PPTP provides a sufficient degree of security, L2TP over IPSec is still more reliable. L2TP over IPSec provides authentication at the user and computer levels, and also performs data authentication and encryption.

Authentication is carried out either with a clear-text password or by a challenge/response scheme. Everything is clear with clear text: the client sends the server a password, the server compares it with the stored reference and either denies access or says “welcome.” Clear-text authentication is almost never seen.

The challenge/response scheme is much more advanced. In general terms it looks like this:

  • the client sends the server a request for authentication;
  • the server returns a random challenge;
  • the client takes a hash of his password (a hash is the result of a hash function that converts an input data array of arbitrary length into an output bit string of a fixed length), encrypts the challenge with it and transmits the result to the server;
  • the server does the same and compares its result with the client’s reply;
  • if the results match, authentication is considered successful.
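The exchange just described, as an added example that is not part of the original text, with both sides' messages collected in one transcript: client and server derive a key from the password, the server issues a random challenge, and the client proves knowledge of the password without ever sending it. The HMAC used here stands in for the text's "encrypt the challenge with the hash" step (an assumption of this example), the optional mutual step shows what MSCHAP v2 and EAP-TLS add over the one-way protocols listed earlier, and the password is a constructed demo value.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential, shared out-of-band; it never crosses the wire.
PASSWORD = "correct horse battery staple"


def password_hash(password: str) -> bytes:
    """Both sides derive the per-user key from the password (steps 3 and 4)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Combine the password hash with the challenge. An HMAC stands in for the
    text's 'encrypt the challenge with the hash': it is keyed and one-way, so the
    value on the wire reveals neither key nor password (assumption of this example)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Peer:
    """One end of the exchange; client and server differ only in their role."""

    def __init__(self, name: str, password: str):
        self.name = name
        self.key = password_hash(password)   # the server stores this verifier, not the password
        self.pending = {}                    # session id -> challenge still awaiting an answer

    def issue_challenge(self, session: str) -> bytes:
        """Step 2: a fresh random challenge for this session."""
        challenge = secrets.token_bytes(16)
        self.pending[session] = challenge
        return challenge

    def answer(self, challenge: bytes) -> bytes:
        """Step 3: prove knowledge of the password without sending it."""
        return compute_response(self.key, challenge)

    def verify(self, session: str, response: bytes) -> bool:
        """Steps 4 and 5: recompute and compare in constant time. The challenge is
        consumed, so a captured response cannot be replayed into a later session."""
        challenge = self.pending.pop(session, None)
        if challenge is None:
            return False
        return hmac.compare_digest(compute_response(self.key, challenge), response)


def run_exchange(client_password: str, server_password: str, mutual: bool = True):
    """Run the five-step scheme from the text, optionally with the mutual step
    (as in MSCHAP v2 / EAP-TLS, where the server must also prove itself).
    Returns (server_accepts_client, client_accepts_server, wire_transcript)."""
    client = Peer("client", client_password)
    server = Peer("server", server_password)
    wire = []                                   # everything an on-path observer would see

    wire.append(("client->server", "AUTH-REQUEST"))                 # step 1
    s_chal = server.issue_challenge("sess-1")
    wire.append(("server->client", "CHALLENGE " + s_chal.hex()))    # step 2
    c_resp = client.answer(s_chal)
    wire.append(("client->server", "RESPONSE " + c_resp.hex()))     # step 3
    server_ok = server.verify("sess-1", c_resp)                     # steps 4 and 5

    client_ok = None
    if mutual:                                   # the same steps with roles swapped
        c_chal = client.issue_challenge("sess-1")
        wire.append(("client->server", "CHALLENGE " + c_chal.hex()))
        s_resp = server.answer(c_chal)
        wire.append(("server->client", "RESPONSE " + s_resp.hex()))
        client_ok = client.verify("sess-1", s_resp)
    return server_ok, client_ok, wire


def password_never_on_wire(wire) -> bool:
    """Auditor's check: neither the password nor its hash appears in the transcript."""
    blob = " ".join(msg for _, msg in wire)
    return PASSWORD not in blob and password_hash(PASSWORD).hex() not in blob


def replayed_response_is_rejected() -> bool:
    """A response captured from one session is useless against a fresh challenge."""
    server = Peer("server", PASSWORD)
    client = Peer("client", PASSWORD)
    old = client.answer(server.issue_challenge("a"))
    server.verify("a", old)                        # the legitimate session completes
    server.issue_challenge("b")                    # new session, new random challenge
    return server.verify("b", old) is False


if __name__ == "__main__":
    ok_s, ok_c, wire = run_exchange(PASSWORD, PASSWORD)
    for direction, msg in wire:
        print(f"{direction:15} {msg}")
    print("server accepts client:", ok_s, "| client accepts server:", ok_c)
```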

In the first step of authenticating VPN clients and servers, L2TP over IPSec uses local certificates obtained from a certificate authority. The client and server exchange certificates and create a secure connection ESP SA (security association). After L2TP (over IPSec) completes the computer authentication process, user-level authentication is performed. For authentication, you can use any protocol, even PAP, which transmits the username and password in clear text. This is quite secure, since L2TP over IPSec encrypts the entire session. However, performing user authentication using MSCHAP, which uses different encryption keys to authenticate the computer and the user, can enhance security.

3.3 Encryption

PPTP encryption ensures that no one can access your data while it is being sent over the Internet. There are currently two supported encryption methods:

  • MPPE or Microsoft Point-to-Point Encryption is only compatible with MSCHAP (versions 1 and 2);
  • EAP-TLS can automatically select the length of the encryption key when negotiating parameters between the client and server.

MPPE supports keys with lengths of 40, 56 or 128 bits. Older Windows operating systems only support 40-bit key length encryption, so in a mixed Windows environment you should choose the minimum key length.

PPTP changes the encryption key value after each packet received. The MPPE protocol was designed for point-to-point communication links in which packets are transmitted sequentially and there is very little data loss. In this situation, the key value for the next packet depends on the results of decryption of the previous packet. When building virtual networks through public networks, these conditions cannot be met, since data packets often arrive at the recipient in a different sequence than they were sent. Therefore, PPTP uses packet sequence numbers to change the encryption key. This allows decryption to be performed regardless of previously received packets.

Both protocols are implemented both in Microsoft Windows and outside it (for example, in BSD), although the VPN operating algorithms can differ significantly.

Thus, the “tunneling + authentication + encryption” combination allows you to transfer data between two points through a public network, simulating the operation of a private (local) network. In other words, the considered tools allow you to build a virtual private network.

An additional pleasant effect of a VPN connection is the possibility (and even necessity) of using the addressing system adopted in the local network.

The implementation of a virtual private network in practice looks like this: A VPN server is installed in the local computer network of the company's office. The remote user (or router, if connecting two offices) using VPN client software initiates the connection procedure with the server. User authentication occurs - the first phase of establishing a VPN connection. If the authority is confirmed, the second phase begins - the details of ensuring the security of the connection are agreed upon between the client and the server. After this, a VPN connection is organized, ensuring the exchange of information between the client and the server in the form when each data packet goes through encryption/decryption and integrity check procedures - data authentication.

The main problem with VPN networks is the lack of established standards for authentication and encrypted information exchange. These standards are still under development, and therefore products from different manufacturers cannot establish VPN connections and automatically exchange keys. This problem is slowing down VPN adoption, because it is difficult to force various companies to use the products of one manufacturer, and therefore the process of combining the networks of partner companies into so-called extranet networks is difficult.

The advantages of VPN technology are that remote access is organized not through a telephone line, but through the Internet, which is much cheaper and better. The disadvantage of VPN technology is that VPN building tools are not full-fledged means of detecting and blocking attacks. They can prevent a number of unauthorized actions, but not all the possibilities that can be used to penetrate a corporate network. But despite all this VPN technology has prospects for further development.

What can we expect in terms of VPN technology development in the future? Without any doubt, a unified standard for constructing such networks will be developed and approved. Most likely, the basis of this standard will be the already proven IPSec protocol. Next, manufacturers will focus on improving the performance of their products and creating user-friendly VPN management tools. Most likely, the development of VPN building tools will go in the direction of router-based VPNs, since this solution combines fairly high performance, integration of VPN and routing in one device. However, low-cost solutions for small organizations. In conclusion, it must be said that, despite the fact that VPN technology is still very young, it has a great future ahead of it.


The Internet has firmly entered our lives, and if earlier, during the years of the dominance of analog modems, in order to access the Internet it was necessary to take into account both the volume of traffic and the connection time, today an unlimited Internet connection has become the norm. That is, if there is no Internet at any time and in any “volume,” then this is already something out of the ordinary. Moreover, if earlier the availability of unlimited Internet was considered the de facto standard for corporate networks, today it has already become the norm for end users. As the Internet develops, the conceptual model of its use also changes. More and more new services are appearing, such as video on demand and VoIP, and peer-to-peer file-sharing networks (BitTorrent) etc. are developing. Recently, the organization of virtual private networks (VPN) over the Internet with the ability to organize remote access to any computer in such a network has become very popular. How this can be done will be discussed in this article.

Why is this necessary?

Organization of VPN networks over the Internet or within a local network has many use cases: network games on the Internet bypassing game servers (just like games over a local network), creating a network closed from outsiders for transmitting confidential information, the ability to remotely and securely manage computers (full control over a remote PC), organizing secure access for employees on a business trip to corporate network resources, communication via a virtual network of individual offices (local area networks).

The traditional approach to deploying such a virtual private network is that a VPN server (usually based on Linux OS) is installed and configured in the corporate network and remote users access the corporate network via VPN connections.

However, this approach is not applicable when the user needs to gain remote access to his home computer. It is unlikely that a situation where a separate VPN server is installed at home can be considered normal. However, don't despair. The task of creating a VPN network is solvable and even a novice user can do it. For this purpose there is a special program, Hamachi, which can be freely downloaded from the Internet (http://www.hamachi.cc/download/list.php). What is especially pleasing is the presence of a Russified version, so that any user can master the program.

Hamachi 1.0.2.2

So, Hamachi (current version 1.0.2.2) is a program that allows you to create a virtual private network (VPN) over the Internet and connect several computers in it. After creating such a network, users can establish VPN sessions among themselves and work on this network in the same way as on a regular local (LAN) network, with the ability to share files, remotely administer computers, etc. The advantage of a VPN network is that it is completely protected from unauthorized intervention and is invisible from the Internet, although it exists on it.

Hamachi must be installed on all computers that are to be connected to a virtual private network.

The virtual network is created using a specialized Hamachi server on the Internet. To connect to this server, ports 12975 and 32976 are used. The first port (12975) is used only for establishing a connection, and the second - during operation. However, ordinary users are unlikely to need such detailed information.

After a virtual network is created between selected computers using the Hamachi server, information exchange between VPN clients occurs directly, that is, without the participation of the Hamachi server. The UDP protocol is used to exchange data between VPN clients.

Program installation

The Hamachi program is installed on computers with the Windows 2000/XP/2003/Vista operating system. There are also console versions of the program for Linux and Mac OS X. Next, we will look at installing and configuring the program using the Windows XP operating system as an example.

Installing the Hamachi program is quite simple and does not cause problems (especially considering that the interface of the installation wizard is in Russian). After you begin installing the program on your computer, the installation wizard starts and prompts you to agree to the license agreement, select a folder to install the program (Fig. 1), create an icon on the desktop, etc.

Among the useful optional features that can be activated during installation are the automatic launch of Hamachi when the computer boots and the blocking of vulnerable services for Hamachi connections (Fig. 2). In the latter case, the Windows File Sharing service will be blocked for the Hamachi virtual network adapter. As a result, other users of the VPN network will not have access to files and folders that are shared on your computer. At the same time, these files and folders will remain accessible to ordinary users of the local network, with whom a VPN connection is not used.

Fig. 1. The Hamachi installation wizard allows you to specify the folder in which to place the program, create an icon on the desktop and select the option to start the program automatically when the computer boots

Besides blocking the Windows File Sharing service, blocking vulnerable services for Hamachi connections also blocks remote access to certain Windows services that are often attacked. Accordingly, if you use the Hamachi program to connect to reliable clients that you trust, then it is better to disable the option to block vulnerable services.

Fig. 2. The Hamachi installation wizard allows you to block vulnerable services for Hamachi connections

At the last stage, the installation wizard will ask you to choose which version of the program to install: basic or Premium. Hamachi comes in two versions. The basic version is free, while the Premium version, which has wider capabilities, is paid. Note that for most users the free basic version of the program is quite sufficient (we will talk about the detailed differences between the basic and Premium versions a little later), but the standard approach is as follows: first the Premium version is installed for 45 days (free), and after this period it automatically switches to the basic version.

After installing and launching the Hamachi program on your computer, if this is the first time you have installed the program, a short guide to Hamachi will launch, which describes how to work with the program.

First launch of the program

When you launch the program for the first time, your account is created. At this stage, you need to set the computer name under which it will be visible to other users of the VPN network (Fig. 3).

Fig. 3. Specifying the name of the computer under which it will be visible to other users of the VPN network

When the computer name is specified, the program establishes a connection to the Hamachi database server and requests an IP address that will be assigned to the Hamachi virtual network adapter and used in the future to establish VPN connections. Each Hamachi client is assigned an IP address in the 5.0.0.0/8 range (subnet mask 255.0.0.0), which is generally not used on the Internet. The ranges reserved for private use on local networks are: 10.0.0.0/8 (from 10.0.0.0 to 10.255.255.254), 172.16.0.0/12 (from 172.16.0.0 to 172.31.255.254) and 192.168.0.0/16 (from 192.168.0.0 to 192.168.255.254). The 5.0.0.0/8 range, however, has been reserved for more than 10 years by the IANA (Internet Assigned Numbers Authority, an American organization that manages IP address space) and is not used for public (external) Internet addresses. Thus, the 5.0.0.0/8 range, on the one hand, belongs to the external (public) address space, so it is excluded that the IP address assigned to you is already in use on your local network (local networks use only addresses reserved for private use), and on the other hand, these addresses are not yet occupied by anyone.

After you are assigned an IP address from the 5.0.0.0/8 range, it becomes a kind of identifier for your computer in the virtual private network. This IP address is assigned to the Hamachi virtual network adapter. So, if you type the ipconfig /all command on the command line, then in addition to the network interface settings of the real network adapter (which is physically present in your PC), you will find that another adapter, the Hamachi virtual Ethernet adapter, has appeared, with a MAC address, IP address, subnet mask, gateway IP address, etc. assigned to it (Fig. 4).

Fig. 4. After the first launch of the program, the Hamachi virtual network adapter is assigned an IP address from the range 5.0.0.0/8 and its network interface is configured

So, after the Hamachi program has configured the virtual network adapter, you can start working with the program.

At this point, your computer is not yet a member of any virtual private network, so the first step is to connect to an existing virtual private network or create a new VPN network.

Working with the program

The program interface is very simple (Fig. 5). There are only three function buttons: On/Off, Network Menu Button and System Menu Button.

Fig. 5. The Hamachi program interface is very simple - only three function buttons

To create a new VPN network or connect a computer to an existing one, click on the network menu button and select the appropriate item (Fig. 6).

Fig. 6. The network menu button allows you to create a new VPN network or join the computer to an existing one

Joining and leaving an existing virtual network

If you need to connect your computer to an existing virtual network and you know its name and password (if one is used), then in the network menu select Login to an existing network... Next, a window will open in which you need to set the network name and password (Fig. 7).

Fig. 7. Adding a computer to an existing virtual network

After this, the name of the network and a list of computers connected to it (except yours) will appear in the program window - Fig. 8.

Fig. 8. After connecting the computer to the virtual network, a list of the computers connected to it is displayed in the program window

If there is a green dot or star next to the computer name, this means that a connection with the computer has been established. A flashing green dot indicates that the connection is in the process of being established. A light circle around the green dot indicates that information is being exchanged with this computer.

The worst thing is when there is a yellow dot next to the computer name - this means that for some reason a direct connection to it could not be established. If the name of the computer is displayed in yellow, this means that the connection with it has been lost.

The appearance of a blue dot indicates that a direct connection to the computer could not be established and communication is carried out through the Hamachi server. The problem is that in this case the communication channel with the computer has very low bandwidth and long delays.

If the name of the computer and the dot next to its name are displayed in gray, this means that the computer, although connected to this virtual network, is inaccessible (for example, the PC is turned off, there is no Internet connection, or the Hamachi program is not running).

To leave the network, just right-click on its name and select Disconnect or Leave the network from the drop-down list. In the first case, you only temporarily leave the network and the list of computers connected to it remains visible to you. In the second case, to enter the network you will have to repeat the entire procedure of connecting the computer to the existing network.

Creating a new network and deleting the created network

If you need to create a new virtual network, then in the network menu select Create a new network... A window will open in which you need to specify the name of the network being created and the password that other users will use to join this network (Fig. 9).

Fig. 9. Creating a new VPN network

After creating a new network, you can connect user computers to it. If the network is created by you, then you are its administrator and receive full control over it, which other users are deprived of. It is important to remember that the created network can only be managed from the computer on which it was created. More precisely, the network can only be managed from a computer that is assigned exactly the same virtual IP address as the one that was used to create the virtual network. Why is this remark so important? Imagine this situation: you installed Hamachi and created a new VPN network. Then you completely deleted the Hamachi program (including all configuration files) and after some time installed it again. You will be assigned a new virtual IP address, but using it, you will no longer be able to control the VPN network you created earlier.

If you are a network administrator, you can delete it. To do this, right-click on the network name and select the item from the drop-down list Delete. Note that when a network is deleted, all connections between its other users are completely destroyed.

Other actions with network computers

If you have joined a network, you can perform the following actions on the computers connected to it:

  • accessibility check;
  • folder browsing;
  • sending a message;
  • copying the address;
  • blocking;
  • setting the label.

In order to perform one of them, right-click on the computer name and select the appropriate item from the drop-down menu (Fig. 10).

Fig. 10. List of possible actions with the selected computer on the network

When the Check availability item is selected, the usual ping command is executed to the address of the corresponding computer.

The Browse folders item allows you to access shared folders on the selected computer.

The Send a message item makes it possible to exchange messages between individual computers on the network, similar to how it is done in ICQ.

The Copy address item copies the IP address of the selected computer to the clipboard, which is convenient if you want to use this address in other programs (for example, remote administration).

The Block item allows you to temporarily block the selected computer, that is, your VPN channel with it will be blocked and information exchange will be impossible.

The Set label item allows you to select the format for displaying computer attributes on the network. By default, the computer's IP address and its name are displayed. You can choose to display only the computer name or only the IP address.

Setting up the program

In order to access the program settings, click on the system menu button and select the item Settings… (Fig. 11).

Fig. 11. Accessing the program settings

After this, the Status and configuration window will open, allowing detailed configuration of the program (Fig. 12).

Fig. 12. Detailed program configuration window

Actually, everything here is quite simple, and detailed comments are unlikely to be needed, so we will simply list the features available in the configuration window. In this window you can change the computer name, make detailed connection settings, set the program startup type, block or unblock vulnerable Windows services, block new network members and set other, less significant options. Among the important features, we note the ability to disable encryption when transferring data between individual computers on the network. To do this, click on the Window icon and, in the Appearance group, check the box Show "Advanced..." menu item (Fig. 13).

Fig. 13. Adding the Advanced... item to the drop-down menu

After this, if you right-click on the name of a computer connected to the network, an Advanced… item will appear in the drop-down menu. If you select it, the Tunnel Configuration window will open, which allows you to change the VPN tunnel settings. To disable encryption, select the value Off in the Encryption field. In this case, data from your computer will be transferred to the selected PC in unencrypted form; however, in the opposite direction the data will still be transmitted encrypted. To completely disable encryption for a VPN tunnel between two computers, it must be disabled on both computers.

Note that encryption should be disabled only in exceptional cases, since the encryption procedure itself is unlikely to affect throughput. The fact is that the transfer speed will be determined by the bandwidth of your Internet channel, and not by the use or absence of encryption. Only if a VPN tunnel is formed between computers within the same local network with a throughput of about 100 Mbit/s can the use of encryption slightly reduce the maximum transfer speed (to 70-80 Mbit/s).

Conclusion

The Hamachi program is a powerful tool that allows you to create VPN networks very quickly. Note that it was originally created to allow users to play online games by bypassing game servers. However, the possible scenarios for using this program are much wider. Thus, having created a virtual network and connected computers to it, you can, using standard remote administration programs, gain remote access to any computer in the virtual network, since each computer in such a network has its own dedicated IP address.

At the same time, it should be noted that it is not always possible to establish a direct connection between individual computers. And despite the fact that the manufacturer’s website claims that the program easily “breaks through” routers and NAT devices, in reality everything is not so optimistic. The documentation for the program states that in 5% of cases a direct connection between individual computers cannot be established; however, it seems to us that this figure is clearly underestimated. The real situation is this: if we are talking about connecting two computers that are each assigned a dynamic or static public IP address, there are no problems. That is, if you have only one computer with Internet access at home and you need to connect to a user who also has one computer with Internet access, then there will be no problems. As practice shows, there are also no problems establishing a connection between a user’s computer with a dynamic or static public IP address and a computer on a local network protected by a router. However, if a connection is established between two computers belonging to different local networks protected by routers, then problems are possible and it is not certain that a direct connection will be established. That is, a connection can be established, but most likely it will not be direct, but through the Hamachi server. Accordingly, the speed of such a communication channel will be very low and there will be little use from such a connection. For example, at home your Internet access is implemented using a wireless router, that is, your computer is part of your home local network and is assigned an IP address from the range reserved for private use, while a public address is assigned to the WAN port of the router through which you access the Internet. If you then try to establish a connection with another computer that is also part of a local network (for example, with a work computer in the office or with the computer of a user who has a local network deployed at home and uses a router), then in most cases problems arise.

The Hamachi User's Guide describes how you can avoid these problems. To do this, it is suggested to use a fixed (rather than dynamic) UDP port and implement port forwarding on the router. However, as practice shows, port forwarding or using a demilitarized zone in the router does not always help.

VPN (Virtual Private Network) is a widespread technology that allows you to organize virtual networks over existing real networks. This article will focus on terminology and general principles; setting up such networks will be considered separately.

Despite the word “Private” in the name of the technology, it is possible to organize public, unencrypted networks. In general, a VPN can be organized in a huge number of ways using different technologies (SSL VPN, IPSec, GRE, etc.).

Any construction of a VPN means the creation of tunnels; a tunnel means a channel between two devices through which data is transmitted. An important condition is that the data is isolated from the specifics of channel construction. The device transmitting useful data does so as if there were no tunnel, and setting up the tunnel itself is a separate task. There are two types of VPN tunnels:

  1. Remote access VPN - means that a tunnel is organized between an application on the client’s computer and some device that acts as a server and organizes connections from various clients (for example, a VPN concentrator, router, Cisco ASA, etc.).
  2. Site-to-site VPN - implies the presence of two devices (for example, routers), between which there is a permanent tunnel; in this case, users are behind the devices, on local networks, and no special software is required to be installed on their computers.

The first type is used to connect, for example, remote workers to an enterprise’s corporate network via a secure channel. In this case, the employee can be located in any place where there is Internet, and the software on his computer will build a tunnel to the company router, through which useful data will be transmitted. The second type is used when a permanent connection is needed between two remote branches, or between a branch and the central office. In this case, employees work on the local office network without special software, and on the border of this network there is a router that, unnoticed by the user, creates a tunnel with a remote router and transmits useful traffic to it.

A tunnel typically involves three layers of protocols:

  1. Transport protocol (for example, IP). This is the protocol of the existing real network; it is not initially associated with the VPN at all, but is used to carry the encapsulated packets containing encrypted or clear information belonging to the internal network of the tunnel.
  2. Encapsulation protocol (for example, GRE), used as a layer between the transport protocol and the transported protocol.
  3. Encapsulated (transported) protocol (for example, IP, IPX, IPSec): the actual packets of the intra-tunnel network. A user connected to the VPN sends packets that, at the tunnel entrance, are encapsulated, for example, in GRE, which in turn is encapsulated in the transport protocol.

Thus, in a site-to-site VPN the general order of encapsulation is as follows: the user sends an ordinary packet; the packet reaches the device on which the tunnel is set up; the device wraps this useful packet in the “data” field of the encapsulation protocol, which in turn is wrapped in the “data” field of the transport protocol. What leaves the device is a seemingly ordinary packet, for example an IP packet, whose payload field in fact contains a GRE packet, which in turn contains another, inner IP packet. This allows independent addressing inside and outside the tunnel. When the target device receives such a packet, it unwraps it, decapsulating the GRE packet and then the inner IP packet from it, after which the inner packet is delivered to the recipient. In this situation, as you might guess, the sender and recipient know nothing about the tunnel and act as if it did not exist. At the same time the transport protocol uses one addressing scheme (for example, public IP addresses), while the transported protocol can use private addresses, which does not prevent it from being carried over the Internet, since routing is performed on the outer, transport packet.
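The encapsulation order just described, carried out byte by byte as an added example (illustrative code written for this article, not code from any VPN product or router): an inner IPv4 packet with private addresses is wrapped in a GRE header and then in an outer IPv4 packet with public addresses, and the far end strips both layers again. The addresses and payload are constructed sample values (documentation TEST-NET ranges stand in for the routers’ public addresses), and the GRE header is the minimal 4-byte form without checksum, key or sequence number.

```python
"""Three-layer tunnel encapsulation: inner IP -> GRE -> outer (transport) IP."""
import socket
import struct

GRE_PROTOCOL_NUMBER = 47   # value of the IPv4 "protocol" field for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" announcing an inner IPv4 packet


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, header length 5 words
        0,                    # DSCP / ECN
        20 + len(payload),    # total length
        0x1234,               # identification (constructed value)
        0,                    # flags / fragment offset
        64,                   # TTL
        protocol,
        0,                    # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    csum = ip_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload); a valid header checksums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ip_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_length = struct.unpack("!H", header[2:4])[0]
    src = socket.inet_ntoa(header[12:16])
    dst = socket.inet_ntoa(header[16:20])
    return src, dst, header[9], packet[ihl:total_length]


def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entrance: put the inner packet in GRE, then GRE in the transport IP packet."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S flags
    return build_ipv4(outer_src, outer_dst, GRE_PROTOCOL_NUMBER, gre_header + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit: strip the outer IP and GRE headers and return the inner packet."""
    _, _, protocol, payload = parse_ipv4(outer_packet)
    if protocol != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer packet does not carry GRE")
    flags, proto_type = struct.unpack("!HH", payload[:4])
    if flags & 0xF000:   # C, R, K or S bit set: optional fields would follow the 4 bytes
        raise ValueError("optional GRE fields are not handled in this example")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto_type)
    return payload[4:]


def tunnel_roundtrip():
    """Constructed sample: LAN host 192.168.0.10 sends to 10.0.0.20 in the remote office.
    The payload is an opaque byte string, not a real transport-layer datagram."""
    inner = build_ipv4("192.168.0.10", "10.0.0.20", 17, b"hello over the tunnel")
    outer = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    recovered = gre_decapsulate(outer)
    return inner, outer, recovered


if __name__ == "__main__":
    inner, outer, recovered = tunnel_roundtrip()
    print("outer header:", parse_ipv4(outer)[:3])
    print("inner header:", parse_ipv4(recovered)[:3])
    print("round trip intact:", recovered == inner)
```

Note that routing between the two offices looks only at the outer header (public addresses, protocol 47); the private addresses in the inner header are never consulted until the far router has stripped the GRE layer.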

In this article we will look in detail at setting up a VPN server in the Windows Server operating system, and also answer the questions: what is a VPN, and how do you set up a VPN connection?

What is a VPN connection?

VPN (Virtual Private Network) is a virtual private network used to provide a secure connection to a network: a technology that lets you join any number of devices into a private network, as a rule over the Internet.

Although this technology is not new, it has recently gained relevance due to the desire of users to maintain data integrity or privacy in real time.

This way of connecting is called a VPN tunnel. You can connect to a VPN from any computer with any operating system that supports VPN connections, or by installing a VPN client that can forward ports over TCP/IP into the virtual network.

What does a VPN do?

VPN provides remote connection to private networks.

You can also safely combine several networks and servers.

Computers with IP addresses from 192.168.0.10 to 192.168.0.125 are connected through a network gateway that acts as the VPN server. The rules for connections over the VPN channel must first be written on the server and router.

VPN lets you use the Internet safely even when connecting to open Wi-Fi networks in public places (shopping centers, hotels or airports).

It also lets you bypass restrictions on displaying content in certain countries.

VPN protects against interception of information by an attacker in transit, which the recipient would otherwise not notice.

How VPN works

Let's look at how a VPN connection works in principle.

Imagine transmission as a packet travelling along a highway from point A to point B, with checkpoints along the way that the data packet has to pass. With a VPN, this route is additionally protected by encryption and user authentication in order to secure the traffic carrying the data packet. This method is called “tunneling”.

In this channel all communications are reliably protected: every intermediate transmission node deals only with an encrypted packet, and only when the data reaches the recipient is it decrypted and made available to the authorized recipient.

VPN will ensure the privacy of your information along with a comprehensive antivirus.

VPN supports protocols such as OpenVPN, L2TP, IPSec, PPTP and PPPoE, and turns out to be a completely secure and safe method of data transfer.

VPN tunneling is used:

  1. Inside the corporate network.
  2. To consolidate remote offices and small branches.
  3. To access external IT resources.
  4. To build video conferences.

Creating a VPN, selecting and configuring equipment.

For corporate communications, large organizations or associations of offices remote from one another use hardware capable of maintaining uninterrupted operation and security on the network.

The network gateway for the VPN service can be a Linux/Windows server, a router, or a dedicated network gateway on which the VPN is installed.

The router must provide reliable network operation without freezes. The built-in VPN function lets you adapt the configuration for working at home, in an organization or in a branch office.

Setting up a VPN server.

If you want to install and use a VPN server based on the Windows family, you need to understand that client machines on Windows XP/7/8/10 do not support this function; you need a virtualization system or a physical server on the Windows 2000/2003/2008/2012/2016 platform. We will look at this feature on Windows Server 2008 R2.

1. First, you need to install the “Network Policy and Access Services” server role. To do this, open Server Manager and click the “Add Roles” link:

Select the Network Policy and Access Services role and click Next:

Select “Routing and Remote Access Services”, click Next, and then Install.

2. After installing the role, you need to configure it. Go to Server Manager, expand the “Roles” branch, select the “Network Policy and Access Services” role, expand it, right-click “Routing and Remote Access” and select “Configure and Enable Routing and Remote Access”.

After starting the service, we consider the configuration of the role complete. Now you need to allow users access to the server and configure the issuance of IP addresses to clients.

Ports used by the VPN protocols. After the service is started, they are opened in the firewall:

For PPTP: 1723 (TCP);

For L2TP: 1701 (TCP);

For SSTP: 443 (TCP).

The L2TP/IPsec protocol is preferable for building VPN networks, mainly for security and higher availability, because a single UDP session is used for the data and control channels. Today we will look at setting up an L2TP/IPsec VPN server on the Windows Server 2008 R2 platform.

You can try to deploy using the following protocols: PPTP, PPPoE, SSTP, L2TP, L2TP/IPsec.

Go to Server Manager: Roles - Routing and Remote Access, right-click this role and select “Properties”. On the “General” tab, check the IPv4 Router box, select “LAN and demand-dial routing”, and check IPv4 Remote access server:

Now we need to enter the pre-shared key. Go to the Security tab, check the box “Allow custom IPsec policy for L2TP connection” and enter your key. (About the key: you can enter an arbitrary combination of letters and digits; the main principle is that the more complex the combination, the safer it is. Remember or write down this combination, we will need it later.) In the Authentication provider field, select Windows Authentication.
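The advice that a more complex key is safer can be made concrete. The following is an added example written for this article, not part of the original text or of RRAS: it generates a pre-shared key from the operating system’s cryptographic random generator and estimates how much strength a given key actually has. The 20-character and 128-bit thresholds are assumptions chosen for this example, not RRAS requirements.

```python
"""Generate a strong L2TP/IPsec pre-shared key and sanity-check a candidate key."""
import math
import secrets
import string

# Alphabet for generated keys: printable ASCII without the space character (94 symbols).
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_psk(length: int = 32) -> str:
    """Generate a pre-shared key using the OS CSPRNG through the secrets module.

    The random module is not suitable here: its generator is predictable from its output.
    """
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(psk: str) -> float:
    """Estimate strength as length * log2(size of the character classes present).

    This is an upper bound: it assumes every character was drawn uniformly from the
    classes used, which holds for generate_psk() but not for keys people make up.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in psk):
        pool += 26
    if any(c in string.ascii_uppercase for c in psk):
        pool += 26
    if any(c in string.digits for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str, min_length: int = 20, min_bits: float = 128.0) -> list:
    """Return the reasons a key is too weak; an empty list means it passes.

    Thresholds are assumptions made for this example, not RRAS requirements.
    """
    problems = []
    if len(psk) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if psk_entropy_bits(psk) < min_bits:
        problems.append("fewer than %.0f bits of estimated entropy" % min_bits)
    # Crude complement to the upper-bound estimate: a long key made of a handful of
    # repeated characters scores well above but is trivially guessable.
    if len(set(psk)) < max(4, len(psk) // 3):
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print("generated key:", key)
    print("estimated bits:", round(psk_entropy_bits(key), 1))
    for candidate in (key, "password123", "a" * 40):
        print(repr(candidate[:12]), "->", check_psk(candidate) or "ok")
```

The key is shared with every L2TP client, so treat it like a password for the whole VPN: store it in the organization’s password manager rather than in the setup notes, and change it when a client that knew it is decommissioned.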

Now we need to configure connection security. On the same Security tab, click Authentication Methods and check EAP and Microsoft encrypted authentication version 2 (MS-CHAP v2):

Next, go to the IPv4 tab, where we specify which interface will accept VPN connections and configure the pool of addresses issued to L2TP VPN clients (set the adapter to “Allow RAS to select adapter”):

Now go to the Ports node that has appeared, right-click it and choose Properties, select the L2TP connection and press Configure; in the new window enable Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound) and set the maximum number of ports. The number of ports must match or exceed the expected number of clients. It is better to disable unused protocols by unchecking both checkboxes in their properties.

The list of ports we have left, in the specified quantity.
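The address pool and the port count have to agree with each other and with the rest of the LAN plan, otherwise clients get ports with no address, or addresses that the DHCP server is also handing out. The following added example (written for this article, not part of it or of RRAS) checks a planned pool against the LAN subnet, the DHCP scope and the number of L2TP ports. The subnet, scope and pool values are constructed, and the rule that the pool must be at least as large as the port count is an assumption of this example.

```python
"""Check an RRAS static address pool against the office LAN plan before clients connect."""
import ipaddress


def check_vpn_address_plan(lan_subnet, dhcp_scope, vpn_pool, l2tp_ports, expected_clients):
    """Validate the L2TP client pool against the LAN; return a list of problems.

    lan_subnet        LAN network in CIDR form, e.g. "192.168.0.0/24"
    dhcp_scope        (first, last) addresses the LAN DHCP server hands out
    vpn_pool          (first, last) addresses RRAS will issue to L2TP clients
    l2tp_ports        number of L2TP ports set under Ports > Properties
    expected_clients  number of simultaneous VPN clients being planned for
    """
    net = ipaddress.ip_network(lan_subnet, strict=True)
    dhcp_first, dhcp_last = (ipaddress.ip_address(a) for a in dhcp_scope)
    pool_first, pool_last = (ipaddress.ip_address(a) for a in vpn_pool)
    problems = []

    if pool_first > pool_last:
        problems.append("VPN pool start is after its end")
        return problems

    # Every pool address must be a usable host address inside the LAN subnet.
    for addr in (pool_first, pool_last):
        if addr not in net:
            problems.append("%s is outside %s" % (addr, net))
    if pool_first == net.network_address or pool_last == net.broadcast_address:
        problems.append("VPN pool includes the network or broadcast address")

    # Two inclusive ranges overlap when each starts no later than the other ends.
    if pool_first <= dhcp_last and dhcp_first <= pool_last:
        problems.append("VPN pool overlaps the DHCP scope (duplicate addresses likely)")

    pool_size = int(pool_last) - int(pool_first) + 1
    if l2tp_ports < expected_clients:
        problems.append("only %d L2TP ports for %d expected clients"
                        % (l2tp_ports, expected_clients))
    if pool_size < l2tp_ports:
        problems.append("pool of %d addresses cannot serve %d ports" % (pool_size, l2tp_ports))
    return problems


if __name__ == "__main__":
    # Constructed sample plan: LAN 192.168.0.0/24, DHCP scope .10-.125, VPN pool .200-.220.
    plan = ("192.168.0.0/24", ("192.168.0.10", "192.168.0.125"),
            ("192.168.0.200", "192.168.0.220"))
    print(check_vpn_address_plan(*plan, l2tp_ports=20, expected_clients=15) or "plan is consistent")
    bad = ("192.168.0.0/24", ("192.168.0.10", "192.168.0.125"),
           ("192.168.0.100", "192.168.0.130"))
    for problem in check_vpn_address_plan(*bad, l2tp_ports=20, expected_clients=30):
        print("problem:", problem)
```

Run the check again whenever the DHCP scope is widened or the port count is raised; a pool that was fine at 20 clients silently collides with DHCP once someone extends the scope.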

This completes the server setup. All that remains is to allow users to connect to the server. Go to Server Manager, Active Directory Users and Computers, find the user we want to allow access to, press Properties, and go to the Dial-in tab