Virtual Private Networks

From Nitix Knowledgebase

"Virtual Private Networks" is included in NitixUserManual.


 

Private Networks

In the past, private networks were created by using routers to connect different office locations through dedicated phone lines. The resulting network is often called a wide area network (WAN). Conventional private networks can be illustrated like this:

Diagram of a Private Network

 

Virtual Private Networks

TunnelVision allows you to create a virtual private network (VPN) using the internet instead of a WAN and dedicated phone lines for server-to-server or network-to-network connections. A VPN can be illustrated this way:

Diagram of a VPN

 

Making a Virtual Network Private

In a conventional private network, your company owns all the routers, all the computers, and all the phone lines involved. Because the only people using the network are employees, the network is secure (at least in theory).

The internet, on the other hand, is connected to any number of businesses and organizations. As your private data passes through the internet, it is possible that people may intercept what you are sending. In order to prevent this from happening, all of the data that passes through a VPN is encrypted with the strongest encryption technology available: 1024-bit RSA and 128-bit Blowfish algorithms. Such encryption makes it very difficult to access the data in your transmissions.

 

VPN Network Topologies

Topology refers to the shape of a network, or the network's layout. How different nodes in a network are connected to each other and how they communicate are determined by the network's topology. A VPN allows organizations to interconnect their offices securely. Applications and data can be readily shared throughout the VPN network if desired. For example, you could have the accounts departments of each branch connected to each other or each department could be connected to a central point.

TunnelVision can work in either a “fully meshed” topology or a “non-meshed” topology.

 

Fully Meshed Topology

In a mesh topology, devices are connected with many redundant interconnections between network nodes. In a true mesh topology every node has a connection to every other node in the network. An advantage of such a network would be that no branch is reliant upon a single connection.

Diagram of a Fully Meshed Topology

 

Non-Meshed Topology

In a non-meshed, or “hub-and-spoke,” topology all devices are connected to a central hub, i.e. Headquarters, which dictates the access rules of the VPN to the other branches. Nodes communicate across the network by passing data through the hub. A typical application would be to implement a Terminal Services solution using the Headquarters as the gateway for the branch sites.

Diagram of a Non-Meshed Topology
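The two topologies can be compared with a small model. This is an added example, not code from the Nitix manual or the TunnelVision product: it builds the tunnel set for a fully meshed and a non-meshed VPN, reports which sites a server can see directly (a non-meshed client sees only the master, as the configuration steps later in this chapter explain), and tests the redundancy claim by removing one tunnel at a time. The site names are constructed, and the breadth-first search assumes that an intermediate site forwards traffic for its neighbours, which the manual does not state.

```python
"""Model of the two TunnelVision topologies described above.

Added example, not part of the Nitix manual. Site names are constructed;
HQ is taken to run the Master server.
"""
import itertools
from collections import deque

SITES = ["HQ", "BranchA", "BranchB", "BranchC"]   # constructed site names
MASTER = "HQ"


def build_tunnels(sites, master, fully_meshed):
    """Return the tunnels TunnelVision keeps, as unordered site pairs."""
    if fully_meshed:
        # every site holds a tunnel to every other site: n*(n-1)/2 tunnels
        return {frozenset(pair) for pair in itertools.combinations(sites, 2)}
    # non-meshed (hub-and-spoke): one tunnel per branch, to the master only
    return {frozenset((master, site)) for site in sites if site != master}


def peers(site, tunnels):
    """Sites that `site` holds a direct tunnel to, i.e. the servers and
    networks it can see (a non-meshed client sees only the master)."""
    return {other for link in tunnels if site in link for other in link - {site}}


def reachable(site, tunnels):
    """Sites reachable from `site` over the tunnel graph by breadth-first search.
    Modelling assumption (not stated by the manual): an intermediate site
    forwards traffic for its neighbours."""
    seen, queue = {site}, deque([site])
    while queue:
        here = queue.popleft()
        for nxt in peers(here, tunnels) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {site}


def survives_single_failure(site, sites, master, fully_meshed):
    """True when `site` still reaches every other site after any one tunnel
    is lost: the redundancy the manual attributes to a mesh."""
    tunnels = build_tunnels(sites, master, fully_meshed)
    others = set(sites) - {site}
    return all(reachable(site, tunnels - {lost}) == others for lost in tunnels)


if __name__ == "__main__":
    for meshed in (True, False):
        t = build_tunnels(SITES, MASTER, meshed)
        print(f"fully meshed={meshed}: {len(t)} tunnels, "
              f"BranchA sees {sorted(peers('BranchA', t))}, "
              f"BranchA survives one tunnel loss: "
              f"{survives_single_failure('BranchA', SITES, MASTER, meshed)}")
```

With four sites the mesh needs six tunnels and the hub-and-spoke three; losing any one tunnel isolates a branch in the non-meshed case, while in the mesh every branch still reaches every other site.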

 

How TunnelVision Works

A VPN allows all of the computers on two networks to communicate with each other. For this to happen, you have to first configure their subnet addresses.

When you install Nitix, the IP addresses used on your local network do not really matter. Internet standards recommend that all IP addresses that are owned by internal business networks (and not used on the internet itself) begin with 192.168. The third part of the IP address specifies which private subnet number you are using, and the fourth part identifies an individual computer on the network. In special circumstances, however, you can use any subnet number at all (the first three parts of the IP address).

The important thing is that the Nitix server and the computers on the local network have the same subnet number and unique IP addresses.

 

Network Address Translation (NAT)

When you communicate with other computers on the internet, Nitix uses network address translation (NAT) to give each connection a valid, unique IP address that does not conflict with other networks.

But for a VPN, we do not want Nitix to use NAT, because then only two addresses will be visible: Nitix server #1 and Nitix server #2. Instead, Nitix should pass addresses on each network through to the other network unchanged.

For this to happen, you need to assign different subnet numbers to each Ethernet network involved in the VPN. For example, use 192.168.1 for Network #1 and 192.168.2 for Network #2. That means each computer on Network #1 has an address starting with 192.168.1, and each computer on Network #2 has an address starting with 192.168.2.

 

The Steel Pipe

To summarize, Network #1 is connected to the internet through Nitix server #1 and has the subnet number 192.168.1. Network #2 is connected to the internet through Nitix server #2 and has the subnet number 192.168.2.

Gateway settings work like this: a computer on your Ethernet sends packets directly to another computer if its subnet number is the same. That means that 192.168.1.15 will transmit directly to 192.168.1.46, since they are both on the same subnet. However, 192.168.1.15 cannot send packets directly to 192.168.2.20: the subnet numbers are similar, but they are not the same. The station then sends the data through its default gateway: Nitix server #1.

Now TunnelVision can work its magic, as long as you have configured the Nitix servers to create a VPN (you will do that later in this chapter). When TunnelVision starts, it creates an encrypted connection between the two Nitix-powered servers through the Internet. This connection is sometimes called a steel pipe (because, like a true steel pipe, it is hard to see what is inside or to break through it). More often it is known as a tunnel.

Nitix server #1 treats data addressed to Network #2 from its local Ethernet in a special way. Rather than just passing the data to your ISP, Nitix encrypts it and sends it through the tunnel. When Nitix server #2 receives the encrypted data, it decrypts the information and forwards it on to Network #2 as if it had arrived directly from Network #1. That way, Network #1 can communicate securely with Network #2 without any need for special changes to individual workstations.
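The three cases described in the NAT and Steel Pipe sections can be traced step by step. This is an added example, not code from the Nitix manual or the product: a station on Network #1 delivers directly within its own subnet, hands everything else to its default gateway, and Nitix server #1 then either tunnels the packet to server #2 with the inner addresses untouched or applies NAT for ordinary internet traffic. The gateway address 192.168.1.1 and the two public addresses (taken from the documentation range 203.0.113.0/24) are assumptions; the 192.168.1 and 192.168.2 subnets and the station addresses are the manual's own.

```python
"""Trace a packet leaving a station on Network #1, showing the three cases the
manual describes: same subnet (direct), the other VPN subnet (gateway, then the
tunnel with inner addresses kept), and the internet (gateway, then NAT).
Added example, not Nitix code. Gateway and public addresses are assumed."""
import ipaddress

NET1 = ipaddress.ip_network("192.168.1.0/24")        # Network #1, behind Nitix server #1
NET2 = ipaddress.ip_network("192.168.2.0/24")        # Network #2, behind Nitix server #2
SERVER1_LAN = ipaddress.ip_address("192.168.1.1")    # assumed LAN address of server #1 (default gateway)
SERVER1_WAN = ipaddress.ip_address("203.0.113.10")   # assumed public address of server #1
SERVER2_WAN = ipaddress.ip_address("203.0.113.20")   # assumed public address of server #2


def station_next_hop(dst, local_net=NET1):
    """A station delivers directly when the destination shares its subnet,
    otherwise it hands the packet to its default gateway."""
    return "direct" if ipaddress.ip_address(dst) in local_net else "gateway"


def server1_forward(src, dst):
    """What Nitix server #1 does with a packet it receives from Network #1."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in NET2:
        # VPN route: no NAT. The original packet is encrypted and carried
        # inside an outer packet between the two servers' public addresses.
        return {"path": "tunnel", "outer": (SERVER1_WAN, SERVER2_WAN),
                "inner": (src, dst), "encrypted": True}
    # Ordinary internet traffic: NAT replaces the private source address with
    # the server's public address, so only SERVER1_WAN is visible outside.
    return {"path": "internet", "outer": (SERVER1_WAN, dst),
            "inner": None, "encrypted": False}


def server2_receive(frame):
    """Nitix server #2 decrypts the inner packet and delivers it into Network #2
    with the original addresses intact."""
    if frame["path"] != "tunnel" or frame["outer"][1] != SERVER2_WAN:
        raise ValueError("not a tunnel frame for this server")
    src, dst = frame["inner"]
    if dst not in NET2:
        raise ValueError(f"{dst} is not on Network #2")
    return {"src": src, "dst": dst, "encrypted": False}


def trace(src, dst):
    """Return the hops, as text, for a packet sent by a station on Network #1."""
    hops = []
    if station_next_hop(dst) == "direct":
        hops.append(f"{src} -> {dst} delivered directly on Network #1")
        return hops
    hops.append(f"{src} -> {dst} handed to default gateway {SERVER1_LAN} (Nitix server #1)")
    frame = server1_forward(src, dst)
    if frame["path"] == "tunnel":
        o_src, o_dst = frame["outer"]
        hops.append(f"server #1 encrypts and tunnels it {o_src} -> {o_dst}; inner {src} -> {dst} unchanged")
        inner = server2_receive(frame)
        hops.append(f"server #2 decrypts and delivers {inner['src']} -> {inner['dst']} on Network #2")
    else:
        hops.append(f"server #1 NATs it to {frame['outer'][0]} -> {dst} and sends it via the ISP")
    return hops


if __name__ == "__main__":
    for dst in ("192.168.1.46", "192.168.2.20", "198.51.100.7"):
        print("\n".join(trace("192.168.1.15", dst)), end="\n\n")
```

Running it prints one trace per destination: the same-subnet packet never touches the server, the 192.168.2 packet arrives at Network #2 still carrying 192.168.1.15 as its source, and the internet-bound packet leaves with the server's public address as its source.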

 

Creating a VPN (server-to-server)

Because your Nitix-powered server does most of the work for you, creating a VPN is much easier than it sounds. All you have to do is create the encrypted tunnel.

 

Using Unique Subnet Numbers

We have already mentioned it once in this chapter, but it is so important that we will say it again: each Ethernet network in your VPN must use a different subnet number. We recommend using any of the networks from 192.168.1 to 192.168.255, since these numbers are specifically reserved for private use.
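A subnet plan can be checked before any tunnel is configured. This is an added example, not Nitix code: it flags sites whose subnets overlap (the error this section warns about), sites using a network outside the recommended 192.168.1 to 192.168.255 range, and suggests the lowest recommended subnet still free. The site names and their subnets are a constructed plan containing both mistakes on purpose.

```python
"""Check that the subnets planned for a TunnelVision VPN are distinct and
follow the manual's recommendation. Added example, not Nitix code."""
import itertools
import ipaddress

# Constructed plan: the LAN subnet behind each site's Nitix server.
SITE_SUBNETS = {
    "HQ":      "192.168.1.0/24",
    "BranchA": "192.168.2.0/24",
    "BranchB": "192.168.2.0/24",   # duplicate of BranchA: the mistake the manual warns against
    "BranchC": "10.0.0.0/8",       # private, but not one of the recommended 192.168.x networks
}


def is_recommended(net):
    """True for 192.168.1.0/24 through 192.168.255.0/24, the networks the manual suggests."""
    return (net.version == 4 and net.prefixlen == 24
            and net.network_address.packed[:2] == b"\xc0\xa8"   # 192.168
            and net.network_address.packed[2] >= 1)


def check_vpn_subnets(site_subnets):
    """Return a list of problems with the plan; an empty list means it is usable."""
    nets = {site: ipaddress.ip_network(cidr, strict=True)
            for site, cidr in site_subnets.items()}
    problems = []
    for a, b in itertools.combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            # Two sites sharing addresses cannot be told apart once the tunnel
            # passes addresses through unchanged.
            problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for site, net in nets.items():
        if not net.is_private:
            problems.append(f"{site} ({net}) is not a private network")
        elif not is_recommended(net):
            problems.append(f"{site} ({net}) is outside the recommended 192.168.1-192.168.255 range")
    return problems


def first_unused_subnet(site_subnets):
    """Lowest recommended /24 that does not overlap any subnet already in the plan."""
    used = [ipaddress.ip_network(cidr) for cidr in site_subnets.values()]
    for third in range(1, 256):
        candidate = ipaddress.ip_network(f"192.168.{third}.0/24")
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for problem in check_vpn_subnets(SITE_SUBNETS):
        print("problem:", problem)
    print("next free recommended subnet:", first_unused_subnet(SITE_SUBNETS))
```

The overlap test uses `overlaps`, so it also catches a site that picks a larger block (such as 192.168.0.0/16) enclosing another site's subnet, not only two identical subnets.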

 

The Master Server needs an IP Address or FQDN

The only way to find someone on the internet is to know their IP address. This can be accomplished either with a static IP address (a static IP address is guaranteed never to change, so people on the Internet can always find you), or with a fully qualified domain name (FQDN) such as server.domain.com. The DNS system translates the FQDN into an IP address. This is particularly useful for systems that utilize Dynamic DNS.

Nitix’s Dynamic Domain Name System (DDNS) feature automatically updates DNS information when a new IP address is assigned to a network, allowing you to publish DNS entries and provide internet services even if you have a dynamic IP address.

To create a connection between two Nitix-powered servers, someone needs to act as the Client and someone as the Master server. Think of it like a phone call to your ISP: you (the client) need to know their phone number, but they (the server) don't need to know yours. With TunnelVision, you have a similar situation: the server side (accepting a connection) needs a static IP address or FQDN, while the client side can have either a static or dynamic IP address.

Only one Nitix-powered server (usually the computer with the fastest internet connection at your head office) needs to act as the server and have a static IP address or fully qualified domain name. All the others can simply act as clients.

To obtain a static IP address, talk to your ISP. Dynamic DNS can be used in place of a static IP address; refer to DynamicDNS in Chapter 23: Domain Name Services for more information.

 

Configuring a TunnelVision Master Server

Ensure that the Nitix server that you are configuring as the Master server has a static IP address, or has a fully qualified domain name.

  1. Select VPN from the Network Setup menu on the left side of any WebConfig screen. The VPN Setup screen will be displayed:

    Disabled VPN setup screen

  2. Select "Enable" for the PPTP Server setting.
  3. Select "Enable" in the Tunnel Vision section of the screen.
  4. In the Tunnel Vision: Use Fully Meshed Mode box, select "Yes" to run Tunnel Vision in a Fully Meshed mode, and "No" to run it in a Non-Meshed mode.
    • If you enable TunnelVision to work in "fully meshed" mode, then your server can learn about other servers on the VPN by exchanging information through the Master Server. Each server then makes connections directly to each of the other VPN-connected servers, as needed, without going through the master. If you disable "fully meshed" mode, then your server will only communicate directly with the master server and the master's local network. Your server will not be able to see any of the other VPN-connected servers or networks.
    • In previous versions of the Nitix software, "fully meshed" mode was always enabled, and this is still the recommended setting.
  5. Leave the Address of Master Server field empty (since the Master server does not initiate connections).
  6. Enter a password that the server and client will use to prove to each other that they are trusted.
  7. Re-enter the password to ensure it was entered correctly.
  8. Click Save Changes.

 

Configuring a TunnelVision Client

A Nitix-powered server does not need a static IP address to act as a TunnelVision client, but it needs to know the static IP address or fully qualified domain name of the Master server.

To find this information, select Local from the Network Settings menu on the master server. On the screen that is displayed, click Advanced.... Then look at the address assigned to eth1.

  1. Select VPN from the Network Setup menu on the left side of any WebConfig screen. The VPN Setup screen will be displayed:

    Enabled VPN setup screen

  2. Leave the default PPTP Server setting.
  3. Select "Enable" in the Tunnel Vision section of the screen.
  4. In the Tunnel Vision: Use Fully Meshed Mode box, select "Yes" if you are running Tunnel Vision in a Fully Meshed mode, and "No" if you are running it in a Non-Meshed mode.
    • If you enable TunnelVision to work in "fully meshed" mode, then your server can learn about other servers on the VPN by exchanging information through the Master Server. Each server then makes connections directly to each of the other VPN-connected servers, as needed, without going through the master. If you disable "fully meshed" mode, then your server will only communicate directly with the master server and the master's local network. Your server will not be able to see any of the other VPN-connected servers or networks.
    • In previous versions of the Nitix software, "fully meshed" mode was always enabled, and this is still the recommended setting.
  5. Enter the Master server's static IP address or fully qualified domain name.
  6. Enter the password that was used in step 6 of Configuring a Master Server.
  7. Re-enter the password to ensure it was entered correctly.
  8. Click Save Changes.
    • TunnelVision immediately begins to create the tunnel between the client and the master server. If the client and the server are connected to the internet and everything is configured correctly, this process should only take a few seconds.
To configure another Nitix-powered server as a client, simply repeat this process.

TunnelVision Status

The System Status screen always displays the status of active VPNs. You may need to click your browser’s Refresh button to see the latest information.

VPN status screen

 

The Idle Time-out

If either end of the tunnel does not receive any data for approximately 20 minutes, it assumes that one end has disconnected from the Internet or that the tunnel is no longer needed.

If one end of the tunnel is still online, it will try to rebuild the connection automatically. Since this only takes a few seconds and happens only when the tunnel has been idle for a long time, this should not affect you. However, this behavior can often cause the VPN Tunnel's status light to turn yellow or red. This is not a sign of malfunction.

 

Licensing

Net Integration Technologies has licensed TunnelVision under the terms of the GNU Lesser General Public License (LGPL).

Retrieved from "http://kb.nitix.com/1357"