The magazine of the Melbourne PC User Group

SnapGear Lite+ VPN Router
Ash Nallawalla
ash@melbpc.org.au


Ash Nallawalla explains some of the difficulties of Virtual Private Networks and how the SnapGear Lite+ VPN Router makes it all so much easier.

When I started at my previous employer's office, I noticed a strange problem concerning Internet connectivity. There was an ADSL link to the Net through a network server, yet all the staff were dialling with their laptop modems. I could access the corporate VPN over the network so I could not understand the problem. Sometimes I was thrown off the VPN, so I would log in again, only to be thrown off soon thereafter. I'd try again and sometimes I held the connection. So what was the problem?

VPN

A virtual private network (VPN) as the name suggests is a secure network inside a network - think of it as a small pipe inside a larger pipe. In most examples, the larger pipe is the Internet and it happens to be between two offices. In the old days, companies purchased a very expensive, leased line connection between two sites. This was also quite secure as long as nobody could tap into it. Today, the average branch office or the remote worker can use a cheaper alternative: the VPN.

At my former office the others would dial their own ISP with a modem, then run the VPN client, which required a manual login process, before they could access the US network. This ensured that the US network was not directly accessible over the Internet; instead it lived behind a firewall on a non-routable network. The gateway device opened a virtual door for each remote user who ran a VPN client. When I worked from home, I used the VPN client over my ADSL connection.

The problem at that office was that the file server did have an Internet connection for our normal Web browsing, but as soon as more than one person ran their VPN client, it booted off the previous user who was also running such a client. So, the other users had to disconnect from the LAN when they were using their modems and fetching their e-mail. There had to be a better way. I was not hired as their IT manager and so it wasn't for me to solve, so the problem continued for a few weeks until another staff member who wore a dual IT hat got some action from the US office. He was told to find a provider of a managed network and he did.

We now had a UNIX box running IPSec tunnels over the ADSL connection to the US office. IPSec refers to Internet Protocol Security and the tunnels refer to private, encrypted channels for each user's needs. We no longer needed to use the VPN client at work - we just connected with a LAN cable and did not worry about how to reach the US network because it was "there". This connection used to fail now and then; sometimes it was the fault of the ADSL network itself, and sometimes the tunnels would not restart until the managed network supplier did a remote reset.

SnapGear Lite+

Today, two offices can buy a couple of SnapGear Lite+ VPN Routers for about $550 each and place them at each end. This is a small, modem-sized box that goes between a broadband modem or ISDN terminal adapter and the LAN. Individual workers would be able to reach the remote network transparently and in a secure manner. As a matter of interest, it is powered by a tiny version of Linux, though you don't need to know that to use it.

Figure 1. Your ISP login details are stored in the Lite+, enabling any device on the network to connect on demand, or you can leave the connection running all the time.

Figure 2. IP address setup is straightforward.

There isn't much to the unit itself and the supplied installation wizard simplifies the setup process. Like most modern devices, it uses a web page as its administrative interface so your browser is also the setup tool. It has the following features:

  • Network Address Translation (NAT) firewall that isolates the LAN from the Internet and offers network access control and filtering. This includes Stateful Packet Inspection, port and service restriction based on IP address or user class.
  • DHCP server and client that ensure simple and flexible IP network configuration.
  • PPTP VPN server that provides communications to remote users running standard Windows VPN client software.
  • PAP, CHAP, MSCHAPv2, RADIUS and TACACS+ tunnel authentication (RFC1334, RFC1994).
  • Transparent tunnel support for PPTP. IPSec pass through.
  • Dial-in remote access with PAP, CHAP, MSCHAPv2, RADIUS and TACACS+ authentication.
  • Dial-on-demand for outgoing Internet connections.
  • Wizard setup and browser-based management and configuration.
  • Flash upgradeable firmware that enables you to download and install the latest protocols and security software using the Web.
  • Connect Windows PCs, Macintoshes, Linux and Unix workstations - basically anything that talks IP - to the Internet.

In Use

I suspect that some PC Update readers will have given up trying to understand this jargon or are struggling with it. Unfortunately, there is no point in explaining every acronym, as the people who manage office networks understand it or know where to look up an unfamiliar term. Besides, you don't need to understand every term to benefit from the use of such a product. If you only use an analogue modem to dial your ISP and have a single PC, this device is not for you, although you could use it through its serial port. Its WAN port hooks up to your broadband modem, hence it is a secure, sharing device.

Fortunately, many of our readers run small networks at home or at work and have a broadband connection to the Internet. They need not have a second office at another location. My original connection was an Alcatel ADSL modem between my PC and the telephone jack. When I needed to connect the second PC to the Net, I added a second network card in the gateway PC (the one that dials my ISP) and used Windows ICS to perform the sharing.

What the Lite+ gives me and up to three other PCs on my LAN is firewall security that renders the LAN invisible to an outsider on the Internet. The exception is that I can enable a VPN "opening" that would enable an authenticated remote computer to reach the LAN. The alternative is to place an insecure server open to the Internet and that would be foolish, because it would be discovered by the bad guys and compromised sooner or later. I need only one network card per PC.

Some ADSL modems such as mine do not have a built-in dialler, so they rely on a PC to control the dialling. If this PC were not left on day and night, other PCs in the network would not have access to the Internet on demand. The Lite+ can store your login information and will dial on demand in response to any PC on the network making the request. The users don't need to do anything special besides connecting to the LAN and running some Internet program such as a Web browser to get to their destination.

The DHCP server can assign an IP address to a PC if needed, or you can have fixed IP addresses for your PCs and not use the Lite+ DHCP facility. The filtering features can be used to grant or deny certain features, such as denying the Web access to some people but allowing e-mail access to all.
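To make the firewall and filtering features described above concrete, here is an added example (not the Lite+'s own configuration, which the review does not show) of the same policy written as Linux netfilter rules: a NAT gateway that hides the LAN, stateful inspection, the PPTP "opening" for remote users, and one host denied Web access while e-mail still gets through. The interface names and addresses are constructed for the example.

```shell
#!/bin/sh
# Example ruleset for the policy the review describes. Interface names,
# the LAN subnet and the restricted host are constructed values.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"                     # link to the broadband modem
LAN="${LAN:-eth0}"                     # the office/home network
LAN_NET="${LAN_NET:-192.168.1.0/24}"
NO_WEB="${NO_WEB:-192.168.1.50}"       # host denied Web, still allowed e-mail

build_rules() {
    # Default deny for anything arriving at the box or passing through it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Stateful inspection: replies to connections started from inside return.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Browser-based management is reachable from the LAN only, never the WAN.
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    # The VPN "opening": PPTP control channel (TCP 1723) and GRE are the only
    # services exposed on the WAN side; users still have to authenticate.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p gre -j ACCEPT
    # Filtering by IP address: deny Web for one host, placed before the
    # general LAN-out rule so it wins; mail ports are unaffected.
    $IPT -A FORWARD -i "$LAN" -s "$NO_WEB" -p tcp -m multiport --dports 80,443 -j REJECT
    # Everything else from the LAN may go out (e-mail, Web, IPSec pass-through:
    # IKE on UDP 500/4500 and ESP are carried by this rule and conntrack).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # NAT: rewrite LAN sources to the WAN address so the LAN is invisible.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Usage: IPT=echo sh firewall.sh apply   (dry run, prints the rules)
case "${1:-}" in
    apply) build_rules ;;
esac
```

Run with IPT=echo first and read the output before applying it on a real gateway; the rule order matters, since the per-host REJECT must precede the general LAN-out ACCEPT.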

Installation was fairly easy, although I had to refer to the PDF manual because the printed Quick Installation booklet is brief. You will need some basic understanding of networking principles or someone who can help you with installation.

For me, the VPN and firewall features were the most useful even though I will rarely need the VPN for my home office. It's there if I travel or need to grant access to parts of my network to someone. A small office or a branch office would gain good value from the SnapGear Lite+. SnapGear makes many other communications devices. See them at their Web site: http://www.snapgear.com.au.

Reprinted from the April 2003 issue of PC Update, the magazine of Melbourne PC User Group, Australia
