A LAN-to-LAN Virtual Private Network (VPN) connection links two private networks to allow traffic to route directly between them in a private and secure manner while passing through the internet, which could otherwise be susceptible to eavesdropping or tampering.
A VPN tunnel provides the following benefits:
The most common types of LAN-to-LAN VPN connection on DrayTek routers are PPTP and IPsec.
IPsec is the more secure of the two protocols and can generally provide higher throughput, so it is recommended where the routers have fixed public IP addresses. PPTP's authentication (MS-CHAPv2) and encryption (MPPE) have well-known weaknesses, so a PPTP tunnel should be treated as a routing convenience rather than strong protection against eavesdropping. The throughput across a VPN connection is limited by the WAN interface's upload throughput on each side, since each direction of tunnel traffic has to be uploaded by one of the two routers.
The DrayTek router’s implementation of VPN has a Dial-In side of the VPN and a Dial-Out side of the VPN:
The direction of the VPN tunnel (Dial-In, Dial-Out, Both) only defines which side initiates the connection; when the VPN is active, traffic is able to route in either direction across the VPN tunnel.
On the Dial-Out side, any client connection attempt to a destination that is reachable across the VPN tunnel will cause the VPN to be initiated if it is inactive. The VPN connection can be kept up permanently by enabling the "Always On" option on the Dial-Out side of the VPN connection. On the Dial-In side of the VPN, setting the "Idle Timeout" value to 0 has the same effect. If "Idle Timeout" is set to a value above 0, the VPN will be dropped after that period with no traffic and re-established the next time a client sends traffic for the remote network. Dropping idle tunnels is useful where the internet connection may not always be active, e.g. a 3G/4G modem WAN.
Above is a simple example of a VPN between two offices, one in London and the other in Liverpool. Each private LAN is on its own private subnet, as shown. Those private address ranges are not visible to the internet; they are only reachable through the VPN tunnel, and that tunnel only carries data to its preset destination.
To configure the routers for the VPN, everything we need to know is available in the diagram above. For simplicity, the receiving office (London) has a fixed (static) public IP address from its ISP rather than a dynamic one (for a dynamic address you can use the router's DDNS IP-Posting facility). Also, in our example, only the Liverpool office initiates VPN tunnels to the London office, not vice versa, but it can work either way, or both.
It is essential that a different private address range (subnet) is used for each network. If they are the same, local PCs cannot tell which traffic is for the remote network and should be sent to the router rather than transmitted locally. For example, if one network is on 192.168.1.X, the other could be on 192.168.2.X (both with a 255.255.255.0 subnet mask, i.e. /24).
For your own situation, you should draw up a table like the ones below (we have filled in our example values). Examine and understand how each piece of information in the table fits into the diagram at the top of the page:
Setting                 | London           | Liverpool
-------------------------------------------------------------
LAN Address             | 192.168.1.0      | 10.1.1.0
LAN Subnet Mask         | 255.255.255.0    | 255.255.255.0
Router's Address        | 192.168.1.1      | 10.1.1.1
Router Admin Password   | shilton          | keegan
Public IP Address       | 203.0.113.12     | 198.51.100.17
VPN Profile Name        | Liverpool        | London
Call Direction          | Incoming         | Outgoing
Dial-Out Username       | n/a              | scouser
Dial-Out Password       | n/a              | tyne44
Dial-In Username        | scouser          | n/a
Dial-In Password        | tyne44           | n/a
Protocols               | PPTP only        | PPTP only
Pre-Shared Key          | n/a              | n/a

Each router's VPN profile is named after the remote site it connects to, and the Dial-Out username and password on the calling side (Liverpool) must be exactly the same as the Dial-In username and password on the receiving side (London). The passwords shown are short placeholders for the example only; on a real deployment use long, randomly generated passwords for both the router admin accounts and the VPN credentials.
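As an added example (not DrayTek's own code and not part of the original page), the following Python script encodes the planning table above and checks it for the mistakes this guide warns about: overlapping LAN subnets, a router address outside its own LAN, an RFC 1918 address entered as the public IP, nobody set to answer the call, Dial-Out credentials that do not match the peer's Dial-In credentials, a protocol mismatch or missing IPsec pre-shared key, and the weaker PPTP choice. The Site class, the check_plan function and the 16-character password threshold are assumptions of this example; the site values are the London/Liverpool ones from the table.

```python
"""Sanity-check a two-site LAN-to-LAN VPN plan before configuring the routers."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Only RFC 1918 ranges are rejected as "public" addresses, so the documentation
# addresses used in the example table (203.0.113.x, 198.51.100.x) pass the check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Site:
    """One column of the planning table (a hypothetical structure for this example)."""
    name: str
    lan: str              # LAN network in CIDR form, e.g. "192.168.1.0/24"
    router: str           # the router's own LAN address
    public_ip: str        # WAN address the remote side dials
    call_direction: str   # "Incoming", "Outgoing" or "Both"
    protocol: str         # "PPTP" or "IPsec"
    dial_out_user: str = ""
    dial_out_pass: str = ""
    dial_in_user: str = ""
    dial_in_pass: str = ""
    psk: str = ""         # IPsec pre-shared key, unused for PPTP


def dials_out(s: Site) -> bool:
    return s.call_direction in ("Outgoing", "Both")


def accepts(s: Site) -> bool:
    return s.call_direction in ("Incoming", "Both")


def check_plan(a: Site, b: Site) -> List[str]:
    """Return findings as 'ERROR: ...' / 'WARN: ...' lines; no ERROR lines means the plan is consistent."""
    out = []
    net_a = ipaddress.ip_network(a.lan, strict=True)
    net_b = ipaddress.ip_network(b.lan, strict=True)

    # Same or overlapping LANs: hosts treat remote addresses as local and never use the router.
    if net_a.overlaps(net_b):
        out.append(f"ERROR: LAN subnets overlap ({a.lan} and {b.lan})")

    for s, net in ((a, net_a), (b, net_b)):
        if ipaddress.ip_address(s.router) not in net:
            out.append(f"ERROR: {s.name}: router {s.router} is outside its LAN {s.lan}")
        if any(ipaddress.ip_address(s.public_ip) in n for n in RFC1918):
            out.append(f"ERROR: {s.name}: public IP {s.public_ip} is a private (RFC 1918) address")

    # Somebody must dial and somebody must answer.
    if not (dials_out(a) or dials_out(b)):
        out.append("ERROR: neither side is set to dial out")
    if not (accepts(a) or accepts(b)):
        out.append("ERROR: neither side accepts incoming calls")

    # A caller's Dial-Out credentials must equal the peer's Dial-In credentials.
    for caller, receiver in ((a, b), (b, a)):
        if not dials_out(caller):
            continue
        if not accepts(receiver):
            out.append(f"ERROR: {caller.name} dials out but {receiver.name} does not accept calls")
            continue
        if (caller.dial_out_user != receiver.dial_in_user
                or caller.dial_out_pass != receiver.dial_in_pass):
            out.append(f"ERROR: {caller.name} Dial-Out credentials do not match {receiver.name} Dial-In")
        if len(caller.dial_out_pass) < 16:  # threshold is an assumption of this example
            out.append(f"WARN: {caller.name}->{receiver.name} VPN password is short; use a long random one")

    # Both ends must agree on the protocol; IPsec needs a matching, non-empty PSK; PPTP is weak.
    if a.protocol != b.protocol:
        out.append(f"ERROR: protocol mismatch ({a.protocol} vs {b.protocol})")
    elif a.protocol == "IPsec":
        if not a.psk or a.psk != b.psk:
            out.append("ERROR: IPsec pre-shared keys are empty or differ between the two sides")
    elif a.protocol == "PPTP":
        out.append("WARN: PPTP (MS-CHAPv2/MPPE) has known weaknesses; prefer IPsec where possible")
    return out


def errors(findings: List[str]) -> List[str]:
    return [f for f in findings if f.startswith("ERROR")]


# The example sites from the planning table above.
london = Site("London", "192.168.1.0/24", "192.168.1.1", "203.0.113.12",
              "Incoming", "PPTP", dial_in_user="scouser", dial_in_pass="tyne44")
liverpool = Site("Liverpool", "10.1.1.0/24", "10.1.1.1", "198.51.100.17",
                 "Outgoing", "PPTP", dial_out_user="scouser", dial_out_pass="tyne44")

if __name__ == "__main__":
    for line in check_plan(london, liverpool):
        print(line)
```

Run against the table values the script reports no errors, only the two warnings (short password, PPTP); change Liverpool's LAN to 192.168.1.0/24 or mistype the Dial-Out password and it reports the corresponding error before anything is typed into a router.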