A LAN-to-LAN Virtual Private Network (VPN) connection links two private networks to allow traffic to route directly between them in a private and secure manner while passing through the internet, which could otherwise be susceptible to eavesdropping or tampering.

A VPN tunnel provides the following benefits:

• Authentication – prevents unauthorised parties from accessing the VPN tunnel, only the authorised devices can establish the VPN tunnel
• Integrity – ensures that the VPN tunnel end points can detect whether packets have been tampered with in any way
• Privacy – encrypts the traffic to prevent any person who’s able to intercept the traffic from reading it without decrypting the traffic using the credentials used to create the VPN tunnel

The most common types of LAN-to-LAN VPN connection on DrayTek routers; PPTP and IPsec.

• PPTP: Uses a username and password for authentication and can work with either static IP addresses or dynamic IP addresses (using dynamic DNS), this can use MPPE encryption and CHAP/MS-CHAP v2 authentication.
  
  
• IPsec: Uses a Pre-Shared Key and the IP address of each side for authentication and this requires a static IP address on both ends of the VPN for authentication to work successfully when using Main mode. It is possible to use dynamic IP addresses with IPsec using either a global Pre-Shared Key (configured on the [IPsec General Setup] page) or Aggressive mode, the latter uses a Peer and Local ID in place of the IP addresses, in addition to the pre-shared key to perform the authentication.
  IPsec VPN connections can use DES, 3DES or AES encryption with SHA1 or MD5 authentication.

IPsec is the more secure of the two protocols and can generally provide higher throughput so it is recommended to use that where the routers have fixed public IP addresses. The throughput across a VPN connection is limited by the WAN interface’s upload throughput on each side.

The DrayTek router’s implementation of VPN has a Dial-In side of the VPN and a Dial-Out side of the VPN:

• Dial-In: Receives and responds to connection attempts from remote sites, it is effectively a VPN server when configured this way.
• Dial-Out: Initiates the VPN connection and can be thought of as the client side of the VPN connection. The DrayTek Vigor 27xx and 21xx routers are able to make Dial-Out VPN connections so are well suited to being used in branch offices where there is a main office that has a DrayTek router with Dial-In VPN services such as the DrayTek Vigor 2860 series.
• Both: This requires configuring the Dial-In and Dial-Out settings of a VPN profile on both routers, this allows either side to initiate the VPN connection.

The direction of the VPN tunnel (Dial-In, Dial-Out, Both) only defines which side initiates the connection; when the VPN is active, traffic is able to route in either direction across the VPN tunnel.

On the Dial-Out side, any client connection attempts to destinations that are reachable across the VPN tunnel will cause the VPN to be initiated if it is inactive. The VPN connection can be configured to remain active at all times by enabling the “Always On” option on the Dial-Out side of the VPN connection. On the Dial-In side of the VPN, setting the “Idle Timeout” value to 0 will have the same effect. If the “Idle Timeout” value has a number above 0 set, the VPN will drop depending on what the “Idle Timeout” value is set to. This can be useful in scenarios where the internet connection may not always be active i.e. 3G/4G modem WAN.

Above, is a simple example of a VPN between two offices. One in London, the other in Liverpool. Each private LAN is on a private subnet as shown. Those private address ranges are not visible to the internet - they are only reachable through the VPN tunnel, and that tunnel will only carry data to its preset destination.

To configure the routers for the VPN, everything we need to know is available in the diagram above. For simplicity, we are using an example where the receiving office (London) has a fixed/known (static) IP address from the ISP, not a dynamic one (For dynamic DNS, you can use the router's DDNS IP-Posting facility). Also, in our example, only the Liverpool office will initiate VPN tunnels to the London office (not vice-versa) but it can work either way, or both.

Traditionally it is essential that a different private address range (subnet) is used for each network. If they are the same, local PCs cannot determine when traffic is for the remote network and when to use the router rather than transmit locally. For example, if one network is on 192.168.1.X, the other could be on 192.168.2.X (both with class C 255.255.255.0 subnet masks).

For your own situation, you should draw up a table like the ones below (we have filled in our example values). Examine and understand how each piece of information in the table fits into the diagram at the top of the page: