This series of posts describes how VPNs using various routers can be implemented quickly and easily. It covers both dial-up and site-to-site (S2S) VPNs, and includes walk-throughs, configuration notes and troubleshooting steps. It describes the simplest way of deploying and supporting a VPN – which usually means using built-in tools and minimising third-party product installation.
I have broken each connection type into a scenario – for example one scenario would be Windows dial-up VPN to Draytek using L2TP. Another might be Draytek-to-pfSense S2S using IKEv2. Each scenario has its own configuration guide, as listed in the tables below.
For each scenario I include notes about how to roll out the VPN, how to make changes, ensure security, and log activity.
I don’t have every vendor – there are just too many – but have decided to start with Windows clients for dial-up VPN and Draytek-Draytek and Draytek-pfSense for site-to-site. Next will be Mac clients, Sophos XG routers, then probably Microsoft RRAS, Sonicwall, Watchguard and Cisco.
Dial-up VPN – which to choose?
In short, choose L2TP over IPsec for dial-in VPN. This VPN is easy to set up and provides excellent security. Otherwise, choose IKEv2 if your router supports it (still good security, but a little more setup required). PPTP is very easy, but security is weak by modern standards. See also: which is more secure: IKEv2 or L2TP/IPsec?
The characteristics of a VPN define how easy it is to set up and support, and how secure it is. They include:
- Security. There are a variety of security methods and algorithms which give a variety of different strengths. Authentication can be by username/password, by a separate password-like piece of text (called a PSK or Pre-Shared Key), by certificate, by 2FA, or by a combination of these. Generally, IPsec gives the strongest encryption and PPTP (MPPE) is the weakest. Certificates are better for authentication than usernames/passwords, with 2FA giving an excellent finishing touch to security.
- Ease of deployment. Here we only discuss VPNs that can be deployed easily by using the client device's built-in capability. In the case of Windows, a VPN can easily be set up using Group Policy or a script, almost fully automating the process.
- Supportability. Once deployed, and your users are working away from the office, how easy is it to make changes (for example, if the router IP address changes)? How easy is it to see what is happening at the router end – who is connected for how long and how often, and is it under attack from hackers?
- Sensibility. What are the pros and cons of a certain type of VPN in a certain situation? For example, what if you have two users with dial-up VPNs at the same location (some VPNs allow this; some don’t)? Or, which VPNs can you use over a 4G connection? Which work well with dynamic IPs?
Note: dynamic IPs and how to deal with them are worth extra consideration – see ‘Working with Dynamic IP addresses’.
VPN – dialup type comparison
The table below gives a simple overview of the different VPN types with an indication of the level of difficulty and security offered by each. So, we would suggest IKEv2 for dial-up if your router supports it. Failing that, L2TP/IPsec with PSK gives good security with medium difficulty. Of course, all deployments are easy if you use my guides!
VPN type | Deployment and Support | Security |
---|---|---|
PPTP | Easy | Weak by current standards |
L2TP/IPsec with PSK | Easy-Medium | Strong |
L2TP/IPsec with certificate | Medium (certificates!) | Strong |
IKEv2 with certificate | Medium (certificates!) | Strong |
VPN – dialup scenarios
Click on the link to see a detailed walk-through.
From: | To Draytek, using: | To pfSense, using: |
---|---|---|
Windows | PPTP | – |
Windows | L2TP with PSK | L2TP with PSK |
Windows | – | L2TP with cert [coming soon] |
Windows | IKEv2 with cert | IKEv2 with cert [coming soon] |
Notes: Draytek does not appear to support L2TP with certs. I can find no documentation to say it doesn’t; nor can I find anyone who has documented that it does. When you configure the VPN to use certs and try to connect, the Draytek simply ignores the request. Use IKEv2 with cert instead. SSTP is in the list of Windows VPN protocols, but it is a Microsoft-specific protocol that works only with their Routing and Remote Access server, so it is not discussed here (yet). pfSense simply does not support PPTP any more.
VPN Protocols
A brief overview of the different VPN protocols that are built into Windows, and some notes about the pros and cons of each.
PPTP (Point To Point Tunnelling Protocol)
By far the easiest, requiring only a username and password to connect. It is very versatile and can be used by anyone anywhere. It can be used for both dial-up and S2S VPNs.
By modern standards it is considered insecure and is frowned upon in some circles, and for that reason not all modern routers support it (in fact the only router that I know of is the Draytek). However, if you want a quick and easy way to get a VPN going, perhaps just until you have implemented something more sophisticated, then this may be a useful VPN type.
Router support | Draytek only (AFAIK) |
Windows built-in support | ✓ |
Ease of setup | Easy |
Security – general | Weak by modern standards |
Security – authentication method | Username/password by MSCHAPv2 |
Security – encryption method | MPPE |
Works with dynamic IPs | ✓ |
Works over 4G | ✓ |
L2TP (Layer 2 Tunnelling Protocol)
L2TP is an easy, simple protocol BUT provides no encryption. For this reason, it is usually used with IPsec. IPsec provides the secure channel between two devices, then L2TP provides the data connection between the user’s device and connected network. L2TP over IPsec requires a little more setting up than PPTP.
Router support | Draytek, pfSense and most others |
Windows built-in support | ✓ |
Ease of setup | Medium |
Security – general | Strong |
Security – authentication | Username/password (MSCHAPv2) with Cert or PSK |
Security – encryption | By IPsec – usually DES, 3DES or AES |
Works with dynamic client IPs | Dial-up – yes; S2S – depends, may need to use DDNS (dynamic DNS). |
Works over 4G | ✓ |
IPsec (Internet Protocol Security)
A well-established and very secure protocol. It is used by itself for S2S VPNs and with L2TP for dial-up connections. It is made up of a set of encryption, hashing and authentication algorithms that together provide a secure VPN. However, it can be difficult to set up, as there are many different parameters that have to be correct at both the client end and the responder end.
Built-in Windows support | ✓ |
Router support | Draytek, pfSense and most others |
Ease of setup | Medium-difficult (unless you use my guide) |
Security | Strong |
Multi-user | No |
4G | ✓ |
IKEv2 (ISAKMP Key Exchange v2)
This is an updated version of IPsec. IKEv2 has some practical advantages – it is faster and more tolerant of poor quality connections (such as 4G, perhaps), and is better with dynamic IP addresses. It can be used for both dial-up and S2S VPNs. It allows two users at the same site to connect to the same router. It is a little simpler to set up than traditional IPsec.
Built-in Windows support | ✓ |
Router support | Draytek, pfSense and most others |
Ease of setup | Medium (but dial-up VPN needs cert) |
Security | Strong |
Multi-user | ✓ |
4G | ✓ |
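The scripted Windows client deployment mentioned under ‘Ease of deployment’, applied to the two dial-up types recommended above (L2TP/IPsec with PSK, and IKEv2 with certificate). This is an added example, not code from the original guides or from Draytek/pfSense; the connection names, server name and PSK are placeholders, the pinned IPsec proposal is an assumption that must match what the router end is configured to accept, and the machine certificate for IKEv2 is assumed to be installed already.

```powershell
# Added example: Windows built-in VPN client set up by script (run elevated if
# -AllUserConnection is added). Placeholders and assumptions are marked.

# L2TP/IPsec with PSK: the PSK authenticates the IPsec tunnel, then the user
# authenticates inside it with username/password (MS-CHAPv2), as described above.
function New-L2tpPskVpn {
    param(
        [string]$Name   = 'Office L2TP',              # placeholder
        [string]$Server = 'vpn.example.com',          # placeholder (IP or DDNS name)
        [string]$Psk    = 'REPLACE-WITH-YOUR-PSK'     # placeholder, never commit a real PSK
    )
    # EncryptionLevel Required refuses to connect if the tunnel is not encrypted.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
        -L2tpPsk $Psk -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required -RememberCredential -Force
}

# IKEv2 with machine certificate: no PSK or password is stored; the client's
# machine certificate must chain to a CA the router trusts (assumed installed).
function New-Ikev2CertVpn {
    param(
        [string]$Name   = 'Office IKEv2',             # placeholder
        [string]$Server = 'vpn.example.com'           # placeholder
    )
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force

    # Rather than relying on the default IKEv2 proposal, pin a modern one
    # (AES-256, SHA-256, DH group 14 / PFS 2048) so the tunnel cannot negotiate
    # down to DES/3DES. Assumption: the router's IKEv2 profile uses the same values.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -PfsGroup PFS2048 -Force
}

# Post-deployment check: confirm tunnel type, auth method and encryption level
# for every connection on the machine (useful when supporting remote users).
function Show-VpnSummary {
    Get-VpnConnection | Select-Object Name, ServerAddress, TunnelType,
        AuthenticationMethod, EncryptionLevel, ConnectionStatus
}

New-L2tpPskVpn
New-Ikev2CertVpn
Show-VpnSummary
```

Deploy the same script through Group Policy (as a logon or startup script) to roll the connection out to many users at once; changing the router address later is a one-line edit to the placeholders.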