Problem solve Get help with specific problems with your technologies, process and projects.

Install your own VPN

Some information about do-it-yourself VPNs, especially what components to buy.

A reader recently requested we discuss basic IP address requirements for VPNs. As he pointed out, ADSL and cable-modem users are taking advantage of the popular "self-install" option from their providers that gets them out of their providers' installation fees. Add to this the plethora of turn-key, appliance-like VPN solutions marketed to the small- and home-office crowd, which rarely have the luxury of a full-time networking staff, and you get a situation where knowing what components you need to buy is actually more difficult than installing them.

The first thing you need is service from an ISP. This includes your basic connection, a given level of bandwidth, one or more IP addresses and usually DNS service. The basic connection is probably cable or ADSL but could also be ISDN or even frame-relay or a T1, depending on where you live, and how much you want to spend. The bandwidth depends entirely on how much you want to spend, but be SURE to understand how much you are guaranteed in both directions. Many providers only quote download speed and neglect to mention that upload speed is usually a tiny fraction of the download speed.

The IP address also comes with some caveats. If you get a normal service, your IP address will probably be dynamic, which means it will change periodically. This makes it very impractical for others to initiate a conversation with you, because others have no idea what your new IP address is after it changes, but it does not hamper your ability to initiate a conversation with others. If you pay extra, or get a "business-class" service, you typically get a static address. As this address doesn't change, you can host a server or have VPN clients initiate contact to your address using your domain name.

Unfortunately, there are a lot of other caveats regarding your service provider. First, depending on the type of service you buy, there is probably a limit on the amount of data you can download in a month. Read your contract carefully, otherwise you could get a surprise on your bill. Worse, they might reduce your bandwidth unexpectedly, if you pass the limit. Also, it has been reported that a number of ISPs now consider VPN traffic to be "business-class" traffic. Thus, IPSec ports and protocols are blocked for normal users and you have to pay extra to use a VPN. Again, read your service agreement carefully.

Another consideration is the number of addresses. Most users get only one. However, most, but not all, Internet Service Providers offer additional static addresses for a monthly fee. You may want multiple addresses if you have multiple devices or want redundancy, but most subscribers use a single registered IP address from their service provider, and employ Network Address Translation between that address and a practically unlimited number of "private addresses" on their internal network. If you have your cable or ADSL modem connected to a VPN appliance, it should only require 1 registered IP address.

That brings us to the last component, the VPN appliance itself. There are dozens of vendors supplying cheap VPN appliances, so you have a lot to choose from. Pick one with an appropriate number of ports. (If you get one with only one "LAN" port, you will need a hub as well.) Also, make sure it runs your preferred protocol. All of them will support IPSec, but some support Microsoft's PPTP as well. If you want to support Novell's IPX or Apple's Appletalk protocol for Macintosh clients, be sure to check compatibility before you buy. Last, encryption takes a lot of processing resources, which are often scarce in cheap VPN solutions. If you only have a couple clients connecting over a typical broadband connection, any VPN appliance should work, but if you are at all concerned about performance, you may want to look at the higher-end models.

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.

This was last published in November 2002

Dig Deeper on WAN technologies and services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.