Setting up a virtual private network allows you to connect remote computers in a secure fashion via an unreliable (Internet) connection, as if they were on the same LAN.
This procedure is used by many companies in order to allow their users to connect to the company network away from their workplace. It is easy to imagine a large number of possible applications:
Windows XP allows you to internally manage small virtual private networks, suitable for small or home offices ("SOHO," for Small Office/Home Office). Thus, to set up a VPN, you just need to install a remote-access server (VPN server) at the LAN level, accessible from the Internet, and to set each client to allow it to connect.
In our example, we will assume that the machine intended to act as a VPN server on the LAN has two interfaces: one to the LAN (e.g., a network card) and one to the Internet (e.g., a DSL or cable connection). It is through this interface connected to the Internet that VPN clients will connect to the LAN. Open Network connections in the Control panel. In the window you have opened, double-click on New connection wizard:
Then click Next:
From the three options offered in the window, select "Configure an advanced connection":
In the next screen, select "Accept incoming connections":
The next screen shows various peripherals to select for a direct connection. There may not be any peripherals shown. Unless you have a particular need, you do not have to select anything:
In the next window, select "Authorize virtual private connections":
A list of users of the system will appear; just select or add the users authorized to connect to the VPN server:
Then select the list of protocols authorized via the VPN:
By clicking on the Properties button associated with the TCP/IP protocol, you can set the IP addresses that the server assigns to the client for the entire duration of the session. If the LAN on which the server is located has no specific addressing, let the server automatically determine an IP address. However, if the network has a specific addressing plan, you can set the address range to assign:
The VPN server has now been configured; you can click on the Finish button:
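An added example, not part of the original article: a Python check of a static address range like the one set in the TCP/IP properties above, to run before typing the range into the wizard. The subnet, the addresses already in use, and the rule that the server keeps one address of the range for its own end of the tunnel are assumptions made for the illustration.

```python
import ipaddress

def _span(first, last):
    """Turn two dotted addresses into an inclusive integer range."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi

def check_vpn_pool(lan_cidr, pool, in_use, clients):
    """Return the problems found with a VPN address range (empty list = usable)."""
    lan = ipaddress.ip_network(lan_cidr)
    net, bcast = int(lan.network_address), int(lan.broadcast_address)
    lo, hi = _span(*pool)
    problems = []
    if lo < net or hi > bcast:
        problems.append("range is not inside the LAN subnet")
    elif lo == net or hi == bcast:
        problems.append("range includes the network or broadcast address")
    # A VPN client must never receive an address another host already holds.
    for label, (first, last) in in_use.items():
        a, b = _span(first, last)
        if a <= hi and lo <= b:
            problems.append(f"range overlaps {label}")
    # Assumption: one address of the range is kept by the server for its tunnel end.
    size, needed = hi - lo + 1, clients + 1
    if size < needed:
        problems.append(f"range holds {size} addresses, {needed} needed")
    return problems

# Constructed addressing plan for a small office LAN.
LAN = "192.168.1.0/24"
IN_USE = {
    "router": ("192.168.1.1", "192.168.1.1"),
    "VPN server": ("192.168.1.10", "192.168.1.10"),
    "LAN DHCP scope": ("192.168.1.100", "192.168.1.199"),
}

if __name__ == "__main__":
    for pool in [("192.168.1.198", "192.168.1.200"), ("192.168.1.200", "192.168.1.205")]:
        print(pool, check_vpn_pool(LAN, pool, IN_USE, clients=3) or "OK")
```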
In order to allow a client to connect to your VPN server, it is necessary to set all of the connection parameters (server address, protocols to use, etc.). The new connection wizard available at the Network connections icon of the control panel allows for this configuration:
Then click Next:
From the three options offered in the window, select "Connection to enterprise network":
In the next screen, select "Virtual private network connection":
Then enter a name describing the virtual private network to which you wish to connect:
The next screen allows you to indicate whether a connection should be established in advance of connecting to the VPN. Most of the time (if you are on a permanent connection, DSL or cable), it will not be necessary to establish the connection because the computer is already connected to the Internet; otherwise, select the connection to establish in the list:
In order to access the remote-access server (VPN server or host), it is indispensable to specify its address (IP address or host name). If it does not have a fixed IP address, it will be necessary to equip it with a dynamic naming device (DynDNS) capable of assigning it a domain name, and to specify this name in the field below:
Once the VPN connection has been set, a connection window will open asking for a user name (login) and a password:
Before connecting, it is necessary to make some adjustments by clicking on the Properties button at the bottom of the window. A window with a certain number of tabs will allow for fine tuning the connection. In the Network management tab, select the PPTP protocol in the pulldown list, select Internet protocol (TCP/IP) and click on Properties:
The window that will appear allows you to set the IP address that the client machine will have during the connection to the remote-access server. This allows your addressing to be consistent with the remote addressing. Thus, the VPN server is able to act as a DHCP server, i.e., to automatically supply a valid address to the VPN client. To do this, just select the option "Get address automatically":
If the client uses DHCP, and the server assigns an internal IP address, the client will be connected to the enterprise network and will have access to the servers of that network, but it will no longer have access to the Internet via the interface used, because the IP address is not routable. In order to allow the client to be connected to the VPN while maintaining Internet access through the connection, the VPN server must be configured to share its Internet connection! Thus, the Advanced button allows you to arrange for the client to use the VPN server bridge if it shares its connection:
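An added example, not part of the original article: a Python model of the client's routing table with and without the option reached through the Advanced button, showing which interface carries traffic to the office LAN, to the Internet and to the VPN server itself. All addresses and metrics are constructed, and the table is a simplified model of how a Windows client installs its routes, not output captured from a real machine.

```python
import ipaddress

# Constructed values: client home LAN, remote office LAN, VPN server public IP.
HOME_LAN = "10.0.0.0/24"
OFFICE_LAN = "192.168.1.0/24"
VPN_SERVER = "203.0.113.10/32"

def client_routes(use_remote_gateway):
    """Routing table of a connected client as (prefix, interface, metric)."""
    routes = [
        (HOME_LAN, "local", 20),
        # Host route that keeps the tunnel's own packets on the physical link.
        (VPN_SERVER, "local", 20),
        # The address received from the VPN server puts the office LAN on the tunnel.
        (OFFICE_LAN, "vpn", 1),
    ]
    if use_remote_gateway:
        # Tunnel becomes the preferred default route; the old one is demoted.
        routes += [("0.0.0.0/0", "vpn", 1), ("0.0.0.0/0", "local", 21)]
    else:
        routes.append(("0.0.0.0/0", "local", 20))
    return [(ipaddress.ip_network(p), i, m) for p, i, m in routes]

def egress(dest, routes):
    """Pick the interface by longest prefix match, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, -metric, iface) for net, iface, metric in routes if ip in net]
    return max(matches)[2]

def paths(use_remote_gateway):
    """Map each sample destination to the interface that would carry it."""
    routes = client_routes(use_remote_gateway)
    targets = {"office server": "192.168.1.20", "Internet host": "198.51.100.7",
               "VPN server": "203.0.113.10"}
    return {name: egress(ip, routes) for name, ip in targets.items()}

if __name__ == "__main__":
    for setting in (True, False):
        print("use remote gateway =", setting, paths(setting))
```

With the option enabled, Internet-bound packets arrive at the VPN server, which forwards them only if it shares its connection. With it disabled, the client stays attached to the Internet and to the office LAN at the same time.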
In order to set up the VPN link, it is necessary for the intermediate firewalls, in particular the built-in XP firewall, to be configured so as to allow the connection. It is necessary to deactivate the Windows XP built-in firewall as follows:
For more information on virtual private networks, feel free to consult the page dedicated to the subject. If you have any questions, you can use the CCM forum.
Article by Jean-François PILLOU