With a little know-how, you can turn Windows Vista into a VPN server
Ever noticed that you can configure Vista to accept incoming connections? Ever wondered what this option was all about and why you might want to use it? Well, wonder no more.
In this month’s column, I’m looking at how to configure and use Vista’s incoming connections, and what they can do for you.
It’s a VPN, stupid
Also available in Windows XP, incoming connections let you configure your PC to act as a VPN (Virtual Private Network) server.
In other words, configure an incoming connection, and remote users will be able to access the resources on that PC (and elsewhere if you have a home network) over the internet. Which is good, as it means you don’t have to fork out for a dedicated VPN appliance in order to get remote Lan access, although there are a number of caveats you need to bear in mind.
First of all, you’re limited to just one incoming connection at a time, although for most home users that’s unlikely to be an issue. You’re also limited to using the Point-to-Point Tunneling Protocol (PPTP), which isn’t as secure as alternatives such as IPsec.
However, if all you want is to access your home network when travelling it’s not really going to cause a problem and, since Windows has a compatible PPTP client built in as standard, you won’t have to buy anything extra.
You also have to make sure your firewall defences are configured to allow the supporting traffic through, and sort out name resolution and port forwarding issues, which we look at later. In the meantime, let’s just run through how you get started.
Create an incoming connection
Vista incoming connections are easy to configure, although you will need to be logged on with administrative privileges and put up with the UAC prompts along the way.
There are several ways of setting about the process, but the easiest is from the Start menu by right-clicking Network and selecting Properties. This will take you to the Network and Sharing Center, where you’ll find a link marked ‘Manage network connections’ in the left-hand pane.
Click this and the next window will list all your existing outgoing connections. To add to these, click on the File menu (press Alt first if the menu bar isn’t displayed) and select ‘New incoming connection’. First off, you’ll be asked which users will be allowed to access the host computer. Either choose one or more existing accounts from the list displayed, or create new ones. You can also add or change user passwords at this point and, if you are using old-fashioned dial-up, configure the software to dial the user back to complete the connection.
Next, when asked ‘How will people connect?’, make sure that you click on the tickbox marked ‘Through the Internet’. On PCs with built-in modems and other network interfaces there may be other options too.
You’ll then be shown a list of networking software that will be associated with the incoming connection.
While the default selections are all you need, it’s a good idea to select the Properties of the entry marked ‘Internet Protocol Version 4 (TCP/IPv4)’ and check that the box marked ‘Allow callers access to my network’ is ticked if you want to be able to access anything other than the Vista PC itself.
I would also opt to assign IP addresses to connecting clients from a range that can be set here, as it makes it easier to sort remote from local users. The addresses need to be on the same subnet as the host PC, but because Vista only allows one incoming connection at a time, you don’t need a huge range. Alternatively, if you have a DHCP server, you can use that to assign the addresses instead.
Bear in mind that when you connect to a PPTP VPN server, the PC you’re using needs to be on a different subnet. If it isn’t, the client will appear to connect successfully, but none of the remote Lan resources will be accessible, because the client won’t know whether to communicate via the local network or its VPN connection.
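As an added example (not from the original column), here is a small Python check of the addressing advice above. It assumes a static pool of client addresses and a client LAN given in CIDR form, and flags a pool that falls outside the host’s subnet, a pool that includes the host’s own address, and a client LAN that overlaps the remote one.

```python
import ipaddress


def check_vpn_addressing(host_ip, host_prefix, pool_first, pool_last, client_lan):
    """Return a list of problems with an incoming-connection address plan.

    host_ip, host_prefix:  the Vista server's LAN address and prefix length
    pool_first, pool_last: the static range handed to connecting clients
    client_lan:            the remote user's own LAN in CIDR form, e.g. "192.168.0.0/24"
    An empty list means the plan follows the advice in the column.
    """
    issues = []
    host = ipaddress.ip_interface(f"{host_ip}/{host_prefix}")
    lan = host.network
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    client_net = ipaddress.ip_network(client_lan, strict=False)

    if last < first:
        issues.append("pool end comes before pool start")
    # Clients get addresses from this pool, so it must sit on the host's own subnet
    for addr in (first, last):
        if addr not in lan:
            issues.append(f"pool address {addr} is not on the host subnet {lan}")
    # Handing a client the host's own address, or the network/broadcast address, would clash
    if first <= host.ip <= last:
        issues.append(f"pool includes the host's own address {host.ip}")
    if first == lan.network_address or last == lan.broadcast_address:
        issues.append("pool includes the network or broadcast address")
    # If the client's LAN overlaps the remote LAN it cannot tell local from tunnel traffic
    if client_net.overlaps(lan):
        issues.append(f"client LAN {client_net} overlaps the remote LAN {lan}")
    return issues


if __name__ == "__main__":
    # Constructed sample plan: host on 192.168.1.0/24, four-address pool, client on 192.168.0.0/24
    problems = check_vpn_addressing("192.168.1.10", 24, "192.168.1.200",
                                    "192.168.1.203", "192.168.0.0/24")
    for line in problems or ["no problems found"]:
        print(line)
```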
Once you’ve finished configuring the incoming connection, you’re told the name of the PC, which clients will need to specify when connecting remotely, after which the service will start immediately. If you’ve made a mistake, need to add another user or check anything, you’ll find an Incoming Connections icon in the ‘Manage network connections’ window. Right-click and select Properties to view and edit the configuration.
And now the client
Having turned your Vista PC into a VPN server, you need next to direct your attention to the client side of the equation and set up another Windows connection to access it. Compatible PPTP client software is available in Windows 2000 and XP as well as Vista, however, here I’ll just run through the Vista setup.
Again, it’s not difficult. Start at the Network and Sharing Center, click on the link marked ‘Set up a connection or network’ and choose the option ‘Connect to a workplace’. Create a new connection and, when asked how you want to connect, specify ‘Use my Internet connection (VPN)’. You’ll then be asked for the name or IP address of the Vista VPN server, followed by the username and password you want to use to log on.
If you have a static public IP address, you can simply use that rather than a name, although if it’s cross-referenced to a DNS name it’s easier to use that. Where the public address is dynamically assigned life gets a little harder, but there are dynamic DNS services you can use to keep a name associated with the address, even though it may change.
But there’s more
That’s all you have to do as far as Windows is concerned. However, there are one or two other things you’ll need to put in place.
To start with, the PC you’re using as your VPN server needs to be accessible from the internet at all times, which means an ADSL or cable broadband connection.
Moreover, if that connection is via a router with Nat (Network Address Translation), you’ll need to make sure the router can forward the VPN traffic sent to the public IP address (the address the VPN clients will use) to the address of the Vista VPN server.
How you go about this depends on the router involved and is usually quite easy, although not all routers have a port forwarding option.
Any firewalls between the server and its clients will also need to be configured to let VPN traffic through, although this may be done automatically. For example, an exception rule for the Windows firewall will normally be created when you configure an incoming connection on the Vista host or when a PPTP client connection is defined on a Vista or XP PC. However, if you’re using a third-party or external firewall, you’ll need to open up TCP port 1723 in both directions to allow PPTP traffic to pass.
You also need to make sure that GRE (Generic Routing Encapsulation) traffic is allowed through. On some firewalls GRE has to be configured separately (it may be listed as protocol 47), while on others it’s enabled automatically when port 1723 is opened. Yet others configure suitable rules for you if you select a ‘VPN Passthrough’ option - you should check your firewall documentation if you’re not sure.
Access all areas
Having got this far, you should be able to double-click the VPN connection icon on the client and connect to the Vista PC over the internet. However, you probably won’t be able to browse resources on the remote network because the Netbios information, used to map network names to IP addresses, isn’t normally propagated over the VPN tunnel.
One way around this is to set up local and remote Wins and DNS servers, but for home use that’s going to add hugely to the amount of work required. Instead, you can simply use IP addresses rather than network names to locate and access the resources you want. For example, you can locate a remote server by searching for it by IP address, then once found, create a desktop shortcut for future use.
An lmhosts file can also be created on the client to map computer names to IP addresses on the remote network. You’ll find an example of this file, which you can modify to suit your requirements, in the C:\Windows\system32\drivers\etc folder on the client computer. Once this is set up, the client can use the format \\ComputerName\ShareName to access shared folders on the remote network.
Similarly, you can map network drives to shared folders using IP addresses. If the shared folder is on a server with an address of 192.168.1.99, for example, you can map a drive to \\192.168.1.99\sharename. This can be done from the command line (using the net use command), or graphically by right-clicking My Computer and selecting ‘Map Network Drive’. Printers can be identified in the same manner.
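An added Python helper, not part of the original column, for the lmhosts approach described above: it writes entries mapping remote server names to addresses on the remote Lan and reads them back. The host names and addresses are constructed sample values, and the NetBIOS name rule it applies is a conservative assumption rather than the full Netbios character set.

```python
import ipaddress
import re

# Assumption: a conservative NetBIOS name rule (1-15 chars of letters, digits, '-', '_' and '.')
NETBIOS_NAME = re.compile(r"[A-Za-z0-9._-]{1,15}")


def lmhosts_lines(remote_lan, hosts, preload=True):
    """Build lmhosts entries for servers on the remote LAN reached over the VPN.

    remote_lan: the remote network in CIDR form, e.g. "192.168.1.0/24"
    hosts:      {"FILESERVER": "192.168.1.99", ...}
    Each entry becomes "<ip> <NAME> #PRE"; #PRE preloads the name into the name cache.
    """
    lan = ipaddress.ip_network(remote_lan, strict=False)
    lines = []
    for name, ip in hosts.items():
        if not NETBIOS_NAME.fullmatch(name):
            raise ValueError(f"{name!r} is not a usable NetBIOS name (max 15 chars)")
        addr = ipaddress.ip_address(ip)
        if addr not in lan:
            raise ValueError(f"{addr} for {name} is not on the remote LAN {lan}")
        lines.append(f"{addr}\t{name.upper()}" + ("\t#PRE" if preload else ""))
    return lines


def parse_lmhosts(text):
    """Return {NAME: ip} from lmhosts text; blank lines, comments and #-directives are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a directive such as #INCLUDE
        tokens = line.split()
        if len(tokens) < 2:
            continue  # malformed: an entry needs "<ip> <name>"
        ip, name = tokens[0], tokens[1].upper()
        mapping[name] = str(ipaddress.ip_address(ip))  # raises ValueError on a bad address
    return mapping


# Constructed sample: the remote servers a travelling user wants to reach by name
SAMPLE_HOSTS = {"fileserver": "192.168.1.99", "printsrv": "192.168.1.50"}

if __name__ == "__main__":
    for entry in lmhosts_lines("192.168.1.0/24", SAMPLE_HOSTS):
        print(entry)
```

Once the generated lines are added to the client’s lmhosts file, the \\FILESERVER\ShareName form works over the tunnel without Wins or DNS.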
Finally, remember that you’re accessing the remote Lan over the internet. Depending on the type of connection at either end, bandwidth will, therefore, be in short supply, and you may not be able to do everything you want in the same way as if working locally. As such, it’s usually advisable to run local rather than remote applications and to copy large files to your local hard disk to work on. You will have to copy them back again when finished, but it’s more efficient, especially if the VPN connection is lost in the middle of a large edit.