Which routers can act as a VPN Server?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by BrianStradale, Jul 16, 2005.

  1. BrianStradale

    BrianStradale Network Guru Member

    I've been using Linksys Routers for running my small businesses (5-40 computers). When one group requested VPN access, I figured the best solution would be a Linksys router that can handle the VPN Server responsibilities. So, I went and got a BEFVP41 which claims "use VPN client software to securely connect to your office when travelling"... exactly our goal.

    It setup to do the router stuff just fine. But when configuring it for VPN, the only settings available seemed to be to create tunnels to other similar routers... tunneling between two LANs. Useless for our purpose. So, we call Linksys for help and are told that the VP41 can NOT be used as a VPN Server supporting VPN clients, using the Linksys software or 3rd party software. WTF?!? It says "The VPN Router is compatible with other major IPSec VPN devices and IPSec VPN client software..."

    Anyway, the Linksys rep said the only two Linksys routers that would work as a VPN Server like we want is the WRV54G and the RV042.

    Before I go buy another useless device, I thought I better try to find confirmation... surely there would be a success story or instructions under "RV042 VPN Server"... well, I haven't found it searching.

    Can anyone point me to what is the easiest device to setup VPN access to a network is? Bonus points for a pointer to instructions!

  2. AlecUK

    AlecUK Network Guru Member

  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    Alright, partner,

    strap yourself down and prepare to get your "hair blown back" with what I'm about to lay down...

    Your router is "more" than capable of handling vpn connections with a third party client. What's happening is that the new technicians coming on board at linksys only have knowledge of the new "quick and easy vpn solution routers" (i.e., WRV54G, RV0XX series routers) and have not bothered to study the "old" product line (BEFVP41 and BEFSX41). The BEFVP41 handles 50 tunnels with its internal pptp vpn server and the BEFSX41 handles only two tunnels with its internal pptp server.

    Unless you're looking for a specific firmware update, bring "all" of your vpn questions to this forum because a majority of us have better knowledge dealing with these routers because the tech support linksys has now is not designed to handle "real" problems (as told to me by a stateside Level 3 technician); their only job is to get you by "basic" things like "Is it turned on?" or "Have you cycled the modem?" Anything past that and you'll be told the exact same dumb shit someone told you...

    Getting back to it, you should (for starters) try using the greenbow vpn client for your users "if" you want to get some use out of the router you have now. A third party client is the "only" way you'll be able to use your particular router (BEFVP41). Now, if you had the WRV54G or any of the RV0XX series routers, you could use "either" the built in 50 tunnel pptp vpn server that comes with each of these routers also "or" the linksys quickvpn client, "however," when using a third party vpn client with the WRV54G an RV0XX series routers, you "must" be plugged DIRECTLY into a modem "because" the NAT-T functionality in both of these two router versions was omitted because linksys was/is trying to push the linksys quickvpn utility (its soooooo easy for clients to configure) and does not want the competition of third party clients being used with these particular routers... *whew*

    What this means is that if you tried to initiate a vpn session from behind a WRV54G/RV0XX router with a third party vpn client to a BEFVP41/BEFSX41 that was hosting the vpn connection, the WRV54G/RV0XX would send out the request and contact the other router, but as soon as the packet comes back, the packet is discarded at the port because of NAT-T not being available to interpret the packet structure.

    On the other hand, if you used a BEFVP41/BEFSX41 as the distant end host and were initiating a session from behind anothr BEFVP41/BEFSX41 using a third party client, you would have "no problems" establishing a tunnel because of the NAT-T functionality being available in these two "older" linksys products.

    If you wanted to rely solely on the quickvpn utility which is designed to work "only" with the WRV54G/RV0XX router line, then you're mobile clients will have to use quickvpn exclusively (which ain't too bad at all). Personally, I don't think any of your mobile users want to put a pillow and a blanket next to a modem that's downstairs behind the hotel's customer service counter at 3 AM to check out what's going on at the office due to them having a third pary vpn client loaded on their laptops (that would suck)...

    Long story made short, PM me and I'll send you a copy of configuring the greenbow vpn client to work with WRV54G/RV0XX/BEFVP41/BEFSX41 routers. I wrote the guide originally for the WRV54G but the interface is 95% the same with the others so it works with them also.

  4. BrianStradale

    BrianStradale Network Guru Member

    Great, looks like I found the right forums.

    Whew, indeed! I'd like my users to be able to "VPN in" to our network no matter how they are connected to the Internet... very few will be able to plug directly into a modem. So, its clear I won't want to be using QuickVPN utility; but its not clear: Will I be able to do that with the BEFVP41 router?...

    Does that imply that my users will only be able to connect in if they happen to be behind a BEFVP41/BEFSX41? Or only if they are behind a router with NAT-T functionality? Or?

    PM sent. Thanks, Doc!
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    Like I'd mentioned before, "if" you had one of the WRV54G/RV0XX series routers, quickvpn would be "perfect" for what you want. There would be no problems connecting "quickvpn" behind other routers; if you tried to use a third party vpn client (i.e., greenbow vpn client) from behind a WRV54G/RVOXX, you would not be able to connect because of the NAT-T functionality not being present. However, being that you have a BEFVP41, all you need to do is configure the greenbow vpn client and everything will be alright. And yes, your clients will be okay using greenbow from behind other routers; it's just the WRV54G/RV0XX routers that have this deficiency due to Linksys wanting to make quickvpn the "point-and-click" vpn utility for the masses...

    98% of the SOHO market makes routers that support NAT-T; Linksys just got stupid and opportunistic with the quickvpn utility. They've lost a fair amount of business because of this, but, I've got a quickvpn setup guide I put together that's posted on this site that helps WRV54G/RV0XX users connect to via quickvpn.

  6. BrianStradale

    BrianStradale Network Guru Member

    I see. Looks like either would work for me then... to that point.

    Bonus questions:

    1) In addition to PC's, I have a couple Macs that ideally also would be able to VPN into the network. Neither QuickVPN nor Greenbow appear to have Mac versions. Sooo, I'd like to figure out how to make the Mac OS X VPN Client work with my solution. It sounds like it would not work consistently with RV0XX, but MIGHT with BEFVP41?? (I haven't seen your setup guide yet, so maybe I'll be able to figure it out from that?)

    2) The network I am VPN'ing into is currently nested within two other networks/routers. Is it good enough to enable VPN pass through on each? Or do I need to do explicit port forwarding on each of the other two routers? Or is it just not going to work that deep? Is either the BEFVP41 or RV0XX preferable in that case?

    Thanks again!
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    At this point, I would say don't worry about the RV0XX series routers. The BEFVP41 you have right now is "more" than enough...

    If you want your MAC computer to connect, you might want to look into an application called "IPSECURITAS." I've seen a few MAC users discuss then when discussing vpn configuration with Linksys routers. Here's a link you can start with:


    As far as answering your second question, I would try port forwarding to the BEFVP41 to see if I could make the connection that way. All of this is pretty much trial and error until it works. I emailed the guide to you a little while ago, so unless it rejected, you should have it by now...

  8. BrianStradale

    BrianStradale Network Guru Member

    After realizing that the costs of a new Mac VPN Client and the Greenbow VPN Client for Windows users would far eclipse the costs of the router, I decided to look for a router that implemented a standard PPTP Server that would work with the built-in VPN Client capabilities.

    I found several... just not from Linksys. I bought one... the SMC BR18VPN ($85)... enabled the PPTP Server, specified account name and password, and in minutes had Macs and Windows machines connecting up using the built-in clients.

    I think I'm done with Linksys and Cisco... their approach of non-standard VPN is just waayyyy too expensive and anti-social for me.

    Thanks, Doc and Alec, for helping me figure out what was going on.

    Worked just fine... just forwarded port 1723.

    Now, with all that said, I still have some things to work out, but at least the basics are working. I can VPN into my inner LAN and access any of the machines there, just as if I was there. However, when VPN'd in, I can't see the networks outside the LAN... I can't see the Internet. I'm not quite sure why that is yet.

    Thanks again!

  9. DocLarge

    DocLarge Super Moderator Staff Member Member

    For those, you might just have to type the ip address of the system your accessing to include the name of the folder being shared. For example;

    Try that...

  10. TazUk

    TazUk Network Guru Member

    It's not non-standard, it uses IPSEC, which is preferable to PPTP anyway :roll:
  11. BrianStradale

    BrianStradale Network Guru Member

    It uses IPSEC, but not in a form that the Windows VPN client can connect to and not in a form that the Mac VPN Client can connect to. You have to get a special VPN client that knows how to do "Linksys style VPN". At least that's how I read the Greenbow documentation... its not just a generic IPSEC VPN Client... rather, it knows how each different manufacturer's routers work, you tell it you're using a BEFVP41 and then it knows how to connect to it. That's workable... but way more expensive than going with a PPTP or L2TP Server that is compatible with the VPN Clients already available on most every machine on the planet for free.

    True? Or am I missing something? Is it possible to use Windows and Mac VPN clients to connect to a Linksys VPN server? Or must you buy a client that knows how to do Linksys VPN?
  12. DocLarge

    DocLarge Super Moderator Staff Member Member

    Okay, I think I understand what you're getting at now...

    "MANY PEOPLE" before you and I tried to use the information inside of the wrv54g pdf file that's on the included router setup disk to create an "IPSEC security policy" to connect to a wrv54g by using the built-in "windows vpn client." Those particular directions were a load of shit and poorly written...

    Alot of us tried to do it that way also when we first bought our wrv's, but it was a "less than workable" solution because linksys (again) did a poor job of properly illustrating the configuration. And as far as I know, there've only been a handful of people (literally) I've seen post who were able to connect to the wrv54g using windows "built-in" vpn client.

    Because alot of wrv54g owners couldn't connect to the vpn using the instructions that came with it to configure the windows built-in vpn client, Linksys quickvpn was born. The directions that many of us tried to follow to set up the windows vpn client to work with the wrv54g is now "automatically" configured when you install the Linksys quickvpn client. Still, the more "resilient" users just turned to using third party vpn clients (greenbow, safenet, ssh sentinel) with the wrv54g's built-in pptp server the same way everyone else had always done with the BEFVP41 and set their vpn tunnels up that way.

    Piggy-backing off of what Taz said, IPSEC "is what it is," which is a common standard, just like tcp/ip. There's nothing special going on; Linksys just did a "VERY POOR JOB" with the wrv's original vpn client configuration instructions.

    Additionally, I use greenbow all of the time if I get bored using quickvpn, and others use ssh sentinel. It's all the same everywhere you look, it's just getting a vpn client configured properly that makes the difference :)

  13. TazUk

    TazUk Network Guru Member

    Nope, I've connected to mine using both Greenbow and SSH Sentinel, both are bog standard VPN clients and didn't need any special Linksys settings. I've also created VPN tunnels between Linksys and other brands of VPN routers. What makes the WRV54G different to other Linksys routers is it doesn't support NAT-T, which means the only way to connect to it from behind a NAT enabled router is using their Quick VPN client :roll: This is a major issue and one which Linksys seem reluctant to resolve :evil: What makes it more irratating is the WRV54G is Linux based and uses the standard Free S/WAN VPN server, so fixing it should just mean recompiling with a newer version.
  14. DocLarge

    DocLarge Super Moderator Staff Member Member

    We'll all have to resign ourselves to the fact that the wrv54g may never have NAT-T functionality, however, maybe they might take the time to fix quickvpn's inherent nature to hog port 443. This could help in easing the pain methinks... :) :)

  15. TazUk

    TazUk Network Guru Member

    Not really, I want to be able to use one VPN client to connect to any of my customers VPN's for support purposes. Up until now SSH Sentinel has done the job brilliantly but of course it won't connect to a WRV54G if I'm behind a NAT enabled router. So I would need to use SSH Sentinel for 99% of sites and QuickVPN for 1% :roll: The other solution is of course to dump the WRV54G and replace it with a BEFVP41 and a WAP54G which would give me the same functionality and probably save me a few quid too.
  16. rixxx

    rixxx Network Guru Member

    Hello I stumpbled upon this thread looking for VPN information regarding the RV016.

    At the office here, we initially purchased the BEFVP41 v2 Router, and after finding out it only supports (well from what we were told anyways) linking to a VPN server, we put it aside and purchased the RV016.

    After spending quite some time tech support we were informed of the v2.0.0 firmware and were told to use that. We ended up using the quickVPN software, but that became problematic because after a few minutes of use we would get disconnected. We are currently running the v2.0.6 firmware for the RV016 (as of today actually) and I've tested the PPTP vpn tunnel over a dial up connection I was successfuly able to log in.

    The BEFVP41 is in use at my home, VPN'ed into the office (works like charm, I must admit!). The firmware on that model is running v1.01.04 - and from what I'm seeing there is no place to configure incoming VPN connections.

    Doclarge, would it be okay if I PM'ed you as well for this document? I would like to try this out.

    Due to our frustrations with the QuickVPN utility, we've started looking at other routers/vpn solutions. Is PPTP strong enough to protect our data, or should keep looking for a new router/vpn device with?

    Also, we have 2 people going to Japan and Guam - will the internet latency between there and Hawaii affect the VPN tunnels?
  17. DocLarge

    DocLarge Super Moderator Staff Member Member

    Sure, you can PM me or go up to the sticky section of this forum and there are the "exact" same instructions; to save time, you can just copy and paste that info into a word document :) If you still would like to use quickvpn, check out the "quickvpn setup guide" that's also above in the sticky section.

    I'm a little confused as to why you were told you couldn't use the BEFVP41 for your vpn needs because the WRV54G/RV0XX series routers were based off of its design (standard 50 PPTP vpn tunnels). Unless there's been a "DRASTIC" change in firmware, the most likely thing is that you talked to another "I'm just here because I need to work somewhere" linksys support technician who doesn't know the product. (Catch your breath when I tell you this...)

    You didn't need the RV016; your BEFVP41 would have sufficed perfectly. The same place where you configured your VPN from home to work is the "same" place where you'd configure incoming communications. Unless I'm mistaken, all you had to do was:

    BASIC SETUP ----> SECURITY ------> VPN

    From here you could have configured your vpn connections. Let this be a lesson to you about calling Linksys tech support. "Unless" you need a beta version to try or something like that, you should look for answers here :)

  18. rixxx

    rixxx Network Guru Member

    after reading all the posts in this thread I came to the same conclusion, and I didn't see you sticky until a couple hours after I made my post :p

    Thank you for the wealth of information here, I wish I knew about this site long ago.

    And now my befvp41 won't do a hardware to hardware VPN connection to my RV016, though it was having issues today before I upgraded the firmware on the RV016. I have the PPTP server enabled on the RV016, and I can use the windows VPN client to login to the network (DNS fails for connecting to the intranet services via that route), which seems a lot more stable then the QuickVPN client (been connected a couple of hours now, and got someone from a neighbor island to connect as well).

    though when the befvp41 was handling all the VPN duties, intranet DNS worked fine (i used to be able to hit www.mai-hawaii.com with the VPN on and off, if on then I would get the lan side).

    One thing I noticed, we're running a 192.168.5.x network at home and at work it's 192.168.10.x - both run on the subet - when the windows vpn client connects, it get the right IP address, but the subnet mask is - is that ok?

    I can still hit the server share's via IP address \\192.168.x.x though when I click on the domain in network neighborhood it says I'm not authorized to view the network.

    Never had this problem under the BEFVP41 to RV016 vpn conection. Any thoughts on that?

    Thanks for your time, and I'm sorry if my posts are quite long - just trying to be thorough :) :)
  19. DocLarge

    DocLarge Super Moderator Staff Member Member

    Yes, that's okay because your computer is just synchronizing communications with the endpoint node (router) to maintain the vpn tunnel (unless I'm missing something; I overlook stuff too :) )
    By chance, is there another server that the server you connect to uses for DNS, or is connected to maybe another server is being used for RRAS for another subnet and the server you connect has it in its tables??????

    As for network neighborhood, if you're getting the error, it could be due to a share permission. Being that you're able to connect, I don't (at this time) think it has anything to do with encryption.

  20. rixxx

    rixxx Network Guru Member

    ok here's a quick n dirty network layout:

    befvp41 (lan side is 192.168.5.x)
    rv016 (lan side is 192.168.10.x)
    server1 (intranet DNS server, Domain login server, www server for lan+inet)
    pc's 1-8

    We have an internet hosted DNS server as well, which points www services to the same computer as the intranet DNS server - obviously using seperate IP addresses with the RV016 doing port forwarding on port 80.

    PC1 (this computer) is configured to us the intranet DNS server first, then my ISP's DNS servers 2nd, 3rd, & 4th. This worked awesome when the befvp41 was handling the tunnel to the RV016. When the link was disconnected, my ISP's DNS servers obviously took over when needed.

    Now that the PPTP server is turned on in the RV016, it seems the BEFVP41 won't link up using the tunnel, and now there's the aforementioned DNS issues. Which really strikes me as odd because I can do an nslookup and I immediately connect to my intranet DNS server. Going to try a reboot and see if that fixes anything.

    edit: doh! just realized I never bothered with the TCP/IP properties on the vpn setup - once I manually entered the intranet DNS server in there (it defaulted to the PPTP server ip address - where there is no DNS server running), I can now view the www site while the vpn is connected. However, it's connecting through the wan instead of the vpn (I have a script on there that tells me my ip address). But I assume that's ok since the intranet domain is the same as the internet domain, so obviously my wan link is going to use it's DNS servers befor the VPN server.
  21. rixxx

    rixxx Network Guru Member

    well now I realize what the DNS server for the VPN link does - I can now (quite speedily) hit all my intranet servers via the \\computername convention, instead of using \\ipaddress


    Now I can't wait to get back to work to try the greenbow setup.
  22. Bukas

    Bukas Network Newbie Member

    How can I create a VPN connection using a Linksys WRT54L Wireless-G Broadband Router?
  23. tony.lay.52

    tony.lay.52 New Member Member

    Can I install a vpn on my
    linksys ea8500 router?
    I am pretty inexperienced about this but need a vpn to do streaming in private. Thanks
    for any help...

    Sent from my iPhone using Tapatalk
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice