GOOD2USE Knowledge Network Virtual private networking over the Internet


When establishing a VPN connection over the Internet, the remote user must make two connections. The first connection is to the user's Internet service provider (ISP) by way of a dial-up or broadband session. This session uses TCP/IP and PPP to communicate with the ISP. At the time the connection is made, the remote user is automatically assigned an IP address by a Dynamic Host Configuration Protocol (DHCP) server at the ISP's office.

The second connection actually creates the VPN. It uses some of the Windows code that's normally associated with dial-up networking to establish this connection over the existing PPP connection. Packets are sent across the second connection in the form of IP datagrams containing encapsulated PPP packets.
Under normal circumstances, when a remote user tries to access a corporate network via the Internet, the company's firewall prevents PPP packets from entering the network. This means the private network is inaccessible to Internet users. However, when the company loads the VPN services, it can enable certain firewall ports that provide a route across the firewall (or router) and allow Internet users who meet specific security criteria to access the private network from across the Internet.

When a VPN server receives a packet from across the Internet, it disassembles the packet. From this packet, it can derive the name of the computer the packet was intended for. The packet also contains the underlying protocols, such as NetBEUI and IPX/SPX. Once this information has been extracted into a usable form, the packet can be passed from the VPN server to the destination computer residing on the private network. The VPN server functions in a similar fashion to a gateway.
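As an added illustration of that disassembly step (this is not code from the original article), the Python below parses a constructed IPv4 datagram carrying the PPTP data channel, an enhanced-GRE header (RFC 2637, IP protocol 47) with a PPP frame inside, and reports which network protocol the PPP frame encapsulates. The sample packet, its addresses and its call ID are constructed for the example.

```python
import struct

# Added example, not the article's code.
# PPP protocol numbers (RFC 1661 / IANA) for the payloads the article mentions
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI (NBF)", 0xC021: "LCP"}
IPPROTO_GRE = 47        # PPTP data channel; its control channel is TCP port 1723
GRE_PROTO_PPP = 0x880B  # protocol type in the enhanced GRE header (RFC 2637)


def decapsulate_pptp(datagram: bytes) -> dict:
    """Strip the IPv4 and enhanced-GRE headers and report what the PPP frame carries."""
    if datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != IPPROTO_GRE:
        # A firewall that only opens TCP 1723 but drops IP protocol 47 breaks PPTP here.
        raise ValueError("not GRE (IP protocol %d)" % datagram[9])
    gre = datagram[ihl:]
    flags0, flags1, proto, payload_len, call_id = struct.unpack("!BBHHH", gre[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError("GRE payload is not PPP")
    off, seq, ack = 8, None, None
    if flags0 & 0x10:            # S bit: sequence number present
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags1 & 0x80:            # A bit: acknowledgment number present
        ack = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    ppp = gre[off:off + payload_len]
    if ppp[:2] == b"\xff\x03":   # uncompressed PPP address/control field
        ppp = ppp[2:]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "protocol": PPP_PROTOCOLS.get(ppp_proto, hex(ppp_proto)), "payload": ppp[2:]}


def build_sample(ppp_proto: int, payload: bytes, call_id: int = 7, seq: int = 1) -> bytes:
    """Constructed sample: IPv4 header + enhanced GRE (K and S bits set) + PPP frame.
    Addresses come from documentation ranges; the IP checksum is left at zero."""
    ppp = b"\xff\x03" + struct.pack("!H", ppp_proto) + payload
    gre = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, IPPROTO_GRE, 0,
                     bytes([198, 51, 100, 10]), bytes([203, 0, 113, 5]))
    return ip + gre


if __name__ == "__main__":
    print(decapsulate_pptp(build_sample(0x003F, b"NB-frame")))
```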

Because you can embed standard networking protocols into a packet that's sent across a VPN, all standard networking features continue to work. For example, name resolution by way of a Windows Internet Naming Service (WINS) server or a Domain Name Service (DNS) server will function just as if the remote host were directly plugged into the local network.

Because name resolution continues to function, the question arises of what the general DNS requirements are. After all, addressing a computer by name across the Internet normally requires the name to be registered and globally accessible. However, in the case of virtual private networking, only the VPN server needs a valid, globally accessible DNS name (with a static IP address). This is because when you send packets from the remote computer, the VPN server is as far as those packets must travel. As far as anything on the Internet knows, the VPN server is the packet's final destination. It's not until the VPN server disassembles the packets that they're passed on to their true final destination.
Because the packet already resides at the local level at the time of disassembly, the Internet requires absolutely no knowledge of the name of the computer that's the true final destination of the packet. As a matter of fact, it's a bad idea from a security standpoint to make the name of that computer accessible via the Internet. You should place all local nodes on your network, as well as the VPN server, behind a firewall for protection.

Connecting to a VPN involves using two dial-up networking sessions. The first session establishes your Internet connection. Once you're connected to the Internet, you can establish the VPN connection via the second dial-up networking connection. However, there are a couple of side effects to be aware of.
First, when you launch the VPN session, the Internet is no longer accessible for standard access (Web browsing, e-mail, and so forth) unless the network you're connecting to can also get to the Internet. If the remote network doesn't provide access to the Internet, you can't surf the Web or check your e-mail at the same time you're connected to a VPN.

Second, you should know that establishing a VPN session kills your connection to any local networks you might be attached to. For example, suppose you're part of a 10-user workgroup. Now suppose you establish a VPN session to a corporate enterprise network. Once you do, the corporate enterprise network will be accessible but your workgroup won't be. Consequently, you won't be able to use Windows 98 to route packets between the two networks.

The reason for these routing limitations lies in the way the PPTP protocol affects Windows 98's local routing tables. If you absolutely have to connect to the Internet, to a local network, or to both at the same time you're connected to a VPN, you may be able to do so in some cases by using Windows 98's Route command. The Route command can be used to make Windows 98 aware of other IP networks that you're connected to without the aid of a router.





© Copyright 1998-1999 GOOD2USE