RE: PPTP Connection sharing behind NAT



Hi !

Great to see there are still PPTP tunnels on the Internet! :) Hope confidentiality is not your priority (http://www.schneier.com/pptp.html).

For more info on PPTP, I used to read a book called "Building Linux Virtual Private Networks (VPNs)" by O. Kolesnikov & B. Hatch; their chapter on building VPNs with PPTP was quite clear.

BTW, any reason for discarding IPSec ?


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of J. Theriault
Sent: Sunday, 7 January 2007 15:00
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: PPTP Connection sharing behind NAT


Hello,


I would like to set up a Linux machine to route connections over a PPTP connection to a secondary ISP inside a pre-existing network, so that internal machines generally use the "standard" ISP connection, and others can be configured to use the Linux machine's PPTP connection as a gateway/tunnel for their internet access.

I have no previous practical experience with PPTP and most of the Linux PPTP documentation seems quite daunting, so if anyone knows a simple way to do this, I'd appreciate any help or advice before I get started.

-----

So far, I'm visualizing it like so:

U = Standard unencrypted connection
E = PPTP encrypted connection

 ------------       -------       ----------               -----------
| Internet   |--U--|  ISP  |--U--|  Router  |------U------|  Clients  |
|            |     |       |     |          |             |           |
|            |     |       |     |          |             |           |
|            |     |       |     |          |             |           |
|      E-----|--E--|---E---|--E--|----E     |             |           |
 ------------       -------       ----------               -----------
  |         |             WAN DHCP / LAN 10.0.0.1         (10.0.0.0/8)
  U         E                         |
  |         |                         E
 ---------  |                         |
|  ISP-2  | E                     ----------               -----------
 ---------  |---------E----------|  Linux*  |------E------|  Clients  |
                                  ----------               -----------
                                                       (192.168.0.0/24)

* Linux (Ubuntu 6.10):

WAN: 10.0.1.0/8 (For PPTP connection both DNS/routing are required)
LAN: 192.168.0.0/24 (For the few clients who are to use ISP-2)
PPP: PPTP connection to ISP-2

IPTables:
- Incoming from WAN/PPP blocked
- Outgoing LAN to WAN blocked
- Outgoing LAN to PPP passed

Routing/DNS forwarding: Set to use ISP-2's gateway and DNS for all

-----

So, does anyone know a simple way to do this, such as if m0n0wall (which has support for a PPTP WAN but does not seem to allow me to set DNS or gateway options to be able to resolve and contact the PPTP server in the first place to establish the connection) can be configured to do this, or is there going to be a lot of trial and error? ;)


Thank you,

Joseph Theriault
administrator@xxxxxxxxxxxxxxxx

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------


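The gateway the original post sketches (Linux box dialling ISP-2 over PPTP, one LAN subnet forwarded through the tunnel, everything else dropped), written out as an added example. This is not code from the thread or from either poster. Names it assumes that the post does not give: WAN interface eth0 facing the existing router at 10.0.0.1, LAN interface eth1 on 192.168.0.1/24, tunnel interface ppp0, the ISP-2 PPTP server address in PPTP_SERVER (a TEST-NET-3 placeholder by default) and the account name in PPTP_USER. Two things the post's three iptables bullets leave out are included: the tunnel's own control channel (TCP/1723) and GRE have to be allowed to the server, and inbound GRE has to be allowed explicitly, because without the PPTP conntrack helper it never matches ESTABLISHED.

```shell
#!/bin/sh
# Added example (not from the original post): Linux PPTP-client gateway
# that forwards 192.168.0.0/24 through a tunnel to a second ISP.
# Assumed, not stated in the thread: eth0 = WAN (router at 10.0.0.1),
# eth1 = LAN, ppp0 = tunnel, PPTP_SERVER/PPTP_USER are placeholders.
# Usage:  sh pptp-gw.sh show   (print the commands)
#         sh pptp-gw.sh apply  (execute them, as root)

WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-10.0.0.1}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PPP_IF="${PPP_IF:-ppp0}"
PPTP_SERVER="${PPTP_SERVER:-203.0.113.1}"   # placeholder; ISP-2's PPTP server
PPTP_USER="${PPTP_USER:-isp2user}"          # placeholder account name
DRY_RUN="${DRY_RUN:-1}"

# Print the command (DRY_RUN=1) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# pppd peer definition for /etc/ppp/peers/isp2. The password is NOT here;
# it belongs in /etc/ppp/chap-secrets as:   isp2user isp2 "secret" *
# refuse-pap/chap/mschap leaves MS-CHAPv2, which require-mppe-128 needs.
peers_file() {
    cat <<EOF
pty "pptp $PPTP_SERVER --nolaunchpppd"
name $PPTP_USER
remotename isp2
refuse-pap
refuse-chap
refuse-mschap
require-mppe-128
noauth
noipdefault
usepeerdns
defaultroute
lock
EOF
}

# The post's rules: incoming from WAN/PPP blocked, LAN->WAN blocked,
# LAN->PPP passed; plus the holes the tunnel itself needs.
firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # GRE carries no ports; allow it from the server explicitly.
    run iptables -A INPUT -i "$WAN_IF" -p gre -s "$PPTP_SERVER" -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp -d "$PPTP_SERVER" --dport 1723 -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p gre -d "$PPTP_SERVER" -j ACCEPT
    # LAN -> PPP passed; PPP -> LAN only for replies; LAN -> WAN hits DROP.
    run iptables -A FORWARD -i "$LAN_IF" -o "$PPP_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$PPP_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$PPP_IF" -s "$LAN_NET" -j MASQUERADE
    # The tunnel MTU is below Ethernet's; clamp MSS so LAN TCP sessions work.
    run iptables -t mangle -A FORWARD -o "$PPP_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Keep a host route to the PPTP server via the old router, drop the old
# default, and let pppd's 'defaultroute' send the rest via ppp0
# (the post's "ISP-2 gateway and DNS for all").
routes_and_dial() {
    run ip route add "$PPTP_SERVER" via "$WAN_GW" dev "$WAN_IF"
    run ip route del default via "$WAN_GW"
    run pppd call isp2
}

main() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "# /etc/ppp/peers/isp2:"; peers_file
    else
        peers_file > /etc/ppp/peers/isp2
        chmod 600 /etc/ppp/peers/isp2
    fi
    firewall_rules
    routes_and_dial
}

case "${1:-}" in
    show)  DRY_RUN=1; main ;;
    apply) DRY_RUN=0; main ;;
esac
```

Two caveats for this layout. The "behind NAT" part is the existing router: GRE has no port numbers for a NAT to track, so that router must pass GRE to the Linux box (usually a "PPTP passthrough" option, or a PPTP NAT helper on a Linux router); if it does not, the TCP/1723 handshake will succeed and the tunnel will still never come up. And the reply's confidentiality point stands even with require-mppe-128: the MPPE session keys are derived from the MS-CHAPv2 exchange that the Schneier page criticises, so the tunnel keeps the first ISP's path from reading the LAN clients' traffic only as far as PPTP itself holds up.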


