* [LARTC] RE: VPN Solution
From: Rangi Biddle @ 2006-11-21 6:38 UTC (permalink / raw)
To: lartc
Hi Guys and thanks for the replies so far.
Sorry for the lack of information, but if you have questions I am more than
willing to answer them.
> Can / will you provide some more information such as what type of client
> will be connecting to the VPN concentrator?
The clients that will be connecting to the VPN server will be Windows
clients. This is why I chose to build a PPTP VPN server as there would be no
additional software to install on any of the clients.
> I believe the 1 concurrent connection you are referring to is a limitation
> of IPTables match extension for PPTP tunnels. If you put the VPN
> Concentrator such that it is directly routable you should have better
> luck.
What do you mean by directly routable? Are you referring to the DMZ
suggestion I made earlier or something else such as bridging the connection?
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* [LARTC] RE: VPN Solution
From: Rangi Biddle @ 2006-11-21 8:16 UTC (permalink / raw)
To: lartc
Hi Grant,
> Is your VPN concentrator / server directly on the internet or is there
> some sort of port forwarding going on. You could use a DMZ, if the machine
> in the DMZ had a globally routable IP, i.e. did not use port forwarding of
> any sort.
Unfortunately the VPN server does not explicitly have a public IP address
that would allow it to receive connections. At present, the VPN server is
currently sitting behind a DSL router which has a public IP and is receiving
connections via DNAT, in particular port 1723 (PPTP) and protocol 47 (GRE).
The DMZ setup that the DSL router offers is basically having all connections
on the public IP DNAT through to the internal IP address of the VPN server.
I have been able to verify this, as the router itself runs a minimal linux
environment which includes using IPTables for its firewalling capabilities
(D-Link branded DSL router).
Also, I have already mentioned that moving to another type of connection
such as fibre isn't an option as I cannot afford a connection of this type
(I live in New Zealand). Other alternative connections to DSL are not very
affordable and we are very limited to the connection types that we can
choose from.
At present the range of connections are as follows:
Dial-Up - Far too slow
DSL - Affordable and very quick
ISDN - Far too pricey ($900 per month not including data charges)
Cable - Only available in certain areas in New Zealand
Fibre - Far far too pricey ($1,500 per month - 2 Mbps National / 512k
International)
Fibre by far would be the best option as I would receive around 7 public IP
addresses but as you can see from the cost it just isn't very feasible for
only a VPN solution.
As you also mentioned in your previous email about the limitation of
IPTables, are there any workarounds such as using the patch-o-matic patches?
Any comments/suggestions are welcome from anyone.
* [LARTC] RE: VPN Solution
From: Rangi Biddle @ 2006-11-21 8:36 UTC (permalink / raw)
To: lartc
> Hum. Is your DSL modem built in to the router you are using, or could you
> supplant your router with a / your Linux box?
> If you can put your Linux box directly on the internet, then your VPN
> concentrator will (inherently) be directly on the net too.
Unfortunately my router is combined with the DSL modem, effectively a single
CPE.
> I believe the limitation, which may have been patched and with out being
> aware of it as I don't use PPTP (yet), is in the helper module for
> connection tracking for PPTP. I would have to refresh my self on the PPTP
> protocol and it's interaction with IPTables. I suggest you do some more
> reading on the mailing list as well as on NetFilter.org to see if you can
> find out something else.
I have just come across some information that says that the connection
tracking support for PPTP connections in particular is now part of the
mainstream kernel ( >= 2.6.14 ). I am currently downloading version
2.6.18-3 and will let you know how it goes.
PS. I'm using CentOS which probably isn't the best choice for hacking things
to pieces - guess that serves me right. I believe debian (Sarge) has
support for pptp_conntrack in it already so I might give that a go as well.
If you're interested I am more than happy to discuss this matter off the
mailing lists, but perhaps may serve a better purpose by being on the lists
for future reference for others.
* [LARTC] RE: VPN Solution
From: Rangi Biddle @ 2006-11-22 2:20 UTC (permalink / raw)
To: lartc
Hi List,
This is an update for anyone that has been attempting to get a PPTP VPN
working using PopTop with more than one simultaneous connection from an
external source to a PPTP VPN behind a router that is NATing connections
through. I assume that whoever is setting this up has some general
knowledge of linux and how to compile a kernel. I also make the assumption
that you already have a PPTP server up and running but are requiring more
than one simultaneous connection. I also offer no warranties or take on any
responsibility on whether or not this breaks your system and causes damage
of any kind.
With that said, I used the most recent kernel (2.6.18.3) and used all the
default settings and added in all (except the experimental) iptables
modules. I also added in PPP MPPE support (even though it is experimental).
To make things easier on myself I compiled the kernel as a binary RPM
package since the distro that I am using uses RPMs.
After installing the new kernel I made modifications to my boot loader (in
my case grub) to use the new kernel and then rebooted the system.
I used the following IPTables rules:
iptables -t nat -A POSTROUTING -j MASQUERADE   (Very general masquerading -
not recommended and should be tied down to specific subnets)
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT   (Accept inbound PPTP
connections)
iptables -A INPUT -p gre -j ACCEPT   (Accept inbound GRE connections)
iptables -A OUTPUT -p gre -j ACCEPT   (Accept outbound GRE connections)
I executed the command:
service iptables save
to save my newly added iptables rules.
I then edited /etc/rc.local and added in the following lines
modprobe ip_nat_pptp
modprobe ip_conntrack_pptp
Which loads the additional modules needed for PPTP NAT connections and
finally rebooted the system once more to make sure everything starts up as
expected.
If you have any problems please mail them to the list and I will see if I
can be of some assistance.
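A tightened rendition of the rule set and module check from the update above, as an added example that is not the poster's script and not anything shipped with PopTop: it keeps the same pieces (TCP/1723 control channel, GRE data channel, masquerading, the ip_conntrack_pptp / ip_nat_pptp modules) but ties the masquerade to the PPP client pool, accepts GRE only on the WAN side and only when connection tracking has related it to a control connection, and checks a /proc/modules listing for the helper modules under either the ip_* names from the post or the nf_* names later kernels use. WAN_IF, LAN_IF, PPP_NET and the sample module listing are assumed/constructed values; DRY_RUN defaults to 1 so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not the poster's script): tightened version of the PPTP
# firewall rules and module check described in the update above.
# WAN_IF, LAN_IF and PPP_NET are assumed placeholder values; adjust them.
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface facing the DSL router
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface facing the internal LAN
PPP_NET="${PPP_NET:-192.168.100.0/24}"   # assumed: pool pptpd assigns to VPN clients
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print rules only; DRY_RUN=0 applies them

# run: print the command under DRY_RUN, otherwise execute it, so the rule
# set can be reviewed before it touches the live firewall.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pptp_rules: the same things the post configures, but restricted.
pptp_rules() {
    # PPTP control channel: only from the WAN side.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
    # GRE data channel: only on the WAN side, and only when conntrack has
    # related it to a control connection. This depends on ip_conntrack_pptp
    # being loaded; the post's bare "-p gre -j ACCEPT" hides that dependency.
    run iptables -A INPUT -i "$WAN_IF" -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p gre -j ACCEPT
    # Masquerade only VPN-client traffic leaving towards the LAN, instead of
    # the post's catch-all "POSTROUTING -j MASQUERADE".
    run iptables -t nat -A POSTROUTING -s "$PPP_NET" -o "$LAN_IF" -j MASQUERADE
}

# has_module NAME: true if NAME is listed as loaded in $MODULES, a
# /proc/modules-style listing (one module per line, name first).
has_module() {
    printf '%s\n' "$MODULES" | grep -Eq "^$1 "
}

# pptp_helpers_loaded: read a /proc/modules listing on stdin and succeed only
# if both the conntrack helper and the NAT helper for PPTP are present,
# under the ip_* names from the post or the nf_* names of later kernels.
pptp_helpers_loaded() {
    MODULES="$(cat)"
    { has_module ip_conntrack_pptp || has_module nf_conntrack_pptp; } &&
    { has_module ip_nat_pptp || has_module nf_nat_pptp; }
}

# Constructed sample listing (not captured from a real host) so the script
# runs stand-alone; on the VPN server use:  pptp_helpers_loaded < /proc/modules
SAMPLE_MODULES='ip_nat_pptp 6785 0 - Live 0xf8a1c000
ip_conntrack_pptp 12449 1 ip_nat_pptp, Live 0xf8a0e000
ip_conntrack 52317 2 ip_nat_pptp,ip_conntrack_pptp, Live 0xf89e0000'

echo "# rules (DRY_RUN=$DRY_RUN):"
pptp_rules
if printf '%s\n' "$SAMPLE_MODULES" | pptp_helpers_loaded; then
    echo "# sample listing: PPTP conntrack and NAT helpers are loaded"
else
    echo "# sample listing: helpers missing; run modprobe ip_conntrack_pptp ip_nat_pptp"
fi
```

Run it as-is to review the rules, then with DRY_RUN=0 to apply them; feed the real /proc/modules to pptp_helpers_loaded after the modprobe lines in rc.local have run, because with the GRE rule restricted to RELATED,ESTABLISHED a missing helper shows up as a VPN that negotiates on TCP/1723 and then passes no data.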
* Re: [LARTC] RE: VPN Solution
From: Taylor, Grant @ 2006-11-22 14:55 UTC (permalink / raw)
To: lartc
Rangi Biddle wrote:
> This is an update for anyone that has been attempting to get a PPTP VPN
> working using PopTop with more than one simultaneous connection from an
> external source to a PPTP VPN behind a router that is NATing connections
> through. I assume that whoever is setting this up has some general
> knowledge of linux and how to compile a kernel. I also make the
> assumption that you already have a PPTP server up and running but are
> requiring more than one simultaneous connection. I also offer no
> warranties or take on any responsibility on whether or not this breaks
> your system and causes damage of any kind.
...
> If you have any problems please mail them to the list and I will see if
> I can be of some assistance.
So I take it that you were able to get PPTP / PopTop working the way you
wanted with multiple concurrent PPTP connections?
Grant. . . .
* [LARTC] RE: VPN Solution
From: Rangi Biddle @ 2006-11-22 20:13 UTC (permalink / raw)
To: lartc
> So I take it that you were you able to get PPTP / PopTop working the way
> you wanted with multiple concurrent PPTP connections?
Yup!