How do I use it, in 60 seconds?
if:
. You'd like to establish a VPN between your home workstation
and a remote PPTP server located at IP address pptp.mycorp.com
. Your workstation accesses the internet through a unix firewall on
which you can run custom software (i.e. a Linux box).
. The unix firewall is dual-homed (it has two network interfaces).
. One of the firewall's interfaces has an IP address of 192.0.168.1
and is used to communicate with the "inside" LAN.
. The firewall's other interface is used to communicate with the "outside"
(the internet). It can have any IP address, static or dynamic.
. Your workstation's IP is 192.0.168.2.
then:
. Configure the workstation to connect to a PPTP server located at 192.0.168.1.
All other client settings should be as if you were connecting directly to pptp.mycorp.com.
. Run pptpproxy as follows on the unix firewall:
pptpproxy -p pptp.mycorp.com -a 192.0.168.0/255.255.255.0
There are more examples in the man page.
It doesn't work!
The most common cause is a badly configured firewall.
The machine that pptpproxy runs on must have firewall rules that:
- let GRE (protocol 47) packets in and out
- allow outgoing tcp connections to port 1723
- accept incoming tcp connections on port 1723
On linux with iptables, your mileage may vary, but it is usually
achieved with something along the lines of:
iptables -A INPUT -p 47 -j ACCEPT
iptables -A INPUT -p tcp --sport 1723 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT
Do I need to enable kernel forwarding?
No. The very reason pptpproxy exists is to take over the forwarding
when the kernel can't handle it. All kernel forwarding of GRE packets
and traffic on port 1723 must be off.
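The script below is an added example written for this FAQ, not something shipped with pptpproxy. It tightens the rules above to the LAN and to the configured server, adds FORWARD drops so the kernel never relays GRE or tcp/1723 itself, and only prints the rules unless run with the argument "apply". The interface names eth0/eth1, the LAN and server values, and the conntrack match are assumptions, not taken from the FAQ.

```shell
#!/bin/sh
# Added example (not part of pptpproxy): stricter iptables rules for the
# machine pptpproxy runs on. Assumed, not from the FAQ: inside NIC eth0,
# outside NIC eth1, LAN 192.0.168.0/24, remote server pptp.mycorp.com.
INSIDE_IF=${INSIDE_IF:-eth0}
OUTSIDE_IF=${OUTSIDE_IF:-eth1}
LAN=${LAN:-192.0.168.0/255.255.255.0}
PPTP_SERVER=${PPTP_SERVER:-pptp.mycorp.com}   # iptables resolves this once, at load time

# Print a rule when DRY_RUN is set, otherwise execute it (needs root).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

pptp_rules() {
    # Control channel: LAN clients may open tcp/1723 to the proxy; only the
    # proxy opens tcp/1723 outward, and only to the configured server.
    run iptables -A INPUT  -i "$INSIDE_IF"  -s "$LAN"         -p tcp --dport 1723 -j ACCEPT
    run iptables -A OUTPUT -o "$OUTSIDE_IF" -d "$PPTP_SERVER" -p tcp --dport 1723 -j ACCEPT
    # Return traffic of those control connections (source port 1723).
    run iptables -A INPUT  -p tcp --sport 1723 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run iptables -A OUTPUT -p tcp --sport 1723 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Data channel: GRE (protocol 47) from the LAN and from the server only.
    run iptables -A INPUT  -i "$INSIDE_IF"  -s "$LAN"         -p 47 -j ACCEPT
    run iptables -A INPUT  -i "$OUTSIDE_IF" -s "$PPTP_SERVER" -p 47 -j ACCEPT
    run iptables -A OUTPUT -p 47 -j ACCEPT
    # pptpproxy relays both channels itself: the kernel must never forward
    # GRE or tcp/1723 between the two interfaces.
    run iptables -A FORWARD -p 47 -j DROP
    run iptables -A FORWARD -p tcp --dport 1723 -j DROP
}

# Without an "apply" argument the script only prints what it would do.
[ "${1:-}" = apply ] && DRY_RUN= || DRY_RUN=1
pptp_rules
```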
It still doesn't work!
If your setup allows it, you should first make sure that your PPTP
client and your PPTP server are properly configured.
The best way to verify this is by connecting the client to the server
directly (i.e. getting rid of the firewall, and not getting pptpproxy
involved in any way).
Once this works, all you should have to do is replace the address of
the PPTP server on your client with the address of the machine pptpproxy
will run on, and launch pptpproxy on that machine:
pptpproxy -p my.pptp.server.address
Still not working?
Try to run pptpproxy in debug mode and see what goes wrong.
I've tried all of the above and I'm stuck
Try to drop me an email at mgix@mgix.com.
I tried to compile pptpproxy on my platform, but it doesn't work
The two officially supported platforms are Fedora Core 3 and OS X Tiger.
pptpproxy should compile fine on most Linux distros, but again, your
mileage may vary.
If you need to run pptpproxy on something else and need a binary,
see the question above.
Can multiple clients access a remote PPTP server simultaneously?
Yes, and there is no limit to the number of clients (although, given pptpproxy's
current architecture, it may not be very efficient past 100 clients or so; if
you need to support more than 100 concurrent client connections, contact me).
Can I use pptpproxy to access multiple PPTP servers from my firewalled home computer?
This is where it gets a bit tricky, partly because of the braindead design of the
PPTP protocol, but also because the Microsoft PPTP client does not let you specify
(as of this writing) a remote TCP port to connect to and assumes it is always 1723.
pptpproxy does support multiple proxy "pairs". However, when you initiate a connection
to pptpproxy, it needs to figure out where to forward that connection (i.e. which remote
server to connect to, or which "pair" to use).
Method 1: listen on multiple ports
The first trick consists in making pptpproxy listen on different tcp ports. It only works
if you can configure your PPTP client to change the port to connect to. If you can (as of
this writing, it isn't possible on Windows :( ), then run pptpproxy as follows:
pptpproxy \
-p 0.0.0.0:1723,server1.remote.com \
-p 0.0.0.0:1724,server2.remote.com \
-p 0.0.0.0:1725,server3.remote.com \
-p 0.0.0.0:1726,server4.remote.com
When pptpproxy receives a connection on port 1723, it'll forward it to server1.remote.com.
When pptpproxy receives a connection on port 1724, it'll forward it to server2.remote.com.
You get the idea.
Method 2: multiple IPs on a single NIC
If your firewall runs a unix that supports assigning multiple IP addresses to a single actual
NIC (Linux does, for example), it works wonders: if your internal NIC (i.e. the one that's connected
to your LAN) is eth0, you can do something along the lines of:
ifconfig eth0 192.0.168.1
ifconfig eth0:1 192.0.168.2
ifconfig eth0:2 192.0.168.3
ifconfig eth0:3 192.0.168.4
You can then run pptpproxy as follows
pptpproxy \
-p 192.0.168.1,server1.remote.com \
-p 192.0.168.2,server2.remote.com \
-p 192.0.168.3,server3.remote.com \
-p 192.0.168.4,server4.remote.com
You then configure your clients to connect to IP 192.0.168.{1,2,3,4} to respectively get
access to server{1,2,3,4}.remote.com.
Method 3: proxy chaining
If none of the options above are feasible, then there is the 'chaining' trick, where
you run pptpproxy on multiple machines inside your firewalled LAN, each redirecting to
the main pptpproxy on the firewall, but on a different port. In other words:
On machine1: pptpproxy -p my.fire.wall:1723
On machine2: pptpproxy -p my.fire.wall:1724
On machine3: pptpproxy -p my.fire.wall:1725
On machine4: pptpproxy -p my.fire.wall:1726
On the firewall:
pptpproxy \
-p 0.0.0.0:1723,server1.remote.com \
-p 0.0.0.0:1724,server2.remote.com \
-p 0.0.0.0:1725,server3.remote.com \
-p 0.0.0.0:1726,server4.remote.com
You then configure your clients to connect to machine1, machine2, machine3 or machine4
based on which remote server you want to connect to.