On 11/21/06 00:20, Rangi Biddle wrote:
> What I want to do is have a VPN (PPTP/IPSEC/CIPE/etc) server, but it
> must support more than one simultaneous connection.
>
> I currently have a PPTP VPN server setup that has port 1723 and protocol
> 47 DNAT'd through to the internal IP address of the VPN server and I
> have not been able to have more than one connection at a time. I am
> considering setting up the VPN server as a gateway (for lack of a better
> word) and instead of DNATing the connections through to the internal IP
> I would setup a DMZ with the VPN server as the only host. My only
> concern in doing so is that if it does not work what other options do I
> have besides getting a different connection type such as fibre? I'm
> trying to do this as cheaply as possible.

Can / will you provide some more information such as what type of client will be connecting to the VPN concentrator?

I believe the 1 concurrent connection you are referring to is a limitation of the IPTables match extension for PPTP tunnels. If you put the VPN Concentrator such that it is directly routable you should have better luck.

Beyond PPTP, you can look into IPSec or SSLTunnel, or any number of other products. However, to be able to determine which of the products is best suited to your situation, we need to know more about your situation.

Grant. . . .
Greetings List Members,

I'll firstly apologise if this isn't the place that I should be posting this message but here goes.

What I want to do is have a VPN (PPTP/IPSEC/CIPE/etc) server, but it must support more than one simultaneous connection.

I currently have a PPTP VPN server setup that has port 1723 and protocol 47 DNAT'd through to the internal IP address of the VPN server and I have not been able to have more than one connection at a time. I am considering setting up the VPN server as a gateway (for lack of a better word) and instead of DNATing the connections through to the internal IP I would setup a DMZ with the VPN server as the only host. My only concern in doing so is that if it does not work what other options do I have besides getting a different connection type such as fibre? I'm trying to do this as cheaply as possible.

Any and all comments/suggestions are welcome.

Rangi

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Hi Guys and thanks for the replies so far. Sorry for the lack of information, but if you have questions I am more than willing to answer them.

> Can / will you provide some more information such as what type of client
> will be connecting to the VPN concentrator?

The clients that will be connecting to the VPN server will be Windows clients. This is why I chose to build a PPTP VPN server as there would be no additional software to install on any of the clients.

> I believe the 1 concurrent connection you are referring to is a limitation
> of the IPTables match extension for PPTP tunnels. If you put the VPN
> Concentrator such that it is directly routable you should have better
> luck.

What do you mean by directly routable? Are you referring to the DMZ suggestion I made earlier or something else such as bridging the connection?
Hi Grant,

> Is your VPN concentrator / server directly on the internet or is there
> some sort of port forwarding going on? You could use a DMZ, if the machine in
> the DMZ had a globally routable IP, i.e. did not use port forwarding of
> any sort.

Unfortunately the VPN server does not explicitly have a public IP address that would allow it to receive connections. At present, the VPN server is sitting behind a DSL router which has a public IP and is receiving connections via DNAT, in particular port 1723 (PPTP) and protocol 47 (GRE). The DMZ setup that the DSL router offers is basically having all connections on the public IP DNAT through to the internal IP address of the VPN server. I have been able to verify this, as the router itself runs a minimal linux environment which includes using IPTables for its firewalling capabilities (D-Link branded DSL router).

Also, I have already mentioned that moving to another type of connection such as fibre isn't an option as I cannot afford a connection of this type (I live in New Zealand). Other alternative connections to DSL are not very affordable and we are very limited in the connection types that we can choose from. At present the range of connections is as follows:

Dial-Up - Far too slow
DSL - Affordable and very quick
ISDN - Far too pricey ($900 per month not including data charges)
Cable - Only available in certain areas in New Zealand
Fibre - Far far too pricey ($1,500 per month - 2 Mbps National / 512k International)

Fibre by far would be the best option as I would receive around 7 public IP addresses, but as you can see from the cost it just isn't very feasible for only a VPN solution.

As you also mentioned in your previous email about the limitation of IPTables, are there any workarounds such as using the patch-o-matic patches?

Any comments/suggestions are welcome from anyone.
> Hum. Is your DSL modem built in to the router you are using, or could you
> supplant your router with a / your Linux box?
> If you can put your Linux box directly on the internet, then your VPN
> concentrator will (inherently) be directly on the net too.

Unfortunately my router is combined with the DSL modem, effectively a single CPE.

> I believe the limitation, which may have been patched without my being
> aware of it as I don't use PPTP (yet), is in the helper module for
> connection tracking for PPTP. I would have to refresh myself on the PPTP
> protocol and its interaction with IPTables. I suggest you do some more
> reading on the mailing list as well as on NetFilter.org to see if you can
> find out something else.

I have just come across some information that says that the connection tracking support for PPTP connections in particular is now part of the mainstream kernel (>= 2.6.14). I am currently downloading version 2.6.18-3 and will let you know how it goes.

PS. I'm using CentOS which probably isn't the best choice for hacking things to pieces - guess that serves me right. I believe debian (Sarge) has support for pptp_conntrack in it already so I might give that a go as well.

If you're interested I am more than happy to discuss this matter off the mailing lists, but it perhaps may serve a better purpose by being on the lists for future reference for others.
Hi List,

This is an update for anyone that has been attempting to get a PPTP VPN working using PopTop with more than one simultaneous connection from an external source to a PPTP VPN behind a router that is NATing connections through. I assume that whoever is setting this up has some general knowledge of linux and how to compile a kernel. I also make the assumption that you already have a PPTP server up and running but are requiring more than one simultaneous connection. I also offer no warranties or take on any responsibility on whether or not this breaks your system and causes damage of any kind.

With that said, I used the most recent kernel (2.6.18.3) and used all the default settings and added in all (except the experimental) iptables modules. I also added in PPP MPPE support (even though it is experimental). To make things easier on myself I compiled the kernel as a binary RPM package since the distro that I am using uses RPMs. After installing the new kernel I made modifications to my boot loader (in my case grub) to use the new kernel and then rebooted the system.

I used the following IPTables rules:

    iptables -t nat -A POSTROUTING -j MASQUERADE
    (Very general masquerading - not recommended and should be tied down to specific subnets)

    iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    (Accept inbound PPTP connections)

    iptables -A INPUT -p gre -j ACCEPT
    (Accept inbound GRE connections)

    iptables -A OUTPUT -p gre -j ACCEPT
    (Accept outbound GRE connections)

I executed the command:

    service iptables save

to save my newly added iptables rules. I then edited /etc/rc.local and added in the following lines:

    modprobe ip_nat_pptp
    modprobe ip_conntrack_pptp

which load the additional modules needed for PPTP NAT connections, and finally rebooted the system once more to make sure everything starts up as expected.

If you have any problems please mail them to the list and I will see if I can be of some assistance.
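The rule set in the update above, restructured as a small script: the MASQUERADE rule is tied to one source subnet and one outgoing interface (the update's own caveat), the PPTP and GRE rules are bound to the external interface, and a check function refuses the unscoped "masquerade everything" rule before anything is applied. This is an added example, not the poster's script and not part of the LARTC thread; LAN_NET and WAN_IF are constructed sample values, the module names are the 2.6.18-era ones used in the thread, and nothing touches the live firewall unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the list thread). Builds the PPTP/GRE rule set
# described in the update, with masquerading scoped to one subnet and
# interface, and loads the PPTP conntrack/NAT helper modules.
# Dry-run by default: commands are only printed unless APPLY=1.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed: LAN behind the VPN box
WAN_IF="${WAN_IF:-eth0}"               # constructed: interface toward the DSL router

# pptp_rules prints one iptables command per line for the given LAN and WAN.
# The update's bare "-j MASQUERADE" is replaced by a rule limited to the LAN
# subnet leaving via the WAN interface; 1723/tcp and GRE are accepted only on
# that interface.
pptp_rules() {
    lan="$1"
    wan="$2"
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -s $lan -o $wan -j MASQUERADE" \
        "iptables -A INPUT -i $wan -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT" \
        "iptables -A INPUT -i $wan -p gre -j ACCEPT" \
        "iptables -A OUTPUT -o $wan -p gre -j ACCEPT"
}

# pptp_modules prints the modprobe lines for the helper modules named in the
# thread (2.6.18 names; later kernels call them nf_conntrack_pptp/nf_nat_pptp).
# The conntrack helper is what ties each GRE flow to its 1723 control
# connection, so several clients behind the same NAT can be told apart.
pptp_modules() {
    printf '%s\n' "modprobe ip_conntrack_pptp" "modprobe ip_nat_pptp"
}

# masq_is_scoped reads rules on stdin and returns 0 only if every MASQUERADE
# rule carries a source restriction (-s); returns 1 if an unscoped one exists.
masq_is_scoped() {
    unscoped=$(grep MASQUERADE | grep -v -- '-s ' || true)
    [ -z "$unscoped" ]
}

# run_lines executes each line of stdin when APPLY=1, otherwise echoes it.
run_lines() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        else
            printf 'would run: %s\n' "$cmd"
        fi
    done
}

# The update's original, unscoped rule, kept for comparison with the check.
UNSCOPED_RULE="iptables -t nat -A POSTROUTING -j MASQUERADE"

main() {
    if ! pptp_rules "$LAN_NET" "$WAN_IF" | masq_is_scoped; then
        echo "refusing: MASQUERADE rule is not limited to a subnet" >&2
        return 1
    fi
    pptp_modules | run_lines
    pptp_rules "$LAN_NET" "$WAN_IF" | run_lines
}

main
```

Run it once without APPLY to review the printed commands, then with `APPLY=1` as root; on a CentOS-style system follow it with `service iptables save`, as the update does, and put the two modprobe lines in /etc/rc.local so the helpers load before pptpd starts.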
Rangi Biddle wrote:
> This is an update for anyone that has been attempting to get a PPTP VPN
> working using PopTop with more than one simultaneous connection from an
> external source to a PPTP VPN behind a router that is NATing connections
> through. I assume that whoever is setting this up has some general
> knowledge of linux and how to compile a kernel. I also make the
> assumption that you already have a PPTP server up and running but are
> requiring more than one simultaneous connection. I also offer no
> warranties or take on any responsibility on whether or not this breaks
> your system and causes damage of any kind.
...
> If you have any problems please mail them to the list and I will see if
> I can be of some assistance.

So I take it that you were able to get PPTP / PopTop working the way you wanted with multiple concurrent PPTP connections?

Grant. . . .
> So I take it that you were able to get PPTP / PopTop working the way
> you wanted with multiple concurrent PPTP connections?

Yup!