
Giving clients local LAN addresses - is it possible with Poptop?

Help
2014-01-23
2014-01-27
  • David Horman

    David Horman - 2014-01-23

    Hi,

    I'm trying to replace a Windows server providing PPTP with a Linux server running Poptop.

    When a client connects to the Windows server, it is given an IP address which is local to the LAN - for example if the LAN is 172.16.0.0/16, a client might get 172.16.1.1.

    As far as I can tell (I don't fully understand VPNs!) Poptop creates a new interface, ppp0, and uses a different subnet to allow clients to connect - for example 10.0.0.0/8.

    So the Poptop server might have eth0=172.16.1.100, ppp0=10.0.0.100, and Poptop clients will have (for example, depending on how remoteip is set) 10.0.1.xxx.

    This makes things more complicated, because now any machine on the LAN that a Poptop client wants to communicate with must know the route to the ppp subnet.

    I've tried to bridge eth0 and ppp0, similar to how you bridge eth0 and tap0 in OpenVPN, but this doesn't work with ppp0.

    Is it possible for Poptap to do this? Is it valid, for example, to give ppp0 the same IP address as eth0? Can the server then (using iptables?) pass packets back and forth between real LAN addresses and the ones which Poptap assigns to clients?

     
    • Bart J. Smit

      Bart J. Smit - 2014-01-23

      Rather than bridging, have you tried an iptables rule for SNAT?

      iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 172.16.1.100

      You need to make sure your poptop server is routing packets between the ethernet and ppp networks:

      sysctl -a | grep ip_forward

      net.ipv4.ip_forward = 1

      Bart…


       
  • David Horman

    David Horman - 2014-01-27

    Part of the reason for wanting local IPs is so that connections can be opened to the VPN clients (some of whom will be running VNC, etc) and I also want to be able to distinguish between VPN clients from inside the network - I don't think the routing you suggest would allow this, as all VPN client traffic will seem to come from a single IP address.

    If it's not possible with Poptop (not Poptap as I kept writing) I'll have to go with OpenVPN, but Poptop looks a lot easier on the users.

    Is there any way to fake a bridge between ppp0 and eth0 with iptables? Could ppp0 just re-emit every packet eth0 receives and vice versa? Or is that silly?

     
    • Bart J. Smit

      Bart J. Smit - 2014-01-27

      Don’t use SNAT if you want to see the PPTP clients from the LAN. Still make sure that the Poptop server is configured to forward IPv4 packets and add a static route to your LAN default gateway to route packets for the client subnet through the Poptop server. If they are Windows clients and you configure them to register with an internal DNS server, they will update their name there. Otherwise you’ll need to train your users to find their IP address in the VNC system tray item.

      There is another solution for VNC; get the PPTP client users to pick ‘add viewer’ from their VNC system tray item and have your internal support techs run VNC viewer in listening mode. This is also a bit more comfortable for the remote users, since they have control over who is looking at their desktops. These connections are started from the client, so they will work through SNAT.

      I think Poptop is a layer 3 device (no L2TP support), so routing is your only option.

      Bart…

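Both of Bart's suggestions (the SNAT rule from his first reply and the plain-routing setup from the second) as one added example; this is not code from the thread or from the Poptop project. It assumes the addresses used in the thread (eth0=172.16.1.100 on 172.16.0.0/16) and a hypothetical remoteip pool of 10.0.1.0/24; DRY_RUN=1 (the default) only prints the commands, so it can be reviewed before running as root.

```shell
#!/bin/sh
# Constructed example: turn a Linux Poptop (pptpd) server into a router for its
# PPP clients, either behind SNAT or with clients keeping their own addresses.
LAN_IF=eth0
LAN_ADDR=172.16.1.100          # the server's eth0 address (from the thread)
LAN_NET=172.16.0.0/16
PPP_NET=10.0.1.0/24            # hypothetical 'remoteip' range from /etc/pptpd.conf
DRY_RUN=${DRY_RUN:-1}          # 1: print the commands instead of executing them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Required in both modes: the kernel must forward between eth0 and ppp*.
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
}

# Restrict forwarding to LAN <-> VPN-pool traffic; everything else is dropped,
# so a VPN client cannot be used as a hop to networks beyond this LAN.
forward_policy() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i ppp+ -s "$PPP_NET" -d "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$PPP_NET" -j ACCEPT
}

# Mode A (first reply): SNAT. The LAN sees every VPN client as $LAN_ADDR, so
# hosts cannot tell clients apart or open connections (e.g. VNC) to them.
mode_snat() {
  enable_forwarding
  forward_policy
  run iptables -t nat -A POSTROUTING -s "$PPP_NET" -o "$LAN_IF" \
    -j SNAT --to-source "$LAN_ADDR"
}

# Mode B (second reply): no NAT. Clients keep distinct 10.0.1.x addresses; the
# LAN gateway (or each gateway-less LAN host) needs a route back to the pool.
mode_routed() {
  enable_forwarding
  forward_policy
  echo "# run on the LAN default gateway, or on each LAN host without one:"
  echo "ip route add $PPP_NET via $LAN_ADDR"
}

case "${1:-}" in
  snat)   mode_snat ;;
  routed) mode_routed ;;
esac
```

Run as `sh pptp-router.sh snat` or `sh pptp-router.sh routed`; set DRY_RUN=0 to apply the commands.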

       
  • David Horman

    David Horman - 2014-01-27

    Ok, thanks for the information. It's a shame it isn't quite as simple as Windows Server VPN. I'll have to give it some thought, as I was planning on not giving any of the LAN clients any gateway, but your static route idea might work.

     
