[pptp-server] PoPToP wins! (routing issues resolved)

Chris Tooley ctooley at amoa.org
Thu Jun 13 09:32:15 CDT 2002


On Wed, 2002-06-12 at 22:31, Frank Cusack wrote:
> On Wed, Jun 12, 2002 at 03:14:30PM -0700, Christopher Aedo wrote:
> > I realized the sensible way to deal with the routing issues I discuss 
> > (routing over diverse networks) was just to allow the new PPP connection 
> > to be the default gateway.  It does introduce the issue of potentially 
> > routing ALL internet traffic through the VPN connection, but that is 
> > something that we can overcome easily.  This allows us to have routes as 
> > wacky as we like on our internal side, and not have to try pushing this 
> > out through PPP.
> 
> Well, not potentially.  You WILL route all internet traffic through the
> VPN.  I'm not sure what you mean by "overcome", but if you mean "avoid" I
> for one would love to hear about it if you get a solution.

Having two default routes (or really two routes to 0.0.0.0/0) is not
that big of an issue.  If you have the VPN Server be a default route and
don't want all of your internet traffic going through it, you set your
other gateway (or real gateway) up as a route to 0.0.0.0/0 as well, and
make rules on your VPN Server to only route the traffic you want
routed.  For instance, if the traffic is to Yahoo you drop the packet.
That way the client rolls over to their "other route" to the internet.

> 
> The problem I've found with "use default gateway on remote network" is if
> the user is far from the VPN endpoint (say, east coast or international
> users connecting to a single west coast VPN server) it's a significant
> penalty to have all traffic make the extra round trip.
> 
> My solution is to use the 10 network.  When the ppp client connects,
> it cannot know the netmask of the remote ip.  So if it adds a network route
> for the remote ip, it must use the natural mask, 10/8 in this case.
> 
> All the services that VPN users have to get to are on the 10 network,
> those that aren't are natted by the firewall the vpn server is attached
> to.  You could do this for 192.168 also, but not nearly as easily.  It
> might not be possible at all depending on how many clients connect and
> how many services you make available.
> 
> This restricts users to something other than the 10 network for their local IP, which
> hasn't been a problem -- most (all?) home firewalls give out 192.168 dhcp
> addresses by default, and ISPs will give them a real (Internet routable) IP.
> 
> Also, if you use 192.168 addresses it is more likely you will conflict
> with a user's local IP network.  I guess in reality as long as you stay
> away from 192.168.0 and .1 you should be OK.
> 
> /fc
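As an added illustration (not part of the thread, and not PoPToP or pppd code), a small Python simulation of the two client-side schemes discussed above: the classful natural mask a PPP client falls back on when the peer supplies no netmask, and a longest-prefix lookup over a client routing table with and without the remote default route. All addresses are constructed; nothing here touches a real routing table.

```python
import ipaddress

# Constructed example addresses; none are taken from the thread.
REMOTE_PPP_IP = "10.1.2.3"       # address the VPN server hands the client
LOCAL_GATEWAY = "192.168.1.1"    # the client's own (home/ISP) default gateway


def natural_network(addr: str) -> ipaddress.IPv4Network:
    """Classful 'natural' mask a PPP client falls back on when the peer
    does not supply a netmask: /8 for class A, /16 for B, /24 for C."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network((int(ip), prefix), strict=False)


def build_table(remote_ip: str, local_gw: str, use_remote_default: bool):
    """Client routing table as (network, next_hop) pairs.
    use_remote_default=True mirrors 'use default gateway on remote network'."""
    table = [(natural_network(remote_ip), "ppp0")]
    if use_remote_default:
        table.append((ipaddress.IPv4Network("0.0.0.0/0"), "ppp0"))
    table.append((ipaddress.IPv4Network("0.0.0.0/0"), local_gw))
    return table


def lookup(table, dest: str) -> str:
    """Longest-prefix match; on equal prefix length the earlier entry wins,
    which is how two 0.0.0.0/0 routes end up being ordered."""
    d = ipaddress.IPv4Address(dest)
    best = None
    for net, hop in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def conflicts_with_lan(remote_ip: str, client_lan: str) -> bool:
    """The caveat raised above: the natural-mask route must not overlap
    the client's own LAN, or local traffic gets pulled into the tunnel."""
    return natural_network(remote_ip).overlaps(ipaddress.IPv4Network(client_lan))


if __name__ == "__main__":
    split = build_table(REMOTE_PPP_IP, LOCAL_GATEWAY, use_remote_default=False)
    full = build_table(REMOTE_PPP_IP, LOCAL_GATEWAY, use_remote_default=True)
    for dest in ("10.20.30.40", "198.51.100.7"):
        print(dest, "split:", lookup(split, dest), "full:", lookup(full, dest))
    print("192.168 natural route:", natural_network("192.168.5.10"))
    print("LAN 10.0.0.0/24 conflicts:", conflicts_with_lan(REMOTE_PPP_IP, "10.0.0.0/24"))
```

Running it shows why the 10 network works and 192.168 does not: a 10.x peer address yields a single 10.0.0.0/8 route covering every internal service, while a 192.168.x peer yields only one /24.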