[pptp-server] pptpd still not handling dropped connections properly?

Bitt Faulk wfaulk at totalsports.net
Thu Jun 3 16:36:01 CDT 1999


Okay, we're getting off on a tangent here, so smoke 'em if you've got 'em.

On Thu, 3 Jun 1999, Seth Vidal wrote:
>
> > Maybe I've made some sort of logical mistake.  Here's how I have it
> > configured:
> > 
> > /etc/pptpd.conf:
> > 
> > speed 115200
> > localip 172.17.0.1-100
> > remoteip 172.17.1.1-100
> are these /24 (255.255.255.0) subnets or /16 (255.255.0.0)

Hmm.  Interesting question.  They exist solely for the benefit of pptp.
I'll get back to this in a minute.

> > So a PTP is made between those two IPs and then (magically on the remote
> > side) a route is created to my routable network on that same server that
> > allows the VPN to happen.
> not really magically it just adds a route for the network and proxyarp
> allows users to find your users on the other side
> 
> proxyarp
>               Add  an entry to this system's ARP [Address Resolu-
>               tion Protocol] table with the  IP  address  of  the
>               peer and the Ethernet address of this system.  This
>               will have the effect of making the peer  appear  to
>               other systems to be on the local ethernet.

That's not really what I meant.  The network they're connecting to via the
VPN is, let's say, 192.168.128.0/23.  They use the arbitrary (and
unroutable)

172.17.1.(0-100)<->172.17.0.(0-100)

as the connection to the pptp server and for no other reason.  This
assigns 172.17.1.x to the remote user, which, importantly (and obviously),
is in a range that I know prior to their connection.  The route to these
addresses is on my local network, so any machine here can route back to
the remote users via that IP properly.  Most importantly, an application
server can now authorize them by IP address.

There is a route created for the Point-to-Point connection, and then
another one seems to be created to the network on the other side of the
server.  When I ran netstat -rn on the client, I did not see a route to
that network, and therefore should have gone over the machine's default
route, but it went over the VPN anyway.  Maybe I just missed the line, but
that's what I meant by magic.  That, and the fact that the protocol
(apparently?) inserts this by itself.  I tend to like to do things by hand
so I know what's going on.

Proxyarp just prevents arp requests from being transmitted over that
relatively-expensive VPN connection, when the server knows it just as
well.  Nothing to do with routing, at least not on the IP level.

Let me know if I am an idiot with that.  There may well be something else
going on I don't understand.  And I don't think that proxyarp is
beneficial to this setup because I don't think anyone needs to know MAC
addresses because everything is P-t-P.  Right?  Not that it's harmful.

Also, keep in mind that all of the routing and whatnot seems to work fine
until the connection goes away.  If you look back at my initial ps output,
you'll see that there are multiple pppds running trying to access the same
IPs.  Hmmm.  Now that I think about it, I assumed that the ones that were
duplicating the server-side IPs were duplicating the client-side IPs as
well.  Now that I think about it, I don't know that that's true.  I'll
have to reverify that.

> >  It seems to work fine until the pppds decide
> > not to die, and then pptpd decides to reallocate those IPs and, apparently
> > the old pppds conflict with the routing.  If there's a better, more stable
> > way to set this up, let me know.  I just need to have definable IPs for my
> > remote users.
> 
> how many users?

I upped the max limit to 100 as an arbitrary number greater than 10.  I
probably have about 25-30 folks who need to use it, but no more than 5 or
6 have connected at a time so far.

> what version of pptpd?

The just-released version, PoPToP v0.8.7

> Matt, Kevin, is pptpd ok for > 50 users. I noticed some potential leak
> fixes in the last changelog. Would this many users eat up the system
> resources? How well does it scale? Anybody know?
> 
> is ppp the out of the box version or did you recompile it?

PPP is out of the box, but I have had no other problems with it.  At the
same time, I have not pressure-tested it, but I have used it, and am, in
fact, using it for another VPN underneath ssh.  That's been running for
days with no problem, but again, the problem seems to be in stopping.

-Bitt

PS: Whew...
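The thread turns on two things: how the localip/remoteip ranges in pptpd.conf map to per-session addresses, and the stale pppds that end up sharing an IP after a dropped connection, which matters because an application server authorizes users by that IP. The script below is an added example, not code from the post or from the PoPToP project: it expands the range syntax quoted above (last-octet ranges like 172.17.0.1-100, plus comma lists), then checks a constructed set of pppd command lines for duplicate or out-of-pool assignments. The ps-style lines, and the assumption that pppd is invoked with a "local:remote" address pair, are constructed for the example.

```python
"""Audit pptpd IP pools against running pppd sessions.

Added example, not from the original mailing-list post. It expands the
range syntax used in pptpd.conf (e.g. "172.17.0.1-100") and checks that
no remote address is handed to two pppd sessions at once, which is the
precondition for the IP-based authorization the post relies on.
"""
import ipaddress
import re

# pptpd.conf content as quoted in the thread.
PPTPD_CONF = """\
speed 115200
localip 172.17.0.1-100
remoteip 172.17.1.1-100
"""


def expand_pool(spec):
    """Expand a pptpd address spec into a list of IPv4Address objects.

    Handles single addresses, comma-separated lists, and last-octet
    ranges such as 172.17.0.1-100 (assumption: the range applies to
    the last octet only, which is how the quoted config uses it).
    """
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad range: {item}")
            addrs.extend(ipaddress.IPv4Address(f"{prefix}{n}")
                         for n in range(lo, hi + 1))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def parse_pptpd_conf(text):
    """Return {"localip": [...], "remoteip": [...]} from pptpd.conf text."""
    pools = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ("localip", "remoteip"):
            pools[key] = expand_pool(value.strip())
    return pools


# Constructed pppd command lines in the style of ps output. Assumption:
# pptpd starts pppd with the session's "local:remote" address pair as
# the last argument. The third line is a stale pppd reusing a pair.
PS_LINES = [
    "pppd local /dev/pts/3 115200 172.17.0.1:172.17.1.1",
    "pppd local /dev/pts/5 115200 172.17.0.2:172.17.1.2",
    "pppd local /dev/pts/7 115200 172.17.0.1:172.17.1.1",
]


def session_pairs(ps_lines):
    """Extract (local, remote) address pairs from pppd command lines."""
    pairs = []
    for line in ps_lines:
        m = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            pairs.append((ipaddress.IPv4Address(m.group(1)),
                          ipaddress.IPv4Address(m.group(2))))
    return pairs


def audit(pools, pairs):
    """Report pool overlap, remote IPs used twice, and pairs outside the pools."""
    local, remote = set(pools["localip"]), set(pools["remoteip"])
    findings = {"overlap": sorted(local & remote),
                "duplicate_remote": [], "outside_pool": []}
    seen = set()
    for loc, rem in pairs:
        if loc not in local or rem not in remote:
            findings["outside_pool"].append((loc, rem))
        if rem in seen:
            findings["duplicate_remote"].append(rem)
        seen.add(rem)
    return findings


if __name__ == "__main__":
    pools = parse_pptpd_conf(PPTPD_CONF)
    for key, value in audit(pools, session_pairs(PS_LINES)).items():
        print(key, [str(v) for v in value])
```

Any entry under duplicate_remote means two pppd processes claim the same client address, so an application server trusting that address cannot tell the sessions apart; that is the state to clear (by reaping the stale pppd) before relying on IP-based authorization again.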