[pptp-server] Small VPN...

Cowles, Steve Steve at SteveCowles.com
Fri Jan 26 13:27:45 CST 2001


> -----Original Message-----
> From: Seth Northrop 
> 
> Hi.  I'm very new to PoPToP, and didn't find the answer to
> my question within the various pieces of documentation on the
> site.  My apologies if this has been asked before.
> 
> I want to build a fairly simplistic VPN.  
> 
> Currently a very simplistic view of an architecture looks like:
> 
>          --  Mail Server   Intranet
>          |-  Web Server    DB
> Internet |-  Firewall <--- File Server      
>          --  DNS           Internal LAN

I could not determine what type of firewall you are using from your post,
i.e. Linux based or third party. I'm assuming it's Linux based. Either way, a
PPTP tunnel will require that protocol 47 (GRE) and TCP port 1723 be
ACCEPTED on the firewall's external interface. In addition, where you insert
your PPTP server into your network architecture, i.e. running on the
firewall itself or behind it masq'd, will dictate whether or not you also
have to deal with port forwarding issues like patching your kernel and using
ipmasqadm/ipfwd. Check out the following site for more information:
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

> Ideally, we want to allow remote users with both static 
> AND/OR dynamic ip addresses (dialup/DSL/Cable etc.) into
> the internal network securely so that we can allow SMTP
> relaying to only occur from an internal interface /
> SMTP server, along with giving users access to our corporate
> intranet and/or fileserver(s).

Not an uncommon requirement when implementing a VPN solution. Obviously,
your ipchains input rules will have to grant access to protocol 47 and TCP
port 1723 from all public IP addresses, i.e. -s 0.0.0.0/0

> Currently we are doing port forwarding from the firewall and
> POP authenticated relay restrictions on the external mail
> server.  Neither seem as clean as a VPN solution.  And, absent
> serving file directories via apache, we have no good means to
> provide access to samba shares to remote users.

If you do not have a WINS server running on your internal LAN, install one.
It will help the remote PPTP clients deal with Microsoft Networking-related
file/print sharing issues.

> Clients are mostly Windows 95/98/2000 with the potential that 
> windows ME could pop into the picture.  There are also a few
> linux clients that could gain access. 

I have tried all of the above OSes with PopTop. The only problem I
encountered had to do with implementing 128-bit encryption on Win9x clients,
not on my PopTop server. NT/W2K clients worked without a problem.

> This is not a heavily remotely used network.  I wouldn't 
> expect more than a couple of people at any given point remotely
> accessing the network.. and, of those they will not be pushing
> a large amount of data.
> 
> The question is whether PoPToP is appropriate for this
> configuration; particularly as it pertains to routing IP 
> traffic through the tunnel->internal corporate net from dynamic
> (unknown) remote IPs.  If not, what other software/hardware
> options are there?

Based on your post, PopTop seems like a good match to me...

Steve Cowles
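The firewall rules Steve describes (GRE and TCP/1723 accepted on the external interface, with ipmasqadm portfw only when the PPTP server sits behind a masquerading firewall), written out as an added ipchains example that is not part of the original thread. The interface name and all addresses are constructed placeholders; set IPCHAINS=echo and IPMASQADM=echo to preview the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the pptp-server thread. Wrappers read the tool
# name at call time so "IPCHAINS=echo" turns the script into a dry run.
fw()   { "${IPCHAINS:-ipchains}" "$@"; }
masq() { "${IPMASQADM:-ipmasqadm}" "$@"; }

# Case 1: PopTop runs on the firewall itself. Only the PPTP control
# channel (TCP/1723) and the data channel (GRE, IP protocol 47) are
# opened on the external interface; every other inbound packet on that
# interface stays subject to the existing deny policy.
pptp_on_firewall() {
    ext_if="$1"; ext_ip="$2"
    # Remote clients have dynamic addresses, so the source is 0.0.0.0/0,
    # but the destination is pinned to the firewall's external address.
    fw -A input  -i "$ext_if" -p tcp -s 0.0.0.0/0 -d "$ext_ip" 1723 -j ACCEPT
    # GRE has no ports: protocol number only.
    fw -A input  -i "$ext_if" -p 47  -s 0.0.0.0/0 -d "$ext_ip"      -j ACCEPT
    # ipchains is stateless, so replies need matching output rules.
    fw -A output -i "$ext_if" -p tcp -s "$ext_ip" 1723 -d 0.0.0.0/0 -j ACCEPT
    fw -A output -i "$ext_if" -p 47  -s "$ext_ip"      -d 0.0.0.0/0 -j ACCEPT
}

# Case 2: PopTop sits behind the firewall on a masqueraded LAN.
# ipmasqadm portfw can redirect TCP/1723 to the internal server, but it
# works on ports and GRE has none, so the data channel needs the
# ipfwd/kernel-patch approach from the impsec.org page referenced above.
pptp_behind_firewall() {
    ext_if="$1"; ext_ip="$2"; pptp_ip="$3"
    fw -A input -i "$ext_if" -p tcp -s 0.0.0.0/0 -d "$ext_ip" 1723 -j ACCEPT
    fw -A input -i "$ext_if" -p 47  -s 0.0.0.0/0 -d "$ext_ip"      -j ACCEPT
    masq portfw -a -P tcp -L "$ext_ip" 1723 -R "$pptp_ip" 1723
    # GRE toward $pptp_ip is deliberately not forwarded here (see above).
}

# Usage: sh pptp-rules.sh firewall eth0 203.0.113.10
#        sh pptp-rules.sh behind   eth0 203.0.113.10 192.168.1.20
case "${1:-}" in
    firewall) pptp_on_firewall "$2" "$3" ;;
    behind)   pptp_behind_firewall "$2" "$3" "$4" ;;
esac
```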
