[pptp-server] PoPToP wins! (routing issues resolved)

Frank Cusack fcusack at fcusack.com
Wed Jun 12 22:31:42 CDT 2002


On Wed, Jun 12, 2002 at 03:14:30PM -0700, Christopher Aedo wrote:
> I realized the sensible way to deal with the routing issues I discuss 
> (routing over diverse networks) was just to allow the new PPP connection 
> to be the default gateway.  It does introduce the issue of potentially 
> routing ALL internet traffic through the VPN connection, but that is 
> something that we can overcome easily.  This allows us to have routes as 
> wacky as we like on our internal side, and not have to try pushing this 
> out through PPP.

Well, not potentially.  You WILL route all internet traffic through the
VPN.  I'm not sure what you mean by "overcome", but if you mean "avoid" I
for one would love to hear about it if you get a solution.

The problem I've found with "use default gateway on remote network" is if
the user is far from the VPN endpoint (say, east coast or international
users connecting to a single west coast VPN server) it's a significant
penalty to have all traffic make the extra round trip.

My solution is to use the 10 network.  When the ppp client connects,
it cannot know the netmask of the remote ip.  So if it adds a network route
for the remote ip, it must use the natural mask, 10/8 in this case.

All the services that VPN users have to get to are on the 10 network,
those that aren't are natted by the firewall the vpn server is attached
to.  You could do this for 192.168 also, but not nearly as easily.  It
might not be possible at all depending on how many clients connect and
how many services you make available.

This restricts users to something other than the 10 network for their local IP, which
hasn't been a problem -- most (all?) home firewalls give out 192.168 dhcp
addresses by default, and ISPs will give them a real (Internet routable) IP.

Also, if you use 192.168 addresses it is more likely you will conflict
with a user's local IP network.  I guess in reality as long as you stay
away from 192.168.0 and .1 you should be OK.

/fc
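
The classful-route behaviour Frank relies on above can be checked without a PPP link. The following is an added example, not code from the thread or from PoPToP: it applies the classful natural-mask rule (first octet below 128 gives /8, below 192 gives /16, below 224 gives /24) to the remote IP a ppp client learns, derives the network route that client would install, and then tests whether a set of service addresses sits inside that route and whether the route collides with the user's home LAN. All addresses in it are constructed for illustration.

```python
import ipaddress


def natural_prefix(addr: str) -> int:
    """Classful natural mask length for an IPv4 address (first-octet rule).

    Class A (0-127) -> /8, class B (128-191) -> /16, class C (192-223) -> /24.
    Class D/E addresses have no host network, so they are rejected.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr}: class D/E address has no natural host mask")


def classful_route(remote_ip: str) -> ipaddress.IPv4Network:
    """Network route a ppp client adds when it only knows the peer's IP.

    The client has no netmask for the remote side, so the only route it can
    derive from the address alone is the classful one: 10.x.x.x -> 10/8,
    192.168.x.x -> a single /24.
    """
    return ipaddress.ip_network(
        f"{remote_ip}/{natural_prefix(remote_ip)}", strict=False
    )


def reachable_via_vpn(remote_ip: str, services: list[str]) -> dict[str, bool]:
    """Which service addresses fall inside the route the client will install.

    Anything outside it is reached through the user's normal default
    gateway, not through the tunnel, unless the server NATs it.
    """
    route = classful_route(remote_ip)
    return {svc: ipaddress.IPv4Address(svc) in route for svc in services}


def conflicts_with_lan(remote_ip: str, lan_cidr: str) -> bool:
    """True if the derived route overlaps the user's local (home) network."""
    return classful_route(remote_ip).overlaps(ipaddress.ip_network(lan_cidr))


if __name__ == "__main__":
    # Constructed addresses: a 10/8 deployment versus a 192.168 one.
    for peer in ("10.200.1.1", "192.168.50.1"):
        print(peer, "->", classful_route(peer))
    print(reachable_via_vpn("192.168.50.1", ["192.168.50.10", "192.168.60.10"]))
    print(conflicts_with_lan("10.200.1.1", "192.168.1.0/24"))
    print(conflicts_with_lan("192.168.1.1", "192.168.1.0/24"))
```

Running it shows why the 10 network is the easy case: a 10.x peer address yields a 10.0.0.0/8 route that covers every 10.x service, while a 192.168.x peer yields one /24, so every service (and every client address) has to fit in that single /24 or be NATted; it also shows that the only home LANs the 192.168 variant collides with are those in the same /24, which matches the advice to stay away from 192.168.0 and 192.168.1.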
