Contributed by jose on from the insecure-VPNs dept.
Obviously you should be using IPsec if at all possible, but a lot of OpenBSD hackers have to use PPTP on networks they don't control. In a helpful misc posting, qstreb posted a PPTP recipe for getting connected via PPTP. Note that you'll have to recompile your kernel and probably update your PF rules. However, this seems like a good place to start.
Note that the PPTP toolkits may not be very stable, but it's something (and maybe you can even improve upon it). Also, PPTP has known security vulnerabilities, so this is only for situations where you have to use it. If you have any better documents, feel free to share them.
If you searched the web, you would have found the following papers.
http://www.counterpane.com/pptp-paper.html
http://www.counterpane.com/pptpv2-paper.html
Speaking of this... Anyone know how to set up a PPTP server on OpenBSD? I know, sounds lame. I can use IPSec, but I'm curious though. I've never seen any docs on how to set up a PPTP server; only a client.
I wouldn't say it's a bad idea. I set up poptop on my gateway for my home WLAN, so my win2k laptop could use a VPN over the wireless connection. Worked for me.
http://www.poptop.org/
::chris
Comments
By Anonymous Coward () on
Kewl. thx Chris!
By Anonymous Coward () on
Why did you use PPTP? W2K supports IPSec (although it ain't pretty from what I've heard, it is supported). You may need to add some MS patches though (for stronger encryption).
Comments
By mra () on
Because you can be a pawn in a larger organization which is an MS shop. Or at least someone who is not in charge of deciding the remote access protocol.
By RC () on
If you are looking for something else, you can set up a SOCKS server and tunnel the traffic through SSH. That's an easy way to get everything working, even though you need to have SOCKS support on the clients. On the plus side, having client software gives you control over which connections should go over the tunnel and which should not.
As for the socks server of choice, Dante works quite well, and it's BSD-licensed.
Comments
By mra () on
For a second I thought you were talking about the -D flag for openssh.
snip from the man page:
-D port
Specifies a local ``dynamic'' application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 protocol is supported, and ssh will act as a SOCKS4 server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
Comments
By RC () on
For one thing, SOCKS4 does not allow anything other than TCP/IP (e.g. no UDP, ICMP, etc.). That can be a problem.
For another thing, it looks like -D wasn't introduced until 3.0, which was (ironically) around the time I no longer needed to do this.
I'll check this out some more, but from reading it, it sounds like it may have a few deficiencies compared to a REAL SOCKS server.
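The SOCKS4 exchange that ssh -D speaks, as an added example that is not part of this thread or of OpenSSH: the wire format the man page snippet above describes, encoded and decoded in Python, with a toy policy server talking to a client over a socketpair so the exchange runs offline without ssh. It makes RC's point concrete: the request header holds a command byte (CONNECT or BIND), one TCP port, one IPv4 address and a userid, and nothing else, so UDP or ICMP cannot even be asked for. The allowed-ports policy, the 10.0.0.5 address and the userid are made up for the example.

```python
import socket
import struct
import threading

# SOCKS4 constants (the protocol OpenSSH's -D implemented in the 3.x era).
SOCKS4_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
REPLY_GRANTED = 90
REPLY_REJECTED = 91

# Fixed 8-byte header: VN, CD, DSTPORT (network order), DSTIP. The USERID
# follows, NUL-terminated. There is no protocol field: SOCKS4 is TCP only.
HEADER = struct.Struct("!BBH4s")


def build_request(command: int, host: str, port: int, userid: str = "") -> bytes:
    """Encode a SOCKS4 request as a client (or ssh's local SOCKS side) sees it."""
    return HEADER.pack(SOCKS4_VERSION, command, port, socket.inet_aton(host)) \
        + userid.encode("ascii") + b"\x00"


def parse_request(data: bytes):
    """Decode a request as a server would; raises ValueError on malformed input."""
    if len(data) < HEADER.size + 1:
        raise ValueError("short SOCKS4 request")
    vn, cd, port, raw_ip = HEADER.unpack_from(data)
    if vn != SOCKS4_VERSION:
        raise ValueError("not SOCKS version 4")
    nul = data.find(b"\x00", HEADER.size)
    if nul == -1:
        raise ValueError("userid not NUL-terminated")
    return cd, socket.inet_ntoa(raw_ip), port, data[HEADER.size:nul].decode("ascii")


def build_reply(code: int, host: str = "0.0.0.0", port: int = 0) -> bytes:
    """Server reply: VN is always 0, CD is 90 (granted) or 91 (rejected)."""
    return HEADER.pack(0, code, port, socket.inet_aton(host))


def parse_reply(data: bytes) -> int:
    """Return the reply code from the server's 8-byte answer."""
    vn, code, _port, _ip = HEADER.unpack_from(data)
    if vn != 0:
        raise ValueError("bad SOCKS4 reply version")
    return code


def serve_one(conn: socket.socket, allowed_ports) -> None:
    """Toy server-side policy (made up for the example): grant CONNECT to the
    allowed ports, reject BIND and anything malformed. A real server would
    then open the TCP connection and relay bytes; the reply is enough here."""
    try:
        cd, host, port, _userid = parse_request(conn.recv(512))
        granted = cd == CMD_CONNECT and port in allowed_ports
        conn.sendall(build_reply(REPLY_GRANTED if granted else REPLY_REJECTED, host, port))
    except ValueError:
        conn.sendall(build_reply(REPLY_REJECTED))
    finally:
        conn.close()


def exchange(request: bytes, allowed_ports=(22, 80, 443)) -> int:
    """Run one client/server exchange over a socketpair; return the reply code."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server, allowed_ports))
    worker.start()
    try:
        client.sendall(request)
        return parse_reply(client.recv(HEADER.size))
    finally:
        worker.join()
        client.close()


if __name__ == "__main__":
    for cmd, port in ((CMD_CONNECT, 443), (CMD_CONNECT, 25), (CMD_BIND, 80)):
        req = build_request(cmd, "10.0.0.5", port, "rc")  # constructed sample
        print(f"cmd={cmd} port={port} -> reply {exchange(req)}")
```

Later OpenSSH releases added SOCKS5 to -D, but ssh's dynamic forwarding still only relays TCP connections; a separate SOCKS server such as Dante is what you reach for when the clients need more than that.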
By djm () on
The free PPTP server (PoPToP) is pretty poor - the 'stable' version dies on out-of-order packets and the development version is a little unstable. It also seems to be unmaintained.
By Anonymous Coward () on
..what are they?
..how serious are they?
Comments
By Dries Schellekens () on
http://www.counterpane.com/pptp.html
http://www.counterpane.com/pptp-paper.html
http://www.counterpane.com/pptpv2-paper.html
By Steve () steve@netwaynetworks.com.au on
I've seen it twice in the last 2 days, and it doesn't look friendly IMHO. Is there a patch around for it?