OpenBSD Journal

PPTP Proxy for OpenBSD Firewalls

Contributed by grey on from the neat things to try out dept.

Martin Akesson writes:

Recently my employee was acquired by a large corporation which has a lot of information and reporting systems on their intranet. This intranet can only be accessed by PPTP, and each employee gets their own account. This causes major problems with a NAT'ed firewall, as PPTP uses GRE packets for the "secure" tunnel; the GRE protocol has no ports and will fail miserably with multiple connections from one IP. The solution is to install a proxy.

A quick search on Google gave me nothing that would work on *BSD, so I had to write my own. The proxy can be installed completely transparently on the firewall; it can also be chained from one proxy to another over multiple servers.

The proxy is still being improved little by little as bugs are found and I would appreciate any input from other users out there.

Project home for the proxy is: http://freshmeat.net/projects/frickin/

While I thankfully haven't had to deal with pptp anytime recently, I'm sure some pf firewall admins may find this useful.

Comments
  1. By Anonymous Coward (67.71.79.251) on

    That is awesome man! Thank you!!! I know a bunch of people that can use this and I will be trying it soon too.

  2. By Anonymous Coward (69.156.52.20) on

    Thanks! this is *SO* cool! I used to do a route-to in the firewall to something like a trendnet router (yuck!) TY again!

  3. By Chris Laverdure (69.156.176.31) dashevil@sympatico.ca on

    I want to set my OpenBSD box up as a PPTPd so my friends can all be on the same LAN as me, so to speak, and we can all play games without tossing IPs back and forth. That'd be grand.

    But I've had horrible luck and can't get poptop to work. :(

    Comments
    1. By Anonymous Coward (83.147.128.114) on

      man 4 ipsec ?

    2. By Anonymous Coward (67.71.79.251) on

      You can do that or a PPPoE server...

  4. By djm@ (203.217.30.86) on

    A possibly better solution would be to extend pf's state code to track the GRE call-id extension (by reusing the src/dst ports in the state entry). This would allow it to differentiate states between different NATted connections.

    Comments
    1. By Anonymous Coward (203.217.79.240) on

      Yes, I agree, editing PF to support multiple GRE connections would be an excellent idea. Another one would be to ditch PPTP altogether, although lately its acceptance has been widespread with those I like to call "pseudo-system administrators" (they have done all their Microsoft certs but can't show me what an AGP slot is). So I guess we're stuck with it for the time being. Either that or use IPSEC.

      All in all this program is a good idea and I encourage its development.

    2. By cellx (68.12.169.113) on

      I second that. I would LOVE to see support for PPTP passthrough AND IPSec passthrough. I mean, if my cheap $50 dollar linksys router can do passthrough for both PPTP and IPSec, I don't see why my openbsd fw can't.

      If Mr. Hartmeier is hearing me, please consider putting this onto the wishlist.

      Thanks again,
      cellx

      Comments
      1. By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on

        For IPsec, the answer is NAT-T (encapsulation in UDP), which OpenBSD now supports through isakmpd. As far as I know, that's the common solution for NATed VPN clients, and most products support it.

        As for PPTP, it seems possible to read attributes from that protocol header to associate individual packets with 'connections', at least that's how I understand the proxy works. If that's so, it would be possible to include similar code in the kernel so pf can associate PPTP packets of individual connections with individual state entries.

        This work would have to be done by someone who has a personal interest in the functionality, and the necessary infrastructure (I figure at least two Windows machines) to test and debug. This person will also be receiving support questions related to PPTP in general and be expected to act on them. I am not that person. I neither have any personal use for PPTP, nor any Windows boxen to do tests with. And, lacking any experience with PPTP, I wouldn't be qualified to do any kind of support for it.

        But I'll note the feature request and if someone should approach me who matches the above criteria and is looking for a feature to implement, I'll relay the message.

        In the meantime, why not try the proxy?

        Comments
        1. By cruel (195.39.211.10) on

          > But I'll note the feature request and if someone should approach
          > me who matches the above criteria and is looking for a feature to
          > implement, I'll relay the message.

          Maybe pptp-proxy's author? :) I think he is skilled enough if he has written pptp-proxy code for BSD systems...

          Comments
          1. By Shane (202.45.125.5) on

            Daniel's point is that the author would have to want to do this. Writing code and supporting code are two very different beasts. One could typically be done ad hoc but with passion, and the other usually has unrealistic expectations from users. I imagine Daniel would be looking for interest in all required aspects from someone, including the author.

        2. By cellx (68.12.169.113) on

          Mr. Hartmeier,

          Thank you for noting this to the feature request.

          Your question is:
          > In the meantime, why not try the proxy?

          I can use this proxy to provide to a known PPTP server, but I have Windows users behind my PF firewall that need to access various PPTP servers. Think of it this way too: I want to deploy a hotspot running Soekris and OpenBSD. Users will be connecting to the hotspot and PPTP to their business VPN servers.

          > For IPsec, the answer is NAT-T (encapsulation in UDP), which OpenBSD now
          > supports through isakmpd.

          Yes, this is a way to get IPSec working through a UDP stream, but this doesn't take care of the original issue. I would like complete IPSec passthrough just like a Linksys/SMC router can. This is the same scenario that the PPTP users have with different VPN endpoints.

          Thank you always for your time,
          cell x

          Comments
          1. By Martin Akesson (62.20.78.50) on

            This is something I've been thinking about too. The proxy is only usable whenever you know the destination server. Anyway, I did at first think of writing some passthrough handling of PPTP for PF, but as I was pressed for time I decided to go for the proxy solution. I have no real clue how hard it is to implement in PF, but the proxy was pretty straightforward and easy. PPTP itself is a very simple protocol.

          2. By Anonymous Coward (62.177.129.13) on

            Just use Linux. It has proper support for PPTP connection tracking through netfilter. For a modular kernel just do "modprobe ip_nat_proto_gre ip_nat_pptp ip_conntrack_pptp ip_conntrack_proto_gre".

            Comments
            1. By cellx (68.12.169.113) on

              I guess we're almost there if someone could just volunteer on Hartmeier's feature request.

            2. By Anonymous Coward (67.71.79.251) on

              Thing is, not everyone likes Linux. Not everyone wants to use it and not everyone likes, uses or wants to use netfilter. I'm not putting it down, but personally, netfilter is not for me, for one.
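As an added illustration of the state-keying idea in djm@'s comment above (track the GRE call ID alongside the addresses) and of the header-reading Daniel Hartmeier describes, here is a small standalone program. It is example code written for this page, not pf's state code and not the frickin proxy; the addresses, call IDs, function names and the fixed-size state table are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Demultiplexing PPTP data packets by GRE call ID (RFC 2637, section 4.1).
 * Added example for this page; not code from pf, frickin, or any commenter.
 * Addresses and call IDs below are constructed sample values.
 */

/* Bits of the 16-bit flags/version word in the PPTP enhanced GRE header. */
#define GRE_FLAG_KEY      0x2000  /* K: key (payload length + call ID) present */
#define GRE_FLAG_SEQ      0x1000  /* S: sequence number present */
#define GRE_FLAG_ACK      0x0080  /* A: acknowledgment number present */
#define GRE_VERSION_MASK  0x0007
#define GRE_VERSION_PPTP  1       /* enhanced GRE as used by PPTP */
#define GRE_PROTO_PPP     0x880B  /* protocol type carried by PPTP tunnels */

/* A state key that, unlike plain (src, dst, proto), tells PPTP tunnels apart. */
struct gre_pptp_key {
    uint32_t src;      /* outer IPv4 source, host byte order */
    uint32_t dst;      /* outer IPv4 destination, host byte order */
    uint16_t call_id;  /* peer call ID taken from the GRE header */
};

/*
 * Parse the GRE header at hdr (len bytes) and fill key. Returns the header
 * length consumed, or -1 if this is not a PPTP enhanced GRE packet.
 */
int gre_pptp_state_key(uint32_t src, uint32_t dst, const uint8_t *hdr,
                       size_t len, struct gre_pptp_key *key)
{
    if (len < 8)
        return -1;
    uint16_t flags = (uint16_t)((hdr[0] << 8) | hdr[1]);
    uint16_t proto = (uint16_t)((hdr[2] << 8) | hdr[3]);

    if ((flags & GRE_VERSION_MASK) != GRE_VERSION_PPTP)
        return -1;                      /* plain GRE: no call ID to key on */
    if (!(flags & GRE_FLAG_KEY) || proto != GRE_PROTO_PPP)
        return -1;

    int hlen = 8;                       /* flags, proto, payload len, call ID */
    if (flags & GRE_FLAG_SEQ) hlen += 4;
    if (flags & GRE_FLAG_ACK) hlen += 4;
    if (len < (size_t)hlen)
        return -1;                      /* truncated optional fields */

    key->src = src;
    key->dst = dst;
    key->call_id = (uint16_t)((hdr[6] << 8) | hdr[7]);
    return hlen;
}

#define MAX_STATES 16                   /* toy table size (constructed) */
struct state_table {
    struct gre_pptp_key keys[MAX_STATES];
    int n;
};

static int key_equal(const struct gre_pptp_key *a, const struct gre_pptp_key *b)
{
    return a->src == b->src && a->dst == b->dst && a->call_id == b->call_id;
}

/* Find the state for k, creating it if needed. Returns its index, -1 if full. */
int state_lookup_or_insert(struct state_table *t, const struct gre_pptp_key *k)
{
    for (int i = 0; i < t->n; i++)
        if (key_equal(&t->keys[i], k))
            return i;
    if (t->n >= MAX_STATES)
        return -1;
    t->keys[t->n] = *k;
    return t->n++;
}

/* Build a 12-byte PPTP GRE header: K and S set, version 1 (constructed packet). */
void build_pptp_gre(uint8_t out[12], uint16_t call_id, uint32_t seq)
{
    out[0] = 0x30; out[1] = 0x01;                   /* K=1, S=1, version 1 */
    out[2] = 0x88; out[3] = 0x0B;                   /* protocol type: PPP */
    out[4] = 0x00; out[5] = 0x00;                   /* payload length (demo: 0) */
    out[6] = (uint8_t)(call_id >> 8); out[7] = (uint8_t)call_id;
    out[8] = (uint8_t)(seq >> 24); out[9] = (uint8_t)(seq >> 16);
    out[10] = (uint8_t)(seq >> 8); out[11] = (uint8_t)seq;
}

/*
 * Two clients behind one NAT gateway, both tunnelling to the same PPTP server:
 * after NAT their packets share src, dst and proto, so a port-less GRE state
 * collapses them into one entry; keying on call ID keeps them apart.
 * Returns the number of distinct states created.
 */
int demo_distinct_tunnels(void)
{
    struct state_table t = { .n = 0 };
    const uint32_t nat_ip = 0xCB007105;   /* 203.0.113.5 (constructed) */
    const uint32_t srv_ip = 0xC633640A;   /* 198.51.100.10 (constructed) */
    /* Call IDs a real tracker would learn from the TCP/1723 control channel. */
    const uint16_t call_ids[] = { 0x1234, 0x5678, 0x1234 };  /* third repeats first */
    uint8_t pkt[12];
    struct gre_pptp_key k;

    for (size_t i = 0; i < 3; i++) {
        build_pptp_gre(pkt, call_ids[i], (uint32_t)i);
        if (gre_pptp_state_key(nat_ip, srv_ip, pkt, sizeof pkt, &k) < 0)
            return -1;
        if (state_lookup_or_insert(&t, &k) < 0)
            return -1;
    }
    return t.n;   /* 2: the repeated call ID matched an existing state */
}

int main(void)
{
    printf("distinct PPTP states: %d\n", demo_distinct_tunnels());
    return 0;
}
```

One caveat worth keeping in mind when reading this: per RFC 2637 the call ID field carries the receiving peer's call ID, so client-to-server packets carry the server's ID and server-to-client packets carry the client's. A real tracker therefore keys each direction separately and learns which pair of IDs belongs to one call from the Outgoing-Call-Request/Reply exchange on the TCP/1723 control channel; the example above keys one direction and takes the IDs as given.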

  5. By Alan DeWitt (70.56.192.138) aland@childhoodhealth.com on

    Thank you! I've been looking for a way to handle PPTP besides poptop. I'll be installing that ASAP.

    Comments
    1. By Anonymous Coward (203.45.41.88) on

      err, I believe this is just a proxy and has no pptp serving capabilities, so it's not a poptop replacement...

  6. By Anonymous Coward (65.57.245.11) on

    There is another implementation of pptp proxy at http://www.mgix.com/pptpproxy. It's got the added advantage of supporting ACLs and has more built-in debugging.

    Comments
    1. By Albert J. Wong (216.254.22.95) on

      > There is another implementation of pptp proxy
      > at http://www.mgix.com/pptpproxy.
      > It's got the added advantage of supporting ACLs
      > and has more built-in debugging.

      Looking at the code, as far as I can tell, it lacks privilege dropping, and seems to do some fairly unnecessary things with threads (betcha the locking overhead overshadows the benefit from having multiple threads). Also, the code is more complicated than necessary and doesn't use syslog for debugging.

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]