Contributed by grey on from the neat things to try out dept.
Recently my employer was acquired by a large corporation which has a lot of information and reporting systems on their intranet. This intranet can only be accessed by PPTP and each employee gets their own account. This causes major problems with a NAT'ed firewall as PPTP uses GRE packets for the "secure" tunnel; the GRE protocol has no ports and will fail miserably with multiple connections from one IP. The solution is to install a proxy.
A quick search on Google gave me nothing that would work on *BSD so I had to write my own. The proxy can be installed completely transparently on the firewall; it can also be chained from one proxy to another over multiple servers.
The proxy is still being improved little by little as bugs are found and I would appreciate any input from other users out there.
Project home for the proxy is: http://freshmeat.net/projects/frickin/
While I thankfully haven't had to deal with pptp anytime recently, I'm sure some pf firewall admins may find this useful.
By Anonymous Coward (67.71.79.251) on
By Anonymous Coward (69.156.52.20) on
By Chris Laverdure (69.156.176.31) dashevil@sympatico.ca on
But I've had horrible luck and can't get poptop to work. :(
By Anonymous Coward (83.147.128.114) on
By Anonymous Coward (67.71.79.251) on
By djm@ (203.217.30.86) on
By Anonymous Coward (203.217.79.240) on
All in all this program is a good idea and I encourage its development.
By cellx (68.12.169.113) on
If Mr. Hartmeier is hearing me, please consider putting this onto the wishlist.
Thanks again,
cellx
By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on
As for PPTP, it seems possible to read attributes from that protocol header to associate individual packets with 'connections', at least that's how I understand the proxy works. If that's so, it would be possible to include similar code in the kernel so pf can associate PPTP packets of individual connections with individual state entries.
This work would have to be done by someone who has a personal interest in the functionality, and the necessary infrastructure (I figure at least two Windows machines) to test and debug. This person will also be receiving support questions related to PPTP in general and be expected to act on them. I am not that person. I neither have any personal use for PPTP, nor any Windows boxen to do tests with. And, lacking any experience with PPTP, I wouldn't be qualified to do any kind of support for it.
But I'll note the feature request and if someone should approach me who matches the above criteria and is looking for a feature to implement, I'll relay the message.
In the meantime, why not try the proxy?
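The submission above says GRE has no ports, and Daniel's comment describes the alternative: read attributes from the PPTP GRE header and associate packets with per-call state. The following is an added example, not code from the frickin proxy, from the mgix proxy, or from pf. The header layout (flags word, protocol 0x880B, payload length, Call ID, optional sequence and acknowledgment numbers) is from RFC 2637; the state table, the sample packet, the IP address constants, and all function names are constructed for this illustration. It parses an enhanced GRE header, then keys tunnel state on (server address, Call ID) so that two inside clients behind one NAT address can be told apart, and it reports the collision case that a plain NAT cannot resolve.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Enhanced GRE as PPTP uses it (RFC 2637).  Only the field layout is from the
 * RFC; the rest of this file is constructed for the example. */
#define GRE_PROTO_PPP 0x880B   /* protocol type: PPP carried in enhanced GRE */
#define GRE_FLAG_K    0x2000   /* Key present; for PPTP the Key is the Call ID */
#define GRE_FLAG_S    0x1000   /* sequence number present */
#define GRE_FLAG_A    0x0080   /* acknowledgment number present */
#define GRE_VER_MASK  0x0007   /* version must be 1 for enhanced GRE */

struct pptp_gre {
    uint16_t flags;        /* flags and version word */
    uint16_t proto;
    uint16_t payload_len;
    uint16_t call_id;      /* Call ID of the peer that receives this packet */
    uint32_t seq;          /* valid only if S is set */
    uint32_t ack;          /* valid only if A is set */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the GRE header at buf.  Returns the header length, or 0 when the bytes
 * are not a well-formed PPTP GRE packet (wrong version or protocol, Key bit
 * missing, or fewer bytes present than the header claims). */
size_t pptp_gre_parse(const uint8_t *buf, size_t len, struct pptp_gre *h)
{
    size_t off = 8;
    if (len < off)
        return 0;
    memset(h, 0, sizeof *h);
    h->flags = rd16(buf);
    h->proto = rd16(buf + 2);
    h->payload_len = rd16(buf + 4);
    h->call_id = rd16(buf + 6);
    if ((h->flags & GRE_VER_MASK) != 1 || h->proto != GRE_PROTO_PPP ||
        !(h->flags & GRE_FLAG_K))
        return 0;
    if (h->flags & GRE_FLAG_S) {
        if (len < off + 4) return 0;
        h->seq = rd32(buf + off);
        off += 4;
    }
    if (h->flags & GRE_FLAG_A) {
        if (len < off + 4) return 0;
        h->ack = rd32(buf + off);
        off += 4;
    }
    if (h->payload_len > len - off)
        return 0;                         /* truncated payload */
    return off;
}

/* Constructed state table: (PPTP server, Call ID seen in packets from that
 * server) -> inside client.  With no port numbers in GRE this pair is all a
 * NAT box has to key on. */
#define MAX_STATES 16
struct gre_state { uint32_t server_ip; uint16_t call_id; uint32_t client_ip; int in_use; };
static struct gre_state states[MAX_STATES];

/* 0 on success; -1 when the table is full or another inside client already owns
 * the same (server, Call ID) pair.  That collision is the case plain NAT cannot
 * resolve; a PPTP proxy would rewrite Call IDs on the control channel instead. */
int gre_state_add(uint32_t server_ip, uint16_t call_id, uint32_t client_ip)
{
    int i, free_slot = -1;
    for (i = 0; i < MAX_STATES; i++) {
        if (states[i].in_use) {
            if (states[i].server_ip == server_ip && states[i].call_id == call_id)
                return -1;                /* two clients, one key: ambiguous */
        } else if (free_slot < 0) {
            free_slot = i;
        }
    }
    if (free_slot < 0)
        return -1;
    states[free_slot] = (struct gre_state){server_ip, call_id, client_ip, 1};
    return 0;
}

/* Classify an inbound GRE packet from server_ip: the inside client it belongs
 * to, or 0 when it does not parse or matches no state entry. */
uint32_t gre_state_lookup(uint32_t server_ip, const uint8_t *pkt, size_t len)
{
    struct pptp_gre h;
    int i;
    if (pptp_gre_parse(pkt, len, &h) == 0)
        return 0;
    for (i = 0; i < MAX_STATES; i++)
        if (states[i].in_use && states[i].server_ip == server_ip &&
            states[i].call_id == h.call_id)
            return states[i].client_ip;
    return 0;
}

/* Constructed sample packet: flags 0x3081 = K|S|A with version 1, PPP protocol,
 * 4-byte payload, Call ID 0x1234, seq 1, ack 2, then a PPP LCP-looking payload. */
const uint8_t sample_gre[] = {
    0x30, 0x81, 0x88, 0x0B, 0x00, 0x04, 0x12, 0x34,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0xFF, 0x03, 0xC0, 0x21
};
const size_t sample_gre_len = sizeof sample_gre;

int main(void)
{
    struct pptp_gre h;
    size_t hl = pptp_gre_parse(sample_gre, sample_gre_len, &h);
    printf("header %zu bytes, call id 0x%04x, seq %u, ack %u\n",
           hl, h.call_id, (unsigned)h.seq, (unsigned)h.ack);
    return 0;
}
```

The lookup side is the part a pf state entry would need; the add side shows why a proxy that also rewrites Call IDs is still required when two inside clients happen to pick the same Call ID toward the same server.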
By cruel (195.39.211.10) on
By Shane (202.45.125.5) on
By cellx (68.12.169.113) on
Thank you for noting this to the feature request.
Your question is:
> In the meantime, why not try the proxy?
I can use this proxy to provide to a known PPTP server but I have windows users behind my PF firewall that need to access various PPTP servers. Think of it this way too, I want to deploy a hotspot running soekris and openbsd. Users will be connecting to the hotspot and PPTP to their business VPN servers.
> For IPsec, the answer is NAT-T (encapsulation in UDP), which OpenBSD now
> supports through isakmpd.
Yes, this is a way to get IPSec working through a UDP stream but this doesn't take care of the original issue. I would like complete IPSec passthrough just like a Linksys/SMC router can. This is the same scenario that the PPTP users have with different VPN endpoints.
Thank you always for your time,
cell x
By Martin Akesson (62.20.78.50) on
By Anonymous Coward (62.177.129.13) on
By cellx (68.12.169.113) on
By Anonymous Coward (67.71.79.251) on
By Alan DeWitt (70.56.192.138) aland@childhoodhealth.com on
By Anonymous Coward (203.45.41.88) on
By Anonymous Coward (65.57.245.11) on
By Albert J. Wong (216.254.22.95) on
> There is another implementation of pptp proxy
> at http://www.mgix.com/pptpproxy.
>
> It's got the added advantage of supporting ACLs
> and has more built-in debugging.
>
Looking at the code, as far as I can tell, it lacks privilege dropping, and seems to do some fairly unnecessary things with threads (betcha the locking overhead overshadows the benefit from having multiple threads). Also, the code is more complicated than necessary and doesn't use syslog for debugging.