
There is a Linux machine (A) running pptpd inside a university network, behind a firewall but with a real IP. I have no access to, or any knowledge of, the IP distribution in this network, so I can't just set remoteip X.Y.Z.200-250 in the pptpd config, since it might cause conflicts. I wonder whether it is possible to create a virtual hub for all connected VPN clients, which is then NATed to the real network.

Here is some clumsy ASCII graphics illustrating what I want to achieve:

PPTP-client  ---\  ________________     ________________________
                 \ |   10.0.0.0/24 |    |10.0.0.0/24     real ip|
PPTP-client  ----->| Virt. hub (A) |----|ethX       A       eth0|----- Outside world
                 / |_______________|    |_______________________|
PPTP-client  ---/

Googling shows that PacketiX.NET and UT-VPN have such built-in capabilities, but I have no idea how to do it with ordinary pptpd. I've tried creating a dummy interface, configuring it with a static IP and then giving the pptp clients IPs from this interface's subnet, but with no success.

Using other VPN servers is problematic because of quite paranoid firewall settings and because I have to use a wetware SSH server for any operations on A.

aland
  • It seems like it should be possible. I am somewhat confused about the choice of PPTP when getting through a firewall is a concern. I find that OpenVPN is far easier to get through a firewall, particularly on a Linux server. On Linux it is pretty easy to set up OpenVPN to accept connections on any one of many ports; OpenVPN can even operate through an HTTP proxy. Setting up a special IP range for OpenVPN is also simple. – Zoredache Nov 23 '11 at 01:56
  • @Zoredache Sorry for the late feedback -- there was a blackout here, so there was no possibility to try OpenVPN. Now I've managed to do so, and it works like a charm! Could you repost your comment as an answer, so I can mark it 'Accepted'? – aland Nov 28 '11 at 21:10

1 Answer


You could use the PPTPd server (if the GRE protocol is not filtered by your network). PPTPd will create a new ppp interface for each client on your server.

For example you specify

localip 192.168.101.1-100
remoteip 192.168.101.101-200

So every ppp* interface will obtain a new IP from the 192.168.101.0/24 subnet. Finally, you could NAT all traffic from this subnet to your real IP (don't forget about net.ipv4.ip_forward=1):

# here could be full MASQUERADE or SNAT; -s keeps the NAT limited to the VPN pool
iptables -t nat -I POSTROUTING -s 192.168.101.0/24 -o real_interface0 -j MASQUERADE
# forward for all ppp (needed if your FORWARD policy is DROP), conntrack recommended
iptables -I FORWARD -i ppp+ -o real_interface0 -j ACCEPT
iptables -I FORWARD -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# MSS tune: the source network must match the remoteip pool above
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 192.168.101.0/24 -j TCPMSS --clamp-mss-to-pmtu
Shooorf