
tl;dr Can I ensure the PPTP ppp0 interface is always available, so that nginx and other services can bind to its IP address?

I have an nginx server on Ubuntu 12.04 hosting a handful of public sites. This box also acts as a PPTP VPN, with the following config:

localip 10.76.44.1
remoteip 10.76.44.100-110

I'm installing a new service, proxied behind nginx, and I wanted to limit access to clients on the VPN. I thought I could just tell the server to listen on the localip port:

server {
    listen 10.76.44.1:80;
    ...
}

This worked fine when I initially tested it, but when I restarted the nginx service outside an active PPTP connection, the ppp0 interface was not available and nginx could not bind to the IP address:

nginx: [emerg] bind() to 10.76.44.1:80 failed (99: Cannot assign requested address)
nginx: configuration file /etc/nginx/nginx.conf test failed

In this specific case, I can use the nginx deny directive to limit access the way I want, but that may not be the case for other services I install. Is there a way I can initiate this ppp0 interface at boot so it's available to nginx? Do I need another workaround like binding to an internal-only IP, and adding a forwarding rule for VPN clients?

  • You know PPTP is *horribly* insecure, right? Any systems you have using it should be on the short list to move to a modern VPN technology (IPSec, OpenVPN, etc.). – EEAA Jan 26 '16 at 18:26
  • Why not just firewall it? And get rid of PPTP first, of course. – Michael Hampton Jan 27 '16 at 03:35

2 Answers


Assuming you are running Linux, you can just make your ppp interface part of the system configuration, so that it will be enabled at start. See: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-control.html https://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_ppp_connection

You just need to hook up your PPTP software into the interface up/down phases.

Another solution which comes to my mind is editing the nginx init script so it will simply enable the interface before it starts and disable it when the service is being stopped.

MAQ

In addition to the comment and answer, I'll describe another way to solve your problem / question:

Not sure what OS you're running, because you didn't state this, but if it's some Linux flavor: allow processes to bind / listen to / on "non-local" IPs. To do so:

echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind

If you want to make this persistent, aka "across reboots", you have to put it "somewhere". For Debian-based distributions, this would be, for example, /etc/sysctl.conf: inside, put a line reading

net.ipv4.ip_nonlocal_bind = 1

and execute sysctl -p or do a reboot.

gxx
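Added example (mine, not code from the question or either answer): a pre-flight check for the bind failure in the question and the sysctl from the second answer. It parses `ip -o -4 addr` output (a constructed sample is embedded), predicts whether a bind to 10.76.44.1 can succeed given net.ipv4.ip_nonlocal_bind, and maps a real bind() failure with errno 99 to the nginx message; the function names and every sample address other than 10.76.44.1 are assumptions.

```python
import errno
import re
import socket

# Constructed sample of `ip -o -4 addr` output on the box from the question:
# eth0 carries a (made-up) public address, ppp0 is up with the PPTP localip.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
5: ppp0    inet 10.76.44.1 peer 10.76.44.100/32 scope global ppp0
"""

def local_addresses(ip_addr_output):
    """Map each assigned IPv4 address to its interface from `ip -o -4 addr` output."""
    addrs = {}
    for line in ip_addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            addrs[m.group(2)] = m.group(1)
    return addrs

def bind_will_succeed(address, ip_addr_output, nonlocal_bind):
    """Predict whether bind() to `address` can succeed: the address must be
    assigned to some interface unless net.ipv4.ip_nonlocal_bind is 1."""
    return nonlocal_bind == 1 or address in local_addresses(ip_addr_output)

def probe_bind(address, port=0):
    """Try a real bind(); errno 99 (EADDRNOTAVAIL) is exactly the failure nginx
    reports as 'bind() ... failed (99: Cannot assign requested address)'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((address, port))
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return "not-assigned"
            raise
    return "ok"

def read_nonlocal_bind():
    """Current value of the sysctl from the second answer (Linux only)."""
    with open("/proc/sys/net/ipv4/ip_nonlocal_bind") as f:
        return int(f.read().strip())

if __name__ == "__main__":
    addr = "10.76.44.1"
    print("ip_nonlocal_bind =", read_nonlocal_bind(), "; bind ->", probe_bind(addr))
```

Because ip_nonlocal_bind is system-wide, setting it to 1 lets every process bind to any IPv4 address, not only the VPN one, so the firewall or nginx deny rule mentioned above still has to do the access control.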