PPTP NAT passthrough

PPTP NAT passthrough

Szél Gábor
Dear @misc

Our customer needs more parallel outgoing PPTP sessions.
I know PPTP is not a secure VPN, but our client does not have any options.
(our customer's remote partner accepts only PPTP VPN ...)

OpenBSD PF can't use parallel PPTP sessions. The first session is NAT-ed, but
the second session is broken.
I know OpenBSD does not support PPTP NAT passthrough.

I found two very old PPTP proxies for OpenBSD:

  * https://github.com/crvv/pptp-proxy
    This is an ftp-proxy fork(?)
  * https://sourceforge.net/projects/frickin/

frickin 1.x works only with a fixed remote PPTP address, which is not good for me.
frickin 2.x (beta) does not compile on oBSD 6.6.

pptp-proxy compiled and started, but it is not working.
We tested with a very simple pf.conf (NAT and some rules):

pass in quick log on $int_if proto gre from any to ! $int_if:0 rdr-to 127.0.0.1
pass in quick log on $int_if proto tcp from any to ! $int_if:0 port 1723 rdr-to 127.0.0.1 port 2317

pptp-proxy accepted the session, but it is not working.
(in tcpdump only 2 outgoing and 1 inbound packet were found)

Does anyone know a working solution for PPTP NAT passthrough?

In the OpenBSD-based securityrouter.org firewall I found PPTP-Proxy support:
https://securityrouter.org/wiki/Comparison
But I don't know what to use.

--
Regards,
Szél Gábor

WanTax Kft.
------------
tel.: +36 20 3838 171
fax: +36 82 357 585
email: [hidden email]
web: http://wantax.hu
web: http://halozatom.hu


Re: PPTP NAT passthrough

Edgar Pettijohn III-2
This appears to be actively maintained.

https://sourceforge.net/projects/pptpclient/

On 02/25/20 12:15, Szél Gábor wrote:

> Dear @misc
>
> Our customer needs more parallel outgoing PPTP sessions.
> I know PPTP is not a secure VPN, but our client does not have any options.
> (our customer's remote partner accepts only PPTP VPN ...)
>
> OpenBSD PF can't use parallel PPTP sessions. The first session is NAT-ed,
> but the second session is broken.
> I know OpenBSD does not support PPTP NAT passthrough.
>
> I found two very old PPTP proxies for OpenBSD:
>
>  * https://github.com/crvv/pptp-proxy
>    This is an ftp-proxy fork(?)
>  * https://sourceforge.net/projects/frickin/
>
> frickin 1.x works only with a fixed remote PPTP address, which is not good for me.
> frickin 2.x (beta) does not compile on oBSD 6.6.
>
> pptp-proxy compiled and started, but it is not working.
> We tested with a very simple pf.conf (NAT and some rules):
>
> pass in quick log on $int_if proto gre from any to ! $int_if:0 rdr-to 127.0.0.1
> pass in quick log on $int_if proto tcp from any to ! $int_if:0 port 1723 rdr-to 127.0.0.1 port 2317
>
> pptp-proxy accepted the session, but it is not working.
> (in tcpdump only 2 outgoing and 1 inbound packet were found)
>
> Does anyone know a working solution for PPTP NAT passthrough?
>
> In the OpenBSD-based securityrouter.org firewall I found PPTP-Proxy support:
> https://securityrouter.org/wiki/Comparison
> But I don't know what to use.
>


Re: PPTP NAT passthrough

Stuart Henderson
On 2020-02-26, Edgar Pettijohn <[hidden email]> wrote:
> This appears to be actively maintained.
>
> https://sourceforge.net/projects/pptpclient/

Gábor is looking for a proxy / "nat helper", not a client.

> On 02/25/20 12:15, Szél Gábor wrote:
>> Dear @misc
>>
>> Our customer needs more parallel outgoing PPTP sessions.
>> I know PPTP is not a secure VPN, but our client does not have any options.
>> (our customer's remote partner accepts only PPTP VPN ...)
>>
>> OpenBSD PF can't use parallel PPTP sessions. The first session is NAT-ed,
>> but the second session is broken.
>> I know OpenBSD does not support PPTP NAT passthrough.
>>
>> I found two very old PPTP proxies for OpenBSD:
>>
>>  * https://github.com/crvv/pptp-proxy
>>    This is an ftp-proxy fork(?)
>>  * https://sourceforge.net/projects/frickin/
>>
>> frickin 1.x works only with a fixed remote PPTP address, which is not good for me.
>> frickin 2.x (beta) does not compile on oBSD 6.6.
>>
>> pptp-proxy compiled and started, but it is not working.
>> We tested with a very simple pf.conf (NAT and some rules):
>>
>> pass in quick log on $int_if proto gre from any to ! $int_if:0 rdr-to 127.0.0.1
>> pass in quick log on $int_if proto tcp from any to ! $int_if:0 port 1723 rdr-to 127.0.0.1 port 2317
>>
>> pptp-proxy accepted the session, but it is not working.
>> (in tcpdump only 2 outgoing and 1 inbound packet were found)
>>
>> Does anyone know a working solution for PPTP NAT passthrough?

I haven't heard of other implementations for PF.

There was one named pptp-proxy discussed on tech@ about 10 years ago
which needed kernel patches as well, this might be some modified version
of that but it may have been converted to userland-only as well, I haven't
looked closely. It doesn't appear to rewrite call-id so it wouldn't work
for connections from multiple natted clients going to the same server.

>> In the OpenBSD-based securityrouter.org firewall I found PPTP-Proxy support:
>> https://securityrouter.org/wiki/Comparison
>> But I don't know what to use.

Likely some variant of this same pptp-proxy .. A lot of securityrouter.org
things are closed source afaik.

If you want to run this on OpenBSD then probably you will need to either
write code or fix code.
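
The call-id rewriting mentioned in the last reply, as an added example that is not part of the thread and is not pptp-proxy's code: PPTP's enhanced GRE (RFC 2637) has no ports, only a 16-bit Call ID, so a NAT helper needs a translation table to tell apart clients talking to the same server. The table layout, function names and addresses below are assumptions; rewriting the Call ID inside the TCP 1723 control messages is represented only by `nat_add`.

```c
/* Added example, not from the thread; names and addresses are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define GRE_PROTO_PPTP 0x880B           /* enhanced GRE protocol type (RFC 2637) */
#define MAX_MAP 64
struct map { uint32_t server, client; uint16_t ext_cid, orig_cid; };
static struct map table[MAX_MAP];
static size_t nmap;

/* Call ID of an enhanced GRE (PPTP) packet, or -1 if the header is not valid. */
int gre_call_id(const uint8_t *p, size_t len)
{
    if (len < 8 || !(p[0] & 0x20) || (p[1] & 0x07) != 1 ||
        ((p[2] << 8) | p[3]) != GRE_PROTO_PPTP)
        return -1;                      /* need K bit, version 1, PPTP type */
    return (p[6] << 8) | p[7];          /* low 16 bits of the key field */
}

/* Control channel: client announced orig_cid; return the table-unique ID sent on. */
int nat_add(uint32_t server, uint32_t client, uint16_t orig_cid)
{
    if (nmap == MAX_MAP) return -1;
    table[nmap] = (struct map){ server, client, (uint16_t)(nmap + 1), orig_cid };
    return table[nmap++].ext_cid;
}

/* Inbound GRE: pick the client by (server, Call ID) and restore its own ID. */
uint32_t nat_inbound(uint32_t server, uint8_t *p, size_t len)
{
    int cid = gre_call_id(p, len);
    for (size_t i = 0; cid >= 0 && i < nmap; i++)
        if (table[i].server == server && table[i].ext_cid == cid) {
            p[6] = table[i].orig_cid >> 8;
            p[7] = table[i].orig_cid & 0xff;
            return table[i].client;
        }
    return 0;                           /* no mapping: drop */
}

int main(void)
{
    uint8_t pkt[] = { 0x20, 0x81, 0x88, 0x0B, 0, 0, 0, 2, 0, 0, 0, 1 }; /* constructed ack-only packet */
    nat_add(0xCB00710A, 0x0A000002, 7); /* two clients pick the same Call ID 7 */
    nat_add(0xCB00710A, 0x0A000003, 7);
    uint32_t c = nat_inbound(0xCB00710A, pkt, sizeof pkt);
    printf("deliver to %08x with call id %d\n", (unsigned)c, gre_call_id(pkt, sizeof pkt));
    return 0;
}
```

Without the translation both clients' replies arrive from the same server carrying Call ID 7, and nothing in the GRE header says which inside host they belong to.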