Topic: Use PPTP VPN to connect to a remote network?  (Read 2518 times)
« on: October 10, 2007, 19:42:28 »
JackTripper *
Posts: 16

i don't know what the term for this technique is, i don't see anything in monowall that supports it, but...

My network is on the 192.168.1.1/23 subnet, and a remote network i want to connect to is on the 10.0.0.1/24 subnet. If i make a request on my 192.168.1.x network to talk to 10.0.0.x, i want monowall to connect to a Microsoft PPTP VPN server running out on the internet, login, and route the traffic.


Microsoft RRAS supports this feature, and so they created a pretty picture that i can steal:
(http://technet2.microsoft.com/QueryWS/GetOpenContent.aspx?assetID=2aea5a14-0230-4e04-8c6b-56c1a790ac11&DocumentSet=en-US&RenderKey=XML)

In this picture, monowall is the "calling router", and i want to have it call the "answering router".


Right now i have to VPN from my Vista desktop machine. Additionally, because monowall only NATs PPTP traffic (as opposed to proxying it) i'm only allowed one PPTP tunnel out. It would be so much cooler if monowall could set up this link for me.

The docs on IPSec seem to indicate this is what i want to do, but i don't have IPSec VPN. And the PPTP docs only seem to talk about setting up monowall as a PPTP vpn server.


i do realize that if i wanted traffic destined for, say, the 172.16.0.x network to go out over a different VPN link it would fail (because of the aforementioned lack of PPTP proxy). In this case it is okay, since i personally will only ever be talking to the one remote network.   (If i want to talk to the other one - i'll be forced to do it from my client PC)


a) Is there a name for this? PPTP VPN? VLAN? Captive Portal?
b) Does monowall support this functionality?
« Last Edit: October 10, 2007, 22:49:25 by JackTripper »
« Reply #1 on: October 11, 2007, 10:28:13 »
markb ****
Posts: 331

Hi Jack,
Nice post, really clear diagram.  Assuming that you have a DSL connection at the branch office, I think this should be okay. Although I have never tried it myself. The DSL router needs to be configured to handle the connection to the ISP rather than bridge mode and PPPoE. You then configure the WAN interface of the Monowall to be PPTP and set up the connection.
I do know however, that you would be far better off using an IPSEC connection in this scenario.  Stick a Mono box at the remote end and they can set up a secure tunnel between them. Have a look here at site to site VPN in the monowall handbook.
« Reply #2 on: October 11, 2007, 20:52:07 »
JackTripper *
Posts: 16

Quote: The DSL router needs to be configured to handle the connection to the ISP rather than bridge mode and PPPoE. You then configure the WAN interface of the Monowall to be PPTP and set up the connection.

Monowall is my DSL router at my "branch office". Monowall needs to be PPPoE so it can connect to the internet, so it can use PPTP to connect to the "Main Office".

Are you suggesting that i use a router that is not a monowall router as my router, then use my monowall router as an "internal" router?

So rather than:
LAN-->Monowall Router--PPPoE-->Modem--(internet)-->Main Office PPTP Server

You're suggesting:
LAN-->Monowall Router-->DSL Router--PPPoE-->Modem--(internet)-->Main Office PPTP Server

The reason i ask is that i'm trying to get rid of crummy consumer routers in favor of monowall - not have to put one back in. Also, i don't want all internet traffic from my LAN to have to go over the tunnel, only traffic destined for the remote network.
« Reply #3 on: October 12, 2007, 10:13:48 »
markb ****
Posts: 331

Ah, that makes it clearer, it wasn't clear before if you were wanting to route all the traffic.  In this case, you definitely want to do it by an IPSEC VPN, as you can't do it with a single Mono box.  Although I have never actually had to set it up, I believe that when using an IPSEC VPN to link the sites, the tunnel is seen by Monowall as another Interface and you can route the traffic accordingly. In addition to the link I posted earlier, there is more information here which tells you how to set up the IPSEC tunnel with a variety of different routers.  Do you have control of the router on the main site?

If this isn't an option, you should be able to do it with a second Mono on your LAN to handle a PPTP connection and then add a static route.
« Reply #4 on: October 12, 2007, 22:55:13 »
JackTripper *
Posts: 16

Quote: You can't do it with a single Mono box.

Quote: Do you have control of the router on the main site?

i don't really have control over the router here "at the office".  We already have a Microsoft Windows Server machine listening for VPN connections from the internets - it would just have been nice to have this feature.

Microsoft's own router can do it (it's called a Dial on Demand interface), so i just thought m0n0wall could do it too.
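
Added example (not part of the original thread and not m0n0wall code): a small Python model of the routing decision discussed in Replies #2 and #3, where a static route sends only traffic for the remote 10.0.0.x network through the PPTP tunnel and everything else leaves via the normal WAN. The interface labels are hypothetical; the subnets are the ones quoted in the thread.

```python
import ipaddress

# Subnets exactly as written in the thread. strict=False accepts the host
# bits that are set in "192.168.1.1/23" and "10.0.0.1/24" and returns the
# enclosing network (192.168.0.0/23 and 10.0.0.0/24).
LAN = ipaddress.ip_network("192.168.1.1/23", strict=False)
REMOTE = ipaddress.ip_network("10.0.0.1/24", strict=False)

# Hypothetical interface labels (assumptions, not m0n0wall identifiers).
ROUTES = [
    (LAN, "lan"),
    (REMOTE, "pptp-tunnel"),                          # the static route
    (ipaddress.ip_network("0.0.0.0/0"), "wan-pppoe"),  # default route
]


def next_hop(dst, routes=ROUTES):
    """Return the interface chosen by longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def leaks_to_wan(dst, routes=ROUTES):
    """True if a non-public destination would fall through to the default
    route, i.e. leave on the WAN instead of through a tunnel."""
    addr = ipaddress.ip_address(dst)
    return addr.is_private and next_hop(dst, routes) == "wan-pppoe"


if __name__ == "__main__":
    # Constructed sample destinations: remote office, local LAN,
    # a public address, and the 172.16.0.x network mentioned in the thread.
    for dst in ("10.0.0.20", "192.168.0.7", "8.8.8.8", "172.16.0.5"):
        print(f"{dst:>12} -> {next_hop(dst):<12} leak={leaks_to_wan(dst)}")
```

The 172.16.0.x case falls through to the default route because no tunnel route covers it, which is the situation the first post says would fail.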
 