PPTP client, masquerade and routing - Networking


Thread: PPTP client, masquerade and routing

  1. PPTP client, masquerade and routing

    My Buffalo WHR is operating as an IP router. The box brings up a link
    successfully with PPTP client to a remote Windows server OK without
    problems. I can ping from the router to the remote PPTP server and can
    get packets on the remote network OK. I presume this is because the
    router has a ppp0 address of 10.19.0.192, and the remote server has
    this address in its routing table.

    What I am trying to do is route all my traffic from the LAN through
    this ppp0 device. However, with the client PC's default gateway set to
    the router's IP, 192.168.1.3, the traceroute shows the packet hitting
    the router and then nothing comes back. My main ADSL modem is on the
    same subnet as 192.168.1.1. How do I add the default route to send
    packets over the ppp0 link? I think I still need the 192.168.1.1 entry
    as this is how the ppp0 link is brought up over this default route out
    onto the net.

    I am running the following on my box:

    ~ # pptp 100.200.100.200 file /tmp/pptpd_client/options.vpn debug nodetach
    ~ # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.19.0.190     *               255.255.255.255 UH    0      0        0 ppp0
    192.168.1.0     *               255.255.255.0   U     0      0        0 br0
    10.19.0.0       *               255.255.255.0   U     0      0        0 ppp0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         192.168.1.1     0.0.0.0         UG    0      0        0 br0

    As mentioned, pinging works OK on the router but not from any other
    PC. Is this an issue with the remote PPTP server not knowing where to
    send the replies (i.e. it will be receiving packets from
    192.168.1.0/24)? Ideally, I would like to masquerade/PAT on the ppp0
    link so multiple computers can route through this link.

    Any ideas how I can achieve this?

    Thanks


  2. Re: PPTP client, masquerade and routing

    morleyc@gmail.com wrote:
    > My Buffalo WHR is operating as an IP router. The box brings up a link
    > successfully with PPTP client to a remote Windows server OK without
    > problems. I can ping from the router to the remote PPTP server and can
    > get packets on the remote network OK. I presume this is because the
    > router has a ppp0 address of 10.19.0.192, and the remote server has
    > this address in its routing table.

    You presume correctly.

    > What I am trying to do is route all my traffic from the LAN through
    > this ppp0 device. However, with the client PC's default gateway set to

    Assuming you mean traffic bound for the server LAN, masquerading
    ppp0 should provide the means for return traffic to reach hosts on
    192.168.1.0/24.

    > the router's IP, 192.168.1.3, the traceroute shows the packet hitting
    > the router and then nothing comes back. My main ADSL modem is on the
    > same subnet as 192.168.1.1. How do I add the default route to send
    > packets over the ppp0 link? I think I still need the 192.168.1.1 entry
    > as this is how the ppp0 link is brought up over this default route out
    > onto the net.

    I don't think you want to change the default route.

    > I am running the following on my box:
    >
    > ~ # pptp 100.200.100.200 file /tmp/pptpd_client/options.vpn debug nodetach
    > ~ # route
    > Kernel IP routing table
    > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    > 10.19.0.190     *               255.255.255.255 UH    0      0        0 ppp0
    > 192.168.1.0     *               255.255.255.0   U     0      0        0 br0
    > 10.19.0.0       *               255.255.255.0   U     0      0        0 ppp0
    > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    > default         192.168.1.1     0.0.0.0         UG    0      0        0 br0


    > As mentioned, pinging works OK on the router but not from any other
    > PC. Is this an issue with the remote PPTP server not knowing where to
    > send the replies (i.e. it will be receiving packets from
    > 192.168.1.0/24)? Ideally, I would like to masquerade/PAT on the ppp0

    Yes.

    > link so multiple computers can route through this link.


    > Any ideas how I can achieve this?

    Check out "LAN to LAN" in

    http://pptpclient.sourceforge.net/routing.phtml

    I'm not certain it fits your needs exactly but maybe it will help.

    > Thanks


    --
    Clifford Kite
    /* "Be liberal in what you accept, and conservative in what you send"
    RFC 1122 */

  3. Re: PPTP client, masquerade and routing

    > > the router's IP, 192.168.1.3, the traceroute shows the packet hitting
    > > the router and then nothing comes back. My main ADSL modem is on the
    > > same subnet as 192.168.1.1. How do I add the default route to send
    > > packets over the ppp0 link? I think I still need the 192.168.1.1 entry
    > > as this is how the ppp0 link is brought up over this default route out
    > > onto the net.
    >
    > I don't think you want to change the default route.


    Thanks for the reply Clifford. I do want to replace the default route
    so that all traffic is routed via ppp0. However, I know if I replace my
    default route (which I do want to do!), I will have a problem: how
    will the VPN traffic get out? I.e. how will I be able to ping the VPN
    server IP, as it's a chicken-and-egg scenario, what came first?! I
    still need a route to the PPTP server.

    So what I propose (once the ppp0 link comes up, or this would even
    work with startup scripts) is:

    route add -net 66.77.88.99 netmask 255.255.255.255 dev br0
    route del default gw 192.168.1.1
    route add default gw 10.19.0.190

    Note that 66.77.88.99 is my PPTP server IP.

    This way I can still talk to the PPTP server, and thus bring the link
    up. Once the link is up I can then route my traffic through the ppp0.
    How does that sound? Once I am able to route properly I will
    masquerade ppp0 with iptables and should be good to go. Are there any
    hidden traps I should look out for?

    Thanks,

    Chris


  4. Re: PPTP client, masquerade and routing

    To expand on my question, this is an excerpt from a site I saw and I
    think I understand it a bit better:

    #!/bin/sh
    # pppd ip-up script for all-to-tunnel routing

    # name of primary network interface (before tunnel)
    PRIMARY=eth0

    # address of tunnel server
    SERVER=tunnel.example.com

    # provided by pppd: string to identify connection aka ipparam option
    CONNECTION=$6
    if [ "${CONNECTION}" = "" ]; then CONNECTION=${PPP_IPPARAM}; fi

    # provided by pppd: interface name
    TUNNEL=$1
    if [ "${TUNNEL}" = "" ]; then TUNNEL=${PPP_IFACE}; fi

    # if we are being called as part of the tunnel startup
    if [ "${CONNECTION}" = "tunnel" ] ; then

        # direct tunnelled packets to the tunnel server
        route add -host ${SERVER} dev ${PRIMARY}

        # direct all other packets into the tunnel
        route del default ${PRIMARY}
        route add default dev ${TUNNEL}

    fi

    Note: if you need the network connection to work again after the
    tunnel is taken down but before the main connection is terminated, you
    will need to restore the default route. Use an ip-down script for the
    tunnel, as follows:

    #!/bin/sh
    # pppd ip-down script for all-to-tunnel routing

    # name of primary network interface (before tunnel)
    PRIMARY=eth0

    # provided by pppd: string to identify connection aka ipparam option
    CONNECTION=$6
    if [ "${CONNECTION}" = "" ]; then CONNECTION=${PPP_IPPARAM}; fi

    # provided by pppd: interface name
    TUNNEL=$1
    if [ "${TUNNEL}" = "" ]; then TUNNEL=${PPP_IFACE}; fi

    # if we are being called as part of the tunnel shutdown
    if [ "${CONNECTION}" = "tunnel" ] ; then

        # direct packets back to the original interface
        route del default ${TUNNEL}
        route add default dev ${PRIMARY}

    fi

    From that I can see that before the ppp0 link is alive, eth0 will be the
    default route, thus the connection to the PPP server can be
    established. Once the link is up, ppp0 will be set as the default
    route. After the ppp0 link is lost, eth0 will be restored as the
    default gateway. From my understanding, if eth0 were not restored as
    default gateway it would be impossible to bring the ppp0 link back up?

    From the Windows route print, I understand this completely as it
    explicitly shows the route to the PPTP server 100.200.100.200 (please
    note this is all automatically added by Windows when the VPN
    connection comes up, and 172.16.1.61 is my eth0 interface and
    172.16.1.1 is the ADSL router on my LAN):

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.19.0.191    10.19.0.191       1
              0.0.0.0          0.0.0.0       172.16.1.1    172.16.1.61      26
          10.19.0.191  255.255.255.255        127.0.0.1      127.0.0.1      50
       10.255.255.255  255.255.255.255      10.19.0.191    10.19.0.191      50
            127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
           172.16.0.0      255.255.0.0      172.16.1.61    172.16.1.61      25
          172.16.1.61  255.255.255.255        127.0.0.1      127.0.0.1      25
       172.16.255.255  255.255.255.255      172.16.1.61    172.16.1.61      25
      100.200.100.200  255.255.255.255       172.16.1.1    172.16.1.61      25
            224.0.0.0        240.0.0.0      172.16.1.61    172.16.1.61      25
            224.0.0.0        240.0.0.0      10.19.0.191    10.19.0.191       1
      255.255.255.255  255.255.255.255      10.19.0.191    10.19.0.191       1
      255.255.255.255  255.255.255.255      172.16.1.61          10004       1
      255.255.255.255  255.255.255.255      172.16.1.61    172.16.1.61       1
    Default Gateway:       10.19.0.191
    ===========================================================================

    Now I know this isn't a Windows forum, but how is Linux able to route
    data to the PPTP server when it doesn't have a route to it? Under Linux
    is ppp0 internally remembering the route over which it was established,
    and thus sending packets over eth0 creating the encapsulated tunnel we
    know as a VPN.

    How does this sound, or am I still miles off understanding the inner
    workings?


  5. Re: PPTP client, masquerade and routing

    morleyc@gmail.com wrote:
    > To expand on my question, this is an excerpt from a site I saw and I
    > think I understand it a bit better:
    >
    > #!/bin/sh
    > # pppd ip-up script for all-to-tunnel routing
    >
    > # name of primary network interface (before tunnel)
    > PRIMARY=eth0
    >
    > # address of tunnel server
    > SERVER=tunnel.example.com
    >
    > # provided by pppd: string to identify connection aka ipparam option
    > CONNECTION=$6
    > if [ "${CONNECTION}" = "" ]; then CONNECTION=${PPP_IPPARAM}; fi
    >
    > # provided by pppd: interface name
    > TUNNEL=$1
    > if [ "${TUNNEL}" = "" ]; then TUNNEL=${PPP_IFACE}; fi
    >
    > # if we are being called as part of the tunnel startup
    > if [ "${CONNECTION}" = "tunnel" ] ; then
    >
    >     # direct tunnelled packets to the tunnel server
    >     route add -host ${SERVER} dev ${PRIMARY}


    If the tunnel "goes down" then this host route should allow it to be
    reestablished without replacing the tunnel routing with the primary
    network routing. Note that the host route is not removed in ip-down.

    >     # direct all other packets into the tunnel
    >     route del default ${PRIMARY}
    >     route add default dev ${TUNNEL}
    >
    > fi
    >
    > Note: if you need the network connection to work again after the
    > tunnel is taken down but before the main connection is terminated, you
    > will need to restore the default route. Use an ip-down script for the
    > tunnel, as follows:
    >
    > #!/bin/sh
    > # pppd ip-down script for all-to-tunnel routing
    >
    > # name of primary network interface (before tunnel)
    > PRIMARY=eth0
    >
    > # provided by pppd: string to identify connection aka ipparam option
    > CONNECTION=$6
    > if [ "${CONNECTION}" = "" ]; then CONNECTION=${PPP_IPPARAM}; fi
    >
    > # provided by pppd: interface name
    > TUNNEL=$1
    > if [ "${TUNNEL}" = "" ]; then TUNNEL=${PPP_IFACE}; fi
    >
    > # if we are being called as part of the tunnel shutdown
    > if [ "${CONNECTION}" = "tunnel" ] ; then
    >
    >     # direct packets back to the original interface
    >     route del default ${TUNNEL}
    >     route add default dev ${PRIMARY}
    >
    > fi
    >
    > From that I can see that before the ppp0 link is alive, eth0 will be the
    > default route, thus the connection to the PPP server can be
    > established. Once the link is up, ppp0 will be set as the default
    > route. After the ppp0 link is lost, eth0 will be restored as the
    > default gateway. From my understanding, if eth0 were not restored as
    > default gateway it would be impossible to bring the ppp0 link back up?


    No, I think that the access to ${SERVER} through the Internet as provided
    by the host route in ip-up should be enough to restore the tunnel and
    so the PPP link.

    > From the Windows route print, I understand this completely as it
    > explicitly shows the route to the PPTP server 100.200.100.200


    And I don't understand windows routing at all.

    ....

    > Now I know this isn't a Windows forum, but how is Linux able to route
    > data to the PPTP server when it doesn't have a route to it? Under Linux


    In the context of the ip-up script above it does have a route to the
    pptp server.

    > is ppp0 internally remembering the route over which it was established,
    > and thus sending packets over eth0 creating the encapsulated tunnel we
    > know as a VPN.


    I think there is a question here and the answer should be no. The ppp0
    interface will only "remember" the local and remote PPP addresses.

    > How does this sound, or am I still miles off understanding the inner
    > workings?


    My own understanding of PPTP is somewhat limited so I'll pass on this.

    --
    Clifford Kite
    /* Domain names are for water/carbon units that don't think in binary.
    --Allen Kistler */
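
As an added example (not from this thread or from the pptpclient routing page), the ip-up/ip-down script below carries Chris's route swap from post 3 and the quoted scripts in post 4 through to a working version with the masquerading step, keeping the host route on ip-down as Clifford points out in post 5. The PPTP server address, br0 and 192.168.1.0/24 are the thread's values; the STATE file path and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): pppd ip-up/ip-down script that performs
# Chris's route swap and masquerades the LAN behind the tunnel interface.
# Values below are the thread's; STATE and DRY_RUN are assumptions of this example.
PPTP_SERVER=${PPTP_SERVER:-100.200.100.200}
LAN_IF=${LAN_IF:-br0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
STATE=${STATE:-/var/run/pptp-orig-gw}   # remembers the pre-tunnel gateway

# Run a command, or only print it when DRY_RUN is set, so the plan can be reviewed.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Current IPv4 default gateway, learned instead of hard-coded.
orig_gateway() { ip -4 route show default | awk '/default via/ { print $3; exit }'; }

# $1 = tunnel interface (ppp0), $2 = remote PPP address, $3 = original gateway.
tunnel_up() {
    tun=$1; remote=$2; gw=$3
    # Pin the PPTP control (TCP 1723) and GRE packets to the real gateway first;
    # routed "via" the gateway, not just "dev", because br0 is not point-to-point.
    run ip route replace "$PPTP_SERVER/32" via "$gw" dev "$LAN_IF"
    # Only now is it safe to send everything else into the tunnel.
    run ip route replace default via "$remote" dev "$tun"
    run sysctl -w net.ipv4.ip_forward=1
    # Rewrite LAN sources to the ppp0 address so the far side knows where to reply.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$tun" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$tun" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$tun" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Undo tunnel_up. The /32 host route to the PPTP server is kept on purpose:
# it is what lets pppd re-establish the tunnel without the old default route.
tunnel_down() {
    tun=$1; gw=$2
    run iptables -D FORWARD -i "$tun" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$LAN_IF" -o "$tun" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$LAN_NET" -o "$tun" -j MASQUERADE
    run ip route replace default via "$gw" dev "$LAN_IF"
}

# pppd calls ip-up/ip-down with: iface tty speed local-IP remote-IP ipparam.
# Act only when invoked under one of those names (install this file as both).
case "${0##*/}" in
    ip-up)   gw=$(orig_gateway); [ -n "$gw" ] || gw=$(cat "$STATE" 2>/dev/null)
             echo "$gw" > "$STATE"; tunnel_up "$1" "$5" "$gw" ;;
    ip-down) tunnel_down "$1" "$(cat "$STATE")" ;;
esac
```

The quoted scripts add the host route with `dev` only, which works when the primary interface is itself a point-to-point link; on an Ethernet or bridge interface such as br0 the kernel would ARP for the server address directly, so this version routes it via the original gateway, as the Windows table in post 4 does (100.200.100.200 via 172.16.1.1). Run it with DRY_RUN=1 first to see the exact commands it would apply.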
