RRAS, Tomato, and outgoing VPN Connections
Forums » Up and Running » Virtual Private Networking » RRAS, Tomato, and outgoing VPN Connections
savantcoder @ 14th Aug 03:32PM:
RRAS, Tomato, and outgoing VPN Connections
Hey guys,
I have a Windows Server 2008 RRAS running behind a WRT54GL running Tomato.
With Port forwarding, I can get PPTP connections to work flawlessly. I use iptables to forward GRE and TCP 1723 packets to the server.
Since the router sends all GRE and TCP 1723 packets to the W2k8 Server, no one in the office can establish a VPN connection with another external VPN server as the PPTP client deems the packets to be lost since it doesn't know that they're being redirected to the server.
So, my question is, what can I do? I need to allow incoming VPN connections to be handled by the server but still have outbound VPN connections work.
Matt @ 19th Aug 02:28PM:
Re: RRAS, Tomato, and outgoing VPN Connections
said by savantcoder :
Hey guys,
I have a Windows Server 2008 RRAS running behind a WRT54GL running Tomato.
With Port forwarding, I can get PPTP connections to work flawlessly. I use iptables to forward GRE and TCP 1723 packets to the server.
Since the router sends all GRE and TCP 1723 packets to the W2k8 Server, no one in the office can establish a VPN connection with another external VPN server as the PPTP client deems the packets to be lost since it doesn't know that they're being redirected to the server.
So, my question is, what can I do? I need to allow incoming VPN connections to be handled by the server but still have outbound VPN connections work.
It sounds to me like you need to fix your iptables rule to only handle INBOUND GRE/1723 packets. It sounds as if the rule was created to grab ALL GRE and 1723 packets, whether inbound or outbound.
savantcoder @ 19th Aug 05:05PM:
Re: RRAS, Tomato, and outgoing VPN Connections
Hey Matt,
Thanks for replying.
Wouldn't that still cause the reply GRE packets to get trapped? Or is it a one-way thing? I've been assuming two-way GRE communication was necessary.
Sad part is I read the RFC for PPTP (but for an encryption handshake issue). I guess I'll go back and read it again.
Edit:
I should also mention that the modules ip_conntrack_proto_gre and the NAT one had to be disabled because they throw errors when enabled. This is why I'm trying to use a rule-based approach.
From my understanding, if I tell it to accept all inbound NEW GRE connections and send them to the server, that should work. Except connection tracking for GRE doesn't work on this light Linux install.
Matt @ 19th Aug 08:51PM:
Re: RRAS, Tomato, and outgoing VPN Connections
You could use an inbound/outbound iptables rule with a source and destination of the 2008 server's IP. That way all GRE/1723 traffic without a source or destination IP of your 2008 server wouldn't match the rule and would bypass it.
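Putting Matt's suggestion into concrete rules, as an added example that is not from the thread or from Tomato's own scripts: every redirect is pinned to the WAN interface and to the server's address, so PPTP sessions that office clients start never match. The interface name vlan1, the server address 192.168.1.10 and the LAN 192.168.1.0/24 are placeholders.

```shell
#!/bin/sh
# Constructed example: print the iptables commands that forward inbound PPTP
# (TCP 1723 control channel + GRE, IP protocol 47) to an internal RRAS server
# while leaving outbound PPTP clients on the LAN alone.  Printing instead of
# applying keeps this runnable without root; on the router: pptp_rules ... | sh
pptp_rules() {
  wan=$1 server=$2 lan=$3
  cat <<EOF
# Control channel: redirect only connections ARRIVING on the WAN interface
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $server
# Data channel: GRE arriving on the WAN interface goes to the server too
iptables -t nat -A PREROUTING -i $wan -p 47 -j DNAT --to-destination $server
# Let the redirected traffic through FORWARD, scoped to the server address
iptables -A FORWARD -i $wan -p tcp -d $server --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan -p 47 -d $server -j ACCEPT
# Office clients dialling out: control and GRE from the LAN towards the WAN
iptables -A FORWARD -s $lan -o $wan -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -s $lan -o $wan -p 47 -j ACCEPT
EOF
}

# Self-check: every DNAT rule must carry "-i <wan>", otherwise it would also
# catch sessions that LAN hosts initiate.  Returns 0 when the set is scoped.
dnat_scoped_to_wan() {
  wan=$1
  ! pptp_rules "$wan" "$2" "$3" | grep -e '-j DNAT' | grep -vq -e "-i $wan"
}

# Caveat: the nat table only sees the first packet of a connection, so whether
# an inbound GRE reply to an office client's OWN session escapes the second
# DNAT rule depends on the router tracking GRE connections; the thread reports
# ip_conntrack_proto_gre is disabled on this build, so that part stays open.
pptp_rules vlan1 192.168.1.10 192.168.1.0/24
```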
© 99-2009 silver matrix LLC