VPN PPTP
-
PFSENSE does not manage anything related to PPTP. the only function it does is the internet router
I just need to know if there is any solution and why it is happening
-
https://forum.netgate.com/topic/150260/vpn-pptp-connection-through-pfsense
-Rico
-
@pacomillan Its your connectiing server that has issues.
Can you describe how you setup pptp ?
-
@rico ok
-
@pacomillan you need to tell you client they need to find another solution, or let know where they are connecting they need to find another solution - say pfsense. If he is running pfsense he has multiple options for running vpn server on pfsense.
PPTP has been dead for 10 some years.. It is not secure at all..
That being said, passing pptp through pfsense there is nothing pfsense would do to block such traffic - unless you were running maybe IPS package. And its set to block it - because again its been dead for 10 years.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@pacomillan also looking at https://forum.netgate.com/topic/173587/sql-rules?_=1660909737405 your issue could be down to the double NAT occuring.
-
@johnpoz Security aside... its by far the easiest Point to Point tunneling setup and if you only need that, its fine.
You run your encrypted trffic inside a PPTP tunnel and then its fine.
I have never ever seen a PPTP connection beeing haked in the wild..... just because a lab rat says so.
Thats why so many are using it still.
-
No. I uncheck "Block private networks and loopback addresses" in Wan interface and all works
-
@cool_corona said in VPN PPTP:
You run your encrypted trffic inside a PPTP tunnel and then its fine.
Not really.. Its not that your traffic flowing through the vpn is at risk, its that anyone could connect to your vpn and have access to your network is the risk.
If this remote site has pfsense, then they have many options they could use to allow remote access vpn. ipsec, openvpn, wireguard or even the tailscale package which uses wireguard. Which is pretty no brainer setup to be honest. Took all of like 5 minutes to get that setup and have my phone using it.
There is zero reason to still be using a vpn tech that has been dead and compromised for over 10 years when there are other viable options that have no cost other then setup.
And continued support, or even help in allowing someone to continue to use it is wrong advice.
Bill: so my doctor told me to lower my salt intake
Kim: oh bill your salt shaker is low, let me refill that for you.. -
@pacomillan "Block private networks and loopback addresses" has nothing to do with a double NAT.
Some VPN protocols have the IP address in the payload of the packet and header, NAT would change the IP address in the header and not the payload.
https://packetlife.net/captures/protocol/pptp/
Frame 21: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) Ethernet II, Src: MinervaK_00:02:00 (00:14:00:00:02:00), Dst: Cisco_55:c0:1c (00:09:e9:55:c0:1c) Destination: Cisco_55:c0:1c (00:09:e9:55:c0:1c) Source: MinervaK_00:02:00 (00:14:00:00:02:00) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 20.0.0.2 (20.0.0.2), Dst: 20.0.0.1 (20.0.0.1) 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) Total Length: 50 Identification: 0x18d5 (6357) Flags: 0x00 ...0 0000 0000 0000 = Fragment Offset: 0 Time to Live: 64 Protocol: Generic Routing Encapsulation (47) Header Checksum: 0x39c6 [validation disabled] [Header checksum status: Unverified] Source Address: 20.0.0.2 (20.0.0.2) Destination Address: 20.0.0.1 (20.0.0.1) Generic Routing Encapsulation (PPP) Flags and Version: 0x3081 Protocol Type: PPP (0x880b) Payload Length: 14 Call ID: 24 Sequence Number: 5 Acknowledgment Number: 4 Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021) PPP IP Control Protocol Code: Configuration Ack (2) Identifier: 1 (0x01) Length: 10 Options: (6 bytes), IP Address IP Address Type: IP Address (3) Length: 6 IP Address: 17.1.1.118 (17.1.1.118) -
the problem is:
THE REMOTE PPTP VPN SERVER IS NOT PROPERTY OF MY CLIENT.
then, he is thinking to say hello again to his old ISP router
-
@pacomillan While I understand your frustration - when technology becomes antiquated and no longer secured or supported. The solution is not to continue to use old tech, but move on - even if there is going pains.
PPTP has been dead, should of migrated away from it 10+ years ago, slow to change ok 8 years ;)
Maybe you could facilitate with your client on getting with who runs this server, could be a new client for you.
That being said the problem is GRE which used in outbound pptp connection via some client behind pfsense doesn't actually use a port. The tracking of the GRE connection unless you have multiple public IPs to use would be problematic. Not sure if pfsense ever was able to do that.
I can not be sure - its been 10 some years since did anything with it, again because its been dead for that long - and should of been migrated away from way before then.
