VPN PPTP

Rico · Aug 19, 2022, 10:36 AM

https://forum.netgate.com/topic/150260/vpn-pptp-connection-through-pfsense

-Rico

Cool_Corona · Aug 19, 2022, 10:39 AM

@pacomillan Its your connectiing server that has issues.

Can you describe how you setup pptp ?

pacomillan · Aug 19, 2022, 10:57 AM

@rico ok

johnpoz · Aug 19, 2022, 11:51 AM

@pacomillan you need to tell you client they need to find another solution, or let know where they are connecting they need to find another solution - say pfsense. If he is running pfsense he has multiple options for running vpn server on pfsense.

PPTP has been dead for 10 some years.. It is not secure at all..

That being said, passing pptp through pfsense there is nothing pfsense would do to block such traffic - unless you were running maybe IPS package. And its set to block it - because again its been dead for 10 years.

NogBadTheBad · Aug 19, 2022, 11:51 AM

@pacomillan also looking at https://forum.netgate.com/topic/173587/sql-rules?_=1660909737405 your issue could be down to the double NAT occuring.

Cool_Corona · Aug 19, 2022, 12:01 PM

@johnpoz Security aside... its by far the easiest Point to Point tunneling setup and if you only need that, its fine.

You run your encrypted trffic inside a PPTP tunnel and then its fine.

I have never ever seen a PPTP connection beeing haked in the wild..... just because a lab rat says so.

Thats why so many are using it still.

pacomillan · Aug 19, 2022, 12:03 PM

@nogbadthebad @nogbadthebad

No. I uncheck "Block private networks and loopback addresses" in Wan interface and all works

johnpoz · Aug 19, 2022, 12:19 PM

@cool_corona said in VPN PPTP:

You run your encrypted trffic inside a PPTP tunnel and then its fine.

Not really.. Its not that your traffic flowing through the vpn is at risk, its that anyone could connect to your vpn and have access to your network is the risk.

If this remote site has pfsense, then they have many options they could use to allow remote access vpn. ipsec, openvpn, wireguard or even the tailscale package which uses wireguard. Which is pretty no brainer setup to be honest. Took all of like 5 minutes to get that setup and have my phone using it.

There is zero reason to still be using a vpn tech that has been dead and compromised for over 10 years when there are other viable options that have no cost other then setup.

And continued support, or even help in allowing someone to continue to use it is wrong advice.

Bill: so my doctor told me to lower my salt intake
Kim: oh bill your salt shaker is low, let me refill that for you..

NogBadTheBad · Aug 19, 2022, 12:26 PM

@pacomillan "Block private networks and loopback addresses" has nothing to do with a double NAT.

Some VPN protocols have the IP address in the payload of the packet and header, NAT would change the IP address in the header and not the payload.

https://packetlife.net/captures/protocol/pptp/

Frame 21: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
Ethernet II, Src: MinervaK_00:02:00 (00:14:00:00:02:00), Dst: Cisco_55:c0:1c (00:09:e9:55:c0:1c)
    Destination: Cisco_55:c0:1c (00:09:e9:55:c0:1c)
    Source: MinervaK_00:02:00 (00:14:00:00:02:00)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 20.0.0.2 (20.0.0.2), Dst: 20.0.0.1 (20.0.0.1)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 50
    Identification: 0x18d5 (6357)
    Flags: 0x00
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: Generic Routing Encapsulation (47)
    Header Checksum: 0x39c6 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 20.0.0.2 (20.0.0.2)
    Destination Address: 20.0.0.1 (20.0.0.1)
Generic Routing Encapsulation (PPP)
    Flags and Version: 0x3081
    Protocol Type: PPP (0x880b)
    Payload Length: 14
    Call ID: 24
    Sequence Number: 5
    Acknowledgment Number: 4
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Ack (2)
    Identifier: 1 (0x01)
    Length: 10
    Options: (6 bytes), IP Address
        IP Address
            Type: IP Address (3)
            Length: 6
            IP Address: 17.1.1.118 (17.1.1.118)

pacomillan · Aug 19, 2022, 2:13 PM

the problem is:

THE REMOTE PPTP VPN SERVER IS NOT PROPERTY OF MY CLIENT.

then, he is thinking to say hello again to his old ISP router

johnpoz · Aug 19, 2022, 2:32 PM

@pacomillan While I understand your frustration - when technology becomes antiquated and no longer secured or supported. The solution is not to continue to use old tech, but move on - even if there is going pains.

PPTP has been dead, should of migrated away from it 10+ years ago, slow to change ok 8 years ;)

Maybe you could facilitate with your client on getting with who runs this server, could be a new client for you.

That being said the problem is GRE which used in outbound pptp connection via some client behind pfsense doesn't actually use a port. The tracking of the GRE connection unless you have multiple public IPs to use would be problematic. Not sure if pfsense ever was able to do that.

I can not be sure - its been 10 some years since did anything with it, again because its been dead for that long - and should of been migrated away from way before then.