Thursday, February 27, 2020

Re: PPTP NAT passthrough

On 2020-02-26, Edgar Pettijohn <edgar@pettijohn-web.com> wrote:
> This appears to be actively maintained.
>
> https://sourceforge.net/projects/pptpclient/

Gábor is looking for a proxy / "nat helper", not a client.

> On 02/25/20 12:15, Szél Gábor wrote:
>> Dear @misc
>>
>> Our customer needs more parallel outgoing PPTP sessions.
>> I know PPTP is not a secure VPN, but our client does not have any options.
>> (our customer's remote partner accepts only PPTP VPN ...)
>>
>> OpenBSD PF can't use parallel PPTP sessions. The first session is NAT-ed,
>> but the second session is broken.
>> I know OpenBSD does not support PPTP NAT passthrough.
>>
>> I found two very old PPTP proxies for OpenBSD:
>>
>>  * https://github.com/crvv/pptp-proxy
>>    This is an ftp-proxy fork(?)
>>  * https://sourceforge.net/projects/frickin/
>>
>> frickin 1.x works only with a fixed remote PPTP address, not good for me.
>> frickin 2.x (beta) did not compile on oBSD 6.6.
>>
>> pptp-proxy compiled and started, but is not working.
>> We tested a very simple pf.conf (NAT, and some rules)
>>
>> pass in quick log on $int_if proto gre from any to ! $int_if:0 rdr-to 127.0.0.1
>> pass in quick log on $int_if proto tcp from any to ! $int_if:0 port 1723 rdr-to 127.0.0.1 port 2317
>>
>> pptp-proxy accepted the session, but is not working.
>> (in tcpdump only 2 outgoing, 1 inbound packet found)
>>
>> Does anyone know a working solution for PPTP NAT passthrough?

I haven't heard of other implementations for PF.

There was one named pptp-proxy discussed on tech@ about 10 years ago
which needed kernel patches as well, this might be some modified version
of that but it may have been converted to userland-only as well, I haven't
looked closely. It doesn't appear to rewrite call-id so it wouldn't work
for connections from multiple natted clients going to the same server.

>> In the OpenBSD-based securityrouter.org firewall I found PPTP-Proxy support:
>> https://securityrouter.org/wiki/Comparison
>> But I don't know what to use.

Likely some variant of this same pptp-proxy .. A lot of securityrouter.org
things are closed source afaik.

If you want to run this on OpenBSD then probably you will need to either
write code or fix code.
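
The call-id point raised in the reply above, as an added example that is not part of the thread and is not code from pptp-proxy or frickin: PPTP data packets are enhanced GRE (RFC 2637) with no ports, and the only per-session field is the 16-bit call ID, so a NAT helper has to give each inside client a call ID that is unique per remote server and map it back on inbound GRE. The class and method names are hypothetical and the addresses and packet bytes are constructed.

```python
import struct

GRE_PPTP_PROTO = 0x880B   # protocol type of PPTP's enhanced GRE (RFC 2637)
GRE_KEY_BIT = 0x2000      # K bit: key field (payload length + call ID) present


class CallIdNat:
    """Hypothetical call-ID translation table for a PPTP NAT helper."""

    def __init__(self):
        self.out = {}    # (server, client_ip, client_call_id) -> nat_call_id
        self.back = {}   # (server, nat_call_id) -> (client_ip, client_call_id)

    def map_outgoing(self, server, client_ip, client_call_id):
        """Pick the call ID to advertise to the server for this client's call.

        A helper would write this value into the client's Outgoing-Call-Request
        on the TCP/1723 control channel; the server then uses it in its GRE.
        """
        key = (server, client_ip, client_call_id)
        if key not in self.out:
            used = {cid for (srv, cid) in self.back if srv == server}
            nat_id = next(c for c in range(1, 0x10000) if c not in used)
            self.out[key] = nat_id
            self.back[(server, nat_id)] = (client_ip, client_call_id)
        return self.out[key]

    def translate_inbound_gre(self, server, packet):
        """Return (client_ip, rewritten_packet), or None to drop the packet."""
        if len(packet) < 8:
            return None
        flags, proto, _length, call_id = struct.unpack("!HHHH", packet[:8])
        if proto != GRE_PPTP_PROTO or (flags & 0x7) != 1 or not flags & GRE_KEY_BIT:
            return None                      # not PPTP enhanced GRE (version 1)
        entry = self.back.get((server, call_id))
        if entry is None:
            return None                      # no matching control-channel state
        client_ip, client_call_id = entry
        # Restore the call ID the inside client originally chose.
        return client_ip, packet[:6] + struct.pack("!H", client_call_id) + packet[8:]


def sample_gre(call_id, seq=7, payload=b"\xff\x03\xc0\x21"):
    """Constructed enhanced-GRE packet: K and S bits set, version 1."""
    hdr = struct.pack("!HHHHI", 0x3001, GRE_PPTP_PROTO, len(payload), call_id, seq)
    return hdr + payload
```

Without the rewrite, two inside clients that both pick call ID 1 towards the same server produce inbound GRE that is identical in every field a NAT can key on, which matches the "first session works, second breaks" symptom described in the question.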
