Make my NAT computer do PPTP VPN pass through

[zooounds]

My Ubuntu Edgy computer is a NAT server. How does I make it possible for at least one (but possible many) LAN clients to use a PPTP VPN?

Which kernel modules must I insert? Iptables rules?

Getting panic here ...

Regards
Fredrik

[koenn]

pptp passes through nat transparently, i.e. if you allow everything out, and established in, it should work. If you want it more secure, you can specify ip addresses of servers you want to connect to, and port numbers (look up what ports pptp uses).

[zooounds]

Quote:

Originally Posted by koenn pptp passes through nat transparently, i.e. if you allow everything out, and established in, it should work. If you want it more secure, you can specify ip addresses of servers you want to connect to, and port numbers (look up what ports pptp uses).

That does not work for me.

The VPN works fine if I'm not behind NAT.

Are you sure there are no kernel modules (conntrack etc) that are needed?

[koenn]

According to the documentation, al you need is to allow traffic towards the vpn you're connecting to (tcp port 1743) + allow the replies ('established') and it will be NATed no problem.

I checked my NAT box and it does have contrack installed - i probably included it when first installing iptables, so I can't verify if it would work without. I think you only need contrack if your iptables uses 'state' such as 'related'.

[zooounds]

Quote:

Originally Posted by koenn According to the documentation, al you need is to allow traffic towards the vpn you're connecting to (tcp port 1743) + allow the replies ('established') and it will be NATed no problem. I checked my NAT box and it does have contrack installed - i probably included it when first installing iptables, so I can't verify if it would work without. I think you only need contrack if your iptables uses 'state' such as 'related'.

So none of these are needed?

ip_conntrack_pptp
ip_conntrack_proto_gre
ip_nat_pptp
ip_nat_proto_gre

I still can't get it to work

[koenn]

I only have these, and a working pptp :

Code:

stargate:~# lsmod
Module                  Size  Used by    Not tainted
ipt_MASQUERADE          1216   1
ipt_state                608   2
iptable_filter          1728   1
iptable_nat            12628   3  [ip_nat_ftp ip_nat_irc ipt_MASQUERADE ipt_REDIRECT]
ip_conntrack           12652   4  [ip_conntrack_ftp ip_conntrack_irc ip_nat_ftp ip_nat_irc ipt_MASQUERADE ipt_REDIRECT ipt_state iptable_nat]
ip_tables              10432  21  [ipt_LOG ipt_MARK ipt_MASQUERADE  ....

what else can I say ?

[zooounds]

I'm just curious; where comes GRE into the picture?

[koenn]

GRE does the encaptulation of packages that are send after the pptp connection is established.

Quote:

After the PPTP control session has been established, GRE is used to encapsulate the data or payload in a secure manner

this explains it further : http://support.microsoft.com/kb/241251. On the diagram you'll see that the IP header sits on top of the GRE packer. The IP header holds source and destination address, which is changed during the NAT proces. So NAT doesn't affect it - unless you're running multiple pptp sessions. In that case, the NAT may get confused about which package belongs to what session - I think the contrack pptp and contrack gre modules are meant to handle that.

[koenn]

Quote:

My Ubuntu Edgy computer is a NAT server. How does I make it possible for at least one (but possible many) LAN clients to use a PPTP VPN?

I understood this correctly that the Ubuntu Edgy computer acts as a router and uses NAT to provide internet access or some other form of connectivity to 1 (or more) hosts (computers) on your LAN - and that these hosts will set up pptp sessions with servers elsewhere through the Ubuntu Edgy machine. So they do not setup pptp vpn with that ubuntu machine, right ?

[zooounds]

Quote:

Originally Posted by koenn I understood this correctly that the Ubuntu Edgy computer acts as a router and uses NAT to provide internet access or some other form of connectivity to 1 (or more) hosts (computers) on your LAN - and that these hosts will set up pptp sessions with servers elsewhere through the Ubuntu Edgy machine. So they do not setup pptp vpn with that ubuntu machine, right ?

Correct.

Actually, the hosts on the "LAN" is virutal machines running on the Edgy computer. But the behave like they are sitting on a LAN.

But what could go wrong then? I have no firewall rules at all. Si there any way to se what happens when the client connects to the VPN?