VPN to Linux server behind NAT router from XP Home?

I would have thought this was a fairly normal situation but I haven't
found very much useful information on the topic. My searches on the
topic all seem to presume you are dealing with a major organization at
one end or the other and that you are dealing with just M$ or just linux.

A small organization has a private LAN (192.168.0.x addresses) behind a
router and needs to give access to some files on their server (running
Debian Sarge) to an employee working on a Windows XP Home system at home.

Is it possible to do this? If so, can someone point me to a good howto
on the subject?

From looking at my own router, it appears that the VPN/PPTP settings
assume that I am trying to connect to a remote VPN server. I haven't had
a chance to look at the organization's router, but it can be replaced if
different hardware is necessary.

Thanks for any assistance you can provide!

Gary Dale wrote:

> I would have thought this was a fairly normal situation but I haven't
> found very much useful information on the topic. My searches on the
> topic all seem to presume you are dealing with a major organization at
> one end or the other and that you are dealing with just M$ or just linux.

I'm not sure what you're looking for, but you might want to consider
OpenVPN, which comes with some Linux distros and is also available for
Windows. I use it between my notebook computer and home network and it
works fine.

"Gary Dale" <(E-Mail Removed)> wrote in message
news:OvKdnW1V86yhbaveRVn-(E-Mail Removed)...
>I would have thought this was a fairly normal situation but I haven't found
>very much useful information on the topic. My searches on the topic all
>seem to presume you are dealing with a major organization at one end or the
>other and that you are dealing with just M$ or just linux.
>
> A small organization has a private LAN (192.168.0.x addresses) behind a
> router and needs to give access to some files on their server (running
> Debian Sarge) to an employee working on a Windows XP Home system at home.
>
> Is it possible to do this? If so, can someone point me to a good howto on
> the subject?
>
> From looking at my own router, it appears that the VPN/PPTP settings
> assume that I am trying to connect to a remote VPN server. I haven't had a
> chance to look at the organization's router, but it can be replaced if
> different hardware is necessary.
>
> Thanks for any assistance you can provide!

Do it all the time. Try Google for PopTop. This will permit
you to create a VPN, of the PPTP flavor. (compatible with
Microsoft clients). The Windows clients can then connect
to the VPN server (requires passing proto 47 and TCP port 1723
through your firewall) to the Linux PPTP/VPN system.
I've heard that after the Linux 2.6.14 kernel becomes available,
you'll no longer need to patch the system to support MPPE 128 bit
encryption :-)

Enjoy,
Postmaster

Gary Dale wrote:
> I would have thought this was a fairly normal situation but I haven't
> found very much useful information on the topic. My searches on the
> topic all seem to presume you are dealing with a major organization at
> one end or the other and that you are dealing with just M$ or just linux.
>
> A small organization has a private LAN (192.168.0.x addresses) behind a
> router and needs to give access to some files on their server (running
> Debian Sarge) to an employee working on a Windows XP Home system at home.
>
> Is it possible to do this? If so, can someone point me to a good howto
> on the subject?
>
> From looking at my own router, it appears that the VPN/PPTP settings
> assume that I am trying to connect to a remote VPN server. I haven't had
> a chance to look at the organization's router, but it can be replaced if
> different hardware is necessary.
>
> Thanks for any assistance you can provide!

I have done this with openvpn (www.openvpn.net). The hardest part
is creating the certificates. It all uses a single UDP port and
provided you can get this in through the router, it will survive
NAT.

Steve

Steve Horsley wrote:

>> Thanks for any assistance you can provide!
>
> I have done this with openvpn (www.openvpn.net). The hardest part
> is creating the certificates. It all uses a single UDP port and
> provided you can get this in through the router, it will survive
> NAT.
>

A TCP port can also be used, though UDP is preferred.

James Knott wrote:
> Steve Horsley wrote:
>
>
>>>Thanks for any assistance you can provide!
>>
>>I have done this with openvpn (www.openvpn.net). The hardest part
>>is creating the certificates. It all uses a single UDP port and
>>provided you can get this in through the router, it will survive
>>NAT.
>>
>
>
> A TCP port can also be used, though UDP is preferred.
>

I've been trying to follow James Cameron's Debian Howto found through
the poptop.org site. I'm not sure about testing it however. I've set up
a Windows XP box to go through PPTP to my router (which actually means
going out and coming back in through its WAN address). This didn't work
and there is no indication of where the problem actually resides.

My router, an SMC7008ABR, allows PPTP but it appears to assume you are
going out, not coming in. It has fields for PPTP account, PPTP password,
service name, My IP Address, My Subnet Mask and Server IP address, but
doesn't really define them. For example, is "My", the machine I want to
connect to inside my router, the router WAN address, or what?

Similar problems reside in the pptpd.conf file. What is the local IP as
opposed to the remote IP? Is the local IP the actual local IP of my
server and are the remoteip addresses ones that will be assigned to
incoming connections? The documentation I've found doesn't really spell
it out.

Then there's the cryptic 800 error from M$'s VPN connection.

Anyway, I've also tried other settings in the router to open port 1723
for both TCP and UDP. It doesn't allow other protocols. Still no luck.

So, is my testing procedure feasible? Can I go out on one machine and
connect back to my server back through the router?

Can the SMC router allow incoming PPTP connections?

Can anyone explain the various IP addresses to me (which ones are used
for what)?

Sorry for the tall order, but I can't figure this out on my own. ;(

"Gary Dale" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .
> James Knott wrote:
>> Steve Horsley wrote:
>>
>>
>>>>Thanks for any assistance you can provide!
>>>
>>>I have done this with openvpn (www.openvpn.net). The hardest part
>>>is creating the certificates. It all uses a single UDP port and
>>>provided you can get this in through the router, it will survive
>>>NAT.
>>>
>>
>>
>> A TCP port can also be used, though UDP is preferred.
>>
>
> I've been trying to follow James Cameron's Debian Howto found through the
> poptop.org site. I'm not sure about testing it however. I've set up a
> Windows XP box to go through PPTP to my router (which actually means going
> out and coming back in through its WAN address). This didn't work and
> there is no indication of where the problem actually resides.
>
> My router, an SMC7008ABR, allows PPTP but it appears to assume you are
> going out, not coming in. It has fields for PPTP account, PPTP password,
> service name, My IP Address, My Subnet Mask and Server IP address, but
> doesn't really define them. For example, is "My", the machine I want to
> connect to inside my router, the router WAN address, or what?
>
> Similar problems reside in the pptpd.conf file. What is the local IP as
> opposed to the remote IP? Is the local IP the actual local IP of my server
> and are the remoteip addresses ones that will be assigned to incoming
> connections? The documentation I've found doesn't really spell it out.
>
> Then there's the cryptic 800 error from M$'s VPN connection.
>
> Anyway, I've also tried other settings in the router to open port 1723 for
> both TCP and UDP. It doesn't allow other protocols. Still no luck.
>
> So, is my testing procedure feasible? Can I go out on one machine and
> connect back to my server back through the router?
>
> Can the SMC router allow incoming PPTP connections?
>
> Can anyone explain the various IP addresses to me (which ones are used for
> what)?
>
> Sorry for the tall order, but I can't figure this out on my own. ;(

Gary,

My guess is that you will have to configure the NAT/Router
to forward Proto 47 and TCP port 1723 to your poptop
VPN server. The IP address that external clients will use
will be the IP address of your public side of your router.

The other possibility would be to put the Poptop VPN server
in the DMZ for the router and then close down all ports
accept TCP 1723. ( on the VPN server ) Again, the
public side clients would believe the IP address is the
IP address of the public side of the router.


Enjoy,
Postmaster

Postmaster wrote:
> "Gary Dale" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed).. .
>
>>James Knott wrote:
>>
>>>Steve Horsley wrote:
>>>
>>>
>>>
>>>>>Thanks for any assistance you can provide!
>>>>
>>>>I have done this with openvpn (www.openvpn.net). The hardest part
>>>>is creating the certificates. It all uses a single UDP port and
>>>>provided you can get this in through the router, it will survive
>>>>NAT.
>>>>
>>>
>>>
>>>A TCP port can also be used, though UDP is preferred.
>>>
>>
>>I've been trying to follow James Cameron's Debian Howto found through the
>>poptop.org site. I'm not sure about testing it however. I've set up a
>>Windows XP box to go through PPTP to my router (which actually means going
>>out and coming back in through its WAN address). This didn't work and
>>there is no indication of where the problem actually resides.
>>
>>My router, an SMC7008ABR, allows PPTP but it appears to assume you are
>>going out, not coming in. It has fields for PPTP account, PPTP password,
>>service name, My IP Address, My Subnet Mask and Server IP address, but
>>doesn't really define them. For example, is "My", the machine I want to
>>connect to inside my router, the router WAN address, or what?
>>
>>Similar problems reside in the pptpd.conf file. What is the local IP as
>>opposed to the remote IP? Is the local IP the actual local IP of my server
>>and are the remoteip addresses ones that will be assigned to incoming
>>connections? The documentation I've found doesn't really spell it out.
>>
>>Then there's the cryptic 800 error from M$'s VPN connection.
>>
>>Anyway, I've also tried other settings in the router to open port 1723 for
>>both TCP and UDP. It doesn't allow other protocols. Still no luck.
>>
>>So, is my testing procedure feasible? Can I go out on one machine and
>>connect back to my server back through the router?
>>
>>Can the SMC router allow incoming PPTP connections?
>>
>>Can anyone explain the various IP addresses to me (which ones are used for
>>what)?
>>
>>Sorry for the tall order, but I can't figure this out on my own. ;(
>
>
> Gary,
>
> My guess is that you will have to configure the NAT/Router
> to forward Proto 47 and TCP port 1723 to your poptop
> VPN server. The IP address that external clients will use
> will be the IP address of your public side of your router.
>
> The other possibility would be to put the Poptop VPN server
> in the DMZ for the router and then close down all ports
> accept TCP 1723. ( on the VPN server ) Again, the
> public side clients would believe the IP address is the
> IP address of the public side of the router.
>
>
> Enjoy,
> Postmaster
>
>

That's were it gets confusing. I gather that the SMC7008ABR can forward
protocol 47 but it doesn't explicitly do it. My issue with the settings
is that they seem to be assuming the router is going to connect to an
external PPTP server, rather than having an external client connect to
an internal PPTP server.

My router does offer a DMZ which I just tried. However, this is gave me
the same 800 error again on the XP side. Again, I'm not sure if my
testing procedure can actually work. Can I test a VPN from a local machine?

And I'm still not sure what the pptp.conf is asking for re. the local
and remote IP addresses.

"Gary Dale" <(E-Mail Removed)> wrote in message
news:yP2dnbv9UMTwKqfeRVn-(E-Mail Removed)...
> Postmaster wrote:
>> "Gary Dale" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed).. .
>>
>>>James Knott wrote:
>>>
>>>>Steve Horsley wrote:
>>>>
>>>>
>>>>
>>>>>>Thanks for any assistance you can provide!
>>>>>
>>>>>I have done this with openvpn (www.openvpn.net). The hardest part
>>>>>is creating the certificates. It all uses a single UDP port and
>>>>>provided you can get this in through the router, it will survive
>>>>>NAT.
>>>>>
>>>>
>>>>
>>>>A TCP port can also be used, though UDP is preferred.
>>>>
>>>
>>>I've been trying to follow James Cameron's Debian Howto found through the
>>>poptop.org site. I'm not sure about testing it however. I've set up a
>>>Windows XP box to go through PPTP to my router (which actually means
>>>going out and coming back in through its WAN address). This didn't work
>>>and there is no indication of where the problem actually resides.
>>>
>>>My router, an SMC7008ABR, allows PPTP but it appears to assume you are
>>>going out, not coming in. It has fields for PPTP account, PPTP password,
>>>service name, My IP Address, My Subnet Mask and Server IP address, but
>>>doesn't really define them. For example, is "My", the machine I want to
>>>connect to inside my router, the router WAN address, or what?
>>>
>>>Similar problems reside in the pptpd.conf file. What is the local IP as
>>>opposed to the remote IP? Is the local IP the actual local IP of my
>>>server and are the remoteip addresses ones that will be assigned to
>>>incoming connections? The documentation I've found doesn't really spell
>>>it out.
>>>
>>>Then there's the cryptic 800 error from M$'s VPN connection.
>>>
>>>Anyway, I've also tried other settings in the router to open port 1723
>>>for both TCP and UDP. It doesn't allow other protocols. Still no luck.
>>>
>>>So, is my testing procedure feasible? Can I go out on one machine and
>>>connect back to my server back through the router?
>>>
>>>Can the SMC router allow incoming PPTP connections?
>>>
>>>Can anyone explain the various IP addresses to me (which ones are used
>>>for what)?
>>>
>>>Sorry for the tall order, but I can't figure this out on my own. ;(
>>
>>
>> Gary,
>>
>> My guess is that you will have to configure the NAT/Router
>> to forward Proto 47 and TCP port 1723 to your poptop
>> VPN server. The IP address that external clients will use
>> will be the IP address of your public side of your router.
>>
>> The other possibility would be to put the Poptop VPN server
>> in the DMZ for the router and then close down all ports
>> accept TCP 1723. ( on the VPN server ) Again, the
>> public side clients would believe the IP address is the
>> IP address of the public side of the router.
>>
>>
>> Enjoy,
>> Postmaster
>
> That's were it gets confusing. I gather that the SMC7008ABR can forward
> protocol 47 but it doesn't explicitly do it. My issue with the settings is
> that they seem to be assuming the router is going to connect to an
> external PPTP server, rather than having an external client connect to an
> internal PPTP server.
>
> My router does offer a DMZ which I just tried. However, this is gave me
> the same 800 error again on the XP side. Again, I'm not sure if my testing
> procedure can actually work. Can I test a VPN from a local machine?
>
> And I'm still not sure what the pptp.conf is asking for re. the local and
> remote IP addresses.

Gary,

In /etc/pptpd.conf I have:

localip 172.16.0.1
remoteip 172.16.0.2-99

Where localip is the IP address of the VPN gateway, inside
the VPN, and remoteip is the address range that will
be handed out to VPN clients, for use inside the VPN.

Enjoy
Postmaster

Postmaster wrote:
> "Gary Dale" <(E-Mail Removed)> wrote in message
> news:yP2dnbv9UMTwKqfeRVn-(E-Mail Removed)...
>
>>Postmaster wrote:
>>
>>>"Gary Dale" <(E-Mail Removed)> wrote in message
>>>news:(E-Mail Removed) m...
>>>
>>>
>>>>James Knott wrote:
>>>>
>>>>
>>>>>Steve Horsley wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>Thanks for any assistance you can provide!
>>>>>>
>>>>>>I have done this with openvpn (www.openvpn.net). The hardest part
>>>>>>is creating the certificates. It all uses a single UDP port and
>>>>>>provided you can get this in through the router, it will survive
>>>>>>NAT.
>>>>>>
>>>>>
>>>>>
>>>>>A TCP port can also be used, though UDP is preferred.
>>>>>
>>>>
>>>>I've been trying to follow James Cameron's Debian Howto found through the
>>>>poptop.org site. I'm not sure about testing it however. I've set up a
>>>>Windows XP box to go through PPTP to my router (which actually means
>>>>going out and coming back in through its WAN address). This didn't work
>>>>and there is no indication of where the problem actually resides.
>>>>
>>>>My router, an SMC7008ABR, allows PPTP but it appears to assume you are
>>>>going out, not coming in. It has fields for PPTP account, PPTP password,
>>>>service name, My IP Address, My Subnet Mask and Server IP address, but
>>>>doesn't really define them. For example, is "My", the machine I want to
>>>>connect to inside my router, the router WAN address, or what?
>>>>
>>>>Similar problems reside in the pptpd.conf file. What is the local IP as
>>>>opposed to the remote IP? Is the local IP the actual local IP of my
>>>>server and are the remoteip addresses ones that will be assigned to
>>>>incoming connections? The documentation I've found doesn't really spell
>>>>it out.
>>>>
>>>>Then there's the cryptic 800 error from M$'s VPN connection.
>>>>
>>>>Anyway, I've also tried other settings in the router to open port 1723
>>>>for both TCP and UDP. It doesn't allow other protocols. Still no luck.
>>>>
>>>>So, is my testing procedure feasible? Can I go out on one machine and
>>>>connect back to my server back through the router?
>>>>
>>>>Can the SMC router allow incoming PPTP connections?
>>>>
>>>>Can anyone explain the various IP addresses to me (which ones are used
>>>>for what)?
>>>>
>>>>Sorry for the tall order, but I can't figure this out on my own. ;(
>>>
>>>
>>> Gary,
>>>
>>> My guess is that you will have to configure the NAT/Router
>>> to forward Proto 47 and TCP port 1723 to your poptop
>>> VPN server. The IP address that external clients will use
>>> will be the IP address of your public side of your router.
>>>
>>> The other possibility would be to put the Poptop VPN server
>>> in the DMZ for the router and then close down all ports
>>> accept TCP 1723. ( on the VPN server ) Again, the
>>> public side clients would believe the IP address is the
>>> IP address of the public side of the router.
>>>
>>>
>>>Enjoy,
>>>Postmaster
>>
>>That's were it gets confusing. I gather that the SMC7008ABR can forward
>>protocol 47 but it doesn't explicitly do it. My issue with the settings is
>>that they seem to be assuming the router is going to connect to an
>>external PPTP server, rather than having an external client connect to an
>>internal PPTP server.
>>
>>My router does offer a DMZ which I just tried. However, this is gave me
>>the same 800 error again on the XP side. Again, I'm not sure if my testing
>>procedure can actually work. Can I test a VPN from a local machine?
>>
>>And I'm still not sure what the pptp.conf is asking for re. the local and
>>remote IP addresses.
>
>
> Gary,
>
> In /etc/pptpd.conf I have:
>
> localip 172.16.0.1
> remoteip 172.16.0.2-99
>
> Where localip is the IP address of the VPN gateway, inside
> the VPN, and remoteip is the address range that will
> be handed out to VPN clients, for use inside the VPN.
>
> Enjoy
> Postmaster
>
>


Thanks. It's just not working. I'm still getting an 800 error on the XP
side (can't connect to VPN). I've set the localip to both the local
address of the machine I want to connect to, and to the local address of
the router, restarting pptpd each time, but I get the same result from XP.

I'm going to try to set up the other network's router and see if I can
get through it. Other than recompiling the kernel, the configuration of
a basic tunnel seems straightforward. If I can get it working, making it
secure may be another issue...