Re: PPTP thru SUSEfirewall



On Jul 5, 6:30 pm, Bob Bob <bob3b...@xxxxxxxxxxxxxx> wrote:
Hi Les

I opted for OpenVPN mainly because I was joining Linux servers over
Internet and also had some remote W32 clients. I put the VPN interface
on the firewall itself and had quite a few firewall/routing tuning
problems. In my case it was more understanding how the SuSE setup
worked. I am still pretty close to dumping it all and creating my own
firewall script! OpenVPN does require an extra install on the W32 boxes
and you do have to go through certificate generation. It isn't difficult
the second time but before that lots of brain activity takes place! The
PPTP solution is nice if you have standard windows boxes.

Ok so you want the firewall to pass 1723 TCP and protocol 47 (gre). You
want to port forward both these ports at the firewall to the internal
server. The firewall also has to let these packets in from the Internet
as well. If your firewall log shows them being dropped then you have a
problem!

This shows the gist: http://www.shorewall.net/2.0/PPTP.htm#ServerBehind

This isn't SuSE of course but you can see what has to be done under
iptables. The trick is how to do a 47 port forward from the public
interface to the internal network.

You can rely on normal masquerading for outbound packets. (I hope! There
may be another kernel module that needs loading here - I haven't checked)

So where to find it exactly in SuSE's firewall setup? You may have to
edit /etc/sysconfig/scripts/SuSEfirewall2-custom if all else fails.

The SuSE firewall has an allowance for 47/gre but I see it says
something like "for VPN services that stop at the firewall". It can't
hurt to try! It doesn't seem to have a port forward though.

# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
---
## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing which END at the firewall
#
# Example: "esp"
#
FW_SERVICES_EXT_IP="gre esp"

So in summary (assuming your internal server is 192.168.0.1):

FW_SERVICES_EXT_TCP - 1723 handles the input accept for that TCP port
FW_SERVICES_EXT_IP="gre esp" - looks like it will input accept 47

Don't forget to set these so internal masquerade actually works:
FW_ROUTE="yes"
FW_MASQUERADE="yes"

FW_FORWARD_MASQ="0/0,192.168.0.1,tcp,1723 0/0,192.168.0.1,47"

I'll admit I don't know if FW_FORWARD_MASQ will do 47's. There is no
example of its use...

Hope this all helps. (I hope I got it right!) If you get real stuck feel
free to send me your firewall logs and firewall settings to my direct
address.

Cheers Bob

Leslie.E.Zeigler wrote:

Bob,

Well, I am not sure what I missed in all of this but after some more
trial and error I am still stuck with the same problem. It now looks
like OpenVPN is my only solution but I just can't believe I can't find
what I am missing here. It really irks me to have to be "forced" to
quit over some oversight. Grrrr!!
You seem to be very well versed in this sort of thing so please let me
run this by you once more....

- small LAN, mostly Win32 but a few Linux computers and a network
printer.
- openSUSE 10.x firewall/router with TCP port 1723 forwarded to the
internal VPN server and protocol 47 open.
- My friend trying to connect from Internet gets to verifying username
and password but then receives error of "computer did not respond". I
can see her hitting the VPN server directly from the server itself,
but it never lets her in unless I connect DSL modem directly to the
VPN server. So, it's 100% something with the router/firewall.

Any thoughts or ideas? Anything?

What can I be missing that is preventing the firewall/router from
correctly managing this VPN traffic? I have read and re-read countless
"help pages" online but none seem to help with this particular
problem.
Please let me know if you can think of something I have missed or am
missing.

Thanks again, Bob.

-Les

Thank you so much, Bob. I will most definitely try this and though it
may take me a day or so to do this, please don't forget about this
thread.

Thanks again,
-Les
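Bob's summary, as an added example that is not part of the thread or of SuSEfirewall2 itself: a function that prints the raw iptables rules the FW_FORWARD_MASQ/FW_MASQUERADE settings stand for (tcp/1723 and protocol 47 forwarded to the internal server, outbound masquerade), and a second function that scans firewall log text for exactly the dropped PPTP packets Bob says to look for. The interface name eth0, the SFW2 log prefix, the conntrack/NAT helper module name and all log lines are assumptions or constructed here; 192.168.0.1 is the server address from the post.

```shell
#!/bin/sh
# Added example: map the SuSEfirewall2 settings discussed in the thread to the
# iptables rules they imply, and scan a firewall log for dropped PPTP packets.
# Interface/address values are placeholders; the log lines are constructed.

# Print (do not apply) the rules behind FW_FORWARD_MASQ for tcp/1723 and
# protocol 47, plus FW_MASQUERADE. $1 = public interface, $2 = PPTP server.
# nf_nat_pptp is the GRE/PPTP NAT helper in current kernels (assumed name).
pptp_forward_rules() {
    cat <<EOF
modprobe nf_nat_pptp
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 1723 -j DNAT --to-destination $2
iptables -t nat -A PREROUTING -i $1 -p 47 -j DNAT --to-destination $2
iptables -A FORWARD -i $1 -d $2 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $1 -d $2 -p 47 -j ACCEPT
iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
EOF
}

# Constructed netfilter LOG lines in the style SuSEfirewall2 emits. GRE shows up
# as PROTO=47 because LOG only names TCP/UDP/ICMP; other protocols are numeric.
PPTP_LOG='Jul  5 18:30:01 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=49152 DPT=1723 SYN
Jul  5 18:30:02 gw kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=49152 DPT=1723 SYN
Jul  5 18:30:05 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=47
Jul  5 18:30:06 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=UDP SPT=5555 DPT=53'

# Print one "<kind> <src>" line per dropped PPTP control (tcp/1723) or
# GRE (protocol 47) packet found in the log text passed as $1.
pptp_drops() {
    printf '%s\n' "$1" | awk '
        /DROP/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto == "47") print "gre " src
            else if (proto == "TCP" && dpt == "1723") print "tcp/1723 " src
        }'
}

pptp_forward_rules eth0 192.168.0.1
pptp_drops "$PPTP_LOG"
```

On a live box you would feed `pptp_drops` the output of `grep SFW2 /var/log/messages` rather than the constructed text; a dropped `gre` line with the client's address means protocol 47 is not being let in at the firewall, which matches the "verifying username and password" stall described in the thread.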



