Koozali.org: home of the SME Server

SME 9.2 cannot reach PPTP VPN client IPs

apmuthu
SME 9.2 cannot reach PPTP VPN client IPs
« on: July 04, 2020, 12:44:43 PM »
As is normal, those on the SME 9.2 and its LAN can be reached by PPTP users but not vice versa.
In some cases it may be necessary to have access to resources on a PPTP VPN's client IP from the SME / SME LAN IPs.
What is the firewall rule necessary to enable this securely for a specific IP / subnet of the PPTP VPN client set and how do we make it persistent?

A potential use case is for a NetMeeting (H323) client on the LAN to reach another connected on PPTP VPN. The reverse is however possible for now.

Jean-Philippe Pialasse (aka Unnilennium)
http://smeserver.pialasse.com
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #1 on: July 04, 2020, 12:53:18 PM »
do not use pptp vpn it is insecure.

ReetP
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #2 on: July 04, 2020, 01:52:34 PM »
Use ipsec/l2tpd (slightly more secure) or openvpn routed. More on the wiki.

As indicated PPTP has more holes than a colander and is totally insecure. If you value your or your clients security then do not use it AT ALL. We have said this numerous times.

Please search for something like "PPTP security"

https://www.schneier.com/academic/pptp/faq.html

Quote
3. How bad is it?
Very. Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over. This isn't just one problem, but six different problems, any one of which breaks the protocol.

https://mywindowshub.com/why-the-pptp-vpn-protocol-is-not-secure/

And now you know for sure that it is broken, you can no longer plead ignorance when they get hacked.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ReetP
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #3 on: July 05, 2020, 03:38:43 PM »
"A potential use case is for a NetMeeting (H323) client on the LAN to reach another connected on PPTP VPN."

You might also consider that Netmeeting was dropped a long time back (Vista) and is unsupported.

There are plenty of other more modern and more secure alternatives.

apmuthu
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #4 on: August 04, 2020, 08:48:51 AM »
There is enough literature on why PPTP is insecure. I am aware of this and this request is not a missive for a tutorial.

All I wanted to know is why the SME (or any PPTP VPN Server) cannot reach PPTP Clients and what firewall rules are necessary to achieve it.

Does anyone have any info on why NetMeeting should not be used even though support was stopped as of Vista? OS makers can stop perfectly usable applications simply because they want to make it available as a separate product to sell afresh.

There are many uses for legacy Apps and OSes especially in fully "contained" environments with legacy hardware and for testing. Don't fix it if it ain't broke or just because "consulting entities" want to make money by frightening moneybags / average joe.

The latest is not always the greatest - it is just that their vulnerabilities have either not yet been found or that they haven't been made publicly visible.

janet
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #5 on: August 04, 2020, 09:29:58 AM »
apmuthu

You asked:
"All I wanted to know is why the SME (or any PPTP VPN Server) cannot reach PPTP Clients and what firewall rules are necessary to achieve it."

Read this for more info & possible answers/hints:
https://wiki.contribs.org/VPN_practical_tips

Note these comments:
"In any point to point VPN connection, there will be numerous pieces of equipment that the signal passes through eg corporate firewalls, additional routers/firewalls, software firewalls/filters etc. All these steps in the chain must support protocol 47, if any piece of equipment in the chain does not support that protocol then the VPN connection will be unsuccessful. Sometimes these matters are out of the end user's control, especially in corporate situations, or home user situations where low end broadband connections are used and ISPs limit functionality.

If you have a modem and a router between your SME server and the Internet, keep in mind that you need to open TCP port 1723 on both devices, and they must both support the protocol 47 (GRE).

You cannot establish a VPN passthrough connection through an SME server to a local machine due to problems with the sme server supporting the passthrough of protocol 47 (GRE)."

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
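The wiki note quoted above says a PPTP session only works when every hop passes both the TCP/1723 control channel and GRE (IP protocol 47). As an added illustration, not from this thread or the SME wiki, the Python below classifies raw IPv4 packets taken from a capture on either side of a suspect hop and reports whether GRE is being dropped; it also serves as a simple detector for PPTP traffic on a network. All sample packets are constructed in the script.

```python
import struct
from collections import Counter

IPPROTO_TCP, IPPROTO_GRE = 6, 47     # GRE = "protocol 47" in the quoted note
PPTP_CONTROL_PORT = 1723             # PPTP control channel (TCP)
GRE_PROTO_PPP = 0x880B               # protocol type PPTP puts in the GRE header

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet: pptp-control, pptp-gre, gre-other or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    elif proto == IPPROTO_GRE and len(payload) >= 4:
        _flags, ptype = struct.unpack("!HH", payload[:4])
        return "pptp-gre" if ptype == GRE_PROTO_PPP else "gre-other"
    return "other"

def diagnose(packets):
    """Count PPTP packet kinds and say whether GRE reached this capture point."""
    counts = Counter(classify(p) for p in packets)
    if counts["pptp-control"] and not counts["pptp-gre"]:
        verdict = "control channel seen but no GRE: a hop is dropping protocol 47"
    elif counts["pptp-control"]:
        verdict = "control and GRE both seen: protocol 47 passes this point"
    else:
        verdict = "no PPTP traffic observed"
    return counts, verdict

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (no options, checksum left 0) for the demo."""
    src, dst = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])   # constructed addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

# Constructed sample capture: the control channel flows, but no GRE arrived
SAMPLE = [
    ipv4(IPPROTO_TCP, struct.pack("!HH", 51000, 1723) + b"\x00" * 16),
    ipv4(IPPROTO_TCP, struct.pack("!HH", 1723, 51000) + b"\x00" * 16),
    ipv4(IPPROTO_TCP, struct.pack("!HH", 51000, 1723) + b"\x00" * 16),
    ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, 443) + b"\x00" * 16),   # unrelated HTTPS
]
```

Call `diagnose(SAMPLE)` to get the per-kind counts and a verdict; feeding it packets from both sides of a firewall shows which device stops protocol 47.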

ReetP
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #6 on: August 04, 2020, 09:44:30 AM »
That's all fine. You can ignore all advice and do whatever you want.

But the problem is this stuff is unsupported.

That means you get no support if you want to use it.

If you want to containerise and airgap legacy apps then fine. But what use is pptp and netmeeting containerised?

So you are actually talking about using completely insecure 'encryption' across the net with a completely unsupported app somehow, and we cannot with all good conscience help you with that.

Regarding GRE, anything is possible but you'd need to work out how to do it. SME remote access was designed so you could access server resources, not for passthrough.

But really if you care anything about security, forget it and use a secure option.

janet
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #7 on: August 04, 2020, 10:50:44 AM »
apmuthu

Please do a Google search for your questions/answers that are not SME server related.
e.g.
https://www.sans.org/reading-room/whitepapers/windows/paper/276

"Does anyone have any info on why NetMeeting should not be used even though support was stopped as of Vista?"

also see this FYI
https://en.wikipedia.org/wiki/Microsoft_NetMeeting

apmuthu
Re: SME 9.2 cannot reach PPTP VPN client IPs
« Reply #8 on: August 05, 2020, 03:45:57 AM »
@janet: Thanks for the links. Very useful.