Ok, It goes something like this.
E-smith 5.1.2 in server-gateway mode
Client - Win2000 machine
eth0 - internal lan 10.0.0.5
eth1 - external 10.0.2.5 (adsl-router etc)
wlan0 - 10.0.1.15 (Zoomair pcmcia wireless card)
subnet mask - 255.255.255.224
pptpd uses ports 47 and 1723, so in /etc/rc.d/init.d/masq you would look for the following lines
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 1723 -j ACCEPT
/sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT
# Accept incoming GRE packets
/sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT
and add the following so it looks like this
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 1723 -j ACCEPT
/sbin/ipchains --append input -p tcp -s 0/0 -d 10.0.1.15 1723 -j ACCEPT
/sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains --append input -p 47 -s 0/0 -d 10.0.1.15 -j ACCEPT
# Accept incoming GRE packets
/sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains --append input -p 47 -s 0/0 -d 10.0.1.15 -j ACCEPT
Then restart masq /etc/rc.d/init.d/masq restart. What i have done is opened the ports on the wireless card to allow pptp connections. (you need to find some way to make this stick ie edit the templates)
Set your machine up to accept pptp connections in the server manager.
I am using a Windows 2000 client machine to connect to the e-smith box. Set your Vpn client to connect to the external ip address of your machine (it will route through and connect fine), in my case 10.0.2.5 (this is the one that it listens on) and you should be able to connect. If you don’t want to open the vpn to the internet you can change the listening port in /etc/pptpd.conf (again, you need to find a way to make this stick)
I have WEP enabled for whatever added security that provides. The above is only suitable for a server-gateway setup as a server only setup does not run a firewall.
I plan on getting another machine up and running with the above method in server only mode and playing with masq to secure the client end. This would allow LAN-to-LAN connections rather than client to LAN connections. Also, bare in mind that the Win2000 machine is the weak link here. Hack that and you have open access to the e-smith box (pretty paranoid though). Running a port scan from the Windows machine shows port 80 and 3128 open which would need to be closed.
Whatever you do, don’t use the local networks function in the server manager (except for testing) as this opens the machine right up. You could i guess use an additional Ethernet card and substitute the wireless card for an AP. Shouldn’t be a problem.
All of this is really untested (got it working today) and could be done more elegantly, but it seems to work pretty well.
Anyway it’s late, I’m tired. If you have any questions or suggestions (criticisms) let me know.
Regards Duncan.
5 Replies
614 Views