Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: DungaBee on December 16, 2006, 03:46:52 PM

Title: Use PPTP in Server Only Mode
Post by: DungaBee on December 16, 2006, 03:46:52 PM
I have a client that has a Sonicwall firewall that needs to stay in place.  They have a need for VPN connectivity in to their LAN.  I am thinking of using SME Server to provide this as I use it in my office as a server and it works great.

I have 2 questions.  One just about SME server and the other a bit more generic about networking.

1.  Can I use SME Server in Server-Only mode and port forward the necessary protocols and ports to the server to allow it to do PPTP behind the Sonicwall?

2.  The client has 2 other IP ranges on their LAN that are connected via tunnels between the Sonicwall units.  The IP ranges are:

192.168.1.x    --> Home Location where SME server will be.
192.168.2.x    --> Remote Office
192.168.3.x    --> Remote Office

Assuming #1 is possible, how do I advertise to the client that when they are connected to 192.168.1.x that also the other subnets are at the other end of that tunnel too?  What I think will happen is that they'll connect to 192.168.1.x but if they request a connection to something on one of the other subnets, their PC will not know to go through the tunnel to get to .2.x and .3.x.  Is it possible to tell the client that the main subnet and the other 2 are at the end of the PPTP tunnel once they connect?

Thanks in advance for your help everyone.
Title: Use PPTP in Server Only Mode
Post by: mmccarn on December 16, 2006, 04:25:15 PM
I used to do this with SME 6.

I have a Sonicwall 2040 running SonicOS Enhanced v 3.x, and used to have SME 6.0.1 as server-only on the "LAN" segment.

I could open a PPTP connection to the SME box, then access any system on the "local" network that the Sonicwall would normally have allowed me to access (in this case, an ftp server on the "DMZ" segment, any host on the LAN segment, or the internal interface on the router for my failover internet connection)

[completely_off_topic]
I had to scrub and re-load my Sonicwall around the same time I upgraded to SME 7 and haven't configured pptp support since then; I use putty to create ssh tunnels for everything I need now: access to internal websites, rdp or vnc to any internal host.  

This command, for example:
putty my.sme.server -L 1443:192.168.1:443 -L 3302:192.168.1.2:3389 -L 5905:192.168.1.5:5900

Will let me:

Just remember to pick ports that are not already used by local services (on your workstation) on the left side of the "-L ..." section.  I also use some personal shorthand to make it easy to remember how to get to each host:[/completely_off_topic]
Title: Use PPTP in Server Only Mode
Post by: Boris on December 17, 2006, 12:16:25 AM
DungaBee,

1. It will work in the server-only mode, but you'd need to forward port 1723 from the firewall to the internal SME server.
2.  If the office network already works with the .2.x and .3.x subnets and the routing between them is set up on the sonic firewalls, it should just work, but why not use sonicwall's VPN to connect home clients?
Title: Use PPTP in Server Only Mode
Post by: DungaBee on December 17, 2006, 02:56:52 AM
We do not want to use the Sonicwall VPN because you have to pay for the client licenses, which we do not want to do since I think we can create a good solution for free.

About the routing, the problem I think we will have is that when the client connects from home to the PPTP server, it will 'know' that 192.168.1.x is on the other end of the tunnel.  What I do not think it will 'know' is that .2.x and .3.x are on the other end as well.
Title: Use PPTP in Server Only Mode
Post by: Boris on December 18, 2006, 06:24:37 AM
The VPN adapter's address 192.168.1.xxx will become the default gateway and any packets that are not local will try to go through it.
Title: Use PPTP in Server Only Mode
Post by: mmccarn on December 18, 2006, 01:23:03 PM
Or, if you choose to un-check the box for "Use default gateway on remote network" in the "Advanced" section of the TCP/IP settings for the VPN connection on your remote Windows workstation, you can manually add back the desired routing commands after establishing the VPN using a command like route add 192.168.2.0 mask 255.255.255.0 192.168.1.1
Title: Use PPTP in Server Only Mode
Post by: DungaBee on December 18, 2006, 02:57:05 PM
Thanks for the feedback.  Just a couple of other questions for you.

1.  To have PPTP work properly on the SME box, does it have to be acting as the DHCP server?  Right now the Sonicwall does that, but certainly the SME server could take that job over.

2.  To handle the routing, could I somehow tell the PPTP client that the subnet mask for the PPTP connection is really 255.255.0.0 so that anything that is 192.168.x.x will go through the tunnel?

Thanks again for your feedback!
Title: Use PPTP in Server Only Mode
Post by: duncan on December 18, 2006, 04:29:47 PM
Quote from: "DungaBee"
Thanks for the feedback.  Just a couple of other questions for you.
1.  To have PPTP work properly on the SME box, does it have to be acting as the DHCP server?  Right now the Sonicwall does that, but certainly the SME server could take that job over.


No

Quote from: "DungaBee"

2.  To handle the routing, could I somehow tell the PPTP client that the subnet mask for the PPTP connection is really 255.255.0.0 so that anything that is 192.168.x.x will go through the tunnel?
Thanks again for your feedback!


Not with your chosen IP addressing scheme. Setting that subnet will do wacky things to your routing tables.

Use openvpn.
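
The routing question discussed in this thread, worked through as an added example (not code from any poster): a longest-prefix-match model of the remote client's routing table, comparing the tunnel-only route, the manual `route add` entries, and a 255.255.0.0 tunnel route. The home LAN ranges, the next-hop labels, and the assumption that unchecking "Use default gateway on remote network" leaves only a 192.168.1.0/24 route through the tunnel are constructed for illustration.

```python
import ipaddress

TUNNEL = "pptp-tunnel"
HOME_GW = "home-router"   # hypothetical label: the client's own default gateway
ON_LINK = "home-lan"      # hypothetical label: the client's directly attached LAN

def build_table(home_lan, tunnel_routes):
    """Model a remote client's routing table as (network, next_hop) pairs."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), HOME_GW),
             (ipaddress.ip_network(home_lan), ON_LINK)]
    table += [(ipaddress.ip_network(n), TUNNEL) for n in tunnel_routes]
    return table

def next_hop(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def audit(table, dests):
    """Map each destination to the next hop the client would choose."""
    return {d: next_hop(table, d) for d in dests}

# Constructed destinations: one host per office subnet plus an Internet host.
DESTS = ["192.168.1.10", "192.168.2.10", "192.168.3.10", "203.0.113.7"]

# Assumption: split tunnel, only the server's own subnet is routed via PPTP.
SPLIT = build_table("10.0.0.0/24", ["192.168.1.0/24"])
# Same client after adding routes for the two remote offices by hand.
ROUTED = build_table("10.0.0.0/24",
                     ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"])
# A /16 tunnel route on a client whose home LAN happens to be 192.168.2.0/24.
WIDE = build_table("192.168.2.0/24", ["192.168.0.0/16"])

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("routed", ROUTED), ("wide", WIDE)):
        print(name)
        for dest, hop in audit(table, DESTS).items():
            print(f"  {dest:<14} -> {hop}")
```

In the last case the client's own /24 is more specific than the /16 tunnel route, so traffic meant for the 192.168.2.x office never enters the tunnel; in every split-tunnel case, Internet traffic leaves through the home router rather than the office firewall.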