Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: ntblade on January 15, 2008, 03:36:14 PM
-
Hi all,
I'm trying to establish a PPTP VPN to a Microsoft Small Business Server behind an SME 7.3 server in server/gateway mode.
After trying all sorts of things, a search here and in the bugtracker reveals that SME doesn't support forwarding GRE protocol (or "VPN passthru"). :-(
Now, I really want to use the SME server as the firewall and Anti Spam/Virus scanner before passing mail to the SBS, so has anyone been able to connect to the Windows VPN in this way?
Am I right in saying that SBS insists on being the network DHCP Server?
Thanks
N
-
Your SBS network will be happier (and easier to manage) if DHCP is served by the SBS box itself.
You should still be able to configure your SME to act as a VPN server - unless you want users to authenticate using their Active Directory usernames & passwords (you could make an argument that it's more secure to have the VPN connections using different login credentials than the network / email system - or vice versa).
If you really want / need to VPN directly to your SBS box then you'll need to customize the templates for masq to allow in-bound PPTP pass-thru. You'd be looking at learning enough about iptables to create a rule to forward traffic on protocol 47, and enough about SME templating to create a custom template...
One 'feature' common to many home routers is that if you forward TCP port 1723 to an internal host, IP Protocol 47 is forwarded to the same host (PPTP uses TCP port 1723 and 'IP Protocol' 47). If you're really ambitious you could copy and customize the existing masq port-forwarding templates to do this...
You might raise a 'New Feature Request' in the bug tracker to have IP Protocol 47 follow the forwarding setting of TCP port 1723 - I don't know what the official opinion on this behavior would be...
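The two-part forwarding the reply describes (TCP 1723 and IP protocol 47 sent to the same internal host), as an added shell example that is not from the thread or from SME Server itself; the interface name, addresses and the optional remote-source restriction are assumptions for illustration, and the check function reads an iptables-save dump to confirm the GRE rule actually made it into the ruleset:

```shell
#!/bin/sh
# Added example, not SME Server's own masq template code.
# Emits the iptables rules that forward PPTP from the gateway's external
# interface to one internal PPTP server (here the SBS box).
# Usage: pptp_forward_rules eth1 192.168.1.2 [remote-net/prefix] | sh

pptp_forward_rules() {
    wan_if="$1"            # external interface (assumed name, e.g. eth1)
    sbs_ip="$2"            # internal PPTP server (assumed address)
    src="${3:-0.0.0.0/0}"  # optional: only accept PPTP from a known remote network

    cat <<EOF
# PPTP control channel: TCP 1723
iptables -t nat -A PREROUTING -i $wan_if -s $src -p tcp --dport 1723 -j DNAT --to-destination $sbs_ip
iptables -A FORWARD -i $wan_if -s $src -p tcp -d $sbs_ip --dport 1723 -j ACCEPT
# PPTP data channel: IP protocol 47 (GRE). Without these two rules the tunnel
# negotiates on 1723 and then hangs, which is the "no VPN passthru" symptom.
iptables -t nat -A PREROUTING -i $wan_if -s $src -p 47 -j DNAT --to-destination $sbs_ip
iptables -A FORWARD -i $wan_if -s $src -p 47 -d $sbs_ip -j ACCEPT
# If the kernel ships a PPTP connection-tracking helper (ip_nat_pptp on the
# 2.6 kernels of that era, nf_nat_pptp on later ones), load it so GRE call IDs
# are tracked per session instead of all GRE being treated as one flow.
EOF
}

# Verify that an iptables-save dump (read from stdin) contains a GRE DNAT to
# the given host. iptables-save prints protocol 47 as "gre", so accept both.
# Example: iptables-save | check_gre_dnat 192.168.1.2 && echo "GRE forwarded"
check_gre_dnat() {
    grep -E -- "-p (47|gre) .*-j DNAT --to-destination $1" >/dev/null
}
```

On SME these lines belong in a custom fragment of the masq templates the reply mentions rather than being typed by hand, otherwise they disappear the next time the firewall is regenerated.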
-
Thanks for the reply.
How do I configure SME as the VPN server if the SBS box is doing DHCP?
Thanks
-
Server:
- Secondary SME server
- 'server only' configuration
- DHCP NOT enabled
When I enabled PPTP with 2 remote connections, my /etc/pptpd.conf file includes:
remoteip 192.168.x.249-250
Looking at /etc/e-smith/templates/etc/pptpd.conf/remoteip:...
# Calculate pptpd start and end addresses
my $endIP = $dhcpd{end};
my $end_addr = esmith::util::IPquadToAddr($endIP);
my $start_addr = $end_addr - $sessions + 1;
my $startIP = esmith::util::IPaddrToQuad($start_addr);
my @start = split(/\./, $startIP);
my @end = split(/\./, $endIP);
...
it looks as though:
a) PPTPD doesn't use DHCP to assign IPs, it uses its own internal settings
b) The default settings assign <number of sessions> addresses, ending with the end address configured for DHCPD
c) Even with DHCP disabled on your server, you can specify the PPTP range by assigning a specific "end" address to your DHCPD range using:
config setprop dhcpd end a.b.c.d
expand-template /etc/pptpd.conf
d) if this doesn't work for you, you could create a custom template fragment for 'remoteip' using:
mkdir -p /etc/e-smith/templates-custom/etc/pptpd.conf
echo remoteip a.b.c.d-e >> /etc/e-smith/templates-custom/etc/pptpd.conf/remoteip
expand-template /etc/pptpd.conf
(Be sure to replace 'a.b.c.d' with an IP address on your network, and 'e' with another final octet that is higher than 'd', like: 192.168.1.5-10)
You may also need to adjust the settings that end up in /etc/ppp/options.pptpd to optimize the behavior for your remote Windows users. This file contains settings for the DNS servers that will be fed to pptp clients, for example.
-
try this to assign an IP to a VPN user
db accounts setprop james PPTPIP 192.168.1.249
signal-event remoteaccess-update
-
Thanks for your help guys, that worked!
Is there a way to point the VPN dhcp clients to the WINS server? At the moment I've put this in manually in the XP clients.
ta
N