Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: robwellesley on April 13, 2018, 12:18:01 AM

Title: Restrict PPTP access to remote IP number
Post by: robwellesley on April 13, 2018, 12:18:01 AM
Hi Guys

How would one restrict PPTP access to connections from just one remote IP number (or numbers)?
Thanks in advance for any advice on this.

Rob
Title: Re: Restrict PPTP access to remote IP number
Post by: ReetP on April 13, 2018, 12:54:34 AM
I'd have a look at allowhosts/denyhosts

https://wiki.contribs.org/DB_Variables_Configuration

Something like:

config setprop pptp Allowhosts 1.2.3.4

I'm not sure if you need to set Denyhosts to 0.0.0.0 as well.

HOWEVER, saying all that I presume you are aware PPTP is pretty well worse than useless for security? It has been broken for years. Apple have dropped it entirely.

You really should use ipsec or openvpn if you care about your data.

If you are in a country where GDPR applies, or are dealing with one, then that advice should be considered mandatory.

Here endeth the lesson :-)
Title: Re: Restrict PPTP access to remote IP number
Post by: robwellesley on April 13, 2018, 03:49:10 AM
Cheers,
Looks simpler than IP Tables seeing as PPTP is already an SME service.

Yes, point taken - so convenient though :)

OpenVPN seems to not be 'free' however?
Title: Re: Restrict PPTP access to remote IP number
Post by: ReetP on April 13, 2018, 10:05:44 AM
Quote
Cheers,
Looks simpler than IP Tables seeing as PPTP is already an SME service.

No... those keys add iptables rules for you, all done by magic :-)

Quote
Yes, point taken - so convenient though :)

But worse than useless!! And remember GDPR. If that applies, and you KNOW data transfer is insecure, you may have a problem.....

Quote
OpenVPN seems to not be 'free' however?

Not sure where you get that? I don't pay anything for it?
Title: Re: Restrict PPTP access to remote IP number
Post by: DanB35 on April 13, 2018, 12:00:16 PM
Quote
OpenVPN seems to not be 'free' however?

OpenVPN is free, open source software, released under the GPL.
Title: Re: Restrict PPTP access to remote IP number
Post by: mmccarn on April 13, 2018, 01:20:49 PM
I think the recommendation is that you use the OpenVPN_Bridge (https://wiki.contribs.org/OpenVPN_Bridge) contrib.
Title: Re: Restrict PPTP access to remote IP number
Post by: janet on April 13, 2018, 03:57:10 PM
robwellesley

Also see
https://wiki.contribs.org/Firewall

Follow the command
config setprop pptp Allowhosts 1.2.3.4
with
signal-event remoteaccess-update
Title: Re: Restrict PPTP access to remote IP number
Post by: Jean-Philippe Pialasse on April 13, 2018, 04:17:44 PM
I can understand the idea that OpenVPN is not free. If you seek the client for Windows and go straight to download, they will guide you to the services where they get money to keep the project alive.

To get what you want for the client computer, go to openvpn.net, then click community, then download/community, to end up there: https://openvpn.net/index.php/download/community-downloads.html

To equip your SME, everything is on the wiki, as already pointed out.