# PPTP through NAT, help

## straks

Hey, 

This is the situation: 

At my work they have a VPN server running (Microsoft, so I guess PPTP). At my home, where I just connect to the internet using a cable connection, I was able to connect to this VPN using these tutorials:

https://forums.gentoo.org/viewtopic.php?t=211334&highlight=pptp+2+6+8 (installing patches and programs)

https://forums.gentoo.org/viewtopic.php?t=194146&highlight=ppp+mppe+install (options.pptp config)

I configured my VPN information using pptp-php-gtk.php, which worked great. I could connect using the client-to-LAN method and route the correct IP range to the VPN.

So at home it worked perfectly.

But now the real problem: at my student flat, which is connected to the university's network, I can't connect. This is because the university uses a NAT server to connect to the internet. So I started looking for solutions, and some things I came up with were UDP Encapsulation or VPN Masquerading. But I have no idea how to use them with PPTP.

Can anybody help me out here?

Thanks a lot!

(btw, sorry if the solution can be found here; I did a few searches, but they didn't turn up anything that made much sense to me, sorry...)

----------

## straks

nobody?

I just can't figure it out, and it would be a great help if someone could help me out (I really need it  :Sad: ...)

----------

## straks

Sorry I bump this back to the top, but it is fairly important that I get this thing fixed.

I don't know if anybody can give me any tips or pointers, but it would be really nice if I could get some information.

Thanks a lot!

----------

## nightblade

Straks,

I have been told that Windows 2003 supports PPTP+NAT, while Windows 2000 only supports PPTP when no NAT is involved. Do you know what Windows version is used by your company on the VPN endpoint?

Keep in mind that this is just something I heard, and I never tested it in person. I will try to get more info on this, though.

As an extreme solution, what about keeping the PPTP-VPN open from home, and then opening a second VPN (maybe ssh based) from the university to home ?

----------

## straks

Hey Nightblade, 

The server is a Windows 2003 server, so it should support it, but the problem is that the server isn't behind a NAT, it's me  :Smile: . I need to support it as well, and I have no clue how to  :Sad: 

Your second solution is a possibility (ssh tunneling should work), but my parents are REALLY freaky about their little network. They don't know much about PCs and stuff, but I'm forbidden to replace the Linksys router with one of my PCs (which would run as a router using Linux, of course) because they just go crazy at the idea of changing the stable configuration of their network... (and I do respect their wishes; I'm not going to do that without their permission...)

So that won't happen.

So I have to find a way, and it has to be possible, I guess; I'm sure some people might know what to do....

----------

## tuxmin

The NAT router must be PPTP-aware, otherwise the involved GRE packets are lost. Maybe this router can't handle GRE at all!? Talk to the admins of that NAT router or dump the session output of tethereal here. Might be helpful.

Alex!!!

----------

## straks

tuxmin,

One of the administrators is a friend of mine, so I can talk to him. He said it is possible to use a VPN, but I should use 'UDP Encapsulation'. I haven't really figured out how to do this under Linux for PPTP (or for something else)...

hmmmz: reply from the administrator:

'PPTP is not supported by kotnet or its NAT servers...' (kotnet being the university's internal network)

'The only way a VPN is possible is by using a VPN client that supports UDP encapsulation, but I doubt this is possible with PPTP; it would be with IPsec'

And the VPN of my company is via PPTP (and they do not want to change to IPsec, I assume, just for me..)

----------

## tuxmin

Hi,

OpenVPN uses UDP only for transport... but as your remote gateway is PPTP, I fear you are lost.

PPTP is not meant to be tunnelled through UDP. In theory this should be possible, though. But in that case you would need root access to the remote gateway, too.

Alex!!!

----------

## straks

So this is just impossible.

Damn, that really is a big problem  :Sad: . If I didn't live in a student home of the university itself, I would immediately take a subscription with a broadband ISP; it costs me more, but I'd get higher download/upload limits and the VPN would work perfectly. But as I live in a student home of the university, that won't be an option  :Sad: 

thanks for all your help

----------

## straks

Ok, talking to the server/system admins at my work, we came up with a little solution. If it is possible, I could use another port for the PPTP connection, a port that the university's NAT doesn't block. If this is possible, the system admins can make it so that the traffic from a given IP to that port is forwarded to the correct port of the VPN server. This should do the trick, I guess.

Does anybody know how (and where) I can change these port settings for my connection/pptp?

----------

## nightblade

I am not following you here... what exactly is the problem with the university router? That it cannot handle PPTP and NAT? Or that it blocks PPTP connections (port 1723, if I am not mistaken)?

----------

## DaveArb

I administer a gateway firewall/router that passes Microsoft VPN inbound. The problem is probably not one of ports (tcp 1723 is what is opened), but one of protocol.

MS VPN, as tuxmin mentioned, uses GRE. This is a -different- protocol from TCP or UDP. In an iptables command, instead of `-p tcp` or `-p udp`, `-p 47` is used to refer to GRE.

An example for an inbound connection from my router is:

```
# GRE (IP protocol 47) carries no port numbers, so the rule matches on the
# protocol number alone and DNATs every inbound GRE packet to the VPN server.
-A PREROUTING -p 47 -i eth0 -j DNAT --to 172.24.0.5
```

Where 172.24.0.5 is the Windows VPN server.

Hope this helps some...

Dave

----------

## straks

Well, basically, I have no idea what the NAT (of the university) does; it could be that it blocks the port, it could be the protocol stuff.

The only thing I know is that the university system administrators don't want to change anything. Which is normal; if they had to change a NAT rule for 1 of their 20000 connected users, it would be an upside-down world, I guess.

The system admins of the company I work for said that I could try to use PPTP via another port, to see if the normal port is blocked or something by the university's NAT.

The layout of the connection would be like:

```
ME (and some 20000 other users) ----- | NAT | ---- INTERNET ---- | Company -NAT | ---- VPN server
```

The system admins of the company don't have a problem with forwarding a given port on the NAT to the correct port on the VPN server. So there is absolutely no problem there.

The problem is that the NAT server of the university does not support PPTP

(the admin said exactly this: 'PPTP is not supported by the NAT servers'), so probably he's talking about GRE?

----------

## tuxmin

Buy a bottle of wine, and bribe the admin at your work to install OpenVPN on the port he offers you, and you are done.

According to what you've mentioned before, you won't get PPTP working over the university's net, no matter what port. The point is, GRE doesn't use any ports! And I bet my right arm that they do not NAT GRE -- and that's it -- no way to get around this unless you dare to hack the router ;P

Alex!!!

----------

## DaveArb

*straks wrote:*

> The problem is that the NAT server of the university does not support PPTP (the admin said exactly this: 'PPTP is not supported by the NAT servers'), so probably he's talking about GRE?

That would be my guess; GRE is the 'odd' point about MS VPN. Other than that, it runs on TCP 1723.

Dave

----------

## nightblade

*straks wrote:*

> Well, basically, I have no idea what the NAT (of the university) does; it could be that it blocks the port, it could be the protocol stuff.

As the other guys pointed out already, GRE is most probably the problem. However, just to double check, try to telnet to port 1723 of the work VPN server. If it connects, then it's GRE, and bribing the university sysadmin probably remains your only option, unless you convince the sysadmin at work to set up an additional SSH-based or IPsec-based server just for you...
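The "telnet to 1723" check above only proves that the TCP control channel is reachable; the data channel is GRE (IP protocol 47), which carries no port numbers and is what a NAT that is not PPTP-aware drops. The following is an added example, not code from this thread or from any poster: it goes one step beyond a bare telnet by sending a real Start-Control-Connection-Request (message layout per RFC 2637) and parsing the reply, and it spells out what a TCP result together with a GRE result mean. The hostname `vpn.example.com`, the probe host/vendor strings, and the `build_sccrp()` sample reply are assumptions constructed for offline use; a GRE verdict still has to come from watching whether LCP completes once pppd starts, or from a packet capture.

```python
"""Added example (not from the thread): probe the PPTP control channel on
TCP 1723 with a genuine SCCRQ/SCCRP exchange and explain what the result
does and does not prove.  Message layouts follow RFC 2637."""
import socket
import struct

MAGIC_COOKIE = 0x1A2B3C4D   # present in every PPTP control message
CTRL_MESSAGE = 1            # PPTP message type 1 = control message
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
PPTP_PORT = 1723

# 12-byte header: length, message type, magic cookie, control type, reserved
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved, framing caps, bearer caps, max channels,
#             firmware revision, host name[64], vendor string[64]
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: version, result code, error code, framing caps, bearer caps,
#             max channels, firmware revision, host name[64], vendor string[64]
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")


def build_sccrq(hostname=b"probe", vendor=b"added-example"):
    """Build the 156-byte SCCRQ a client sends right after the TCP connect."""
    body = SCCRQ_BODY.pack(0x0100, 0, 3, 3, 1, 0,
                           hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    header = HEADER.pack(HEADER.size + SCCRQ_BODY.size, CTRL_MESSAGE,
                         MAGIC_COOKIE, SCCRQ, 0)
    return header + body


def build_sccrp(result=1, error=0, hostname=b"vpn", vendor=b"constructed"):
    """Build an SCCRP as a server would; used here only to construct a sample
    reply so the parser can be exercised offline (constructed data)."""
    body = SCCRP_BODY.pack(0x0100, result, error, 3, 3, 1, 0,
                           hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    header = HEADER.pack(HEADER.size + SCCRP_BODY.size, CTRL_MESSAGE,
                         MAGIC_COOKIE, SCCRP, 0)
    return header + body


def parse_sccrp(data):
    """Validate and decode an SCCRP; raise ValueError for anything else."""
    if len(data) < HEADER.size:
        raise ValueError("short PPTP header")
    length, msg_type, cookie, ctrl_type, _ = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message (bad cookie or type)")
    if ctrl_type != SCCRP:
        raise ValueError("expected SCCRP (2), got control type %d" % ctrl_type)
    if length != HEADER.size + SCCRP_BODY.size or len(data) < length:
        raise ValueError("bad SCCRP length %d" % length)
    (version, result, error, framing, bearer, max_chan,
     firmware, host, vendor) = SCCRP_BODY.unpack_from(data, HEADER.size)
    return {"version": version, "result": result,   # result 1 = success
            "error": error, "framing": framing, "bearer": bearer,
            "max_channels": max_chan, "firmware": firmware,
            "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}


def probe_control_channel(host, port=PPTP_PORT, timeout=5.0):
    """Connect to TCP <port>, send an SCCRQ and return the parsed SCCRP.
    OSError means the port is unreachable; ValueError means a bad reply."""
    want = HEADER.size + SCCRP_BODY.size
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = b""
        while len(reply) < want:
            chunk = s.recv(want - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


def classify(tcp_ok, gre_ok=None):
    """Combine the TCP-1723 observation with a GRE observation (None = untested)."""
    if not tcp_ok:
        return ("TCP 1723 unreachable: the control channel never opens; moving "
                "PPTP to another port (with a matching forward at the company "
                "end) could help")
    if gre_ok is None:
        return ("TCP 1723 works; that alone proves nothing about GRE, so check "
                "whether LCP completes once pppd starts, or capture for GRE")
    if not gre_ok:
        return ("TCP 1723 works but GRE (IP protocol 47) is dropped: the NAT is "
                "not PPTP-aware; GRE has no ports, so no port change helps; use a "
                "UDP-transported VPN instead (OpenVPN, or IPsec with UDP "
                "encapsulation)")
    return "both TCP 1723 and GRE pass: PPTP should work through this NAT"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # assumed
    try:
        info = probe_control_channel(target)
        print("SCCRP from %s: %s" % (target, info))
        print(classify(info["result"] == 1))
    except OSError as exc:
        print("no control channel: %s" % exc)
        print(classify(False))
```

Run it as `python pptp_probe.py <vpn-host>` from the NATed network: an SCCRP with result 1 means the university NAT passes TCP 1723 and the remaining suspect is GRE, which is exactly the case where a different port cannot help.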

----------

## straks

Well, bribing the university admins will be hard. But trying to get a super-secure company to set up a more insecure (meaning usage of passwords; not the encryption, but the lifetime and how to get it, etc.) VPN for 1 person is harder  :Smile: .

So I don't know what to do; I'll try to telnet to the VPN on the normal PPTP port to see if it is GRE, but I'm quite sure it is...

Thanks for all the information!

----------

## tuxmin

Hum hom... The weakest thing about PPTP *is* the password (besides some other design weaknesses)  :Wink: 

The story goes like this: the shorter your password, the easier your PPTP connection can be hacked. So what do people do? They choose 40-char passwords no one can remember, thus clicking "remember password" in the dial-in dialog of Windoze, thus leaving it to Windoze to protect your password -- oh my...

What's so bad about a password-protected private key? If your company is as security-focused as you say, they will get the point...

Living in a Mickeysoftworld...

----------

## straks

*tuxmin wrote:*

> Hum hom... The weakest thing about PPTP *is* the password (besides some other design weaknesses)
> 
> The story goes like this: the shorter your password, the easier your PPTP connection can be hacked. So what do people do? They choose 40-char passwords no one can remember, thus clicking "remember password" in the dial-in dialog of Windoze, thus leaving it to Windoze to protect your password -- oh my...
> 
> What's so bad about a password-protected private key? If your company is as security-focused as you say, they will get the point...
> ...

hmmmz, true, but I can say this is a secure firm. Anyway, the admins there have a lot of experience; I know for sure they made it as secure as possible (and well, it is, actually). But that is not my/our concern. If it isn't, they will find out someday. But they have great experience in internet and internet security, so I'll leave the security policy to them  :Smile: 

----------

