PPTP w/ Separate Gateway

Author Message
jNimble
DD-WRT Novice


Joined: 08 Jul 2012
Posts: 2

PostPosted: Sun Jul 08, 2012 7:48    Post subject: PPTP w/ Separate Gateway
I have been combing the forums here for a long time looking for a hint of the solution to this problem, but have finally decided to post and ask if anyone has any suggestions. My setup is as follows: I have two principal networking devices running the following services.

Linksys E3000 (running stock firmware)
Gateway
Wireless AP
NAT
Firewall and Port forwarding

Netgear WNR3500L (running a v25-sp2 Mega build)
PPTP Server
DHCP Server
DNSMasq (for DNS and DHCP)

The problem: the PPTP server doesn't consistently accept clients. About 1 in every 50 or so attempts will connect, and it appears random (though slightly more likely after a reboot). When connecting from Windows it hangs on the "Verifying Username and Password" step. When connecting from the iPhone it hangs on the "Starting..." step and gives an error that says "You were disconnected by the communication device. Try reconnecting. If the problem continues, verify your settings."

My LAN works fine and all DNS and gateway settings are properly served by the DHCP server and properly received by the clients. (Interesting note: when it does actually connect through the VPN it gets the correct DNS servers but they are all out of order. Any reason for that?)

I have the proper port (PPTP, 1723) forwarded on the Linksys to the Netgear. I even tried a DMZ pointed at the Netgear, with the same results.

I am currently using the startup script located here
http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration
because it supposedly fixes iPhone connection issues. (I used the GUI to save it as a startup script.) No effect (still 1 in 50).

I also ran the command just below the script that is supposed to require encryption, because encryption is good. (Right?) (Still 1 in 50.)

I have the WAN port connected to the switch (on the basic setup page) because this device is not a gateway. Additionally, I have the 'Server IP' of the PPTP server set to the local IP address of the Netgear. (Though I have tried various suggestions from various wikis where I changed that to 0.0.0.0 and a free unassigned IP, to no effect.)

The purpose of this setup is, or at least was at the beginning, that I believe (and correct me if I am wrong) that there is some additional security in a separation of devices. (For example, an attack on my VPN will not bring my firewall down.) In addition to that, now I want to see if it can be done, and to understand why it can't if that is the case.

If there is any other information that you need don't hesitate to ask. Thank you in advance for your assistance.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 2024

PostPosted: Sun Jul 08, 2012 16:41    Post subject:
You’ve hit on several different issues, so here’s my two cents worth, and in no particular order.

It’s important to realize that PPTP is a bit flaky even under the best of circumstances. Frankly, getting a winner 98% of the time is an amazing accomplishment! There are so many things that can and do go wrong. Every router that your VPN client has to navigate to get to your VPN server must support the necessary protocols (e.g., GRE 7) and do so w/ complete compatibility. And as you’ve seen, different OSes and devices have their own idiosyncrasies (which shouldn’t be the case for a supposed “standard”). Some VPN client/server combinations won’t accept stateful encryption, some do. Some are sensitive to timing issues (which is why you see attempts to set parameters like lcp-echo-interval, lcp-echo-failure, lcp-max-failure, etc.).

None of this nonsense should be necessary, yet here we are. PPTP is, in a word, a MESS. I find the fact that I’m able to use it as well and as often as I do utterly amazing. Then again, knowing its “quirkiness”, I tend to restrict my usage to situations where success is highly likely. For example, I know w/ almost 100% certainty a PPTP client connection to my router-based PPTP server will never work from McDonald's (of all places), yet will work EVERY TIME from my favorite hotel, Quality Inns! LOL Yet if I set up a Microsoft PPTP server, it almost always works, from almost anywhere. It’s just amazing to me how “reliably unreliable” PPTP can be, esp. on Linux.

I know that’s not a particularly satisfying response for anyone technically inclined, including myself. But it is what it is, and being pretty much a deprecated protocol, I don’t expect things to get any better.

The only thing I will say is that I’ve found using a Tomato router and installing a PPTP server as Optware (since Tomato doesn’t support PPTP client/server natively, although perhaps more recent builds do, like Shibby and Toastman; haven’t checked lately) seems to give me less trouble. At least I have more control over matters and don’t rely so heavily on the GUI getting things right under the covers. It’s also made me more knowledgeable about the whole process generally.

So again, 1 in 50 failures is pretty damn good for PPTP in my book, particularly if those failures are from different client locations, and not just the same location.

As far as using different hardware for the PPTP server, it certainly doesn’t hurt. But how much of a security benefit it really represents is questionable. I suppose it just depends on the extent to which you believe the pptpd daemon might have exploitable vulnerabilities. Personally I don’t bother. I just use my primary Tomato router. And simply forwarding port 1723 should suffice; there’s no need for the DMZ. Just remember, like any other time you’re using two chained routers, make sure each is using DIFFERENT networks (e.g., 192.168.1.x and 10.0.0.x).

And yes, encryption is good, but IIRC, encryption is on by default. What those scripts are really doing is “softening” the encryption (for lack of a better term) for more compatibility. For example, the preferred encryption would be STATEFUL (where each packet is encrypted using the prior packet as salt to the next packet), creating a chain of encrypted packets, and thus much harder to crack. But (as usual), we have compatibility issues here. So what’s often suggested is to use STATELESS encryption, which just encrypts each packet independently (no salt).

Again and again, the issue w/ PPTP is the sad state of compatibility. And no one configuration seems to cover all cases. And given that PPTP is less than ideal from a security perspective when compared to newer options (e.g., OpenVPN), it’s a bit discomforting to be forced to make yet more compromises in security for the sake of compatibility. But again, here we are, it is what it is. Sad
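The reply above describes the trade-offs in the pppd options a DD-WRT pptpd server is started with (whether MPPE is required, 40- vs 128-bit keys, stateful vs stateless mode, the lcp-echo timing knobs). The script below, an added example that is neither the forum poster's nor DD-WRT's code, parses such an options file and reports which of those compromises are in effect; the option names come from the pppd(8) man page, and the sample config is constructed for the demonstration.

```python
"""Audit a pppd options file as used by DD-WRT's pptpd: is MPPE required, which
key length, stateful vs stateless mode, and which LCP timing options are set.
Added example; not code from the forum thread or from DD-WRT."""

# Option names are taken from the pppd(8) man page.
MPPE_REQUIRE = ("require-mppe", "require-mppe-128", "require-mppe-40")
LCP_TIMING = ("lcp-echo-interval", "lcp-echo-failure", "lcp-max-failure")

def parse_options(text):
    """Return {option: value} ('' for bare flags); '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(text):
    """Return (findings, lcp_settings) for one options file."""
    opts = parse_options(text)
    findings = []
    if not any(o in opts for o in MPPE_REQUIRE):
        findings.append("MPPE not required: unencrypted PPP sessions accepted")
    elif "require-mppe-128" not in opts:
        findings.append("128-bit MPPE not required: 40-bit keys accepted")
    if "mppe-stateful" not in opts:  # pppd defaults to stateless; nomppe-stateful only makes it explicit
        findings.append("stateless MPPE only (stateful mode not allowed)")
    if "refuse-pap" not in opts:
        findings.append("PAP allowed: cleartext password authentication")
    if "refuse-chap" not in opts or "refuse-mschap" not in opts:
        findings.append("CHAP/MS-CHAPv1 allowed: weaker than MS-CHAPv2")
    lcp = {k: opts[k] for k in LCP_TIMING if k in opts}
    return findings, lcp

# Constructed sample resembling a compatibility-tuned pptpd options file.
SAMPLE_COMPAT = """\
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful   # stateless mode for iPhone/Windows compatibility
lcp-echo-failure 3
lcp-echo-interval 60
"""
```

Run `audit(open("/tmp/pptpd/options.pptpd").read())` against the file the startup script writes; on DD-WRT that path is where the wiki script places it (an assumption, check your build).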
jNimble
DD-WRT Novice


Joined: 08 Jul 2012
Posts: 2

PostPosted: Sat Jul 14, 2012 15:36    Post subject: Thank You
Thank you for your quick response. (I have been out of town this last week and have tried to connect several times; some worked, others did not.) I do not have any experience in setting up an OpenVPN to allow for IPSEC connections, but would that be a better, more reliable alternative? If so, do you know of any references that would be of assistance in setting it up? I am trying to stick with doing everything through the provided GUI, but I am not sure if that is possible, especially if I want users to log in using a preshared key and a username and password. Any advice you could give would be greatly appreciated.

Thank You