OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: ghowey on January 18, 2016, 03:30:26 pm

Title: pptp passthrough
Post by: ghowey on January 18, 2016, 03:30:26 pm
Good Morning! Just a quick question concerning OPNsense. And please don't beat me up about pptp, I realize it is a compromised protocol. I manage a network for an NPO with several sites, and have happily used pfSense with OpenVPN site-to-site for years, and it is great! However, the pptp limitations are very painful. We have a very important "Guest" that uses our facilities a couple of times a year, and this "Guest" still uses multiple pptp client connections to a single server with one public IP. Therefore only one outgoing connection is possible. Are multiple pptp connections behind OPNsense possible? I apologize if this question has already been asked, but I found no reference while searching the forum.

Thanks, Greg.

Title: Re: pptp passthrough
Post by: franco on January 18, 2016, 04:16:12 pm
Hi Greg,

We're not here to judge. :)

Problem with PPTP is that it uses a port-less transport channel which means that only one per IP is allowed:

http://think-like-a-computer.com/2011/08/09/multiple-vpn-connections/

I think this can be solved by NAT 1:1 mappings (you'll need more than one public IP in order to run multiple servers for your clients). PPTP is set up as a single service currently so you'd need multiple (virtual) machines in your network to do the actual PPTP connections. In theory it's possible to rewrite the code to support multiple instances, but I don't know if this is something we'd consider doing with our limited resources.

How many is multiple? Can you solve the public IP issue on your end?


Cheers,
Franco

PS: Did you know that pfSense 2.3 will remove support for PPTP?

Title: Re: pptp passthrough
Post by: ghowey on January 18, 2016, 04:39:27 pm
Thank you for not judging! I was not aware that pfSense had removed support for PPTP, but I am not surprised. I myself use OpenVPN for all my connections. I was aware that NAT 1:1 mappings with multiple public IPs would make this possible, but honestly we spend quite a bit of money with our ISP for one IP per location, and of course multiple IPs are not free! I am bound by budget constraints, more so being an NPO. Our "Guest" uses four clients per location when there. I was just curious if a resolution had been considered or possible with OPNsense. Although PPTP is no longer secure, I can see in the pfSense forums there are quite a bit of users that would welcome such a resolution! Regardless, I will be taking OPNsense on a "test drive" as soon as feasible! I feel sure you have expanded on pfSense!

Thanks, Greg.