Iptables – Network remapping with iptables and PPTP VPN

Tags: iptables, masquerade, networking, pptp, vpn

I have two different networks:

  1. Home network 192.168.1.0/24
    A – Home PC (192.168.1.100)
    B – Home Router (192.168.1.1 lan ip – x.x.x.x public ip)
  2. Office network 192.168.1.0/24
    C – File Server (192.168.1.200)
    D – Office Router (192.168.1.1 lan ip – x.x.x.x public ip)

Both networks have the same IP range and it cannot be changed.
I set up a PPTP server on D (Office Router).

I set up a PPTP client on A (Home PC), which gets a second IP for the tunnel, 172.19.0.1.

I want to access C (192.168.1.200) from A (192.168.1.100), but I can only reach D because of the same IP range.

I want to masquerade or remap network 2 so I can access C as 172.19.0.200 from A (192.168.1.100); router D would then translate 172.19.0.200 to 192.168.1.200.

Router D is Linux based, so I think the solution must be set up with iptables.

Could anyone help or give a clue about how to configure this?
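The 1:1 remapping the question describes is what the iptables NETMAP target does: it keeps the host bits of an address and swaps the network bits. The following added example (not from the question or any answer) computes that mapping for the addresses above, checks that the chosen alias range does not collide with the tunnel endpoints or the shared LAN, and emits the Router D rules without applying them. It assumes the PPTP tunnel terminates on a ppp interface of Router D and that the office LAN interface is eth0; the alternative alias range 10.200.1.0/24 is a constructed value.

```python
import ipaddress
from typing import List


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """Translate addr the way NETMAP does: keep host bits, swap network bits."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs two networks of the same size")
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def alias_conflicts(alias_net: str, lan_net: str, tunnel_addrs: List[str]) -> List[str]:
    """Report why an alias range is unusable: it must not overlap the LAN
    (present on both sides here) and must not contain a tunnel endpoint,
    or packets addressed to the router's own tunnel end get rewritten too."""
    alias = ipaddress.ip_network(alias_net)
    problems = []
    if alias.overlaps(ipaddress.ip_network(lan_net)):
        problems.append(f"{alias_net} overlaps LAN {lan_net}")
    for a in tunnel_addrs:
        if ipaddress.ip_address(a) in alias:
            problems.append(f"tunnel endpoint {a} lies inside {alias_net}")
    return problems


def router_d_rules(alias_net: str, lan_net: str, lan_if: str = "eth0") -> List[str]:
    """iptables commands for Router D (assumed interface names; emitted, not run).
    Replies from the file server are reversed by conntrack, so it needs no
    extra route as long as Router D is its default gateway."""
    return [
        f"iptables -t nat -A PREROUTING -i ppp+ -d {alias_net} -j NETMAP --to {lan_net}",
        f"iptables -A FORWARD -i ppp+ -o {lan_if} -d {lan_net} -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o ppp+ -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    # The plan from the question: alias 172.19.0.0/24, but the client's tunnel
    # address 172.19.0.1 sits inside it, so the check flags it.
    for line in alias_conflicts("172.19.0.0/24", "192.168.1.0/24", ["172.19.0.1"]):
        print("conflict:", line)
    print(netmap("10.200.1.200", "10.200.1.0/24", "192.168.1.0/24"))  # 192.168.1.200
    print("\n".join(router_d_rules("10.200.1.0/24", "192.168.1.0/24")))
```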

Best Answer

It is generally accepted that you cannot form a VPN tunnel between two sites with the same network range, for good reason. However, some notes and suggestions to help you along your way:

Did you typo your public IPs? 192.168.0.0/16 are private, non-routable IPs. If those are indeed the public IPs of each of your routers, then your routers are not edge devices, and additional configuration will need to be made on your edge routers (possibly your modems) to forward the appropriate traffic to your routers. Your routers may also need to be able to support NAT-T with this configuration as well.

Aside from that, if I understand what you have set up so far:

Client A --(vpn)-- Router D -- Server C

Client A: 172.19.0.1/24
Router D external: ?? (see note above)
Router D internal: ?? (see note above)
Server C: 172.19.0.200/24 (desired)

I could see connectivity being achieved by installing a second network card into your server (assuming it doesn't already have an extra one) and setting that card up as 172.19.0.200/24. This would require you to be able to add a second network onto Router D (your criterion was that the 192.168.1.0 network would remain unchanged). Server C's routing table would need to reflect that traffic destined for the 172.19.0.0/24 network should be going out that second card, with the router's IP on the second network being the gateway.

It is not the cleanest solution; it really just avoids the same-network issue by creating a second network and putting the server on both networks at the same time, but it should work. You would definitely want to look into device limitations before allocating a serious amount of time or funds.

EDIT: Regarding OP's comment. Typically speaking, you cannot NAT incoming VPN traffic because it is still encrypted at the point of the router's firewall. VPNs work because their traffic has NONAT specified in the VPN traffic selectors. Unless your office router hardware is unique in this respect and you can perform NAT past the firewall, I do not believe what you want to do is possible. I apologize that I am unable to assist further.

Good luck :)