
Author Topic: PPTP server as package?  (Read 6823 times)


Offline mesb

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
PPTP server as package?
« on: April 16, 2016, 01:43:30 am »
Hi.
As we know, the new version of pf removed the PPTP server.
We still have lots of mobile and PC users and want to use the features and be up to date.

Is it hard to make PPTP a package for pf 2.3 and above?

P.S.
We understand the responsibility, and let us keep freedom of choice!

Offline cmb

  • Hero Member
  • *****
  • Posts: 11230
  • Karma: +893/-7
  • Chris Buechler
Re: PPTP server as package?
« Reply #1 on: April 16, 2016, 02:54:58 pm »
No, we will not add the PPTP server back as a package. Time to move on.

The underlying mpd components are still there, so you could run it manually if desired. No, I will not post instructions.  :)

Offline Josh H

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Re: PPTP server as package?
« Reply #2 on: April 20, 2016, 01:14:33 pm »
OpenVPN is glorious, and they've made it very easy to use since pfSense version 2.0 with the OpenVPN Client Export package.

  • It has support for every major operating system
  • Works on a single TCP/UDP port, which is much easier for supporting connections behind a firewall as it doesn't rely on GRE
  • Its security hasn't been broken for over 20 years

If you've ever had to troubleshoot multiple PPTP clients behind a single firewall, OpenVPN will be a welcome godsend.

Offline mesb

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: PPTP server as package?
« Reply #3 on: April 30, 2016, 03:19:40 am »
Quote
OpenVPN is glorious, and they've made it very easy to use since pfSense version 2.0 with the OpenVPN Client Export package.

Yes, of course, on new installations.

Quote
  • It has support for every major operating system
  • Works on a single TCP/UDP port, which is much easier for supporting connections behind a firewall as it doesn't rely on GRE
  • Its security hasn't been broken for over 20 years

I take a few smartphones and notebooks; there is nothing _installed_.
About security, it makes sense to think before project realization; sometimes it just doesn't matter.

All this situation is sad; I just want my freedom.

It looks like when I just want my old-fashioned car fixed and ask where the good specialists are, guys from the internet tell me: just buy a new car that is so cool and awesome, and everybody uses it and must be happy with it.
Guys, it's not what I want. I know that it's not so safe, not so fast, or anything else.
But I'm happy with it and just don't need what everybody else thinks.

Thanks for your attention and answers. :)

Offline jdillard

  • Administrator
  • Sr. Member
  • *****
  • Posts: 534
  • Karma: +124/-1
  • Web Dude
Re: PPTP server as package?
« Reply #4 on: May 04, 2016, 05:16:33 pm »
Quote
All this situation is sad; I just want my freedom.

As cmb said, all the underlying mpd components are still there, so you could run it manually if desired. What you lack isn't freedom; what you lack is will power.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14458
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: PPTP server as package?
« Reply #5 on: July 15, 2016, 05:50:17 am »
The OpenVPN Connect app is free for both Android and iOS phones and tablets. It's 2 seconds to install; if your phones are being managed, it would be a simple push of that app to your devices. All done.

If you want to stay back and use non-secure protocols, have at it. Nobody is stopping you, but it's time to move on; PPTP has been deprecated for years and years. It's not like pfSense jumped the gun here.. It should have been removed years ago!!

Let me guess, you still use DH for your kex on SSH as well, I take it ;)

As an example, here is an article from 2012 that goes over how trivial it is to hack a PPTP connection..
http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html

But sure, you just keep letting your people log in using PPTP from who knows where: airport hotspots, coffee shops, etc. etc..

It's been dead for years - do yourself a favor, your users a favor and your company a favor and move on!!
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline Soyokaze

  • Full Member
  • ***
  • Posts: 174
  • Karma: +20/-2
Re: PPTP server as package?
« Reply #6 on: July 20, 2016, 07:57:23 pm »
To add some fuel to the fire: if you don't want OpenVPN (for any reason), almost ANY network device with VPN capability now supports IPsec.
(and this is from me, who pretty much loves PPTP for dumb and quick config, specifically in pfSense)
Need full pfSense in a cloud? PM for details!

Offline eshwayri

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: PPTP server as package?
« Reply #7 on: August 02, 2016, 05:58:52 pm »
So I have a simple question... From the "modern" VPN options you say we should use instead of PPTP, which one will create a bridged (not routed) VPN connection that passes through broadcasts and IGMP traffic such that all the devices on both sides think they are physically in the same location? Oh, and it needs to work with iOS 9. I use PPTP so the TiVo app on my iPhone will download shows from my TiVo when I am away from home. The app will not allow downloads if it doesn't "see" the TiVo and think it is physically on the same broadcast network. I assume it is sending broadcasts or listening for IGMP-style packets to verify this. This works just fine with PPTP. And yes, I am well aware of the security risk, which is why I placed the PPTP server and the TiVo into their own tagged VLAN. I run OpenVPN for the access from my laptop to the secure side of my network already.

So, you want me to switch.  I would love to switch.  What are my options?

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14458
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: PPTP server as package?
« Reply #8 on: August 02, 2016, 06:16:03 pm »
OpenVPN tap is a bridged setup.. tun is a routed setup..

You don't even understand how your application works; you just know it works on PPTP, so you don't want to move.. Even though it's been a security nightmare for years..

I don't think the iOS OpenVPN app allows for tap.. But are you sure you could not just use something like avahi for your TiVo download?

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1434/-26
Re: PPTP server as package?
« Reply #9 on: August 02, 2016, 10:10:52 pm »
PPTP was never really bridged to the LAN. It worked that way because it essentially added a proxy ARP VIP for the PPTP client IP addresses.  The same effect may be possible by adding a proxy ARP VIP for an OpenVPN tunnel network that overlaps the LAN, but I've never tried it because it's ugly.

OpenVPN tap VPNs would be nice, but IIRC neither Android nor iOS will do tap.

From https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
Quote
Q: Why doesn't the app support tap-style tunnels?

A: The iOS VPN API supports only tun-style tunnels at the moment. This is a limitation of the iOS platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported.

Q: Are there any OpenVPN directives not supported by the app?

A: While most OpenVPN client directives are supported by the app, we have made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at ios@openvpn.net if you believe that a specific directive that is not included should be reconsidered for inclusion.

Here is a partial list of directives not currently supported:
[...]
    dev tap This directive is not supported because the underlying iOS VPN API doesn't support tap-style tunnels.
[...]

The Android OpenVPN connect app says the same ( https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-android-faq.html ) but support may vary with other clients, may require root, etc.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline eshwayri

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: PPTP server as package?
« Reply #10 on: August 03, 2016, 05:30:10 pm »
Quote
OpenVPN tap is a bridged setup.. tun is a routed setup..

You don't even understand how your application works; you just know it works on PPTP, so you don't want to move.. Even though it's been a security nightmare for years..

I don't think the iOS OpenVPN app allows for tap.. But are you sure you could not just use something like avahi for your TiVo download?

As I said, I already run OpenVPN for 4 tunnels coming into the secure side of my network, so I am not averse to changing; I just need something that works for my particular use case. tap is out because it isn't supported on iOS 9 (I had already checked that before using PPTP). Knowing the inherent flaws with PPTP/GRE, I was willing to accept the risk by moving the PPTP server and the TiVo to their own network. It wasn't perfect, but to me it was an acceptable risk. I am more than willing to move this to OpenVPN if I can get it to work.

The TiVo app is implementing this as a security check to prevent people from downloading shows when they aren't local to the device. It is looking for the TiVo on its broadcast network. You are right that I haven't set up a packet sniffer to see the exact nature of the probe, but it is almost certainly a broadcast or IGMP packet. In either case I need to get the remote and local networks bridged.

The suggestions in the next post look very interesting.  Now I just need to understand it :-)

Offline eshwayri

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: PPTP server as package?
« Reply #11 on: August 03, 2016, 05:46:50 pm »
Quote
PPTP was never really bridged to the LAN. It worked that way because it essentially added a proxy ARP VIP for the PPTP client IP addresses. The same effect may be possible by adding a proxy ARP VIP for an OpenVPN tunnel network that overlaps the LAN, but I've never tried it because it's ugly.

This looks very interesting.  Can you expand on this a bit?  This is what it sounds like to me:

[1] Create an OpenVPN server that serves up IP addresses in a subnet of the network I currently use for the TiVo locally. So, for example, give the local stuff the lower half of a /24 and then have OpenVPN serve up the upper half.

[2] In Firewall->Virtual IPs, create a proxy ARP network VIP on the local network interface for the upper subnet range that OpenVPN is assigning.

Am I reading your statement right? Would the local network need to be defined as /25, or as /24 with intentional overlap? And what would I need on the NAT/Firewall side to make it work?
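The two steps in the post above, written out as a plain OpenVPN server configuration so the address arithmetic is visible. This is an added example, not configuration from the thread or from the pfSense project: the LAN 192.168.10.0/24, the split at .128 and the file paths are assumptions, and it follows the "/24 with intentional overlap" reading of the question rather than renumbering the LAN to /25.

```conf
# Added example, not from the thread or from pfSense. Assumed LAN:
# 192.168.10.0/24, with the local hosts (TiVo included) confined to .1-.127.
dev tun
proto udp
port 1194
topology subnet

# Step [1]: the tunnel network is the upper half of the LAN /24.
# OpenVPN takes .129 for the server side and hands clients .130 and up.
server 192.168.10.128 255.255.255.128

# Remote clients learn that the whole LAN /24 lives behind the tunnel.
# Their tun interface already sits in the upper half, so this mainly adds
# the lower half, where the local devices are.
push "route 192.168.10.0 255.255.255.0"

keepalive 10 60

# TLS material; the paths are placeholders.
ca   /path/to/ca.crt
cert /path/to/server.crt
key  /path/to/server.key
dh   /path/to/dh.pem
```

Step [2] is the pfSense side: under Firewall > Virtual IPs, a Proxy ARP entry on the LAN interface for the network 192.168.10.128/25 makes the firewall answer ARP for the client addresses, which is the effect jimp describes PPTP having relied on. Two caveats a practitioner should keep in mind: a tun tunnel is still layer 3, so broadcast frames never cross it and only the addressing looks local; and, as with any OpenVPN server on pfSense, traffic still needs pass rules on the OpenVPN interface tab before LAN hosts are reachable.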

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1434/-26
Re: PPTP server as package?
« Reply #12 on: August 03, 2016, 06:13:18 pm »
You're on the right track, but I'd rather not offer up too much info there. I don't want to encourage that practice. :-)

Offline apmuthu

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-1
Re: PPTP server as package?
« Reply #13 on: January 24, 2017, 04:37:08 pm »
For those who want to reinstate PPTP in pfSense v2.3, the commits that removed it on 2015-09-16 are here:
21 files affected
1 file updated

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14458
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: PPTP server as package?
« Reply #14 on: January 25, 2017, 08:50:22 am »
" tap is out because it isn't supported on iOS9"

In iOS 10 they removed PPTP as well.. Just sayin..

Nobody should be running PPTP at this stage..