Connect to a remote PPTP server with the pfSense PPTP server enabled

From pfSense Documentation
WARNING
PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2, which has been compromised. If you continue to use PPTP, be aware that intercepted traffic can be decrypted by a third party, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.

More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

This article is part of the How-To series.

Summary

Connecting to a remote PPTP server (outbound) while using the same IP for incoming PPTP connections currently does not work due to NAT limitations in pf. The only currently working choice is to NAT the outbound PPTP connection to an additional WAN IP address.

Reroute traffic for remote PPTP servers out an additional IP

Map outbound GRE and tcp/1723 traffic to another VIP using the protocol option on manual outbound NAT rules. This allows an outbound NAT rule to move outgoing GRE traffic to a VIP instead of the WAN IP address.

Reroute traffic for a specific PPTP server out an additional IP

This works by directing all traffic destined for the remote PPTP server's IP address out another VIP instead of the WAN IP.

Add Virtual IP for additional public IP to use for outbound PPTP

  1. Navigate to Firewall > Virtual IPs
  2. Click "+" to add
    1. Choose Type: Proxy ARP
    2. Interface: WAN
    3. IP Address Type: Single Address
    4. IP Address: <additional public IP>
    5. Description: Whatever desired, e.g. VIP for outbound PPTP
  3. Click Save
  4. Click Apply Changes

Enable Manual Outbound NAT rules

  1. Navigate to Firewall > NAT, Outbound tab
  2. Select Manual Outbound NAT rule generation
  3. Click Save

Set up Outbound NAT rule for single remote PPTP server

  1. Click "+" at the top of the list of NAT rules
    1. Interface: WAN
    2. Source Type: Network
    3. Source Address: <LAN subnet>/<LAN subnet mask> (e.g. 192.168.1.1/24)
    4. Destination Type: Network
    5. Destination Address: <IP of the remote PPTP server>/32
    6. Translation Address: Pick the newly added VIP from the list
    7. Description: Whatever desired, e.g. Outbound PPTP
  2. Click Save
  3. Click Apply Changes
  4. Double check that the newly added rule is at the top of the list. If it is not, move it up.
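The two rerouting approaches above (per-destination for a single remote server, and per-protocol for GRE and tcp/1723), written out as hand-written pf NAT rules so the ordering requirement in step 4 is visible. This is an added illustration, not the ruleset pfSense itself generates; the interface name and every address are constructed placeholders.

```pf
# Constructed example: pf translation rules equivalent to the outbound NAT
# configuration described in this article. All values below are placeholders.
wan_if   = "em0"             # WAN interface (assumed name)
wan_ip   = "198.51.100.2"    # primary WAN address used by the catch-all rule
vip      = "198.51.100.5"    # Proxy ARP VIP added for outbound PPTP
lan_net  = "192.168.1.0/24"  # LAN subnet
pptp_srv = "203.0.113.10"    # remote PPTP server

# Option A (single remote server): all LAN traffic to that server leaves
# from the VIP, so both the tcp/1723 control channel and the GRE tunnel
# are translated to the same additional address.
nat on $wan_if from $lan_net to $pptp_srv/32 -> $vip

# Option B (by protocol): GRE and tcp/1723 to any destination leave from
# the VIP, which is what the "protocol" option on a manual outbound NAT
# rule achieves for any remote PPTP server.
nat on $wan_if proto gre from $lan_net to any -> $vip
nat on $wan_if proto tcp from $lan_net to any port 1723 -> $vip

# The generic catch-all must stay BELOW the PPTP rules: pf evaluates nat
# rules top to bottom and the first match wins, so if this line came first
# the PPTP traffic would be translated to the WAN IP and the rules above
# would never be reached.
nat on $wan_if from $lan_net to any -> $wan_ip
```

Only one of the two options is needed; with the same VIP the rules do not conflict, but each still has to sit above the catch-all.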