 From:  "Manuel Kasper" <mk at neon1 dot net>
 To:  <safl at vip dot cybercity dot dk>
 Cc:  <list at m0n0wall dot neon1 dot net>
 Subject:  Re: [m0n0wall] PPTP VPN
 Date:  Sun, 6 Apr 2003 20:49:03 +0200 (CEST)
Hi Simon,

> I was just wondering what's keeping you from implementing a PPTP VPN in
> m0n0wall? I mean you got MPD, so it shouldn't be such a big hassle? Is it
> the configuration interface that's the big time consumer?

Yes and no. It's a bit more difficult to build a "one-fits-all" solution
like m0n0wall than it is to manually configure MPD/PPTP. There are many
small but important details to consider, and things are so intertwined...

Configuring MPD to just act as a PPTP server for one concurrent session is
not very difficult. OK. Now I know that everybody would want at least 8 or
16 concurrent sessions, so what do we do - we have to generate 16
different PPTP configurations for MPD. OK, PHP makes it possible, but then

Then there's firewall rules. Since we now have 16 interfaces, we have to
write each firewall rule that deals with PPTP 16 times. And of course, the
firewall has to be opened for TCP 1723 and IP protocol 47, and since the
WAN IP address may be dynamic, we'll have to use an ugly workaround with
ipnat because of shortcomings in ipfilter 3.4 that are only resolved in
4.0 (which is still alpha as of now). And what happens if the user decides
that he wants to use PPPoE (which uses MPD, too) and PPTP VPN at the same

OK, enough of the complaining, I just wanted to give you an idea of how
closely things are linked together, and that's what makes it harder to
implement new features like PPTP VPN. I have solutions for the problems
listed above in mind - all that's left is implementing them. :)

However, I've taken a look at it again and decided that I will implement
PPTP before IPsec. Even if the security may not be as good as with IPsec,
it's still much easier to use (especially with Windows clients). I have
some code from the old, never released shell-script version of m0n0wall
that I can use as a starting point (since it worked more or less).
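The firewall side of what the mail describes (open TCP 1723 and IP protocol 47 on the WAN, then repeat the per-session rules once for every MPD interface) can be generated rather than written by hand. The following POSIX shell function is an added example, not code from the mail, from m0n0wall or from MPD; the WAN interface name `fxp0` and the `ng0`..`ngN-1` naming for the per-session interfaces are assumptions, and the rules use an `any` destination because the mail notes the WAN address may be dynamic and that ipfilter 3.4 needs a workaround for that.

```shell
#!/bin/sh
# Added example (not m0n0wall's or MPD's code): emit ipfilter rules for a
# PPTP server with N concurrent sessions, as the mail describes.
# Assumptions: "$1" is the WAN interface (e.g. fxp0, hypothetical), "$2" is
# the number of concurrent sessions, and MPD creates one interface per
# session named ng0, ng1, ... (hypothetical naming).

pptp_ipf_rules() {
    wan="$1"
    n="$2"
    # The PPTP control channel (TCP 1723) and the GRE tunnel (IP protocol 47)
    # must both be let in on the WAN. Destination is "any" rather than the
    # WAN address because that address may be dynamic.
    printf 'pass in quick on %s proto tcp from any to any port = 1723 flags S keep state\n' "$wan"
    printf 'pass in quick on %s proto 47 from any to any\n' "$wan"
    # One interface per concurrent session, so every rule that concerns
    # PPTP clients has to be repeated once per interface.
    i=0
    while [ "$i" -lt "$n" ]; do
        printf 'pass in quick on ng%d from any to any keep state\n' "$i"
        i=$((i + 1))
    done
}

# Number of rules the generator emits (2 WAN rules + one per session).
pptp_rule_count() {
    pptp_ipf_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage (prints 18 rules for 16 sessions):
#   pptp_ipf_rules fxp0 16 > /tmp/pptp.ipf
```

Loading the generated file with `ipf -f` is left to the reader; the point of the example is the per-interface duplication the mail complains about, which grows linearly with the session count.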