Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Paul Smedshammer
September 18, 2003, 10:52 pm
rate this thread
based clients for quite some time now. It gives me a very good feeling to
make that encrypted, keyed and pass-phrase secured connection to tunnel
everything from POP3 to Terminal Services.
As much as a VPN connection offers, using Microsoft's pptp makes very nervous.
All somebody needs to hack in is the correct address, username and password
(or some other hole) and they have full VPN access to the network and server.
I know there are more secure methods for VPN however, they all require either
expensive hardware and/or a direct connection from the VPN server to the
internet. Reading the newsgroups I can see that I'm not alone in the wish to
have a Windows VPN Client -> Putty SSH -> Linux SSHd (or equiv.) -> Windows
VPN Server connection. Only this is not possible as IP Protocol 47 cannot be
forward by SSH.
OK, here is my wacky idea for a solution. Set up the firewall to forward IP
Protocol 47 to the Windows VPN Server but NOT port 1723. So with this setup
there is no way anybody can make a PPTP VPN connection to the Windows VPN
Server. Now the wacky part. Set up Putty or some other SSH client to connect
to the SSH server and port forward 1723. Now set up the Windows VPN Client to
connect to localhost. I know what you are thinking, this won't work… I know.
But what if there was another configuration parameter in Putty or another SSH
client where you put in two values, IP Protocol 47 and IP address (which would
be the actual internet firewall address). Now, basically, Putty (or equiv.)
would let the VPN connection occur by connecting to localhost for the 1723
port forwarding part and redirecting any IP Protocol calls to 47 directly to
the firewall router end up at the VPN Server. So you have two paths set up
that give you your VPN connection. SSH for port 1723 and direct for Protocol
47. The combination giving you your secured connection only allowed through
an authorized SSH connection not relying solely on Microsoft security.
Not knowing enough about the IP Protocol situation, Putty (or equiv.) would
have to be able to intercept any IP Protocol 47 traffic and redirect it.
Seems like this should be doable.
Is this possible? I would be using right now if I could do it along with
countless others I would imagine.
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — Newest thread in » Secure Shell Forum