hurdles

@rogers.com

what's the best way of doing this in your opinion?

Hi there,

I'm trying to set up a VPN server at home for my friends and family back home, so that they could bypass the state censorship that forbids them from accessing half the sites on the net.

I have two boxes at home: one with Windows 7 and one with XP.
I learned that those OSs don't permit multiple users to connect at the same time, so I started looking into other options:

Cisco:
the client is free, but not the server, correct?

Plus I want to make this as pain-free and simple as possible for the user, that is, not require them to download/install software (preferably).
After setting it up, I would like to create a "Dial-up Phonebook" (.pbk) file and forward it to them. They'd just run it, enter user/pass, hit dial and connect, just like how they do it in the file I'm attaching here. I got this long ago from someone who was essentially doing the same thing: a VPN between home and office.

Please advise, and know that it's for a good cause.

much appreciated!

HELLFIRE

join:2009-11-25
kudos:4

@hurdles
The Windows VPN client is about the most pain-free client for Windows, that I can tell anyways.
Point it to the VPN headend address and go.

You may also want to try this thread for a solution from a Windows perspective.

For your Cisco-specific options, it's going to depend on what you're using, or planning to use. I'm personally more experienced in the big stuff like this, and while they're not impossible to configure, the equipment is most definitely NOT free. Also you may have to consider user and licencing limitations, which is going to be a potential issue with about any other commercial provider of similar types of gear.

You could look into DIY stuff. Some names of products I can think of are Untangle, OpenVPN,
Astaro, or some other *nix router distro.

Regards


broccoli

join:2007-11-29
Portland, OR

reply to hurdles
One low-cost (and easy) option is to get a router that is supported by DD-WRT and install DD-WRT on it. The standard DD-WRT build includes a PPTP server that is extremely straightforward to configure, and all versions of MS Windows since 95 have a PPTP client that is even easier to set up and use.


eibgrad

join:2010-03-15

reply to hurdles
In general I agree w/ Hellfire's idea about the MS PPTP VPN, but there is one caveat when it comes to bypassing state censorship.

Remember, the MS VPN requires the external port 1723 (you can’t just remap it, at least I've never been able to make it work w/ anything but 1723), and given the determination of some states, it's a simple matter to block all access to port 1723. In fact, sometimes ISPs (not even for censorship reasons) block it. Or they might be using older equipment that doesn't support GRE.

So I'm always a bit cautious about depending solely on PPTP. Just too many things can go wrong. If you do use it, it's a good idea to have a backup solution.

What I recommend is to use something based on SSL (port 443), which almost no one is going to block, if only because a tremendous amount of legitimate traffic depends on it (banking, online shopping, etc., even the government itself). What I do is keep LogMeIn Hamachi installed on all my computers. Now I have a completely secure VPN from which I can do ANYTHING, including file (SMB) and printer sharing, http, telnet, rdp, vnc, etc. I can even add a proxy server like Privoxy and make that available (so remote users would simply configure their apps to use that proxy).

In fact, it might even be easier to simply make a remote desktop available (e.g., VNC over Hamachi, or LogMeIn), perhaps creating several virtual desktops on a spare server using VirtualBox.

Anyway, there are a lot of ways to skin this cat, and some better than others. Whether any given solution is simple enough for your needs, you’ll need to decide. But with that simplicity often comes the simplicity to thwart your efforts by the censors. You have to think a little outside the box to make sure you don’t leave yourself w/ one solution/option that falls apart because you failed to anticipate how it could be defeated. Always have at least one backup solution!



hurdles

@rogers.com

reply to broccoli
Thanks a lot for the helpful comments.
I have a Cisco DPC2325. Turns out it doesn't support DD-WRT. Going to pick up a router that does tomorrow and continue the battle.
Will keep you posted. Thanks again.



SoonerAl
Old enough to know better
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5

reply to hurdles
This document may or may not be of interest...

»en.flossmanuals.net/_booki/bypas···ship.pdf
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer



hurdles

@rogers.com

OK, so I picked up an Asus RT-N16 today, hooked it up, upgraded the firmware to DD-WRT and followed the instructions online to configure the PPTP. Used mainly the one here:
»geekyprojects.com/vpn/remote-acc···-dd-wrt/

Adding the dynamic DNS to the DDNS page of DD-WRT went fine. Then set up the VPN under Services just like how it says in the guide above.
Then created a VPN connection on a computer outside my LAN, but no luck connecting to it! PS: theoretically speaking, should you be able to VPN from a computer within your LAN as well?

Then I read somewhere that port 1723 should also be forwarded to the router's IP, so I did that as well, but still no luck!

Any thoughts?

Thanks


broccoli

join:2007-11-29
Portland, OR

said by hurdles :

Then created a VPN connection on a computer outside my LAN, but no luck connecting to it! PS: theoretically speaking, should you be able to VPN from a computer within your LAN as well?

No, VPN services are available on the WAN side only.

Then I read somewhere that port 1723 should also be forwarded to the router's IP, so I did that as well, but still no luck!

Ideally the VPN router would be the edge router, but it appears that your cable modem is also a NAT router, which complicates things. Try putting your new router into the DMZ and see if that helps.


hurdles

@rogers.com

said by broccoli:

Ideally the VPN router would be the edge router, but it appears that your cable modem is also a NAT router, which complicates things. Try putting your new router into the DMZ and see if that helps.

The cable modem is a NAT router, but doesn't it help that I disabled its wireless functionality and also told my ISP that I'm using a separate wireless router, so they disabled the gateway mode of the modem/router?
I'll try DMZ like you said in the meanwhile.
Thanks for the reply.


hurdles

@rogers.com

reply to broccoli

said by broccoli:

Try putting your new router into the DMZ and see if that helps.

DMZ enabled and DMZ Host IP Address set to the IP of the router. Still the same thing. Thoughts, please?

broccoli

join:2007-11-29
Portland, OR

said by hurdles :

DMZ enabled and DMZ Host IP Address set to the IP of the router. Still the same thing. Thoughts, please?

Let's take it a step at a time, from the beginning.

First and foremost: you have Internet access from your LAN through the Asus router, right?

In the DD-WRT web-based admin interface, under the 'Security', 'Firewall', uncheck 'Block Anonymous WAN Requests (ping)', then select 'Apply Changes'. You should be able to ping your WAN IP/DDNS address from the outside.

If that's successful, try enabling DD-WRT's 'Web GUI Management' under 'Administration', 'Management'. You should be able to reach the same admin interface from the WAN using http://your_WAN_address:Web_GUI_port (Web GUI port is a couple of lines below the 'Web GUI Mgmt' radio buttons, defaults to 8080.)

BTW, how are you testing connections from the internet?


hurdles

@wind.ca

said by broccoli:

Let's take it a step at a time, from the beginning.

First and foremost: you have Internet access from your LAN through the Asus router, right?

Yes. I mean that's how it's set up now. Wireless is disabled on the modem and I've set the wireless password etc. on the Asus. The laptop's wirelessly connected to the Asus and my PC's connected through cable.

said by broccoli:

In the DD-WRT web-based admin interface, under the 'Security', 'Firewall', uncheck 'Block Anonymous WAN Requests (ping)', then select 'Apply Changes'. You should be able to ping your WAN IP/DDNS address from the outside.

Done, but pinging from outside the LAN still failed :/

said by broccoli:

If that's successful, try enabling DD-WRT's 'Web GUI Management' under 'Administration', 'Management'. You should be able to reach the same admin interface from the WAN using http://your_WAN_address:Web_GUI_port (Web GUI port is a couple of lines below the 'Web GUI Mgmt' radio buttons, defaults to 8080.)

I'd changed the port to 8181 because I thought 80 and 8080 are common targets. Even though ping failed and it was a given that remote web access would fail too, I still gave it a shot again. Same result.

said by broccoli:

BTW, how are you testing connections from the internet?

I tether my cell and get my laptop to connect to it. Good enough for testing or no?
I also got my sister, who's in a different country, to ping. Same thing.

broccoli

join:2007-11-29
Portland, OR

If you are renting your DPC2325, try getting Rogers to replace it with a plain cable modem, which should also save you a buck or two a month.

My father has Shaw and uses a Moto SB5101 (supplied by Shaw, I think), to which I connect a DD-WRT modded router mainly for its VPN endpoint capabilities.



hurdles

@rogers.com

Sir, you're a rock star!! Replaced the modem and it works like a charm.
Funny thing is, every time I talked to tech support, they were trying to convince me that the problem should be elsewhere: "Since the router functionality of the modem is turned off, there's essentially no difference between that and a regular modem" (which also makes sense).

Anyway, thanks a mil! If you also live in TO, I'd love to buy you a beer sometime.



hurdles

@rogers.com

reply to broccoli
Just another question re authentication. I understand if this thread is not appropriate for it, so if that's the case, let me know and I'll create a new thread for it.

I was wondering if I can enter multiple user/passes in the "CHAP-Secrets" field? I tried, but it only works for the first user/pass.
I followed the following convention:
user * pass *
user2 * pass *

Also tried:
user * pass * user2 * pass *

And can multiple users connect at the same time anyway?

Please advise.

Thanks


broccoli

join:2007-11-29
Portland, OR

said by hurdles :

I was wondering if I can enter multiple user/passes in the "CHAP-Secrets" field? I tried, but it only works for the first user/pass.
I followed the following convention:
user * pass *
user2 * pass *

I currently have it set up this way and it works for me. Don't know if it matters, but I have one newline character separating each user, and none before the first line and after the last line.

Some VPN clients have arbitrary length limits on usernames and passwords, so make sure you are not running into those limits.

Also, if it's not already obvious, you can't have asterisks in usernames and passwords.

And can multiple users connect at the same time anyway?

Should not be a problem. Make sure you have enough IP addresses reserved for VPN access ('Client IPs' field on the PPTP page).


hurdles

@rogers.com

Ah, that was just a typo. Multiple users works fine now too. Just one thing though: I can't access it from overseas (and I'm not even talking about back home, where the VPN ports might be blocked sometimes). My friends in the States and France can't even ping the machine! Though I access it no problem from a variety of places in TO. Have tried 4 different places already, plus using tethering from my cell.

And I was also wondering if there's a better way of handling a large number of users other than the "CHAP-Secrets" field? Maybe input in an XML file or something and tell the router to get them from there?
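As an added example (not code from the thread, DD-WRT or pppd): a small Python checker for the CHAP-Secrets format discussed above. It flags the several-users-on-one-line and asterisk mistakes, builds the field from a plain list of accounts (one way to keep a larger user list somewhere other than the web field), and checks the Client IPs pool against the user count. It assumes the field uses pppd's whitespace-separated "client server secret IP" lines and that Client IPs is a range like 192.168.1.200-210; both are assumptions, not taken from the thread.

```python
import ipaddress

# Constructed sample of a DD-WRT "CHAP-Secrets" field. Assumption: it follows
# pppd's chap-secrets layout, whitespace-separated "client server secret IP",
# one entry per line. Lines 3-5 reproduce mistakes discussed in the thread.
SAMPLE_SECRETS = """user * pass *
user2 * pass *
user3 * pass * user4 * pass *
bad*name * p@ss *
user5 * has a space *
"""

def parse_chap_secrets(text):
    """Return (entries, problems): entries as dicts, problems as (line, message)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank lines and comments are harmless
        if len(fields) != 4:
            hint = " (several users on one line?)" if len(fields) % 4 == 0 else ""
            problems.append((lineno, f"expected 4 fields, got {len(fields)}{hint}"))
            continue
        client, server, secret, addr = fields
        if "*" in client or "*" in secret:
            problems.append((lineno, "'*' is the wildcard; not allowed in a user or password"))
            continue
        entries.append({"client": client, "server": server, "secret": secret, "ip": addr})
    return entries, problems

def render_chap_secrets(accounts):
    """Build the field from (user, password) pairs, rejecting values that break the format."""
    lines = []
    for user, password in accounts:
        if "*" in user + password or any(c.isspace() for c in user + password):
            raise ValueError(f"'*' or whitespace in credentials for {user!r}")
        lines.append(f"{user} * {password} *")
    return "\n".join(lines)  # one newline between entries, none after the last

def pool_size(client_ips):
    """Addresses in an assumed 'Client IPs' range: first address, dash, last octet or address."""
    first, _, last = client_ips.partition("-")
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last if "." in last else f"{first.rsplit('.', 1)[0]}.{last}")
    return int(hi) - int(lo) + 1

def capacity_ok(entries, client_ips):
    """True when every configured user could be connected at the same time."""
    return pool_size(client_ips) >= len(entries)
```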


broccoli

join:2007-11-29
Portland, OR

said by hurdles :

can't access it from overseas (and I'm not even talking back home where the vpn ports might be blocked sometimes). My friends in the states and France can't even ping the machine!

That doesn't sound right. Do you still have the router set to accept pings? Please register on this site and send me a PM.
