Multiple outgoing PPTP VPNs simultaneously

Hi all!

I do the IT management for a small to mid-sized office with about 70 users. For some years now I have used a pfSense box for all my network needs: VLANs, VPNs, etc.

Since most of my colleagues give IT support to remote systems, unfortunately a few of our clients still use PPTP VPN gateways, which are about the only problem I can’t resolve with the pfSense FW. For those who don’t know, and correct me if I’m wrong, you “can’t have” more than one workstation dial a PPTP VPN to the same destination server from behind the same NAT. I used “” just now because you can have a 1:1 outgoing NAT using multiple public IPs, which I really can’t use in my case.

https://www.netgate.com/docs/pfsense/vpn/pptp-troubleshooting.html

Since I don’t control the IT of our clients, PPTP VPNs will be a reality for me for a while.

I created this post to maybe find a workaround for this behind a pfSense FW, something like using a different router for all the outgoing PPTP VPNs? (Don’t make fun of me, I’m using some LAN cables right now, spread through the office, that go to a small home Thompson router; this way I can have at least two colleagues connected to the same PPTP server.)

Thank you!

Best regards,

John

Without either switching to a different VPN protocol, or using different public IP addresses for different workstations, you are limited to one connection at a time.

You can’t have multiple workstations behind the same NAT firewall open multiple PPTP tunnels to the same PPTP server. This is because PPTP uses GRE instead of TCP or UDP for the actual traffic. GRE doesn’t have the concept of port numbers, and the traffic itself is encrypted, so pfSense (or any other firewall) has no way of knowing what inbound traffic should be forwarded to what workstation.

It’s possible to create a site-to-site PPTP VPN, which allows multiple workstations to use the same tunnel, but it requires configuration on both ends, and if you were going to that trouble you should switch to a more robust VPN solution like IPsec or OpenVPN instead.

People often set up PPTP because it’s simple to configure and widely supported. But it has also been shown to be very broken for a while now and shouldn’t be used when there are so many better options available.
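
As an added illustration of the GRE point made above (this is example code, not from the thread or from pfSense): a toy model of a stateful NAT table that keys replies the way a firewall keys TCP/UDP, on the reply’s 5-tuple. Calling `simulate(PROTO_TCP)` models the PPTP control channel on TCP 1723, which translates fine; `simulate(PROTO_GRE)` models the tunnel leg, where two workstations collapse into one state because GRE gives the NAT no port to tell them apart. All addresses are constructed (RFC 5737 documentation ranges).

```python
# Toy NAT model (added example, not pfSense code) showing why two LAN hosts
# cannot both hold a PPTP tunnel to the same server behind one public IP.
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
PUBLIC_IP = "203.0.113.10"       # constructed public address of the firewall


class NatTable:
    """Stateful NAT keyed on the fields a reply packet carries.
    For TCP/UDP that is the 5-tuple; for GRE (PPTP's data channel) the
    header has no ports, so only (protocol, remote IP, public IP) remains."""

    def __init__(self):
        self.next_port = 40000       # next external source port to hand out
        self.states = {}             # reply-side key -> internal (ip, port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Install a translation for a packet leaving the LAN.
        Returns (reply_key, collided): collided is True when the new state
        overwrites an existing one belonging to a different LAN host."""
        if proto in (PROTO_TCP, PROTO_UDP):
            ext_port = self.next_port
            self.next_port += 1
            key = (proto, dst_ip, dst_port, PUBLIC_IP, ext_port)
        else:
            key = (proto, dst_ip, PUBLIC_IP)   # nothing else to distinguish flows
        collided = key in self.states and self.states[key] != (src_ip, src_port)
        self.states[key] = (src_ip, src_port)
        return key, collided

    def inbound(self, key):
        """LAN destination for a reply matching this key, or None if unknown."""
        return self.states.get(key)


def simulate(proto):
    """Two workstations connect to the same remote server; return the set of
    LAN hosts that can still receive that server's replies afterwards."""
    nat = NatTable()
    server = "198.51.100.5"          # constructed remote PPTP server
    keys = []
    for host, sport in (("10.0.0.11", 50001), ("10.0.0.12", 50002)):
        key, _ = nat.outbound(proto, host, sport if proto != PROTO_GRE else 0, server, 1723)
        keys.append(key)
    return {nat.inbound(k)[0] for k in keys}


if __name__ == "__main__":
    print("TCP 1723 control channel reaches:", sorted(simulate(PROTO_TCP)))
    print("GRE tunnel replies reach:        ", sorted(simulate(PROTO_GRE)))
```

PPTP’s GRE variant (RFC 2637) does carry a 16-bit Call ID that a protocol-aware NAT helper could key on, which is exactly the per-session tracking the replies in this thread say pf does not do.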

PPTP has been cracked for decades. Tell your clients that due to security concerns you will no longer support broken protocols and that after April 15, 2019 your company will no longer use them. Then help them move to OpenVPN or IPsec. Software companies do it all the time (i.e. “this update requires Windows 10 or greater”, leaving Windows 8.x and Windows 7 in the dust).

As has been mentioned already, that isn’t possible due to how GRE works. pf doesn’t support tracking per-user sessions in GRE, and it won’t be fixed because PPTP is dead.

Since most of my colleagues give IT support to remote systems, unfortunately a few of our clients still use PPTP VPN

Since I don’t control the IT of our clients, PPTP VPNs will be a reality for me for a while.

So which is it? They need to ditch PPTP ASAP. It has been completely broken for over 6 years and dead before that. I know corporate IT moves slowly, but this is a serious security concern that they need to address.

You could set up a separate local router if you have another IP address or Internet connection it can use, and route the remote network(s) using PPTP over that somehow (local static routes, etc.), but the PPTP traffic can’t pass through pfSense, so things like policy routing on pfSense won’t help.

Thank you for your input! Yes, I know PPTP should not be used in a production context…

This means that after April 15, the PPTP protocol will be “removed” on some Windows versions? This is awesome news!

I mean that I fully control my network and my workstations. “Clients” is me referring to those we give support to, and in this case, as they are external companies, I really don’t have the “authority” to make them change anything…

Your policy route idea looks good, too bad we can’t do this…

I really don’t have the “Authority” to make them change anything…

I’m pretty sure when they try to connect to your PPTP tunnel that no longer exists they’ll get the hint. If not, make them sign an “acceptance of liability” contract that states they will pay whatever damages are caused by using a cracked protocol. If you don’t have the authority, you really need to run this up the food chain; you’re risking your company’s cyber integrity just because you don’t want to put your foot down and do what you know is right (that NEVER looks good on your resume).