[CentOS] Pptp vpn server

Ross Walker rswwalker at gmail.com
Wed Nov 3 14:04:52 UTC 2010


On Nov 3, 2010, at 9:07 AM, Les Mikesell <lesmikesell at gmail.com> wrote:

> On 11/3/10 7:48 AM, Adam Tauno Williams wrote:
>> On Wed, 2010-11-03 at 12:49 +0000, John Hodrien wrote:
>>> On Wed, 3 Nov 2010, Adam Tauno Williams wrote:
>>> 
>>>> On Wed, 2010-11-03 at 13:04 +0200, Eero Volotinen wrote:
>>>>> 2010/11/3 mattias<mj at mjw.se>:
>>>>>> How to setup a vpn server on centos?
>>>>>> I can't find the pptpd in any repo
>>>>> PopTop is possibly the solution that you are looking for:
>>>>> http://poptop.sourceforge.net/ , but ssl-vpn like openvpn is a much
>>>>> better solution (works correctly with any firewalls)
>>>> PoPTP works very well. Also known as pptpd.
>>> Although as has already been pointed out, GRE and NAT issues make PPTP a somewhat
>>> odd choice given the alternatives.
>> 
>> I agree;  but its issues versus the issues of the other alternatives....
>> seems almost a wash to me.
> 
> Errr, what issues does openvpn have?

I'm no fan of any type of VPN as I think it's a way of extending your trusted LAN to an untrusted endpoint, compromising internal trust levels, but if you are going to implement a VPN the type is of far less consequence (account/password is more likely to be compromised than traffic intercepted and decrypted) than the authenticating domain is. As always it's better to use internally generated certificates that are password-protected than either passwords or certificates alone. Having said that, these password-protected certificates are a PITA to distribute to users and to support remotely.

I would suggest only providing VPN access to administrators and, for users, providing a combination of an SSL gateway to web-mail and some type of terminal service that either authenticates with a separate domain or is only accessible after successfully authenticating to the SSL gateway.

You could have the gateway server use a separate database of users and passwords for those users allowed remote access; they authenticate with the gateway, then their IP address is added to a table of authorized clients to connect to the terminal services. As long as the gateway does HTTP TCP keepalive the IP is kept in the table; when the connection is dropped the IP is removed.

This would allow full control of what traffic traverses the gateway/firewall while still allowing users to access the services they need.

-Ross
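
The authorized-client table described in the message above, as an added example that is not part of the original post or of any project's code. The ipset set name `ts_clients`, the class and method names, and the idle timeout standing in for a missed keepalive are all assumptions; the firewall commands are returned for the caller to apply, not executed.

```python
import ipaddress
import time

SET_NAME = "ts_clients"  # hypothetical ipset name, matched by a firewall rule


class AuthorizedClients:
    """Source IPs allowed to reach the terminal service, tied to live gateway sessions."""

    def __init__(self, idle_timeout=60.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # assumed stand-in for a missed keepalive
        self.clock = clock
        self.sessions = {}  # session id -> (ip, time of last keepalive)

    def _ips(self):
        return {ip for ip, _ in self.sessions.values()}

    def _diff(self, before):
        """Firewall commands needed to move from `before` to the current IP set."""
        after = self._ips()
        cmds = [["ipset", "add", SET_NAME, ip] for ip in sorted(after - before)]
        cmds += [["ipset", "del", SET_NAME, ip] for ip in sorted(before - after)]
        return cmds

    def login(self, session_id, ip):
        """Call only after the gateway has verified the user's credentials."""
        ip = str(ipaddress.ip_address(ip))  # raises ValueError on malformed input
        before = self._ips()
        self.sessions[session_id] = (ip, self.clock())
        return self._diff(before)

    def keepalive(self, session_id):
        if session_id not in self.sessions:
            return False
        ip, _ = self.sessions[session_id]
        self.sessions[session_id] = (ip, self.clock())
        return True

    def drop(self, session_id):
        """Connection closed: remove the IP unless another session still uses it."""
        before = self._ips()
        self.sessions.pop(session_id, None)
        return self._diff(before)

    def expire(self):
        """Treat sessions with no keepalive inside idle_timeout as dropped."""
        before, now = self._ips(), self.clock()
        self.sessions = {s: (ip, t) for s, (ip, t) in self.sessions.items()
                         if now - t <= self.idle_timeout}
        return self._diff(before)
```

Sessions are counted per address because several authenticated users can arrive from one source IP; the address leaves the table only when the last of them is gone.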



