linjunhalida

Reputation: 4655

linux PPTP server relay

I want to create a VPS that has both a PPTP server and a PPTP client, and this VPS is used as a relay.

There are two servers: VPS1 and VPS2. Both have PPTPD installed, and VPS1 also has the pptp client installed.

I want to have this:

user ---- PPTP ----> VPS1 ----- PPTP ----> VPS2

The user connects to VPS1, and all the network traffic is routed to VPS2. I'm doing this because it is hard for the user to connect to VPS2 directly, so a middle server is needed to work as a relay.

How can I configure iptables to make it work? Thanks.

Upvotes: -2

Views: 1151

Answers (1)

TingSong Syu

Reputation: 93

Strange usage of PPTP. Your ISP must be Shanghai, China Telecom.

If you route all the network traffic in VPS1 to VPS2, you have to know the IP address of the user and set up an exception. Otherwise the user will never receive the reply packets.

Maybe you can use iptables to enable DNAT. Make VPS1 a router and VPS2 the internal PPTP server.

First of all, you should check whether the kernel modules ip_nat_pptp and ip_conntrack_pptp are loaded. PPTP uses TCP port 1723 to transmit control commands and uses GRE to transfer data. Because GRE has no ports, the server has to use the CallID to track the endpoints and implement the NAT. This is called PPTP Passthrough.

# lsmod | grep pptp

If not loaded, then load them.

# modprobe ip_nat_pptp
# modprobe ip_conntrack_pptp

Then you need to enable the IPv4 network forwarding:

# sysctl -w net.ipv4.ip_forward=1

Now you can create iptables rules to accept the incoming and forwarded requests:

# iptables -A INPUT -d $VPS1_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A INPUT -d $VPS1_IP_ADDR -p gre -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p gre -j ACCEPT

Finally, set up the DNAT rules:

# iptables -t nat -A PREROUTING -d $VPS1_IP_ADDR -p tcp --dport 1723 -j DNAT --to-destination $VPS2_IP_ADDR
# iptables -t nat -A POSTROUTING -d $VPS2_IP_ADDR -p tcp --dport 1723 -j MASQUERADE

You can now connect to VPS1 with the username/password of the pptpd on VPS2.

Upvotes: 1
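
A check for the relay rules described in the answer above, added here as an example and not part of the original answer: it reads `iptables-save` output and reports which of the four pieces (DNAT and MASQUERADE in the nat table, tcp/1723 and GRE in FORWARD) is absent. The function names and the sample rule set with its documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed iptables-save output for a relay (VPS1 = 203.0.113.10, VPS2 = 198.51.100.20).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 198.51.100.20
-A POSTROUTING -d 198.51.100.20/32 -p tcp -m tcp --dport 1723 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -d 198.51.100.20/32 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -d 198.51.100.20/32 -p gre -j ACCEPT
COMMIT'

# rule_in_table TABLE PATTERN: succeed if stdin holds a rule in TABLE matching the ERE PATTERN.
rule_in_table() {
    awk -v t="*$1" -v pat="$2" '
        /^\*/ { cur = $0 }                       # "*nat" / "*filter" section header
        cur == t && /^-A / && $0 ~ pat { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# audit_pptp_relay VPS2_IP: read iptables-save text on stdin, print each
# missing piece of the relay setup, and return the number of missing pieces.
audit_pptp_relay() {
    vps2=$(printf '%s' "$1" | sed 's/\./[.]/g')  # match dots literally
    rules=$(cat)
    missing=0
    check() {                                    # check TABLE PATTERN DESCRIPTION
        if ! printf '%s\n' "$rules" | rule_in_table "$1" "$2"; then
            echo "missing: $3"
            missing=$((missing + 1))
        fi
    }
    check nat "^-A PREROUTING .*-p tcp .*--dport 1723 .*-j DNAT --to-destination $vps2" \
        "DNAT of tcp/1723 to VPS2 in nat PREROUTING"
    check nat "^-A POSTROUTING .*-d $vps2(/32)? .*--dport 1723 .*-j MASQUERADE" \
        "MASQUERADE toward VPS2 in nat POSTROUTING"
    check filter "^-A FORWARD .*-d $vps2(/32)? .*--dport 1723 .*-j ACCEPT" \
        "FORWARD accept for tcp/1723 to VPS2"
    check filter "^-A FORWARD .*-d $vps2(/32)? .*-p gre .*-j ACCEPT" \
        "FORWARD accept for GRE to VPS2"
    return "$missing"
}

# On a live relay: iptables-save | audit_pptp_relay "$VPS2_IP_ADDR"
printf '%s\n' "$SAMPLE_RULES" | audit_pptp_relay 198.51.100.20 && echo "relay rules complete"
```
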
