Old 08-31-2005, 06:15 PM   #1
4mix
LQ Newbie
 
Registered: Jul 2004
Distribution: Debian 2.4.18
Posts: 19

Rep: Reputation: 0
Question VPN for authenticating to access internet?


Hi

I have a small network of computers where we share an internet account.

We have a problem: people steal internet by changing their MAC and IP address, which are used to authenticate.

I installed pptpd (Poptop) to permit authentication based on username/password but I don't know what to do in order to provide internet access for the people who authenticate in this VPN.

What should I do ? should I modify something in firewall, routing policies? What exactly?

I'm using a Debian stable, kernel 2.6.10.

Thank you in advance!

Last edited by 4mix; 09-01-2005 at 03:09 AM.
 
Old 09-01-2005, 05:02 AM   #2
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
Well, what you need to do is turn off IP forwarding (NAT) on the server; then when someone tries to access a resource not on the LAN, like msn.com, the only route for it to travel outside your LAN is through the PPTP connection.

If I may suggest something though... if all these users are authorized, why not use SSH with tunneling. Disable the NAT masquerading and then let the users log on with an SSH client like PuTTY; then when they want to access a resource they can simply use 127.0.0.1:port, or in the case of a web browser they set up a proxy server config where traffic proceeds through 127.0.0.1, which is actually being tunneled through SSH and from there to the outside world. It is your choice.

From an admin standpoint SSH probably is the better solution; from the user standpoint PPTP is probably better though. If you are looking for end user ease, PPTP is the way to go, because all the user has to do is log on via PPTP, as opposed to setting up tunnels and proxies etc...

Alex
 
Old 09-01-2005, 05:57 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
For authentication, use the modules for squid..

If people are smart enough to sniff the network for logins etc, you may have a problem passing credentials..

There are documents for this at http://www.comfsm.fm/computing/squid/FAQ-23.html

Using pptpd, users would login to the proxy server and be given a 2nd ip number via dhcp. If the proxy for the internet connection is blocked for access only via the pptpd interface pppx, you can specify the server's 2nd ip number as the proxy address for clients.

pptpd allocates an individual number for the client and can also keep a separate server ip number for that connection. You can also specify the client ip number in the /etc/ppp/chap-secrets file, in the 4th column.

You can also run the pptp connection without compression or encryption to keep the speed up. Logins can be specified as mschapV2 to ensure they are encrypted..

Last edited by peter_robb; 09-01-2005 at 08:44 AM.
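As an added example (not from this thread or from the pptpd project), here is a small shell script that writes the three pptpd files the post above refers to: pptpd.conf with the server's own tunnel address and the client pool, pptpd-options restricted to MS-CHAPv2, and chap-secrets with a fixed client address in the 4th column. It assumes the 10.168.109.0/24 pool and the Debian default file locations; the secrets are constructed placeholders, and the user names are hypothetical.

```sh
#!/bin/sh
# Added example: generate pptpd authentication files (not the thread's own configuration).
# Assumptions: tunnel pool 10.168.109.0/24, Debian-style paths under /etc/ppp.
# Pass a directory to write somewhere else for review, e.g.: write_pptpd_auth /tmp/pptpd-review

write_pptpd_auth() {
    dir=${1:-/etc/ppp}
    mkdir -p "$dir"

    # pptpd.conf: the server keeps its own tunnel-side address (localip) separate from the
    # LAN address, and hands each client one address out of remoteip.
    cat > "$dir/pptpd.conf" <<'EOF'
option /etc/ppp/pptpd-options
localip 10.168.109.1
remoteip 10.168.109.10-50
EOF

    # pptpd-options: refuse cleartext and weak challenge methods, require MS-CHAPv2 so the
    # login itself is never sent in clear. MPPE is optional; it costs CPU (see the speed note above).
    cat > "$dir/pptpd-options" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# uncomment to force 128-bit MPPE encryption of the tunnel payload
#require-mppe-128
EOF

    # chap-secrets: client  server  secret  IP address
    # The 4th column pins each user to a fixed tunnel address, so per-user firewall rules
    # and logs map back to a person. Secrets below are constructed placeholders.
    cat > "$dir/chap-secrets" <<'EOF'
# client    server  secret                        IP addresses
alice       pptpd   "REPLACE-WITH-ALICE-SECRET"   10.168.109.11
bob         pptpd   "REPLACE-WITH-BOB-SECRET"     10.168.109.12
EOF
    chmod 600 "$dir/chap-secrets"
}

# Look up the tunnel address assigned to a user (4th column of chap-secrets).
user_address() {
    awk -v u="$2" '$1 == u { print $4 }' "$1/chap-secrets"
}
```

The `name pptpd` line must match the server column of chap-secrets, otherwise pppd finds no matching secret and every login fails; keep chap-secrets mode 600 since it holds the passwords in clear.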
 
Old 09-05-2005, 04:22 PM   #4
4mix
LQ Newbie
 
Registered: Jul 2004
Distribution: Debian 2.4.18
Posts: 19

Original Poster
Rep: Reputation: 0
Thank you scheidel21, and thank you peter_robb.

As you said, I disabled the FORWARD for the static IP range of the computers from my network, and then I FORWARD-ed the IPs from the VPN, I made the NAT, and it worked. Thank you. Of course I let people access the server with the INPUT chain.

# traffic arriving over the PPTP tunnels may talk to the server itself
/sbin/iptables -A INPUT -i ppp+ -j ACCEPT
# only the VPN address pool is forwarded (the LAN's static range is not)
/sbin/iptables -A FORWARD -s 10.168.109.0/24 -j ACCEPT
# NAT the VPN pool out of eth1; 999.999.999.999 is a placeholder for the server's public address
/sbin/iptables -t nat -A POSTROUTING -s 10.168.109.0/24 -o eth1 -j SNAT --to-source 999.999.999.999


I used the PPTP approach because the people accessing the internet are newbies, so I couldn't use the SSH approach (thank you for this suggestion).

PPTP is very good, also because you don't need clients on Windows workstations, and it works even on Win 98.

Also, because I wanted to pass all traffic (even p2p - kazaa, emule, ftp, ssh) without restriction, not only http, I couldn't use squid, which is another possibility for authenticated login as you kindly suggested.

For the sake of information in this field, because there are people who are interested in ways of protecting their server from internet theft, I will write what I found during my small research. Please excuse me for any errors, and please correct them.

Squid (a proxy) is good for http authentication if you don't have the need to pass other forms of traffic.

PPTP (poptop) is relatively easy to install. This protocol can be encrypted, but it's less secure than OpenVPN. You also should give a user and a pass to each client in a secure manner.

OpenVPN is another VPN server (free); it uses SSL encryption with keys and certificates. It has very good documentation and is relatively easy to set up. It also works with Windows clients, but you need to install a piece of software on each client and give them a key and certificate pair in a secure manner. It does not work with Win 98. There are graphical tools on clients also.

Another form of authentication is PPPoE (point to point protocol over ethernet), but its documentation is very thin. It is used by ISPs. It doesn't require the installation of software clients on Windows stations. It has a free server and client for Linux.

The last form of authentication, but I'm not sure, is using IPSEC. I'm not sure, maybe this is mainly for big institutions; it requires more resources. Excuse me if I'm wrong (google should help here).

The problem with VPNs for this aim of authentication is that they consume computing power. This consumption depends on whether the protocol is encrypted and whether it is compressed. You can choose these. It depends on the situation: if you have a slow server and newbies it's ok without encryption, otherwise you should upgrade the hardware.
For the resource consumption, I was told that the most important factor is not how many people you have in your VPN, but how many are using the internet at the same time. One example was a Pentium 200 with 20 people using the VPN. Unfortunately I don't know if they were all using it at the same time, and if the protocol was encrypted.

Kind regards!
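As an added example (not the poster's rules and not from any project), here is the firewall idea in the post above carried through as a complete script: the LAN interface is never forwarded, only packets that actually arrived over a ppp interface from the VPN pool are forwarded and NATed, and the server accepts the PPTP control and GRE traffic it needs from the LAN to bring the tunnels up. It assumes eth0 is the LAN, eth1 is the internet side, 10.168.109.0/24 is the pptpd pool, and 203.0.113.10 (a documentation address) stands in for the public IP; the function and variable names are hypothetical. By default it only prints the commands; set IPTABLES=/sbin/iptables to apply them.

```sh
#!/bin/sh
# Added example: VPN-only forwarding ruleset (not the thread's own configuration).
# Assumptions: LAN on eth0, internet on eth1, pptpd pool 10.168.109.0/24.
# IPTABLES defaults to "echo" (dry run, prints the rules); set it to /sbin/iptables to apply.
# ip_forward must be on for the VPN clients to get out: echo 1 > /proc/sys/net/ipv4/ip_forward

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
VPN_NET=${VPN_NET:-10.168.109.0/24}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # documentation address: replace with the real public IP
IPTABLES=${IPTABLES:-echo}

vpn_only_forwarding() {
    # Default-drop FORWARD so nothing crosses the box unless a rule below allows it
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F POSTROUTING

    # LAN hosts may reach the server only to set up PPTP: TCP/1723 control channel plus GRE
    $IPTABLES -A INPUT -i "$LAN_IF" -p tcp --dport 1723 -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -p gre -j ACCEPT
    # Traffic arriving over an authenticated tunnel may talk to the server
    $IPTABLES -A INPUT -i ppp+ -j ACCEPT

    # Forward only packets that came in over a ppp interface AND carry a pool address.
    # Matching the interface matters: a LAN host that spoofs a 10.168.109.x source on eth0
    # still arrives on eth0, not ppp+, so this rule does not match it.
    $IPTABLES -A FORWARD -i ppp+ -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
    # Replies for those tunnel connections
    $IPTABLES -A FORWARD -i "$WAN_IF" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Explicit refusal for anything trying to go straight from the LAN to the outside
    $IPTABLES -A FORWARD -i "$LAN_IF" -j DROP

    # NAT only the VPN pool, never the LAN range
    $IPTABLES -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

vpn_only_forwarding
```

Run it once as-is to read the generated rules, then `IPTABLES=/sbin/iptables sh vpn-only.sh` to load them; a changed MAC or IP on the LAN side no longer helps, because the only path out is a tunnel that required a username and password.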
 