
Re: [Openvpn-users] pptp over openvpn

  • Subject: Re: [Openvpn-users] pptp over openvpn
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Thu, 27 Jan 2005 03:28:07 +0100 (CET)

On Wed, 26 Jan 2005, Aaron P. Martinez wrote:

> I'm not sure if this is completely absurd but I thought I'd ask the
>
> I have 2 openvpn machines running as a p-t-p between two offices using
> tls instead of shared key and am happy/not concerned at all with this.
> I also need to allow roaming internet users to vpn to the machines at
> the central office and then go out to the lan at this location.
> Currently I have planned to put this machine on the DMZ and just allow
> traffic from the vpn to cross freely.  I'm pushing back a wins server
> address so that they can browse the network after they are through the
>
> I will be using tun devices because my current lan is almost out of IPs
> (class c network and using about 200 of them currently), making tap not
> an option (unless of course I don't understand the tap scenario).  All
> of the remote clients are currently using pptp to connect, which allows
> them perfect integration with the W2K ras server using active directory
> and doesn't take up any IPs on my lan.
>
> Now what I was thinking is that instead of putting my vpn server on the
> dmz, I move it to the lan and let the remote users establish a
> connection using openvpn and then have them run their pptp connection
> over that.  They would maintain the windows integration and at the same
> time have an extra level of security as well.  Since I'm allowing the
> traffic from openvpn to pass freely onto the lan anyway, is there any
> additional security risk here?
>
> Will this scenario slow the connections down to an unusable level?  As I
> asked before, is this just absurd?

I think it surely would be possible to run pptp over the OpenVPN tunnel; the question is just why?

Maybe we can help you solve the real problems instead. Adding an extra protocol layer is just a waste of both bandwidth and CPU, as well as adding complexity, so try to stay away from such a solution as long as you can.

What is the actual problem you're trying to solve?

You say you are pushing a WINS server to the clients, so I assume you are already able to reach your MS servers?

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
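For reference, the setup the thread describes (a TLS-authenticated tun server for roaming clients that pushes a LAN route and a WINS address, with no second tunnel layered on top) looks like the following OpenVPN 2.0 server configuration. This is an added example, not a config from either poster; the tunnel subnet, LAN subnet, WINS address and certificate file names are constructed placeholders.

```conf
# Added example: OpenVPN 2.0 server config for roaming road-warrior clients.
# All addresses and file names below are constructed placeholders.
port 1194
proto udp
dev tun                      # tun: clients get tunnel addresses, no LAN IPs used

# TLS instead of a shared static key: each client has its own certificate
ca   ca.crt
cert server.crt
key  server.key
dh   dh1024.pem

# Tunnel address pool (constructed); the server takes the first address
server 10.8.0.0 255.255.255.0

# Let clients reach the office LAN behind this server (constructed subnet)
push "route 192.168.1.0 255.255.255.0"

# Push the WINS server so Windows clients can browse the LAN by name
push "dhcp-option WINS 192.168.1.10"

keepalive 10 120
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
```

The LAN side still needs a route for 10.8.0.0/24 back to the OpenVPN host (or NAT on that host), and the firewall policy for what tunnel traffic may reach on the LAN is set there, not in this file.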
