PPTP Tunnel from Windows 10 (11.x)

Post by jono » 12 May 2008, 14:38

This How-to applies to:

Clavister Security Gateway 11.x
Microsoft Windows 10

This document assumes that you already have the Security Gateway up and running. If not, please consult the proper documentation for this.

Topics covered in this document

• Clavister - Preparing objects used by the gateway
• Clavister - Setting up the PPTP Tunnel
• Clavister - Setting up the User Authentication Rule
• Clavister - Setting up the Policies
• Windows 10 - Setting up the new network connection

Clavister - Preparing objects used by the gateway
First of all we need to create all needed objects.

Preparing the Host & Networks
The first thing to do is to add all objects needed by the PPTP tunnel, that is the network, the IP range that is going to be assigned to the PPTP clients and the IP used by the PPTP Server.

When this is done, we should have three new objects in Host & Networks; it should look something like this:
[Screenshot: PPTP_Addressess.png]

Preparing a new Local User Database
To be able to authenticate the users using the PPTP tunnel, a local user database will be used; this can of course also be a RADIUS server. Create a new database under System -> Users -> Local Databases.
In this How-to a user database named LocalUsers will be used.
[Screenshot: LocalUser.png]
NOTE: There is no need to define groups to get PPTP up and running, but groups could later be used in the rules to set up different policies based on group membership.

Clavister - Setting up the PPTP Tunnel
Now it's time to set up the PPTP Server. This is done in the PPTP/L2TP Servers section located under: Network -> VPN and Tunnels -> PPTP/L2TP Servers.

General
[Screenshot: PPTP_Tunnel.png]

Name
First of all, a name is needed for the PPTP interface. This virtual interface will be used later in the rules and user authentication rules sections.
In this example, the name PPTP_Tunnel is being used.

Inner IP Address
This IP should be a part of the network which the clients are assigned IP addresses from; in this case it should be PPTP_IP (192.168.0.1).

Tunnel Protocol
As we are setting up a PPTP Server, PPTP is selected as Tunnel Protocol.

Outer Interface Filter
This is the interface that the PPTP server will accept connections on; in this scenario any or ext has to be selected.

Server IP
This is the IP that the PPTP server is accepting connections on. Normally this is the same as the IP of the Outer Interface, i.e. Wan_ip.

PPTP_Parameters
[Screenshot: PPTP_Parameters.png]

Authentication
Should be enabled, and a rule needs to be configured (see further down).

Microsoft Point-to-Point Encryption
Select the encryption strength the server should allow.

IP Pool
Specify the addresses that are to be assigned to the clients. In this case use the pool created earlier, PPTP_pool. Also specify up to two DNS and WINS servers.

ProxyARP
[Screenshot: connection_information.png]
A ProxyARP needs to be configured for the IPs used by the PPTP Clients. What we do is publish the IPs from the PPTP_pool on int, and the PPTP server will automatically route them over the PPTP_Tunnel interface.

Virtual Routing
[Screenshot: pptp_auth.png]
The PPTP Server will automatically add routes to the PPTP Clients and route them over the PPTP_Tunnel interface. Select which routing table those routes should be added to. In this guide we will use main, which is the ordinary routing table.

Clavister - Setting up the User Authentication Rules
A user authentication rule needs to be configured as below:

Name: PPTP_Auth
  • Authentication Agent: L2TP/PPTP/SSL VPN (since we are using a PPTP Tunnel)
  • Authentication Source: Local (as we're using a Local User Database)
  • Interface: PPTP_Tunnel
  • Originator IP: all-nets (as the clients are roaming)
  • Terminator IP: Wan_ip (should be the same as the Outer IP)
  • Local User DB: LocalUsers (this option is found under the Authentication Options tab; select the DB we created earlier)

The rule should look like this:
[Screenshot: pptp_virtual_routing.png]

Clavister - Setting up the Policies
When the other parts are done, all that is left is the policies. To let traffic through from the tunnel to the Lan_net and to the Internet, two policies should be added with the following characteristics:

Name: PPTP_Allow
  • Action: Allow
  • Source Interface: PPTP_Tunnel
  • Source Network: PPTP_pool
  • Destination Interface: any
  • Destination Network: Lan_net
  • Service: all-services (we might want to select a different service for more security)

Name: PPTP_Nat
  • Action: Allow
  • Source Interface: PPTP_Tunnel
  • Source Network: PPTP_pool
  • Destination Interface: Wan
  • Destination Network: all-nets
  • Service: all-services (we might want to select a different service for more security)
  • Source Address Translation: Nat

[Screenshot: PPTP_Policies.png]

Windows 10 - Setting up the VPN connection
To set up the new PPTP network connection in Windows 10, go to Settings and press Network & Internet -> VPN -> Add a VPN connection, then enter the information for the PPTP connection.

VPN provider
Choose “Windows (built in)”.

Connection name
Give the VPN connection a name.

Server name or address
Type in the hostname or IP of the Clavister Security Gateway you are connecting to.

VPN type
Since we want to set up a PPTP connection we choose “Point to Point Tunneling Protocol (PPTP)”.

Type of sign-in info
Since we want to authenticate with the local users we created, choose Username and password.

Username (optional)
Here you enter the username of the user you want to connect as; in this example we use the user we created earlier, LocalUser1. This is optional; if you don’t fill this in you will get a pop-up asking for your username and password.

Password (optional)
Here you enter the password matching the user you want to connect as. This is also optional, in the same way as the username.
[Screenshot: pptp_addroute.png]
Click save and you should now be able to connect to your Clavister Security Gateway with PPTP.
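
The Windows 10 steps above can also be scripted with the built-in VpnClient cmdlets. This is an added example, not part of the original post; the connection name and server address are placeholder assumptions. It creates (or corrects) the profile, then reads it back and warns if encryption is not mandatory or if authentication methods other than MS-CHAPv2 are enabled.

```powershell
# Added example. $Name and $Server are placeholders (assumptions),
# not values from the how-to.
$Name   = 'Clavister PPTP'
$Server = 'gw.example.com'      # hostname or IP of the Security Gateway

# Same choices as in the Settings dialog: PPTP with username/password sign-in.
# EncryptionLevel 'Required' makes the client disconnect if the gateway does
# not negotiate MPPE. With password sign-in, MPPE keys are derived from the
# MS-CHAPv2 exchange, so that is the only method enabled.
$Settings = @{
    ServerAddress        = $Server
    TunnelType           = 'Pptp'
    AuthenticationMethod = 'MSChapv2'
    EncryptionLevel      = 'Required'
}

# Create the profile, or bring an existing one back in line (idempotent).
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Set-VpnConnection -Name $Name @Settings -Force
} else {
    Add-VpnConnection -Name $Name @Settings -Force
}

# Read the profile back and report anything that differs from the intent.
$vpn      = Get-VpnConnection -Name $Name
$findings = @()
if ($vpn.TunnelType -ne 'Pptp') {
    $findings += "TunnelType is $($vpn.TunnelType)"
}
if ($vpn.EncryptionLevel -notin @('Required', 'Maximum')) {
    $findings += "EncryptionLevel is $($vpn.EncryptionLevel); unencrypted sessions are possible"
}
$extra = @($vpn.AuthenticationMethod | Where-Object { $_ -ne 'MSChapv2' })
if ($extra) {
    $findings += "Extra authentication methods enabled: $($extra -join ', ')"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Profile '$Name' matches the intended settings."
}

# To connect, '*' makes rasdial prompt for the password instead of taking
# it on the command line. LocalUser1 is the example user from the how-to.
# rasdial $Name LocalUser1 *
```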

Re: PPTP Tunnel from Windows 10 (11.x)

Post by mape » 27 Oct 2016, 15:40

Updated 2016-10-19
Now updated to work with newer versions of cOS Core and Windows 10.
