I have a PPTP VPN running on 'MachineA' (set up in Routing and Remote Access) to connect to a customer site.

I have tried to create a permanent route from MachineB with MachineA as the gateway, but I'm unable to ping any servers at the customer site. Should this work?

The customer servers are on 10.0.0.x range and I have added:

route add 10.0.0.0 mask 255.255.255.0 192.168.0.17 metric 1

...but I still can't ping any machines on the 10.0.0.x range.

NickG
  • no that won't just work, both systems need to know the path to the other system or you must mangle the source IP (NAT) to be something the remote network has a path to. Generally easier to do with firewalls as they're the default gateway on both ends, but you could do it with dedicated vpn appliances, windows R&RA isn't very flexible for these scenarios, you'd be better off with something like pfsense and then pick ipsec or openvpn pending your situation. – Jacob Evans Mar 11 '20 at 14:46
  • This may help you, youtube.com/watch?v=m-sakEbVDQ4 – Jacob Evans Mar 11 '20 at 14:50

1 Answer

This can't work unless you also tell the machines on the other side of the VPN that they can reach your network through the VPN connection.

You need to add a static route on the machines on the remote network, such as:

route add 192.168.0.0 mask 255.255.255.0 10.x.y.z

Where 10.x.y.z is the router/firewall managing the VPN in the remote network.

Or, better, just add the route on the router/firewall itself.

If you don't manage the remote network, you'll need to ask whoever manages it to do this (assuming it's ok for them).

Massimo
  • Thanks. Is that true even if I only make outbound connections? – NickG Mar 11 '20 at 16:45
  • Yes, the reply packets to your outbound connections need some way to get back to you. – Massimo Mar 11 '20 at 16:51
  • Unless they're NATTING on the RRAS Server, so packets from Site-A appear to come from RRAS-B, and RRAS-B maintains the NAT table. – Jacob Evans Mar 16 '20 at 14:14
  • @JacobEvans That *could* work, but it's a completely different configuration. I don't know if RRAS can perform NAT on a VPN connection... when NAT is used in RRAS, it's usually done on an Internet connection (either dial-up or permanent). – Massimo Mar 16 '20 at 15:13
  • @Massimo oh agreed, didn't post an answer because I simply do not know RRAS well enough (not to mention RRAS isn't as good as other open-source options) – Jacob Evans Mar 16 '20 at 15:27
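
A small model of the routing problem discussed in this thread, added here as an illustration and not written by any of the posters: it forwards an echo request and its reply hop by hop through per-node routing tables, showing the reply being lost without a return route and arriving with either the remote static route or source NAT on MachineA. Only 192.168.0.17 and the two /24 networks come from the thread; all other addresses and node names are assumptions.

```python
import ipaddress

# Constructed topology; addresses other than 192.168.0.17 are assumed.
OWNER = {"192.168.0.50": "machineB", "192.168.0.17": "machineA",
         "10.0.0.200": "machineA",      # assumed PPTP tunnel address of MachineA
         "10.0.0.1": "customer_vpn", "10.0.0.10": "server"}

def base_tables():
    """State described in the question: only MachineB has the extra route."""
    return {
        "machineB": [("192.168.0.0/24", "onlink"), ("10.0.0.0/24", "machineA")],
        "machineA": [("192.168.0.0/24", "onlink"), ("10.0.0.0/24", "customer_vpn")],
        "customer_vpn": [("10.0.0.0/24", "onlink")],
        "server": [("10.0.0.0/24", "onlink"), ("0.0.0.0/0", "internet_gw")],
    }

def with_return_route():
    """The answer's fix: the remote side learns a path back to 192.168.0.0/24."""
    t = base_tables()
    t["server"].append(("192.168.0.0/24", "customer_vpn"))
    t["customer_vpn"].append(("192.168.0.0/24", "machineA"))
    return t

def next_hop(table, dst):
    """Longest-prefix match, as a real routing table does."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def deliver(tables, node, dst):
    """Forward hop by hop; True only if the packet reaches the owner of dst."""
    if dst not in OWNER:
        return False
    for _ in range(8):                      # hop limit
        if OWNER[dst] == node:
            return True
        hop = next_hop(tables.get(node, []), dst)
        if hop is None:
            return False                    # no route: packet dropped
        node = OWNER[dst] if hop == "onlink" else hop
    return False

def ping(tables, src, dst, nat_on_machine_a=False):
    """Return (request_arrived, reply_arrived) for one echo from src to dst."""
    if not deliver(tables, OWNER[src], dst):
        return (False, False)
    if nat_on_machine_a:  # server replies to the tunnel address; MachineA un-NATs
        back = (deliver(tables, OWNER[dst], "10.0.0.200")
                and deliver(tables, "machineA", src))
    else:
        back = deliver(tables, OWNER[dst], src)
    return (True, back)
```
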