I have a client that has a PPTP-based VPN solution in place. While I prefer a more robust SSL or IPSec VPN– this isn’t about me. That’s what they have, and it works for them. I needed to make my tools work with that situation.

On my end, though, I run a Linux desktop with virtualized (ask me later) instances of client servers or development environments. In this case, I had a Windows XP guest system running, but I needed to be able to access my Linux system as well on their network. So, while Linux’s NetworkManager would happily make a connection to their relatively oldish VPN server device, I couldn’t make another from the XP client at the same time.

What’s more, their VPN server device was having no part of routing my network’s traffic. (Note: I am not specifying the parts involved here because I don’t want to start a ‘you should have done THIS!’ discussion. I’m very much a ‘get it working and move on’ person.)

OK, so, I had a couple of choices. I could go into their network and see if I could reroute all the traffic that looked like it came from me back through the VPN (I actually tried that, and it didn’t work, but it was no good anyway since it was too invasive). Worse, I could reconfigure their VPN device to route my traffic, but again, that’s their machine, and I wasn’t going to spend all day figuring out how to accomplish that– on a device that isn’t even made anymore.

That’s all a long build-up to what turned out to work, not require anything on their side, and take me all of about 5 minutes. The answer was to NAT the traffic from my guest OS to the Linux box. (NAT = network address translation. That’s when you wrap all the traffic from your network in your exposed single address, so that routers treat it like it came from that machine. That’s how you can have a bunch of computers in your house running on that one IP address that comes with your DSL.)

192.168.1.X = Linux box with actual VPN connection
10.0.0.131 = The assigned VPN address for that machine on the client network
192.168.1.Y = XP virtual instance
10.0.0.0/24 = client network

Step 1) Route the traffic from the XP client.

route add 10.0.0.0 mask 255.255.255.0 192.168.1.X

Step 2) Make sure the Linux box is routing traffic.

echo 1 > /proc/sys/net/ipv4/ip_forward

(set it permanently in /etc/sysctl.conf as net.ipv4.conf.default.forwarding=1)

Step 3) Setup iptables to NAT the traffic. (Connect to VPN first, of course.)

iptables -t nat -A POSTROUTING -d 10.0.0.0/24 -o ppp0 -j SNAT --to 10.0.0.131

What you see there is my adding a rule to iptables that tells it that the last thing to do with any packets going to my client’s network is to wrap them in the aforementioned outer envelope with a return address of the Linux box’s assigned IP address in the client’s network.

If all goes well, the receiving end recognizes that this is a NATed packet, unwraps it, does whatever with it, and responds to the source with another packet wrapped similarly in an envelope that delivers it to the Linux box, where it’s unwrapped and passed back to the originating XP machine.

And, for what it’s worth, it did go well. I was able to route both machines’ traffic over the same connection without having to noodle with the client’s internal routing at all.

“I love it when a plan comes together.” — Hannibal Smith, The A-Team