PPTP VPN Startup Connect
|
|
|
| I have a Microsoft Windows 2000 PPTP VPN Client that I use to connect
to a remote server. I have a RoadRunner Cable connection that is
available all the time.
As the VPN is configured now, I have to make the Client connection
manually after I start my computer.
How do I make the connection on my end happen automatically when I
start my computer?
| |
|
| > From: Bob (Sun, 16 Oct 2005 15:55:32 GMT)
> MsgId: <43527717.1757312@news-server.houston.rr.com>
>
> I have a Microsoft Windows 2000 PPTP VPN Client that I use to connect
> to a remote server. I have a RoadRunner Cable connection that is
> available all the time.
>
> As the VPN is configured now, I have to make the Client connection
> manually after I start my computer.
>
> How do I make the connection on my end happen automatically when I
> start my computer?
If you do that, you won't be able to use your connection for anything else
unless you use split tunneling, which is considered a security risk.
Normally when VPN is up, all other internet connectivity is down. That's by
design.
| |
|
| On Tue, 18 Oct 2005 15:16:06 GMT, mikah <mikah@nospam4me.invalid>
wrote:
>If you do that, you won't be able to use your connection for anything else
>unless you use split tunneling, which is considered a security risk.
>Normally when VPN is up, all other internet connectivity is down. That's by
>design.
Then the design is flawed because I am able to access the Internet and
connect to the VPN at the same time. And I am not using any "split
tunnelling". I am using MS PPTP VPN, the one that comes with Windows
2000.
Where did you get this bizarre notion that "Normally when VPN is up,
all other internet connectivity is down. That's by design."
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
| Martin Bodenstedt 2005-10-24, 9:35 am |
| Bob wrote:
> Where did you get this bizarre notion that "Normally when VPN is up,
> all other internet connectivity is down. That's by design."
Just think about it:
You use your VPN connection to access a remote network.
If you have - at the same time - an open internet connection you open
that remote computer to the internet (not easily, agreed, but possibly).
--
Martin Bodenstedt
(www.die-bodenstedts.de / www.maboko.de)
| |
|
| On Wed, 19 Oct 2005 15:35:47 +0200, Martin Bodenstedt
<martin.bodenstedt@gmx.de> wrote:
>You use your VPN connection to access a remote network.
>If you have - at the same time - an open internet connection you open
>that remote computer to the internet (not easily, agreed, but possibly).
The remote computer is already connected to the Internet, otherwise I
could not connect to it.
Anyway, the MS PPTP VPN connection allows you to choose where your
Internet access is - on your machine or on the remote machine.
Obviously you would choose to have your Internet connection on your
machine since you use the Internet connection on your machine to
establish the VPN connection to the remote machine.
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
| Martin Bodenstedt 2005-10-24, 9:35 am |
| Bob wrote:
> On Wed, 19 Oct 2005 15:35:47 +0200, Martin Bodenstedt
> <martin.bodenstedt@gmx.de> wrote:
> The remote computer is already connected to the Internet, otherwise I
> could not connect to it.
You are missing the point:
The remote computer certainly is connected to the internet using *its
own* security access policy.
> Anyway, the MS PPTP VPN connection allows you to choose where your
> Internet access is - on your machine or on the remote machine.
> Obviously you would choose to have your Internet connection on your
> machine since you use the Internet connection on your machine to
> establish the VPN connection to the remote machine.
Of course you open the vpn connection through the internet. But once
the vpn connection is open you should not be able to bypass the vpn
connection. You should *only* be able to access the remote machine (and
maybe the internet through that remote machine depending on that
machine's security policy). Otherwise you open the remote to the internet
using *your* internet connection and not the *remote* computer's...
--
Martin Bodenstedt
(www.die-bodenstedts.de / www.maboko.de)
| |
|
| Martin Bodenstedt wrote:
> Bob wrote:
>
> You are missing the point:
>
> The remote computer certainly is connected to the internet using *its
> own* security access policy.
>
>
>
> Of course you open the vpn connection through the internet. But once
> the vpn connection is open you should not be able to bypass the vpn
> connection. You should *only* be able to access the remote machine (and
> maybe the internet through that remote machine depending on that
> machine's security policy). Otherwise you open the remote to the internet
> using *your* internet connection and not the *remote* computer's...
>
>
True, it's good security to do this, however with the windows client
it's easy to bypass this.
Anyway nobody answered the original question, my suggestion would be to
look at the rasdial command (cmd prompt) you can launch vpn connections
from there so perhaps a batch file in the startup folder would do it.
I'm sure there's a much more elegant way though 
Simon
| |
| Mike Drechsler - SPAM PROTECTED EMAIL 2005-10-24, 9:35 am |
| Bob wrote:
> On Tue, 18 Oct 2005 15:16:06 GMT, mikah <mikah@nospam4me.invalid>
> wrote:
>
> Then the design is flawed because I am able to access the Internet and
> connect to the VPN at the same time. And I am not using any "split
> tunnelling". I am using MS PPTP VPN, the one that comes with Windows
> 2000.
>
> Where did you get this bizarre notion that "Normally when VPN is up,
> all other internet connectivity is down. That's by design."
>
>
> --
>
> If you build a man a fire and he will be warm for a day. If you
> set a man on fire, he will be warm for the rest of his life.
He incorrectly implied that you lose internet connectivity in the
default settings. What is actually happening is your computer will send
all internet traffic over the VPN. If the remote VPN endpoint is
configured to allow this traffic access to the internet through their
connection then your internet will still appear to work though all your
traffic will now appear to be coming through the remote side's
connection. Many VPN endpoints are configured by default to deny all
vpn sourced traffic access to the internet so that it appears that while
you are on the VPN the internet will not work. If the administrator
chooses to allow VPN users access to the internet through that connection
they would need to change the settings (likely the NAT mappings or a
firewall rule) to explicitly allow VPN users access through the gateway
to the internet.
The idea behind this is that on the remote side they already have a
firewall configured to their policy on security. On your local side,
your firewall is not controlled by them so you could allow all inbound
access to your machine for example and if you have some trojan on your
computer a hacker can control your machine and by doing so have access
to the networks that your machine is connected to including the remote
VPN network. There was a well publicised case of exactly this happening
to a Microsoft employee allowing the hacker access to the internal
Microsoft network through his home computer.
In the Microsoft PPTP client you can turn off the setting that sends all
your internet traffic to the vpn. In many clients for different vpn
routers there is a setting that the administrator can use to prevent
users from disabling this split tunnelling feature in their own clients
for the reason I just stated.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
| |
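Added example (not part of any post in this thread): one way to check which of the two configurations described above a Windows client is in, by reading the IPv4 routing table that `route print` shows. The sample tables and all addresses are constructed, and the VPN adapter's address (`10.8.0.23` here) is assumed to be known, for instance from `ipconfig`.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    dest: str
    mask: str
    gateway: str
    iface: str
    metric: int

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def parse_routes(route_print_output):
    """Pull the IPv4 rows out of the 'Active Routes' table of `route print`."""
    routes = []
    for line in route_print_output.splitlines():
        f = line.split()
        # A route row is four dotted-quad fields followed by an integer metric.
        if len(f) == 5 and all(_is_ipv4(x) for x in f[:4]) and f[4].isdigit():
            routes.append(Route(f[0], f[1], f[2], f[3], int(f[4])))
    return routes

def classify(routes, vpn_ip):
    """Classify the client given the address assigned to its VPN adapter."""
    if not any(r.iface == vpn_ip for r in routes):
        return "vpn-down"
    defaults = [r for r in routes if r.dest == r.mask == "0.0.0.0"]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r.metric)  # lowest metric wins
    return "full-tunnel" if best.iface == vpn_ip else "split-tunnel"

# Constructed sample tables (not captured from a real host). VPN adapter: 10.8.0.23.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       2
          0.0.0.0          0.0.0.0        10.8.0.23       10.8.0.23       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       1
Default Gateway:         10.8.0.23
"""
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       1
         10.0.0.0        255.0.0.0        10.8.0.23       10.8.0.23       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       1
Default Gateway:       192.168.1.1
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, "->", classify(parse_routes(table), "10.8.0.23"))
```

In the split-tunnel table the only route on the VPN adapter covers the remote network, so everything else leaves through the local gateway while the tunnel stays up, which is the situation the administrator-side lockdown is meant to prevent.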
|
| On Wed, 19 Oct 2005 16:55:35 +0200, Martin Bodenstedt
<martin.bodenstedt@gmx.de> wrote:
>Of course you open the vpn connection through the internet. But once
>the vpn connection is open you should not be able to bypass the vpn
>connection. You should *only* be able to access the remote machine (and
>maybe the internet through that remote machine depending on that
>machine's security policy). Otherwise you open the remote to the internet
>using *your* internet connection and not the *remote* computer's...
MS PPTP VPN has an option whether you want your Internet connection to
be on your machine or on the remote machine. Of course you choose to
keep the Internet connection on your machine. There is no reason to
use the remote to access the Internet when access is provided by your
machine.
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
|
| Bob wrote:
> On Wed, 19 Oct 2005 16:55:35 +0200, Martin Bodenstedt
> <martin.bodenstedt@gmx.de> wrote:
>
> MS PPTP VPN has an option whether you want your Internet connection to
> be on your machine or on the remote machine. Of course you choose to
> keep the Internet connection on your machine. There is no reason to
> use the remote to access the Internet when access is provided by your
> machine.
>
>
> --
>
> If you build a man a fire and he will be warm for a day. If you
> set a man on fire, he will be warm for the rest of his life.
Microsoft is hiring security experts.
You sound like a perfect candidate.
| |
|
| On Wed, 19 Oct 2005 16:06:23 GMT, Simon <simon@not-here.com> wrote:
>look at the rasdial command (cmd prompt) you can launch vpn connections
>from there so perhaps a batch file in the startup folder would do it.
>I'm sure there's a much more elegant way though 
Windows 2K Help has the following statement:
"You can also automate the connection process for any Microsoft client
by using a simple batch file and the rasdial command or by using a
custom, Windows NT and Windows 2000 application that recognizes remote
access."
Since I do not have any "custom, Windows NT and Windows 2000
application that recognizes remote access.", I am stuck with a "a
simple batch file and the rasdial command".
So I suppose I would use
rasdial "connection name" username password
Hot Damn! It actually works. This calls for celebration. Imagine that
- a Microsoft command that works the very first time. Unbelievable,
incredible, astronomical, a miracle.
Thanks for the answer to my query. Now I have another question.
Does the MS PPTP VPN Client connection time out? I notice that after a
while the connection drops for some reason. I want to keep it on all
the time so my son can get into my machine when he wants.
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
|
| On Wed, 19 Oct 2005 16:21:59 GMT, Mike Drechsler - SPAM PROTECTED
EMAIL <mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote:
>He incorrectly implied that you lose internet connectivity in the
>default settings. What is actually happening is your computer will send
>all internet traffic over the VPN.
Not if I configure the VPN not to do that.
There is a checkbox in the setup that asks if you want the Internet
connection to come from the remote (as it would if it were an ISP) or
from your machine. I told it my machine, so my machine gets its
Internet connectivity from my Internet connection, not the remote one.
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
|
| On Wed, 19 Oct 2005 16:33:02 GMT, Snak
<Snak_Snak@[notformail].invalid> wrote:
>Microsoft is hiring security experts.
>You sound like a perfect candidate.
I would be privileged to work for Microsoft. Please send me an
application.
Who do you work for? The federal govt. <g>
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
| Martin Bodenstedt 2005-10-24, 9:35 am |
| Bob wrote:
> MS PPTP VPN has an option whether you want your Internet connection to
> be on your machine or on the remote machine. Of course you choose to
> keep the Internet connection on your machine. There is no reason to
> use the remote to access the Internet when access is provided by your
> machine.
You're still not getting the point:
By doing it the way you suggest you're compromising the remote machine
by opening the remote machine to the internet via _your_ machine
bypassing any internet access guidelines imposed on the remote machine
by its admin.
If I were the admin of the remote machine (or network), I'd kick you out
the minute I become aware of you doing split tunneling...
--
Martin Bodenstedt
(www.die-bodenstedts.de / www.maboko.de)
| |
| Martin Bodenstedt 2005-10-24, 9:35 am |
| Bob wrote:
> On Wed, 19 Oct 2005 16:21:59 GMT, Mike Drechsler - SPAM PROTECTED
> EMAIL <mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote:
> Not if I configure the VPN not to do that.
Exactly.
And that's why we're restricting VPN access to our network to VPN
software solutions that lock down the configuration on the client side
to prevent split tunneling while the VPN link is open. All our VPN
clients have full internet access through our corporate internet
firewall (implementing virus scanning, spam discovery, trojan blocking,
spy ware blocking and the like)
>
> There is a checkbox in the setup that asks if you want the Internet
> connection to come from the remote (as it would if it were an ISP) or
> from your machine. I told it my machine, so my machine gets its
> Internet connectivity from my Internet connection, not the remote one.
Please don't forget that doing it your way not only opens your PC to the
internet but also the remote one.
--
Martin Bodenstedt
(www.die-bodenstedts.de / www.maboko.de)
| |
|
| On Thu, 20 Oct 2005 08:08:04 +0200, Martin Bodenstedt
<martin.bodenstedt@gmx.de> wrote:
>Please don't forget that doing it your way not only opens your PC to the
>internet but also the remote one.
What do you mean by "opens your PC to the
internet"? My PC is always open to the Internet when I am connected to
the Internet.
That's why I have a NAT router, Kerio Personal Firewall, Computer
Associates Anti Virus.
The only hole thru the firewall I know about is port 1723 and that is
socketed to the VPN, which listens for encrypted data.
If you had my WAN IP, how would you break into my PC even if I were
connected to a VPN?
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
|
| On Thu, 20 Oct 2005 08:00:39 +0200, Martin Bodenstedt
<martin.bodenstedt@gmx.de> wrote:
>By doing it the way you suggest you're compromising the remote machine
>by opening the remote machine to the internet via _your_ machine
>bypassing any internet access guidelines imposed on the remote machine
>by its admin.
>If I were the admin of the remote machine (or network), I'd kick you out
This connection is between my son's computer and my computer. Before
he bought his own house he and I shared files on our LAN. But now that
he is in a different location we had to set up the VPN to share files.
I see no reason for him to kick me off his machine. He has the same
NAT router, the same firewall and the same antivirus s/w that I have
so we are identically configured.
>the minute I become aware of you doing split tunneling...
What "split tunneling"? He told his machine to use his Internet
connection and not use mine. I told my machine to use my Internet
connection and not use his. Why would the VPN s/w ignore those
instructions and set up any "split tunnel" in the first place.
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
| Martin Bodenstedt 2005-10-24, 9:35 am |
| Bob wrote:
> On Thu, 20 Oct 2005 08:08:04 +0200, Martin Bodenstedt
> <martin.bodenstedt@gmx.de> wrote:
> What do you mean by "opens your PC to the
> internet"? My PC is always open to the Internet when I am connected to
> the Internet.
OK.
You don't _want_ to see my (and not only my) point.
Bye then (and good luck)...
:-(
--
Martin Bodenstedt
(www.die-bodenstedts.de / www.maboko.de)
| |
|
| Martin Bodenstedt wrote:
> Bob wrote:
>
> OK.
>
> You don't _want_ to see my (and not only my) point.
>
> Bye then (and good luck)...
>
> :-(
Like talking to a sack of hammers isn't it?
| |
|
| On Thu, 20 Oct 2005 16:47:34 +0200, Martin Bodenstedt
<martin.bodenstedt@gmx.de> wrote:
>OK.
>You don't _want_ to see my (and not only my) point.
Actually I do or I would not keep replying.
But I can't see your point because it is hidden behind jargon I do not
understand.
I have an Internet connection at my house. My son has an Internet
connection at his house. I connect to his network over the Internet
using the MS PPTP VPN supplied with Win2K/XP. I use my Internet
connection for my Internet access and he uses his. There is no "split
tunnel" that I am aware of. Actually I do not understand that term, so
I can't say for certain that I do not have any.
How does this expose him or me any more than we are exposed by being
connected to the Internet? What does the VPN do that causes this
special kind of exposure? The only port that is open thru both NAT
routers (his and mine) is port 1723 and it is socketed to the VPN
software which expects encrypted traffic. With the MS PPTP VPN, there
can only be one connection at a time.
How is someone going to hack into my system when I am connected to his
network?
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.
| |
|
| On Thu, 20 Oct 2005 18:04:12 GMT, Snak
<Snak_Snak@[notformail].invalid> wrote:
>Like talking to a sack of hammers isn't it?
That's exactly what he sounds like with his obscure jargon.
--
If you build a man a fire and he will be warm for a day. If you
set a man on fire, he will be warm for the rest of his life.