Bosse_B
Posts: 981
Joined: Thu Jan 30, 2014 9:53 am

Configuring PPTP VPN server on two interfaces?

Wed Oct 01, 2014 6:09 am

As described in another thread I have tried getting my Pi B+ wireless using a Realtek WiFi micro adapter.
I managed to configure it to actually connect to the WEP WiFi but now I have found a different problem:
The Pi is running a PPTP VPN server and in this case it works fine when using the wired Ethernet interface but not with the WiFi interface.

When the WiFi is running I can connect fine using PuTTY both through the wired and wifi addresses, so I didn't really understand why the VPN won't connect.

After some thought I realized that the actual IP address on which the traffic flows is entered into the /etc/pptpd.conf file:

Code:

localip 192.168.0.151
remoteip 192.168.0.80-89

The local ip as well as the physical interface are also mentioned in /etc/rc.local:

Code:

#Added when configuring PPTP VPN:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.80/24 -o eth0 -j SNAT --to 192.168.0.151
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Question:
How could I make the pptpd service listen and operate on more than one interface?
It uses eth0 now but I would like it to also use wlan0, which is on a different address.
I guess that I could add a localip in pptpd.conf but how do I handle the rc.local file entries?
It seems a lot more difficult.....

I am doing this on a RASPBIAN distribution downloaded as an image just a few days ago.
Bo Berglund
Sweden

elatllat
Posts: 1337
Joined: Sat Dec 17, 2011 5:05 pm

Re: Configuring PPTP VPN server on two interfaces?

Wed Oct 01, 2014 1:47 pm

First:
rc.local should not be used for iptables, and definitely not sudo.
Do this instead:

Code:

apt-get install iptables-persistent
iptables -L
iptables-save > /etc/iptables/rules.v4

Then try this:

Code:

localip 192.168.0.151,192.168.0.152
iptables -t nat -A POSTROUTING -s 192.168.0.80/24 -i eth0 -o eth0 -j SNAT --to 192.168.0.151
iptables -t nat -A POSTROUTING -s 192.168.0.80/24 -i wlan0 -o eth0 -j SNAT --to 192.168.0.152

SBC with 32GB RAM: https://hardkernel.com

FAQ : https://raspberrypi.stackexchange.com

Unanswered: https://www.raspberrypi.org/forums/search.php?search_id=unanswered

Bosse_B
Posts: 981
Joined: Thu Jan 30, 2014 9:53 am

Re: Configuring PPTP VPN server on two interfaces?

Thu Oct 02, 2014 6:30 am

Thanks for your input!
I have additional questions since I have messed up iptables by mixing up the IP addresses of my three Pis....

Q1: Editing backup?
If I use iptables-save as you describe the result is a text file with the rules.
Can I edit this file and remove the lines with the wrong IP addresses and then use that as a restore source?

Q2: Flush?
Will iptables-restore flush any existing entries before applying what is in the source file?
I guess it would, but I like to be sure....

Q3: Default rules?
Since I have not used the save command until now I am not sure what is in iptables from the start in a RASPBIAN machine.
I know for instance that RASPBMC has a default set of rules that make the system difficult to use as a VPN server. I had to buy myself a new Pi to use as VPN server running RASPBIAN in order to succeed.
So is the RASPBIAN base state an empty iptables or are there some rules that should be kept?

Q4: SNAT addresses?
You suggest that I should use the following:

Code:

localip 192.168.0.151,192.168.0.152
iptables -t nat -A POSTROUTING -s 192.168.0.80/24 -i eth0 -o eth0 -j SNAT --to 192.168.0.151
iptables -t nat -A POSTROUTING -s 192.168.0.80/24 -i wlan0 -o eth0 -j SNAT --to 192.168.0.152

I think I understand the workings of this except the two addresses at the end.
Is it like this?:
- If input is from eth0 then output to eth0 using address 151 as the source
- If input is from wlan0 then output to eth0 using address 152 as the source
So the addresses would be 151 = the eth0 address from DHCP and 152 = wlan0 address from DHCP?
Does this mean that incoming traffic on the tunnel gets routed out to eth0 no matter where it comes from?

That is not really the situation, I want to configure my Pi such that it can run the VPN traffic to the router using either eth0 or wlan0 depending on which network connection is in use. There will be either a wired network (preferred) or if that is not possible then the WiFi dongle will be used. But now that I am configuring it I don't know what will be possible at the target site (my daughter's house).
The best would be if the handling is somewhat automatic such that if the router is set up to forward the VPN port to eth0 then that would work, but if we reconfigure the router to use the wlan0 address for forwarding, that will also work.
If I have the wired possibility I will not plug in the WiFi dongle and if I use WiFi I will not plug in the network cable.
Bo Berglund
Sweden
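
An added example, not written by any poster in this thread: one way to keep the NAT rules independent of which uplink is plugged in, generated as a rules file for iptables-persistent and checked before it replaces the live rules. It assumes the client pool from the remoteip line and the interface names eth0 and wlan0 quoted above; build_rules, lint_rules and /tmp/rules.v4 are hypothetical names.

```shell
#!/bin/sh
# Added example: build an /etc/iptables/rules.v4 candidate for the PPTP server.
# Constructed from values quoted in the thread: client pool 192.168.0.80-89,
# uplinks eth0 and wlan0. Nothing here touches the live firewall.

VPN_POOL="192.168.0.80-192.168.0.89"

# Print a ruleset in iptables-save format with one MASQUERADE rule per uplink.
# MASQUERADE takes the source address from whichever interface the packet
# leaves on, so no DHCP-assigned address is written into the file.
build_rules() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]'
    for ifc in "$@"; do
        printf '%s\n' "-A POSTROUTING -m iprange --src-range $VPN_POOL -o $ifc -j MASQUERADE"
    done
    printf '%s\n' 'COMMIT' '*filter' ':FORWARD ACCEPT [0:0]' \
        '-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu' \
        'COMMIT'
}

# Read a ruleset on stdin and print POSTROUTING rules that match on an input
# interface (-i / --in-interface); iptables refuses those because only the
# output interface is known in that chain. Returns 1 if any were found.
lint_rules() {
    bad=$(grep -E '^-A POSTROUTING( .*)? (-i|--in-interface) ' || true)
    [ -z "$bad" ] && return 0
    printf 'rejected by iptables: %s\n' "$bad" >&2
    return 1
}

# Typical use (as root), checking the file before it replaces the live rules:
#   build_rules eth0 wlan0 > /tmp/rules.v4
#   lint_rules < /tmp/rules.v4 && iptables-restore --test < /tmp/rules.v4
#   iptables-restore < /tmp/rules.v4      # flushes each listed table first
#   cp /tmp/rules.v4 /etc/iptables/rules.v4
```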
