Running PPTP server behind NAT

To run a PPTP server on the network behind WinRoute (including on the computer where WinRoute itself is running), you have to set up two Port Mappings.

Additionally, you must DISABLE NAT in the interface table for the RAS interface handling the VPN connection. This applies to both dial-in and dial-out connections, and only if the WinRoute computer is hosting the PPTP server/client.

If the PPTP server resides on a computer other than the WinRoute computer, you need to add a persistent route on the WinRoute computer so that all IP traffic intended for the VPN is forwarded to the PPTP server for encapsulation. For example, if WinRoute is located at 192.168.1.1, the PPTP server is 192.168.1.2, and the remote network is the range 10.10.10.1-10.10.10.254, the route would look as follows: "route add -p 10.10.10.0 mask 255.255.255.0 192.168.1.2".
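
The route above can be derived and sanity-checked before it is typed on the WinRoute computer. The following is an added example, not part of the original WinRoute documentation; the function names are hypothetical and the LAN mask of /24 is an assumption, since the page gives only the two LAN addresses.

```python
import ipaddress

def covering_network(first, last):
    """Return the smallest single network that contains both ends of a range."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    # The bits on which the two addresses differ are host bits;
    # everything to the left of them is the shared prefix.
    prefix = 32 - (int(lo) ^ int(hi)).bit_length()
    return ipaddress.ip_network(f"{lo}/{prefix}", strict=False)

def persistent_route(first, last, gateway, lan):
    """Build the 'route add -p' line for the remote VPN range.

    gateway is the PPTP server on the LAN; lan is the local subnet in
    CIDR form (assumed, not stated on the page).
    """
    remote = covering_network(first, last)
    lan_net = ipaddress.ip_network(lan)
    gw = ipaddress.IPv4Address(gateway)
    # The next hop must be directly reachable, or Windows rejects the route.
    if gw not in lan_net:
        raise ValueError("gateway is not on the local LAN")
    # If the remote range overlaps the LAN, traffic for local hosts would be
    # sent to the PPTP server instead of being delivered directly.
    if remote.overlaps(lan_net):
        raise ValueError("remote VPN network overlaps the local LAN")
    return f"route add -p {remote.network_address} mask {remote.netmask} {gw}"

if __name__ == "__main__":
    # Values from the example in the text; 192.168.1.0/24 is an assumed LAN.
    print(persistent_route("10.10.10.1", "10.10.10.254",
                           "192.168.1.2", "192.168.1.0/24"))
```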

Important: If the VPN server is located on the WinRoute host machine, you must map the destination IP to the public address, not the private one. The listen IP should remain unspecified, or you may use the same public address that is specified as the destination.

For the control connection:

For the GRE (PPTP) packets:

After setting up Port Mapping as shown above, you will be able to place your PPTP server anywhere behind WinRoute, INCLUDING the computer WITH WinRoute. Users will access your PPTP server by "dialing in" to the external (public) IP address of your network. When the packets reach the WinRoute computer, they will automatically be forwarded to the proper computer behind the firewall.