Why Multiple VPN Connections To The Same IP Fail
August 9, 2011 5 Comments
In a previous article I explained what PPTP passthrough is and how it works. In this article I will explain why multiple VPN connections fail with certain routers. This issue only affects PPTP connections and it is directly related to PPTP passthrough.
Here is a brief comparison of how NAT handles PPTP VPN connections differently to normal connections. Read the PPTP passthrough link above for more details:
- When computers make normal outbound connections the source IP address is NATed to the public IP. Source ports are used to uniquely identify the multiple connections.
- When PPTP clients make outbound connections the same thing happens but the call ID AND destination IP is used instead of source ports to uniquely identify the VPN connections.
If a computer connects to IP address 4.57.7.8 using source port 6758 and another computer connects to the same IP using port 8755 NAT uses the port numbers to uniquely identify the connections. If for any reason both computers connect using the same source port NAT can no longer identify each connection. To prevent this NAT changes the source ports to randomly unique ones, thus keeping the multiple connections unique.
PPTP passthrough works in the same manner but uses call IDs as a replacement to source ports. The difference here though is that if multiple PPTP clients try to use the same call ID certain routers won’t change the call IDs to be unique like it does with ports. This isn’t a problem when multiple VPN connections connect to different IP addresses; since the destination IP is unique NAT can use this to identify each VPN. If however they connect to the same IP and use the same call ID the multiple connections are no longer unique so only the first connection works. It is for this reason why certain NAT/Routers fail when multiple VPNs connect to the same IP address. Because the call ID and destination IP are the same the NAT thinks that all VPN connections are one connection.
The Solution
Some NATs can detect the call ID “conflict” and will modify them to keep the multiple VPN connections unique. The NAT must have a PPTP editor to allow this. This of course isn’t something router manufacturers generally advertise on their spec sheets. You will need to go digging around on their website to find it like here for example on the Netgears routers VPN support page. As you will see some Netgear routers only support one VPN connection; this will be where they can’t modify the call ID’s. Routers that support multiple VPN connections will have a PPTP editor built into the NAT portion of the device. One such device that supports this is a Microsoft RRAS server.
Ok, the title says “not possible”, but then a solution is offered. can you please point toward more about how to implement that solution? I am using DD-WRT, and hoping this will let me edit the PTPP as you suggested here. I just need to know more about the process
Take a look here http://serverfault.com/questions/167485/pptp-gre-multi-forwarding-nat-iptables-example
Netgear N150 router will operate correctly with multiple connections to and from the same IP
I have tested with 3 concurrent connections and can use them all at once.
I am an IT engineer and have also experienced the problems decribed.
It will NOT work with the DG834 (even the latest model).
Jim
Thanks for your input and advice Jim.
I hope this related. I am temporarily outside the US and can’t hide from some streaming sources with just one vpn. But if I start one, and then go through a second, the sources stream… they don’t know I’m outside the US with two services, layered, neither of which work just by themselves! Thanks for the help.