Help configuring PPTP VPN to access Internet
sandrosandro Member
edited January 2013 in General

Hello,
I'm trying to configure PPTP to forward internet data but it doesn't work; when I connect I only get access in the "LAN" between the machine and my computer.
I tried every possible tutorial I could find online, what could it be?

http://www.larmeir.com/2010/03/setting-up-a-pptp-vpn-server-on-debian-and-ubuntu/ this seems to suggest all things I tried but still no luck:(

Comments

  • The most obvious thing wrong with that tutorial is it doesn't tell you to run 'sysctl -p' (as root) to re-read sysctl.conf after you've modified it.

    Also the first iptables line should be unnecessary, and you'll need to pop the 2nd one in /etc/rc.local (or somewhere else where it will get re-run at startup) if you want your VPN to run after a reboot.

  • I did run sysctl -p but it won't work (I also changed the file directly). Also tried to use "venet0" as interface since eth0 doesn't exist but still no luck!

    I really don't get why it doesn't work

  • That seems as if you're using OpenVZ as virtualisation. Keep in mind that MASQUERADE in iptables does not work there, so you should use SNAT instead. The iptables-rules provided in the tutorial are therefore not working in your set-up.

  • tehdantehdan Member
    edited January 2013

    ah openvz requires slightly different iptables command because masquerade doesn't work

    flush your existing rules with iptables -t nat -F then try

    iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4
    (replace 1.2.3.4 with your public IP)

  • still not working :|

  • sandrosandro Member
    edited January 2013

    I uninstalled everything, ran the script from this link...still NOT working. WTF?
    It is not a DNS problem cause I can't ping IPs either, only the VPS's

  • mikhomikho Member, Host Rep

    @mitgib
    +1 simplest 'tutorial' there is

  • okay so you can ping local and remote vpn IPs?
    you've configured your VPN client to route all traffic through the VPN ?

    double check the default gateway with your OS's route command

    and post the output of

    iptables -t nat -L
    cat /proc/sys/net/ipv4/ip_forward

  • sandrosandro Member
    edited January 2013

    Yes I can ping both IPs

    root@server1:~# iptables -t nat -L

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    SNAT all -- anywhere anywhere to:VPS_IP
    SNAT all -- anywhere anywhere to:VPS_IP
    SNAT all -- anywhere anywhere to:VPS_IP
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    root@server1:~# cat /proc/sys/net/ipv4/ip_forward
    1

    this is the debug log before it starts not forwarding packages

    Jan 4 21:20:50 server1 pppd[1702]: peer from calling number PC_IP authorized

    Jan 4 21:20:50 server1 pppd[1702]: sent [CCP ConfReq id=0x1 ]
    Jan 4 21:20:51 server1 pptpd[1701]: GRE: accepting packet #8
    Jan 4 21:20:51 server1 pppd[1702]: rcvd [IPV6CP ConfReq id=0x5 ]
    Jan 4 21:20:51 server1 pppd[1702]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
    Jan 4 21:20:51 server1 pppd[1702]: sent [LCP ProtRej id=0x2 80 57 01 05 00 0e 01 0a 08 31 67 c2 13 80 02 61]
    Jan 4 21:20:51 server1 pptpd[1701]: GRE: accepting packet #9
    Jan 4 21:20:51 server1 pppd[1702]: rcvd [CCP ConfReq id=0x6 ]
    Jan 4 21:20:51 server1 pppd[1702]: sent [CCP ConfAck id=0x6 ]
    Jan 4 21:20:51 server1 pptpd[1701]: GRE: accepting packet #10
    Jan 4 21:20:51 server1 pppd[1702]: rcvd [IPCP ConfReq id=0x7 ]
    Jan 4 21:20:51 server1 pppd[1702]: sent [IPCP TermAck id=0x7]
    Jan 4 21:20:51 server1 pptpd[1701]: GRE: accepting packet #11
    Jan 4 21:20:51 server1 pppd[1702]: rcvd [CCP ConfAck id=0x1 ]
    Jan 4 21:20:51 server1 pppd[1702]: MPPE 128-bit stateless compression enabled
    Jan 4 21:20:51 server1 pppd[1702]: sent [IPCP ConfReq id=0x1 ]
    Jan 4 21:20:51 server1 pptpd[1701]: GRE: accepting packet #12
    Jan 4 21:20:51 server1 pppd[1702]: rcvd [IPCP ConfRej id=0x1 ]
    Jan 4 21:20:51 server1 pppd[1702]: sent [IPCP ConfReq id=0x2 ]
    Jan 4 21:20:51 server1 pptpd[1701]: GRE: accepting packet #13
    Jan 4 21:20:51 server1 pppd[1702]: rcvd [IPCP ConfAck id=0x2 ]
    Jan 4 21:20:52 server1 pptpd[1701]: GRE: accepting packet #14
    Jan 4 21:20:52 server1 pppd[1702]: rcvd [IPCP ConfReq id=0x8 ]
    Jan 4 21:20:52 server1 pppd[1702]: sent [IPCP ConfRej id=0x8 ]
    Jan 4 21:20:53 server1 pptpd[1701]: GRE: accepting packet #15
    Jan 4 21:20:53 server1 pppd[1702]: rcvd [IPCP ConfReq id=0x9 ]
    Jan 4 21:20:53 server1 pppd[1702]: sent [IPCP ConfNak id=0x9 ]
    Jan 4 21:20:53 server1 pptpd[1701]: GRE: accepting packet #16
    Jan 4 21:20:53 server1 pppd[1702]: rcvd [IPCP ConfReq id=0xa ]
    Jan 4 21:20:53 server1 pppd[1702]: sent [IPCP ConfAck id=0xa ]
    Jan 4 21:20:53 server1 pppd[1702]: Cannot determine ethernet address for proxy ARP
    Jan 4 21:20:53 server1 pppd[1702]: local IP address VPS_IP
    Jan 4 21:20:53 server1 pppd[1702]: remote IP address 10.1.0.1
    Jan 4 21:20:53 server1 pppd[1702]: pptpd-logwtmp.so ip-up ppp0 sandro PC_IP
    Jan 4 21:20:53 server1 pppd[1702]: Script /etc/ppp/ip-up started (pid 1703)
    Jan 4 21:20:54 server1 pptpd[1701]: GRE: accepting packet #17
    Jan 4 21:20:54 server1 pptpd[1701]: GRE: accepting packet #18
    Jan 4 21:20:54 server1 pptpd[1701]: GRE: accepting packet #19
    Jan 4 21:20:54 server1 pptpd[1701]: GRE: accepting packet #20
    Jan 4 21:20:54 server1 pptpd[1701]: GRE: accepting packet #21

    Note: I changed the VPS IP and my IP with VPS_IP and PC_IP

  • curious. you're not using the same IP range on your home network and vpn are you?

    perhaps someone else can spot it, but I can't see anything obvious wrong here. The duplicate iptables rules might cause some weirdness with openvz - try flushing them (iptables -t nat -F) and re-entering it once.

    also you are using your VPS's public IP in the iptables command, right - not the VPN IP.

  • sandrosandro Member
    edited January 2013

    I'm not using the same IP range at all. Yes I'm using the public IP :)
    Could it be OpenVPN causing problems? It was using 10.8.0.0 while PPTP is using 10.1.0.0, even though OpenVPN is not running and I disabled TUN/TAP, but I still have these rules

    root@server1:~# iptables -L

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp dpt:5360
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- 10.8.0.0/24 anywhere
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    At this point I'm just gonna ask...could it be something with the host? It's the URPAD $12/y

  • The first thing to figure out is to do a fresh reinstall of the OS for the VPS. Then, to figure out if it is OpenVPN, use the OpenVPN Access Server package: install the deb or rpm, change the passwd for openvpn, and then try using OpenVPN for your VPN connection to see if it works!!!

  • I "can't" reinstall the OS again... I have websites running and it's all configured :(
    I wish there was a way to debug this, is there some kind of "network" logging? To see what happens to the traffic not forwarded to the Internet?

  • lol well do this then lol uninstall openvpn then install the openvpn access server package lol

  • I'm sorry, why do I need to change the OpenVPN password to check if it's the cause of PPTP not working? It doesn't even have one, it has certificates

  • If nothing helps...
    Install an HTTP proxy listening on your pptp network only...

    sudo apt-get install tinyproxy
    nano /etc/tinyproxy.conf

    And edit/add following lines:

    Port 8080
    Listen 10.1.0.1
    Allow 10.1.0.0/16
    ConnectPort 443 (for SSL)

    Additional information:

    man tinyproxy tinyproxy.conf

    On Browser or System level add the Proxy: 10.1.0.1:8080.

  • flush all those openvpn iptables rules and it'll probably spring to life.

  • Have you tried this?

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to x.x.x.x

    And also save the iptables rules, for example:

    iptables-save > /etc/iptables.conf
    nano /etc/network/if-pre-up.d/iptables
    #!/bin/sh
    iptables-restore < /etc/iptables.conf

    Restart the openvpn and try again

  • tehdantehdan Member
    edited January 2013

    @ErawanArifNugroho he's already posted output that shows he's done the first two steps, also you've used his OpenVPN IP range rather than the PPTP one he's struggling with...

  • edited January 2013

    @tehdan, right :( my mistake.

    At some provider, I've tried to set the value of /proc/sys/net/ipv4/ip_forward to 1, but every time I restarted the VPS, it always returned to 0. So I just reformat the OS; if that doesn't fix the problem, I just cancel it.

    And also, sometimes I am just mistaken about the ethernet device, which is eth/venet/something, while I am just using the pptp script from putdispenserhere without modifying it.

    Also, I noticed this :

    Jan 4 21:20:51 server1 pppd[1702]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received

    and

    Jan 4 21:20:53 server1 pppd[1702]: Cannot determine ethernet address for proxy ARP

    So, what is the ethernet device available? And also, has he disabled IPv6?

  • @tehdan said: flush all those openvpn iptables rules and it'll probably spring to life.

    that fixed it :| THANK YOU.

    Do you know what was the problem with the OpenVPN rules?

  • Have any idea why the upload speed (my computer to vps) is capped at around 5KB/s via PPTP while the download has no limits?

  • Your OpenVPN setup prevented your system from forwarding packets originating from networks other than the 10.8.0.0/24 it was set up for:

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- 10.8.0.0/24 anywhere
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    You could fiddle these rules to only accept packets from 10.8.0.0/24 and 10.1.0.1/24 - but I don't bother with these for a simple setup - your host shouldn't pass you random packets to route.

    As for your performance issues - is it slow client -> vpn or just client -> outside world? The usual suspects are MTU / MSS; take a look at the pptp documentation, which is pretty good. Lowering the MTU of your PPP link is a good first place to start. It's also possible your ISP is rate-limiting PPTP / GRE traffic, so maybe also try from another location.

  • sandrosandro Member
    edited January 2013

    Hi,
    it's only slow client->outside world, client->vpn upload is at full speed.

    And no, my ISP is not limiting, 'cause another PPTP VPN I have is fast.

    Can it in this case be the MTU as well?

    @tehdan said: but I don't bother with these for a simple setup - your host shouldn't pass you random packets to route.

    Can you elaborate? I didn't get it :P

  • Yes, MTU seems likely issue then. Try 1400 and see if it speeds up.

    By default when you set ip_forward to 1, your linux box will forward any packet it receives if it knows how to route it. This might sound bad, but in practice you'll only get sent packets destined for your VPS on your public IP, or from your VPN clients on tun/ppp interfaces. You won't get packets from google and be expected to pass them onto microsoft (for example), except perhaps in the case of your host making some crazy networking error.

    For extra security, your OpenVPN setup had set it to only forward packets coming from 10.8.0.0/24 - which is unnecessary and caused your problem - the 10.1.0.0/24 packets from your PPTP network were dropped.

    However - since you have 2 VPNs, you might want to use iptables rules to stop your less secure PPTP clients sending packets to your OpenVPN or something like that.
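
The FORWARD-chain behaviour explained in the replies above, as an added example that is not part of the original thread: a first-match evaluator over the posted `iptables -L` listing, showing why new connections from the PPTP client range hit the final REJECT while 10.8.0.0/24 is accepted. The extra ACCEPT rule for 10.1.0.0/24, the destination 8.8.8.8, the client address 10.8.0.6 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the FORWARD chain as posted in the thread (iptables -L format).
FORWARD_BEFORE = """\
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
"""

# Assumed alternative to flushing: accept the PPTP subnet ahead of the final REJECT.
FORWARD_AFTER = """\
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
ACCEPT all -- 10.1.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
"""

def parse_rules(listing):
    """Parse 'target prot opt source destination [match...]' lines."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] in ("Chain", "target"):
            continue  # skip chain headers and the column header
        rules.append({"target": f[0], "src": f[3], "dst": f[4],
                      "extra": " ".join(f[5:])})
    return rules

def addr_matches(spec, ip):
    """True if ip falls inside spec ('anywhere' or a CIDR such as 10.8.0.0/24)."""
    if spec == "anywhere":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def verdict(rules, src, dst, state="NEW", policy="ACCEPT"):
    """Return (target, rule_number) of the first matching rule, as iptables does."""
    for n, r in enumerate(rules, 1):
        if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
            continue
        if r["extra"].startswith("state "):
            if state not in r["extra"].split()[1].split(","):
                continue  # conntrack state does not match this rule
        return r["target"], n
    return policy, 0  # nothing matched: the chain policy applies

if __name__ == "__main__":
    for name, listing in (("before", FORWARD_BEFORE), ("after", FORWARD_AFTER)):
        for src in ("10.8.0.6", "10.1.0.1"):
            print(name, src, verdict(parse_rules(listing), src, "8.8.8.8"))
```

On a live system, `iptables -L FORWARD -v -n` shows per-rule packet counters, so a growing count on the REJECT line confirms the same diagnosis.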

  • Do I have to play with the mtu at /etc/ppp/pptpd-options ?

    Cause I see mtu in 3 places in ppp
