
I have set up a PPTP VPN on Windows XP, and added the users. The VPN users can connect to the server, but once they are connected they can't access the internet via the VPN server, which should act like a proxy. That's my basic task: to make a VPN server serve as a proxy for the users.

Can someone explain why the users are not able to access the internet via the VPN server, or point me to some site where this is well explained?

Thanks in advance.

  • Are you looking for it to serve as a proxy (i.e. all HTTP requests go to it and it then forwards them to the internet and processes the responses before sending them back to the clients), or as a NATing router (it assigns a private IP address to the VPN clients and provides NAT to its own private IP on the corporate network or possibly even its very own public IP), or do you want users to be able to access the internet through the default gateway on the remote side of the VPN? – Catherine MacInnes Jul 16 '09 at 14:33

1 Answer


A proxy server is typically an application-layer function. I believe that when you say "act like a proxy" you're really saying "route their traffic across the VPN to that server which will, in turn, route the traffic to its default gateway and ultimately to the Internet".

I'd start with a "tracert" (or OS equivalent command) from a client while connected to the VPN to an Internet address and see where the traffic is going.

It's fairly commonplace in the Microsoft VPN client for users to untick the "Use default gateway on remote network" (set in the "Advanced" settings of TCP/IP on the VPN connection) which will cause only traffic bound for the remote VPN subnet to cross the VPN. Have you checked to see that no one has unticked that box on the clients?

Typically the Microsoft VPN client will "push down" the DNS and WINS settings from the VPN server to the client computers. If the clients are having an inability to access web sites with a browser, for example, it may be that they are routing traffic down the VPN tunnel but that the DNS server being "pushed down" can't resolve Internet names.

Viewing the routing table on a client while connected with the "route print" command will also help figure out what's going on. There should be two default-gateway (0.0.0.0 with a subnet mask of 0.0.0.0) entries on a client that's configured to route all traffic down the VPN-- one for the client's on-subnet default gateway, and one "pointing" to the VPN tunnel.

Edit:

If you want all the traffic from the VPN clients to cross the VPN and egress to the Internet from the VPN "hub" then leave the "Use default gateway on remote network" checkbox ticked on the client computers.

I would suspect that you're having a name resolution problem. I'd connect a client to the VPN and do the following:

tracert -d (your favorite Internet IP address here)

You can use any IP address you want in that command, so long as it's something that's really reachable. Heck, use the IP address of "star.slashdot.org"-- I've already used it in some examples on here... <smile> 216.34.181.48

That will show you the route that packets are taking. It's important to use an IP address in that command so that you aren't relying on DNS.

If that looks okay (i.e. you see the packets cross the VPN and leave through the VPN "hub" Internet connection) then give DNS a shot:

nslookup star.slashdot.org

You should get back something like:

C:\>nslookup star.slashdot.org
Server:  the-name-of-the-VPN-server's-DNS-server
Address:  the-ip-address-of-the-VPN-server's-DNS-server

Non-authoritative answer:
Name:    star.slashdot.org
Address:  216.34.181.48

If you get back something nasty like this then the remote DNS server isn't configured to resolve Internet names.

*** the-name-of-the-VPN-server's-DNS-server can't find star.slashdot.org: Non-existent domain

If you get back something like this then the VPN server doesn't have a valid DNS server specified:

C:\>nslookup star.slashdot.org
Server:  [the-ip-address-of-the-VPN-server's-DNS-server]
Address:  the-ip-address-of-the-VPN-server's-DNS-server

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [the-ip-address-of-the-VPN-server's-DNS-server] timed-out
Evan Anderson
  • Yeah, I was confused at that option too. Should I check it on or off? Or is the problem in the DNS servers (IMHO)? –  Jul 16 '09 at 14:44
  • What unchecking that option does is allow users to use their home default gateway for internet traffic instead of the remote default gateway. It saves you bandwidth, but you lose control over where people are navigating while they are on your VPN. If it is checked you need to make sure that users have access to DNS servers and an internet gateway on the remote site; if it is unchecked people will use the DNS servers and gateways from their primary internet connection. – Catherine MacInnes Jul 16 '09 at 14:53
  • As a side note, that's a fairly large security hole. – Dayton Brown Jul 16 '09 at 17:36
  • @Dayton: What's a fairly large security hole? Split tunneling? I don't buy it. Giving untrusted computers unfettered layer 3+ access to your network *is* a "huge security hole". I try to configure VPNs to restrict the types of inbound traffic from clients to a limited set of protocols and destinations. Split tunneling shouldn't be a big deal if you've already buttoned-down the access that VPN clients get to the network. (I find the idea of using untrusted computers as VPN clients to be pretty distasteful. If you do, though, the user can always subvert your split tunnel policy anyway.) – Evan Anderson Jul 16 '09 at 18:08
  • What would be the first step if tracert -d 8.8.8.8 wasn't working? – Luke Nov 03 '10 at 04:30
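As an added example (this is not part of the question, Evan's answer or any of the comments), the script below makes the two client-side checks from the answer mechanical: it parses `route print` output to decide whether the lowest-metric 0.0.0.0/0 route is the tunnel (full tunnel, "Use default gateway on remote network" ticked) or the home gateway (split tunnel), and it classifies `nslookup` output into the three shapes the answer describes (resolved, "Non-existent domain", timeout). The sample outputs are constructed, not captured from a real client; the tunnel address 10.0.0.5, the 192.168.1.0/24 home LAN, the metrics and the DNS server name `dns.example.internal` are assumptions for illustration. Only the star.slashdot.org address 216.34.181.48 comes from the answer.

```python
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed "route print" excerpt: VPN up, "Use default gateway on remote
# network" ticked.  Two 0.0.0.0/0 rows; the tunnel one (10.0.0.5, assumed) has
# the lower metric and therefore wins, so Internet traffic crosses the VPN.
ROUTE_PRINT_FULL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.50       25
          0.0.0.0          0.0.0.0        10.0.0.5       10.0.0.5        1
      192.168.1.0    255.255.255.0    192.168.1.50   192.168.1.50       25
Default Gateway:          10.0.0.5
"""

# Same client with the box unticked: only the remote subnet (10.0.0.0/24,
# assumed) goes down the tunnel; Internet traffic leaves via the home gateway.
ROUTE_PRINT_SPLIT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.50       25
         10.0.0.0    255.255.255.0        10.0.0.5       10.0.0.5        1
      192.168.1.0    255.255.255.0    192.168.1.50   192.168.1.50       25
Default Gateway:      192.168.1.1
"""


def parse_routes(route_print):
    """Return the 'Active Routes' rows as dicts; header/footer lines are skipped."""
    rows = []
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) == 5 and all(IPV4.fullmatch(p) for p in parts[:4]) and parts[4].isdigit():
            dest, mask, gateway, iface, metric = parts
            rows.append({"dest": dest, "mask": mask, "gateway": gateway,
                         "iface": iface, "metric": int(metric)})
    return rows


def tunnel_mode(route_print, vpn_iface):
    """Classify how a connected client will reach the Internet.

    'full'  : a 0.0.0.0/0 route via the tunnel wins (lowest metric); what the OP wants
    'split' : the tunnel carries routes, but the home gateway still wins 0.0.0.0/0
    'none'  : no route uses the tunnel interface at all (VPN not really up)
    """
    rows = parse_routes(route_print)
    if not any(r["iface"] == vpn_iface for r in rows):
        return "none"
    defaults = sorted((r for r in rows if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"),
                      key=lambda r: r["metric"])
    if defaults and defaults[0]["iface"] == vpn_iface:
        return "full"
    return "split"


# Constructed nslookup outputs matching the three outcomes in the answer.
NSLOOKUP_OK = """\
Server:  dns.example.internal
Address:  10.0.0.1

Non-authoritative answer:
Name:    star.slashdot.org
Address:  216.34.181.48
"""
NSLOOKUP_NXDOMAIN = ("Server:  dns.example.internal\nAddress:  10.0.0.1\n\n"
                     "*** dns.example.internal can't find star.slashdot.org: Non-existent domain\n")
NSLOOKUP_TIMEOUT = ("Server:  [10.0.0.1]\nAddress:  10.0.0.1\n\n"
                    "DNS request timed out.\n    timeout was 2 seconds.\n"
                    "DNS request timed out.\n    timeout was 2 seconds.\n"
                    "*** Request to [10.0.0.1] timed-out\n")


def classify_nslookup(output):
    """Map nslookup output to the diagnosis the answer gives for each shape."""
    if "timed out" in output or "timed-out" in output:
        return "dns-unreachable"   # the pushed-down DNS address answers nothing
    if "can't find" in output or "Non-existent domain" in output:
        return "nxdomain"          # remote DNS reachable but can't resolve Internet names
    m = re.search(r"Non-authoritative answer:\s*Name:\s*\S+\s*Address(?:es)?:\s*("
                  + IPV4.pattern + ")", output)
    if m:
        return "resolved:" + m.group(1)
    return "unknown"


def triage(route_print, vpn_iface, nslookup_output):
    """Routing first (as the answer says), then DNS; return the next thing to check."""
    mode = tunnel_mode(route_print, vpn_iface)
    if mode != "full":
        return "routing: tunnel mode is %s; check the connection and the 'Use default gateway on remote network' box" % mode
    dns = classify_nslookup(nslookup_output)
    if dns.startswith("resolved:"):
        return "ok: routing and DNS look fine; check NAT/forwarding on the VPN server itself"
    return "dns: %s; fix the DNS server address the VPN server hands out" % dns


if __name__ == "__main__":
    print(triage(ROUTE_PRINT_FULL, "10.0.0.5", NSLOOKUP_NXDOMAIN))
```

To use it against a real client, paste the output of `route print` and `nslookup star.slashdot.org` into the two strings (the PPTP adapter's address is the "Interface" column of the row whose gateway equals itself) and run `triage`. A "full" result with working DNS and still no Internet points at the server side, which is the one place this script cannot look: the Windows XP box has to forward and NAT the clients' traffic out its own Internet connection.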