PPTP IPTables routing issue

Question

PPTP connects just fine to the radius server
PPTP modules are loaded into the kernel
PPTP connects fine to the pptp service

Question: How do I get the PPTP to connect to the internet?

IPTables:

#!/bin/sh
#openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 199.101.x.x
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 199.101.x.x

#pptp
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

Guide: http://safesrv.net/setup-pptp-and-freeradius-on-centos-5/

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:16:3E:AC:F3:C4
          inet addr:199.101.x.x  Bcast:199.101.x.x  Mask:255.255.255.192
          inet6 addr: fe80::216:3eff:feac:f3c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1264874 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:144280558 (137.5 MiB)  TX bytes:83158009 (79.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1417 (1.3 KiB)  TX bytes:1417 (1.3 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:142 (142.0 b)  TX bytes:94 (94.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:76887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93454 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:11624030 (11.0 MiB)  TX bytes:55299615 (52.7 MiB)

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.11       0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
199.101.100.192 0.0.0.0         255.255.255.192 U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         199.101.100.193 0.0.0.0         UG    0      0        0 eth0

the 199.101.100.192/193 is not my server ip.

PPTP won't route correctly to where you can browse the web. However, openvpn works fine. — Tiffany Walker, Jan 12 '13 at 07:44
Even that is a statement, not a question. Perhaps you should edit your post to make it clear what you're asking. Just telling us what symptoms you're seeing doesn't tell us what you want. — John Gardeniers, Jan 12 '13 at 07:49
Alright. I'll do that first thing tomorrow as it is 3am just about. but the question is, for some reason you can't access anything with PPTP. not even the local network — Tiffany Walker, Jan 12 '13 at 07:50
If OpenVPN is working I would strongly suggest you stick with it. [PPTP has potential security flaws](http://en.wikipedia.org/wiki/Pptp#Security) that make it dangerous to consider or implement anymore. — Brent Pabst, Jan 14 '13 at 16:04

John Siu · Accepted Answer · 2013-01-12T07:55:47.333

5

VPN Client Test

Check you can ping from client to vpn server
```
ping 10.0.0.1
```
Check you can ping google by IP
```
ping 8.8.8.8
```
Check you can ping google by name
```
ping google.com
```

If 1 failed, pptp has issue.

If 1,2 succeeded but 3 failed, it is dns issue. Goto Step 1 in next section.

If 1 succeeded but 2 failed, properly routing issue. Goto Step 2 in next section.

On VPN Server

Check etc/ppp/pptpd-options for following line/option
```
ms-dns <dns server IP>
```
This will be the dns assigned to VPN client.

Re-start pptpd, reconnect VPN client, do the VPN Client Test above again.
On vpn server, check output of following
```
cat /proc/sys/net/ipv4/ip_forward
```
If the above out 0, that is the problem, fix as follow
```
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Add or uncomment following line in /etc/sysctl.conf for permanent change
```
net.ipv4.ip_forward=1
```
Do the VPN Client Test above again.

Iptables

Try following rules, This include flushing iptables.

# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush end

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT

# Allow server and internal network to go anyway
iptables -A INPUT  -s 10.0.0.0/24   -m state --state NEW  -j ACCEPT
iptables -A INPUT  -s 199.101.100.10   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -m state --state NEW  -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

/etc/pptpd.conf

option /etc/ppp/pptpd-options
localip 10.0.0.1
remoteip 10.0.0.10-100

Please also check you have /etc/ppp/pptpd-options.

/etc/ppp/pptpd-options

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp

/etc/ppp/options

Jan 11 11:39:27 vpn12 pppd[1155]: Cannot determine ethernet address for proxy ARP

Add or uncomment proxyarp in /etc/ppp/options

dictionary.microsoft

Add following to the end of /etc/radiusclient/dictionary.microsoft

#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      string
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      string
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8

edited Jan 12 '13 at 07:55

answered Jan 11 '13 at 05:41

John Siu

3,577
2
15
23

ip_forward is set. can't ping the ip. – Tiffany Walker Jan 11 '13 at 05:54
Try adding iptables rules. – John Siu Jan 11 '13 at 06:04
nothing. i wonder if it could be because my iptables are a mess from previous stuff? – Tiffany Walker Jan 11 '13 at 06:07
Full iptables. Additional question, can you ping 10.0.0.1 before? – John Siu Jan 11 '13 at 06:18
ran the script, nothing. no ping either – Tiffany Walker Jan 11 '13 at 06:30
(1) Which cannot ping which IP? (2) What is your client running(Linux/Windows)? – John Siu Jan 11 '13 at 06:31
10.0.0.1. Windows. i'll add the iptables i've used to connect fine with openvpn. – Tiffany Walker Jan 11 '13 at 06:34
Try only running the "flush" part. It will disable the iptables. Then do the test, let make sure pptp work by itself. Only test ping 10.0.0.1 – John Siu Jan 11 '13 at 06:40
files match. and ran just flush commands no luck. here is the guide i was following: http://safesrv.net/setup-pptp-and-freeradius-on-centos-5/ – Tiffany Walker Jan 11 '13 at 16:11
(1) Is it possible to reboot the pptp box? (2) After pptp connection, post output of `ipconfig /all` (3) Check pptpd log on server, post new one if different. – John Siu Jan 11 '13 at 16:29
1) rebooted 2) posted 3) updating from /var/log/messages – Tiffany Walker Jan 11 '13 at 16:41
What is your client LAN ip? Is it 10.0.0.x also? – John Siu Jan 11 '13 at 17:02
for the local box? 192.168.x.x – Tiffany Walker Jan 11 '13 at 17:07
Remove `require-mppe-128` from `/etc/ppp/pptpd-options`, restart pptpd service, then test again. – John Siu Jan 11 '13 at 17:10
then it decided to not connect. weird. had this all working on an openvz box ;/ – Tiffany Walker Jan 11 '13 at 17:18
(1) OK, put that back. (2) Are you using radius for authentication? – John Siu Jan 11 '13 at 17:24
Yes, using radius. – Tiffany Walker Jan 11 '13 at 17:36
On server, stop radius service, then run `radiusd -X` or `freeradius -X`, then connect pptp, observe if authentication is getting through at all. – John Siu Jan 11 '13 at 17:47
yea, it got by the authenticaion – Tiffany Walker Jan 11 '13 at 17:53
This is the problem: `pptpd[1131]: CTRL: Session timed out, ending call`. pptpd hangup/timeout very fast for some reason. Add the line `debug` to `/etc/pptpd.conf`. Connect client, then check log. – John Siu Jan 11 '13 at 17:58
Any news? progess? – John Siu Jan 12 '13 at 06:27
no luck getting anything else in the logs with debug or turning off arp. I'm pretty sure the issue might be IPTables. I might try mimicing the ones that openvpn uses that work. – Tiffany Walker Jan 12 '13 at 07:42
Turnning off iptables you lost the NAT, but should at least able to ping 10.0.0.1. If ping 10.0.0.1 failed, the pptp connection has problem itself. – John Siu Jan 12 '13 at 07:44
iptables off. no ping. – Tiffany Walker Jan 12 '13 at 07:46
Lets continue in chat : http://chat.stackexchange.com/rooms/7062/discussion-between-john-siu-and-tiffany-walker – John Siu Jan 12 '13 at 07:57
On a random note, would I need to recompile the kernel with PPP support or maybe i missed a module with modeprobe? – Tiffany Walker Jan 14 '13 at 14:54
You can check module with `lsmod`. On a Ubuntu box, I am seeing `ppp_mppe` and `ppp_async`. – John Siu Jan 14 '13 at 15:25
modules were loaded and i updated the question. – Tiffany Walker Jan 14 '13 at 15:45
Do you have firewall on your client box? Maybe turn it off. – John Siu Jan 14 '13 at 15:51
no firewall on the client box ;/ – Tiffany Walker Jan 14 '13 at 15:57
did you check out messages I left in chat regarding dictionary.microsoft? – John Siu Jan 15 '13 at 05:20
(1) Check your router if there are any option for vpn pass through. (2) Test with `/etc/ppp/chap-secrets` and disable radius to pin-point the issue. I setup pptp so many times and never saw this problem. – John Siu Jan 15 '13 at 17:04