PPTP VPN - users cannot access internet via the server

vpn

A proxy server is typically an applicaiton-layer function. I believe that when you say "act like a proxy" you're really saying "route their traffic across the VPN to that server which will, in turn, route the traffic to its default gateway and ultimately to the Internet".

I'd start with a "tracert" (or OS equivalent command) from a client while connected to the VPN to an Internet address and see where the traffic is going.

It's fairly commonplace in the Microsoft VPN client for users to untick the "Use default gateway on remote network" (set in the "Advanced" settings of TCP/IP on the VPN connection) which will cause only traffic bound for the remote VPN subnet to cross the VPN. Have you checked to see that no one has unticked that box on the clients?

Typically the Microsoft VPN client will "push down" the DNS and WINS settings from the VPN server to the client computers. If the clients are having an inability to access web sites with a browser, for example, it may be that they are routing traffic down the VPN tunnel but that the DNS server being "pushed down" can't resolve Internet names.

Viewing the routing table on a client while connected with the "route print" command will also help figure out what's going on. There should be two default-gateway (0.0.0.0 with a subnet mask of 0.0.0.0) entries on a client that's configured to route all traffic down the VPN-- one for the client's on-subnet default gateway, and one "pointing" to the VPN tunnel.

Edit:

If you want all the traffic from the VPN clients to cross the VPN and egress to the Internet from the VPN "hub" then leave the "Use default gateway on remote network" checkbox ticked on the client computers.

I would suspect that you're having a name resolution problem. I'd connect a client to the VPN and do the following:

tracert -d (your favorite Internet IP address here)

You can use any IP address you want in that command, so long as it's something that's really reachable. Heck, use the IP address of "star.slashdot.org"-- I've already used it in some examples on here... >smile&lt 216.34.181.48

That will show you the route that packets are taking. It's important to use an IP address in that command so that you aren't relying on DNS.

If that looks okay (i.e. you see the packets cross the VPN and leave through the VPN "hub" Internet connection) then give DNS a shot:

nslookup star.slashdot.org

You should get back something like:

C:\>nslookup star.slashdot.org
Server:  the-name-of-the-VPN-server's-DNS-server
Address:  the-ip-address-of-the-VPN-server's-DNS-server

Non-authoritative answer:
Name:    star.slashdot.org
Address:  216.34.181.48

If you get back something nasty like this then the remote DNS server isn't configured to resolve Internet names.

*** the-name-of-the-VPN-server's-DNS-server can't find star.slashdot.org: Non-existent domain

If you get back something like this then the VPN server doesn't have a valid DNS server specified:

C:\>nslookup star.slashdot.org
Server:  [the-ip-address-of-the-VPN-server's-DNS-server]
Address:  the-ip-address-of-the-VPN-server's-DNS-server

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [the-ip-address-of-the-VPN-server's-DNS-server] timed-out

Related

crontab to run bash script (ssh command in it) not working
ESXi 5.1 crashing
How to determine a disk consuming service in Windows 2008 server?
"Can't contact LDAP server (-1)" error for LDAPS to Server 2012
NS list does not match list from parent zone
Deploying distributed apps with Puppet - advice?
Proxmox - single public ip with multiple vms, openvz containers work, kvm's don't have a route
Centos: multiple IP addresses
Is minimum latency fixed by the speed of light? [closed]
Postfix acting like an open relay for domain mailboxes
ProFTPd server behind firewall returns internal IP address for WAN and LAN connections
Accidentally deleted symlink libc.so.6 in CentOS 6.4. How to get sudo privilege to re-create it?