PPTP IPTables routing issue

Solution 1:

VPN Client Test

  1. Check you can ping from client to vpn server

    ping 10.0.0.1
    
  2. Check you can ping google by IP

    ping 8.8.8.8
    
  3. Check you can ping google by name

    ping google.com
    

If 1 fails, pptp has an issue.

If 1 and 2 succeed but 3 fails, it is a DNS issue. Go to Step 1 in the next section.

If 1 succeeds but 2 fails, it is probably a routing issue. Go to Step 2 in the next section.

On VPN Server

  1. Check /etc/ppp/pptpd-options for the following line/option

    ms-dns <dns server IP>
    

    This will be the DNS server assigned to the VPN client.

    Restart pptpd, reconnect the VPN client, and do the VPN Client Test above again.

  2. On the VPN server, check the output of the following

    cat /proc/sys/net/ipv4/ip_forward
    
  3. If the above outputs 0, that is the problem; fix as follows

    echo 1 > /proc/sys/net/ipv4/ip_forward
    
  4. Add or uncomment the following line in /etc/sysctl.conf for a permanent change

    net.ipv4.ip_forward=1
    

    Do the VPN Client Test above again.

Iptables

Try the following rules. This includes flushing iptables.

# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush end

# Allow replies to connections the server already has open
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT VPN client traffic out through the Internet-facing interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow the PPTP control connection (TCP 1723) and the GRE tunnel traffic
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT

# Allow the server and the internal network to go anywhere
iptables -A INPUT  -s 10.0.0.0/24   -m state --state NEW  -j ACCEPT
iptables -A INPUT  -s 199.101.100.10   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -m state --state NEW  -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
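As an added example (not part of the original answer), a small POSIX shell script that audits iptables-save output for the four things the rules above depend on: TCP 1723 and GRE accepted on the WAN interface, MASQUERADE on the way out, and a FORWARD chain that accepts. It assumes eth0 is the Internet-facing interface, as in the answer; the two rulesets it writes are constructed for the demo (one matching the rules above, one with GRE forgotten and a leftover FORWARD DROP policy).

```shell
#!/bin/sh
# Added example, not from the original answer: audit a saved iptables ruleset
# (iptables-save output) for the four things a PPTP server needs according to
# the rules above. It reads from a file so it can be run offline on a copy:
#   iptables-save > /tmp/rules.txt && . ./pptp_rules.sh && pptp_rules_ok /tmp/rules.txt
# Assumption (from the answer): the Internet-facing interface is eth0.

# pptp_rules_ok FILE [WAN_IF]: returns 0 if all required rules are present,
# otherwise prints the missing items on stderr and returns 1.
pptp_rules_ok() {
    file=$1
    wan=${2:-eth0}
    missing=""
    # 1. PPTP control channel: TCP port 1723 accepted on the WAN interface
    grep -Eq -- "-A INPUT .*-i $wan .*-p tcp .*--dport 1723 .*-j ACCEPT" "$file" \
        || missing="$missing tcp/1723"
    # 2. GRE (IP protocol 47) carries the tunnel itself; without it the control
    #    channel connects but no PPP session ever comes up
    grep -Eq -- "-A INPUT .*-i $wan .*-p (gre|47) .*-j ACCEPT" "$file" \
        || missing="$missing gre"
    # 3. Clients from the VPN pool are NATed out through the WAN interface
    grep -Eq -- "-A POSTROUTING .*-o $wan .*-j MASQUERADE" "$file" \
        || missing="$missing masquerade"
    # 4. Forwarded packets are not dropped: FORWARD policy ACCEPT (as set by the
    #    flush above) or an explicit ACCEPT rule in the FORWARD chain
    if ! grep -q -- "^:FORWARD ACCEPT" "$file" \
       && ! grep -Eq -- "-A FORWARD .*-j ACCEPT" "$file"; then
        missing="$missing forward"
    fi
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what iptables-save prints after loading the rules above.
write_sample_good() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample of the classic mistake: port 1723 opened, GRE forgotten,
# and a FORWARD policy of DROP left over from an earlier firewall script.
write_sample_broken() {
    cat > "$1" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo on the constructed samples (no live iptables needed)
demo_dir=$(mktemp -d)
write_sample_good "$demo_dir/good.rules"
write_sample_broken "$demo_dir/broken.rules"
for f in good broken; do
    if pptp_rules_ok "$demo_dir/$f.rules"; then
        echo "$f.rules: ok"
    else
        echo "$f.rules: NOT ok"
    fi
done
rm -rf "$demo_dir"
```

On a real server, save the live ruleset with `iptables-save > /tmp/rules.txt` and call `pptp_rules_ok /tmp/rules.txt`; the check is read-only, so it can be run before the flush above to see what the existing ruleset lacks.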

/etc/pptpd.conf

option /etc/ppp/pptpd-options
localip 10.0.0.1
remoteip 10.0.0.10-100

Please also check you have /etc/ppp/pptpd-options.

/etc/ppp/pptpd-options

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp
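As an added example (not part of the original answer), a read-only shell check for the server-side settings covered in the "On VPN Server" steps and in the pptpd-options file above: that ip_forward reads 1, that ms-dns is set, and that the weak methods are refused with MS-CHAPv2 and 128-bit MPPE required. Every check takes the file as an argument, so it can be run against the live files or copies; the file names and option spellings are the ones used in the answer, and the two option files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original answer: check the server-side settings
# the answer walks through (ip_forward, ms-dns, and the authentication and
# encryption options in pptpd-options). Each check takes the file to inspect as
# an argument, so on a live server you would run:
#   ip_forward_enabled /proc/sys/net/ipv4/ip_forward
#   pptpd_options_ok   /etc/ppp/pptpd-options
# Assumed file names and option spellings are those used in the answer.

# has_option FILE OPTION: true if OPTION is set (uncommented, at line start)
has_option() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# ip_forward_enabled FILE: true only if the sysctl file reads "1"
ip_forward_enabled() {
    v=""
    [ -r "$1" ] && read -r v < "$1"
    [ "$v" = "1" ]
}

# ms_dns_value FILE: print the address pushed to clients (first ms-dns line)
ms_dns_value() {
    awk '$1 == "ms-dns" { print $2; exit }' "$1"
}

# pptpd_options_ok FILE: returns 0 if ms-dns is set and the weak methods are
# refused with MS-CHAPv2 + 128-bit MPPE required; lists what is missing otherwise
pptpd_options_ok() {
    file=$1
    missing=""
    # Step 1 of the answer: without ms-dns the client pings 8.8.8.8 but not google.com
    has_option "$file" ms-dns || missing="$missing ms-dns"
    # Refuse PAP, CHAP and MS-CHAPv1; require MS-CHAPv2 with 128-bit MPPE
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        has_option "$file" "$opt" || missing="$missing $opt"
    done
    # proxyarp matters for the 'Cannot determine ethernet address for proxy ARP' log line
    has_option "$file" proxyarp || echo "note: proxyarp not set in $file" >&2
    if [ -n "$missing" ]; then
        echo "$file missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample matching the pptpd-options shown in the answer
write_good_options() {
    cat > "$1" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp
EOF
}

# Constructed sample of a weak configuration: ms-dns commented out (name
# resolution fails on the client) and 128-bit MPPE not required
write_weak_options() {
    cat > "$1" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#ms-dns 8.8.8.8
lock
EOF
}

# Stand-alone demo on constructed files (does not touch /etc or /proc)
demo_dir=$(mktemp -d)
write_good_options "$demo_dir/good"
write_weak_options "$demo_dir/weak"
printf '0\n' > "$demo_dir/ip_forward"
for f in good weak; do
    if pptpd_options_ok "$demo_dir/$f"; then
        echo "$f: ok (ms-dns $(ms_dns_value "$demo_dir/$f"))"
    else
        echo "$f: NOT ok"
    fi
done
if ip_forward_enabled "$demo_dir/ip_forward"; then
    echo "ip_forward: enabled"
else
    echo "ip_forward: disabled (step 3 of the answer applies)"
fi
rm -rf "$demo_dir"
```

The option matcher anchors at the start of the line, so a commented `#ms-dns` line is correctly reported as missing, and `refuse-mschap` is not mistaken for `require-mschap-v2`.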

/etc/ppp/options

Jan 11 11:39:27 vpn12 pppd[1155]: Cannot determine ethernet address for proxy ARP

Add or uncomment proxyarp in /etc/ppp/options

dictionary.microsoft

Add the following to the end of /etc/radiusclient/dictionary.microsoft

#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      string
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      string
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8