Unable to access Internet when connected via PPTP

Hi All,

Can anyone please help me with the issue.
I am unable to access the internet when I am connected via PPTP.

I can SSH my local LAN but could not use the internet.

Please help-


Without your configuration it is not easy to give you any advice.

@ArneO

Here is the config:

set vpn pptp remote-access authentication local-users username ABC password 'XXXXXX'
set vpn pptp remote-access authentication mode 'local'
set vpn pptp remote-access client-ip-pool start 'xxxxx'
set vpn pptp remote-access client-ip-pool stop 'xxxxx'
set vpn pptp remote-access dns-servers server-1 '8.8.8.8'
set vpn pptp remote-access dns-servers server-2 '8.8.4.4'
set vpn pptp remote-access outside-address 'xxxxx'
set zone-policy zone Local interface 'pptp+'

Please let me know if anything else is required.

1st of all: How about split tunneling?

Do you want to access the internet through the pptp VPN, or without VPN?

On a Windows client, the checkbox "Use Default Gateway on Remote Network" controls how traffic flows.
But having internet via the VPN requires proper VyOS config,
and we only see a (too small) snippet.

hi @16again

much thanks for your reply.
I want to access the internet through vpn pptp.

I have allowed the PPTP ports in the firewall as well.

set firewall name WAN-to-ANY rule 45 action 'accept'
set firewall name WAN-to-ANY rule 45 description 'Allow PPTP access'
set firewall name WAN-to-ANY rule 45 destination port '1723'
set firewall name WAN-to-ANY rule 45 protocol 'tcp'
set firewall name WAN-to-ANY rule 46 action 'accept'
set firewall name WAN-to-ANY rule 46 description 'Allow PPTP access'
set firewall name WAN-to-ANY rule 46 protocol 'gre'

Please let me know if any further config is required.

Hello, do you have any NAT (network address translation) rules?
like:
set nat source rule 100 outbound-interface eth0
set nat source rule 100 translation address masquerade

Hi,

I tried NAT as well, but that didn’t resolve the issue,

Could you suggest if that will be the Source NAT or destination NAT that needs to be applied.

Regards

I think you need exactly source NAT. Try the following rules, but don't forget to replace outbound-interface eth0 and source 100.64.0.0/24:
set nat source rule 100 outbound-interface eth0
set nat source rule 100 translation address masquerade
set nat source rule 100 source address 100.64.0.0/24
Then check from the client PC with the traceroute or tracert command to any host on the internet, like traceroute 8.8.8.8

Hi @Dmitry

Implemented the NAT.
Still the same issue.

I observed a behaviour here. The clients get to the internet, but only once in ten times. That is, if I connect and disconnect 10 times, I get the internet once during the process.

Hi, I can’t see gw-ip-address in your pptp config. Try
set vpn pptp remote-access gateway-address 192.168.155.1
Explanation: 192.168.155.1 is any IP address, which will be automatically configured on the local ppp interface, and clients will use it as their own gateway.

Hi @Dmitry

Not getting the option to configure gateway:

rituka@vyos# set vpn pptp remote-access
Possible completions:
   authentication    Authentication for remote access PPTP VPN
   client-ip-pool    Pool of client IP address (must be within a /24)
   dhcp-interface    DHCP interface to listen on
   dns-servers       Domain Name Service (DNS) server
   mtu               Maximum Transmission Unit (MTU)
   outside-address   Outside IP address to which VPN clients will connect
   wins-servers      Windows Internet Name Service (WINS) server settings

Hi @Dmitry

Sharing the pptp logs when I initiate a connection:

Jul 3 15:23:13 vyos pppd[21782]: pppd 2.4.4 started by root, uid 0
Jul 3 15:23:13 vyos zebra[2355]: interface ppp2 index 1743 <POINTOPOINT,NOARP,MULTICAST> added.
Jul 3 15:23:13 vyos pppd[21782]: Connect: ppp2 <--> /dev/pts/3
Jul 3 15:23:13 vyos zebra[2355]: interface ppp2 mtu changed from 1500 to 1350
Jul 3 15:23:13 vyos zebra[2355]: interface ppp2 mtu changed from 1350 to 1346
Jul 3 15:23:13 vyos pppd[21782]: MPPE 128-bit stateless compression enabled
Jul 3 15:23:13 vyos zebra[2355]: warning: PtP interface ppp2 with addr 10.255.254.0/32 needs a peer address
Jul 3 15:23:13 vyos zebra[2355]: interface index 1743 was renamed from ppp2 to pptp2
Jul 3 15:23:13 vyos ripd[2360]: interface delete ppp2 index 1743 flags 0x1090 metric 1 mtu 1346
Jul 3 15:23:13 vyos ripngd[2362]: interface delete ppp2 index 1743 flags 0x1090 metric 1 mtu 1346
Jul 3 15:23:13 vyos pppd[21782]: Cannot determine ethernet address for proxy ARP
Jul 3 15:23:13 vyos pppd[21782]: local IP address 10.255.254.0
Jul 3 15:23:13 vyos pppd[21782]: remote IP address x.x.0.4

10.255.254.0 --> What IP address is this?

Hi @rituka

Can you provide me the output of the command show version?

Hi,

rituka@gurgaon-vyos:~$ sh ver
Version: VyOS 1.1.7
Description: VyOS 1.1.7 (helium)
Copyright: 2016 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Wed Feb 17 09:57:31 UTC 2016
Build ID: 1602170957-4459750
System type: x86 64-bit
Boot via: image
HW S/N: 0123456789
Uptime: 15:36:07 up 190 days, 10:14, 1 user, load average: 0.00, 0.01, 0.05

1.1 is EOL, please try 1.2 and see if the issue still persists. thx

WAN-to-ANY rules shouldn't be needed for GRE / TCP 1723, as the PPTP connection terminates on VyOS.
Those rules are only needed on WAN_LOCAL.

Make sure masquerade rule matches traffic from pptp-client going out to the internet, to get valid source IP.

Also, use tcpdump to find out how far packets go
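The masquerade check suggested in the post above, as an added example that is not part of the thread: a small Python script that reads VyOS `set` commands and reports which masquerading source-NAT rules actually cover the PPTP client pool. The sample config and its addresses are constructed; the rule deliberately keeps the 100.64.0.0/24 placeholder source, so no rule matches.

```python
import ipaddress

# Constructed sample config (addresses are placeholders, not from the thread).
SAMPLE_CONFIG = """
set vpn pptp remote-access client-ip-pool start '192.168.155.10'
set vpn pptp remote-access client-ip-pool stop '192.168.155.50'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '100.64.0.0/24'
set nat source rule 100 translation address 'masquerade'
"""

def parse_set_lines(text):
    """Return each 'set ...' line as a list of unquoted tokens."""
    rows = []
    for line in text.splitlines():
        tokens = [t.strip("'\"") for t in line.split()]
        if tokens[:1] == ["set"]:
            rows.append(tokens[1:])
    return rows

def pptp_pool(rows):
    """Return (start, stop) of the PPTP client pool as IP address objects."""
    vals = {}
    for r in rows:
        if r[:4] == ["vpn", "pptp", "remote-access", "client-ip-pool"] and len(r) == 6:
            vals[r[4]] = ipaddress.ip_address(r[5])
    return vals["start"], vals["stop"]

def masquerade_rules(rows):
    """Map rule number -> source network for source-NAT rules that masquerade."""
    rules = {}
    for r in rows:
        if r[:3] == ["nat", "source", "rule"] and len(r) >= 5:
            # Key is the option path, value is the last token on the line.
            rules.setdefault(r[3], {})[" ".join(r[4:-1])] = r[-1]
    out = {}
    for num, rule in rules.items():
        if rule.get("translation address") == "masquerade":
            # A rule without a source address matches every source.
            src = rule.get("source address", "0.0.0.0/0")
            out[num] = ipaddress.ip_network(src, strict=False)
    return out

def covering_rules(text):
    """Rule numbers whose source network contains the whole client pool."""
    rows = parse_set_lines(text)
    start, stop = pptp_pool(rows)
    return sorted(n for n, net in masquerade_rules(rows).items()
                  if start in net and stop in net)
```

An empty result means VPN client traffic leaves untranslated; the script checks only the source match, so the rule's outbound-interface still has to be the actual WAN interface.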

@16again I took the dump and see that the packet drops at the VyOS router. I also see a suspicious IP if I do a traceroute to the internet (10.255.254.0 --> traceroute stops here).
It just does not work.

Hi guys. I just hit this very old thread today, so I'm not sure whether my sharing is still useful to you or not. However, I'll share my experience on this matter anyway.
There are 2 points that you have to consider:

  1. If your LAN subnets and VPN subnets are in different classes, e.g. your LAN subnets are 10.x.x.x and your VPN class is 192.168.x.x, you can fix the issue by changing your PPTP client from full tunneling to split tunneling as specified in Eyonic Systems: How to Enable VPN Split Tunneling in Windows 10. More information about full tunneling vs split tunneling is as below
  2. If your VPN client subnet is in the same class as your LAN subnets, you should have NAT rules so that traffic from your VPN clients destined for the internet goes out on the internet interface. See an example:

I hope this will be useful for you

Cheers

An