Unable to access Internet when connected via PPTP

Hi All,

Can anyone please help me with the issue.
I am unable to access the internet when I am connected via PPTP.

I can SSH my local LAN but could not use the internet.

Please help-

1 Like

Without your configuration it is not easy to give you any advice.

@ArneO

Here is the config:

set vpn pptp remote-access authentication local-users username ABC password ‘XXXXXX’
set vpn pptp remote-access authentication mode 'local'
set vpn pptp remote-access client-ip-pool start ‘xxxxx’
set vpn pptp remote-access client-ip-pool stop ‘xxxxx’
set vpn pptp remote-access dns-servers server-1 '8.8.8.8'
set vpn pptp remote-access dns-servers server-2 '8.8.4.4'
set vpn pptp remote-access outside-address ‘xxxxx’
set zone-policy zone Local interface 'pptp+' 

Please let me know if anything else is required.

1st of all: How about split tunneling?

Do you want to access the internet through the pptp VPN, or without VPN?

On windows client, checkbox “Use Default Gateway on Remote Network” controls how traffic flows.
But to have internet via the VPN, requires proper vyos config…and we only see a (too small) snippet

hi @16again

much thanks for your reply.
I want to access the internet through vpn pptp.

I have allowed pptp ports as well in firewell.

set firewall name WAN-to-ANY rule 45 action ‘accept’

set firewall name WAN-to-ANY rule 45 description ‘Allow PPTP access’

set firewall name WAN-to-ANY rule 45 destination port ‘1723’

set firewall name WAN-to-ANY rule 45 protocol ‘tcp’

set firewall name WAN-to-ANY rule 46 action ‘accept’

set firewall name WAN-to-ANY rule 46 description ‘Allow PPTP access’

set firewall name WAN-to-ANY rule 46 protocol ‘gre’

Please let me know if any further config is required.

Hello, do you have any NAT(network address translation) rules?
like:
set nat source rule 100 outbound-interface eth0
set nat source rule 100 translation address masquerade

Hi,

I tried NAT as well, but that didn’t resolve the issue,

Could you suggest if that will be the Source NAT or destination NAT that needs to be applied.

Regards

I think you need exactly source NAT. Try next rules, but don’t forget replace outbound-interface eth0 and source 100.64.0.0/24
set nat source rule 100 outbound-interface eth0
set nat source rule 100 translation address masquerade
set nat source rule 100 source 100.64.0.0/24
Then try check from client PC with traceroute or tracert command to any hosts on the internet like traceroute 8.8.8.8

Hi @Dmitry

Implemented the NAT.
Still the same issue.

I observed a behaviour here. The clients get to the internet, but it is once in ten times. That is, is I connect and disconnect 10 times, I get the internet once during the process.

Hi, I can’t see gw-ip-address in your pptp config. Try
set vpn pptp remote-access gateway-address 192.168.155.1
Explain: 192.168.155.1 is any ip address which will automatically configured on local ppp interface, and clients will use it as own gw

Hi @Dmitry

Not getting the option to configure gateway:

rituka@vyos# set vpn pptp remote-access
Possible completions:

authentication
Authentication for remote access PPTP VPN
client-ip-pool
Pool of client IP address (must be within a /24)
dhcp-interface
DHCP interface to listen on
dns-servers Domain Name Service (DNS) server
mtu Maximum Transmission Unit (MTU)
outside-address
Outside IP address to which VPN clients will connect
wins-servers Windows Internet Name Service (WINS) server settings

Hi @Dmitry

Sharing the pptp logs when I initiate a connection:

Jul 3 15:23:13 vyos pppd[21782]: pppd 2.4.4 started by root, uid 0
Jul 3 15:23:13 vyos zebra[2355]: interface ppp2 index 1743 <POINTOPOINT,NOARP,MULTICAST> added.
Jul 3 15:23:13 vyos pppd[21782]: Connect: ppp2 <–> /dev/pts/3
Jul 3 15:23:13 vyos zebra[2355]: interface ppp2 mtu changed from 1500 to 1350
Jul 3 15:23:13 vyos zebra[2355]: interface ppp2 mtu changed from 1350 to 1346
Jul 3 15:23:13 vyos pppd[21782]: MPPE 128-bit stateless compression enabled
Jul 3 15:23:13 vyos zebra[2355]: warning: PtP interface ppp2 with addr 10.255.254.0/32 needs a peer address
Jul 3 15:23:13 vyos zebra[2355]: interface index 1743 was renamed from ppp2 to pptp2
Jul 3 15:23:13 vyos ripd[2360]: interface delete ppp2 index 1743 flags 0x1090 metric 1 mtu 1346
Jul 3 15:23:13 vyos ripngd[2362]: interface delete ppp2 index 1743 flags 0x1090 metric 1 mtu 1346
Jul 3 15:23:13 vyos pppd[21782]: Cannot determine ethernet address for proxy ARP
Jul 3 15:23:13 vyos pppd[21782]: local IP address 10.255.254.0
Jul 3 15:23:13 vyos pppd[21782]: remote IP address x.x.0.4

10.255.254.0 --> What IP address is this?

Hi @rituka

Can you provide me output of command show version

Hi,

rituka@gurgaon-vyos:~$ sh ver
Version: VyOS 1.1.7
Description: VyOS 1.1.7 (helium)
Copyright: 2016 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Wed Feb 17 09:57:31 UTC 2016
Build ID: 1602170957-4459750
System type: x86 64-bit
Boot via: image
HW S/N: 0123456789
Uptime: 15:36:07 up 190 days, 10:14, 1 user, load average: 0.00, 0.01, 0.05

1.1 is EOL, please try 1.2 and see if the issue still persists. thx

WAN-to-ANY rules shouldn’t be needed for GRE /tcp1723, as the pptp connection terminates on vyos.
Those rules are only needed on WAN_LOCAL

Make sure masquerade rule matches traffic from pptp-client going out to the internet, to get valid source IP.

Also, use tcpdump to find out how far packets go

@16again I took the dump and see that the packet drops at the vyos router, I see a suspicious IP as well if I do traceroute to internet. (10.255.254.0–> traceroute stops here).
It just does not work.