7

I've followed the instructions in this tutorial to set up a VPN server, so that I can connect to it and surf the internet virtually from another location. So far, from Windows, I can connect to it, but there is no internet access.

The IP addresses that I used in the conf file are exactly the same as in the tutorial:

localip 192.168.0.1
remoteip 192.168.0.100-200

Same for the DNS which is 8.8.8.8.

(Everything you need to know about what I've done is already in that link)

What do you think could be the problem?

3 Answers

12

If your main purpose in setting up the VPN server is to access websites, traffic has to be forwarded out of the VPN server's public network interface. Thus, kindly enable port forwarding by editing the sysctl.conf file. I assume "net.ipv4.ip_forward" is commented out in the /etc/sysctl.conf file:

nano /etc/sysctl.conf

Add, or find and comment out, the following line:

net.ipv4.ip_forward=1

Save, close the file and run the following command to make the changes take effect:

sysctl -p

The following iptables firewall rules allow port 1723 and GRE, and perform NAT:

iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

In the last rule, replace "eth0" with the interface connecting to the internet on your VPN server. Finally, the following rule is required to ensure websites load properly:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS --clamp-mss-to-pmtu

Replace 172.20.1.0/24 with the IP address range used in the "remoteip" option in /etc/pptpd.conf. This firewall rule is used to ensure a proper MTU value is used, to prevent fragmentation.

Hope it could help.

Rose Ab
4

The following commands solved my problem (no internet) using PPTPD on Ubuntu 14.x:

iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 10.0.0.0/24 -j TCPMSS --clamp-mss-to-pmtu
sudo iptables-save

sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables-save

Please note: I used the IP address range 10.0.0.0/24 in my /etc/pptpd.conf; use the range that matches your config.

Zanna
Akam
0

We had identical symptoms, but all the iptables rules were set as above. It was possible to connect, the connection was stable, it did allow logging in to the pptp server via ssh and, on the remote machine, even resolving DNS (noticeable via browsers and ping, as it did resolve the IP correctly), but web pages did not load, nor was it possible to connect to other servers via ssh. This made it clear that the tunnel was OK up to the pptp server.

The problem was the fact that I had two independent up-links exposed to the internet on this machine (i.e. mainInf and support), both configured via netplan (no problem with that) but, despite connecting to the pptp server using the IP address of the 1st up-link (interface called mainInf), my default gateway was running on the second up-link (support).

The solution was to adjust the NAT to the correct output gateway, which allowed packets to reach other servers. Initially it was (not working):

iptables -t nat -I POSTROUTING -o mainInf -j MASQUERADE

(bear in mind that, in our case, the connection to the pptp server is via an IP allocated on the mainInf adapter/uplink), and after changing to the same adapter/uplink as the default gateway (support), it worked:

iptables -t nat -I POSTROUTING -o support -j MASQUERADE

Hence, if you can establish a stable VPN connection, ping or connect to the pptp server (via ssh in our case), but cannot reach any IP that is not on that server, you probably have a routing/forwarding issue.

4 helpful commands for troubleshooting:

  1. watch iptables -t nat -L -nv
  2. watch iptables -L -nv
  3. route -n
  4. tcpdump -i -s 0 tcp port 1723 or proto 47 (read more here)
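As an added example (not from any of the answers above), a small POSIX shell check for the two conditions the answers revolve around: whether IP forwarding is on, and whether the interface named in the POSTROUTING MASQUERADE rule is the same one the default route leaves through, the mismatch the third answer hit with its mainInf/support uplinks. The interface names mainInf and support are taken from that answer; the gateway addresses and the sample command output are constructed.

```shell
#!/bin/sh
# Added example, not from the answers above. Inputs are passed as text so the
# checks can be run against saved output of `ip route` and `iptables-save`.

# check_masq_iface ROUTES_TEXT NAT_TEXT
#   ROUTES_TEXT: output of `ip route show default`
#   NAT_TEXT:    output of `iptables-save -t nat`
# Prints "ok", "no-masquerade", or a "mismatch: ..." line.
check_masq_iface() {
    routes="$1"
    nat="$2"
    # interface of the first default route: the word after "dev"
    def_if=$(printf '%s\n' "$routes" | awk '/^default/ {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }')
    # interface of the first POSTROUTING MASQUERADE rule: the word after "-o"
    masq_if=$(printf '%s\n' "$nat" | awk '/-A POSTROUTING/ && /MASQUERADE/ {
        for (i = 1; i <= NF; i++) if ($i == "-o") { print $(i+1); exit } }')
    if [ -z "$masq_if" ]; then
        echo "no-masquerade"
    elif [ "$def_if" = "$masq_if" ]; then
        echo "ok"
    else
        echo "mismatch: MASQUERADE on $masq_if but default route uses $def_if"
    fi
}

# check_ip_forward VALUE: VALUE is the content of /proc/sys/net/ipv4/ip_forward
check_ip_forward() {
    [ "$1" = "1" ] && echo "enabled" || echo "disabled"
}

# Constructed sample output modelled on the third answer's two-uplink server:
# default route on "support", but MASQUERADE written for "mainInf".
SAMPLE_ROUTES='default via 203.0.113.1 dev support proto static
default via 198.51.100.1 dev mainInf proto static metric 200'
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mainInf -j MASQUERADE
COMMIT'

# On the VPN server itself (root needed for iptables-save) you would run:
#   check_masq_iface "$(ip route show default)" "$(iptables-save -t nat)"
#   check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)"
check_masq_iface "$SAMPLE_ROUTES" "$SAMPLE_NAT"
check_ip_forward 0
```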