OpenVPN and PPTP on XEN VPS
Posted
by
amiv
on Server Fault
See other posts from Server Fault
or by amiv
Published on 2012-07-09T18:59:57Z
Indexed on
2012/07/09
21:17 UTC
Read the original article
Hit count: 294
I have Debian based system (Ubuntu 11.10) on XEN VPS. I've installed OpenVPN and works great. I need to install PPTP too, so did it and clients can connect, but they have no internet on client side. If I connect to VPN over PPTP I can ping and access to only my VPS by its IP, but ony that. There's no "internet" on client side. It looks it's not DNS problems (I'm using 8.8.8.8) because I can't ping known IPs. I bet the solution is simple, but don't have any idea. Any guess?
/etc/pptpd.conf
option /etc/ppp/pptpd-options
logwtmp
localip 46.38.xx.xx
remoteip 10.1.0.1-10
/etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
/etc/ppp/ip-up
[...]
ifconfig ppp0 mtu 1400
/etc/sysctl.conf
[...]
net.ipv4.ip_forward=1
Command which I run:
iptables -t nat -A POSTROUTING -j SNAT --to-source 46.38.xx.xx (IP of my VPS)
The client can connect, first one gets IP 10.1.0.1 and DNS from Google. I bet it's iptables problem, am I right? I'm iptables noob and I don't have idea what's wrong.
And here's the ifconfig and route command before client connect via PPTP:
root@vps3780:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default xx.xx.tel.ru 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
46.38.xx.0 * 255.255.255.0 U 0 0 0 eth0
root@vps3780:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:56:xx:xx
inet addr:46.38.xx.xx Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::216:xx:xx:dfb6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22671 errors:0 dropped:81 overruns:0 frame:0
TX packets:2266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1813358 (1.8 MB) TX bytes:667626 (667.6 KB)
Interrupt:24
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:100 errors:0 dropped:0 overruns:0 frame:0
TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10778 (10.7 KB) TX bytes:10778 (10.7 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:602 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:90850 (90.8 KB) TX bytes:418904 (418.9 KB)
And here's the ifconfig and route command after client connect via PPTP:
root@vps3780:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default xx.xx.tel.ru 0.0.0.0 UG 100 0 0 eth0
10.1.0.1 * 255.255.255.255 UH 0 0 0 ppp0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
46.38.xx.0 * 255.255.255.0 U 0 0 0 eth0
root@vps3780:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:56:xx:xx
inet addr:46.38.xx.xx Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::216:xx:xx:dfb6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22989 errors:0 dropped:82 overruns:0 frame:0
TX packets:2352 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1841310 (1.8 MB) TX bytes:678456 (678.4 KB)
Interrupt:24
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:112 errors:0 dropped:0 overruns:0 frame:0
TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12102 (12.1 KB) TX bytes:12102 (12.1 KB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:46.38.xx.xx P-t-P:10.1.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:66 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:10028 (10.0 KB) TX bytes:660 (660.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:602 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:90850 (90.8 KB) TX bytes:418904 (418.9 KB)
And ugly iptables --list output:
root@vps3780:~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- 10.1.0.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.1.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
And ugly iptables -t nat -L output:
root@vps3780:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 anywhere to:46.38.xx.xx
MASQUERADE all -- 10.1.0.0/24 anywhere
SNAT all -- 10.1.0.0/24 anywhere to:46.38.xx.xx
SNAT all -- 10.8.0.0/24 anywhere to:46.38.xx.xx
SNAT all -- 10.1.0.0/24 anywhere to:46.38.xx.xx
MASQUERADE all -- anywhere anywhere
SNAT all -- anywhere anywhere to:46.38.xx.xx
SNAT all -- 10.8.0.0/24 anywhere to:46.38.xx.xx
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- 10.1.0.0/24 anywhere
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- 10.1.0.0/24 anywhere
As I said - OpenVPN works very good. 10.8.0.0/24 for OpenVPN (on tun0). PPTP won't work. 10.1.0.0/24 for PPTP (on ppp0). Clients can connect, but they haven't "internet". Any suggestions will be appreciated. Second whole day fighting with no results.
EDIT: iptables -t filter -F - it resolved my problem :-)
© Server Fault or respective owner