OpenVPN and PPTP on XEN VPS

Posted by amiv on Server Fault
Published on 2012-07-09T18:59:57Z Indexed on 2012/07/09 21:17 UTC


I have a Debian-based system (Ubuntu 11.10) on a XEN VPS. I've installed OpenVPN and it works great. I need to install PPTP too, so I did, and clients can connect, but they have no internet on the client side. If I connect to the VPN over PPTP I can ping and access only my VPS by its IP, but only that. There's no "internet" on the client side. It doesn't look like a DNS problem (I'm using 8.8.8.8) because I can't ping known IPs. I bet the solution is simple, but I don't have any idea. Any guesses?

/etc/pptpd.conf

option /etc/ppp/pptpd-options
logwtmp
localip 46.38.xx.xx
remoteip 10.1.0.1-10

/etc/ppp/pptpd-options

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp

/etc/ppp/ip-up

[...]
ifconfig ppp0 mtu 1400

/etc/sysctl.conf

[...]
net.ipv4.ip_forward=1

Command which I run:

iptables -t nat -A POSTROUTING -j SNAT --to-source 46.38.xx.xx   # IP of my VPS

The client can connect; the first one gets IP 10.1.0.1 and DNS from Google. I bet it's an iptables problem, am I right? I'm an iptables noob and I don't have any idea what's wrong.

And here's the ifconfig and route output before a client connects via PPTP:

root@vps3780:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.tel.ru   0.0.0.0         UG    100    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
46.38.xx.0      *               255.255.255.0   U     0      0        0 eth0

root@vps3780:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:56:xx:xx
          inet addr:46.38.xx.xx  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::216:xx:xx:dfb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22671 errors:0 dropped:81 overruns:0 frame:0
          TX packets:2266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1813358 (1.8 MB)  TX bytes:667626 (667.6 KB)
          Interrupt:24

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10778 (10.7 KB)  TX bytes:10778 (10.7 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:602 errors:0 dropped:0 overruns:0 frame:0
          TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:90850 (90.8 KB)  TX bytes:418904 (418.9 KB)

And here's the ifconfig and route output after a client connects via PPTP:

root@vps3780:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.tel.ru    0.0.0.0         UG    100    0        0 eth0
10.1.0.1        *               255.255.255.255 UH    0      0        0 ppp0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
46.38.xx.0      *               255.255.255.0   U     0      0        0 eth0

root@vps3780:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:56:xx:xx
          inet addr:46.38.xx.xx  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::216:xx:xx:dfb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22989 errors:0 dropped:82 overruns:0 frame:0
          TX packets:2352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1841310 (1.8 MB)  TX bytes:678456 (678.4 KB)
          Interrupt:24

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12102 (12.1 KB)  TX bytes:12102 (12.1 KB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:46.38.xx.xx  P-t-P:10.1.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:10028 (10.0 KB)  TX bytes:660 (660.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:602 errors:0 dropped:0 overruns:0 frame:0
          TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:90850 (90.8 KB)  TX bytes:418904 (418.9 KB)

And the ugly iptables --list output:

root@vps3780:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  10.1.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.1.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

And the ugly iptables -t nat -L output:

root@vps3780:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere            to:46.38.xx.xx
MASQUERADE  all  --  10.1.0.0/24          anywhere
SNAT       all  --  10.1.0.0/24          anywhere            to:46.38.xx.xx
SNAT       all  --  10.8.0.0/24          anywhere            to:46.38.xx.xx
SNAT       all  --  10.1.0.0/24          anywhere            to:46.38.xx.xx
MASQUERADE  all  --  anywhere             anywhere
SNAT       all  --  anywhere             anywhere            to:46.38.xx.xx
SNAT       all  --  10.8.0.0/24          anywhere            to:46.38.xx.xx
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  10.1.0.0/24          anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  10.1.0.0/24          anywhere

As I said, OpenVPN works very well. 10.8.0.0/24 is for OpenVPN (on tun0). PPTP won't work. 10.1.0.0/24 is for PPTP (on ppp0). Clients can connect, but they have no "internet". Any suggestions will be appreciated. Second whole day fighting with no results.

EDIT: iptables -t filter -F resolved my problem :-)
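The FORWARD chain posted above explains the symptom on its own: iptables evaluates a chain top to bottom and the first matching rule wins, and the third rule is an unconditional REJECT. OpenVPN traffic from 10.8.0.0/24 is accepted by rule 2 before reaching it, while PPTP traffic from 10.1.0.0/24 only gets its ACCEPT at rule 4, after the REJECT has already fired. The repeated ACCEPT/REJECT triplets and the stacked SNAT/MASQUERADE rules in the nat table show the same commands being re-run after each edit without flushing first. The "iptables -t filter -F" fix works because it deletes every FORWARD rule and leaves the chain's ACCEPT policy, but it also deletes the default deny, so the VPS now forwards anything that reaches it. The script below is an added example, not part of the original question: it replays the kernel's first-match walk over a constructed copy of the posted chain, and prints (without executing) an ordered ruleset that admits both VPN subnets and keeps the default deny. It assumes the interface names tun0, ppp+ and eth0 from the ifconfig output, keeps the question's masked 46.38.xx.xx placeholder, and uses the "-m state" match available on an Ubuntu 11.10 kernel. A separate caveat for anyone copying this setup: the MS-CHAPv2/MPPE combination the pptpd-options file requires is not considered a secure VPN transport today, regardless of how the firewall is ordered.

```shell
#!/bin/sh
# Added example: simulate iptables first-match evaluation for a NEW packet
# and print a corrected FORWARD/POSTROUTING ruleset for the two VPN subnets.

# Constructed copy of the FORWARD chain exactly as posted (policy ACCEPT).
# Columns: target prot opt source destination [match options]
FORWARD_AS_POSTED='ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  10.1.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.1.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable'

# Constructed listing of the chain that print_fix_commands below would build
# (interface matches are not shown because the simulator only models source).
FORWARD_FIXED='ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
ACCEPT     all  --  10.1.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable'

# first_match CHAIN_LISTING POLICY SOURCE
# Prints the target of the first rule a NEW packet from SOURCE hits, or POLICY
# when no rule matches. Only the source column and the conntrack state match
# are modelled, which is all the posted rules use. A NEW packet (the first
# SYN or ping from a freshly connected client) never matches RELATED,ESTABLISHED.
first_match() {
    printf '%s\n' "$1" | awk -v policy="$2" -v src="$3" '
        NF == 0 { next }                                   # skip blank lines
        /state RELATED,ESTABLISHED/ { next }               # not a NEW packet
        $4 == "anywhere" || $4 == src { found = 1; print $1; exit }
        END { if (!found) print policy }                   # chain exhausted: policy applies
    '
}

# Print, but do not run, a ruleset with the per-subnet ACCEPTs placed before
# the catch-all REJECT, plus one SNAT rule per VPN subnet. tun0/ppp+/eth0 and
# the masked VPS address are taken from the question as-is.
print_fix_commands() {
    cat <<'EOF'
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i ppp+ -s 10.1.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 46.38.xx.xx
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j SNAT --to-source 46.38.xx.xx
EOF
}

echo "posted chain, OpenVPN client : $(first_match "$FORWARD_AS_POSTED" ACCEPT 10.8.0.0/24)"
echo "posted chain, PPTP client    : $(first_match "$FORWARD_AS_POSTED" ACCEPT 10.1.0.0/24)"
echo "after -F, any source         : $(first_match "" ACCEPT 192.168.50.0/24)"
echo "fixed chain, PPTP client     : $(first_match "$FORWARD_FIXED" ACCEPT 10.1.0.0/24)"
echo "fixed chain, unknown source  : $(first_match "$FORWARD_FIXED" ACCEPT 192.168.50.0/24)"
echo "--- commands to apply (review, then run as root) ---"
print_fix_commands
```

The empty-chain call models the "iptables -t filter -F" fix: with no rules left, every source falls through to the ACCEPT policy, which is why it "worked". Rules should be flushed and re-added in one script each time (or saved with iptables-save) so the duplicate rules in the listing do not accumulate again.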

© Server Fault or respective owner
