PPTP and GRE Protocol passthrough (NOT SOLVED)

I could reproduce this issue by connecting to a server that does not exist. Please check if the VPN host is set correctly and the VPN port 1723 is open/reachable.

I used Nethserver 7 as firewall router and just forwarded port 1723 to my Windows server 2016 that provides a PPTP VPN server. I had to set VPN security to MSCHAPv2 only on the Windows server and on the Ubuntu 18.04 client I had to activate “MPPE”. Now VPN connection via mobile phone hotspot from outside is working.
No GRE forwarding or changes in shorewall are needed because a PPTP and GRE firewall helper module should be loaded.
I am not using any alias IP, maybe this is a problem?

NS6 should support GRE too:

[root@neth69 ~]# lsmod | grep pptp
nf_nat_pptp             4365  0
nf_nat_proto_gre        2772  1 nf_nat_pptp
nf_conntrack_pptp      11462  1 nf_nat_pptp
nf_conntrack_proto_gre     6619  1 nf_conntrack_pptp
nf_nat                 22708  12 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_conntrack           79601  35 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
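As an added example (not part of the posts above and not NethServer's own tooling), this shell function checks `lsmod` output for the four PPTP/GRE helper modules named in the listing above. The function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which PPTP/GRE netfilter helper modules are absent
# from lsmod-formatted text. The module names are the four shown in the
# lsmod listing quoted in the thread.
REQUIRED_PPTP_MODULES="nf_conntrack_pptp nf_conntrack_proto_gre nf_nat_pptp nf_nat_proto_gre"

# Reads lsmod output on stdin; prints the missing modules, space-separated.
# Prints nothing when all four are present.
missing_pptp_helpers() {
    # Column 1 of lsmod is the module name; drop the "Module Size Used by" header.
    mph_loaded=$(awk 'NR > 1 || $1 != "Module" { print $1 }')
    mph_missing=""
    for mph_mod in $REQUIRED_PPTP_MODULES; do
        # -x: match the whole line, so nf_nat does not satisfy nf_nat_pptp.
        if ! printf '%s\n' "$mph_loaded" | grep -qx "$mph_mod"; then
            mph_missing="${mph_missing:+$mph_missing }$mph_mod"
        fi
    done
    printf '%s' "$mph_missing"
}

# Constructed sample: a router where only the conntrack side is loaded,
# so GRE is tracked but not rewritten by NAT.
SAMPLE_PARTIAL='Module                  Size  Used by
nf_conntrack_pptp      11462  0
nf_conntrack_proto_gre  6619  1 nf_conntrack_pptp
nf_nat                 22708  1 iptable_nat
nf_conntrack           79601  3 nf_conntrack_pptp,nf_nat,xt_state'

result=$(printf '%s\n' "$SAMPLE_PARTIAL" | missing_pptp_helpers)
if [ -n "$result" ]; then
    echo "missing PPTP/GRE helpers: $result"
else
    echo "all PPTP/GRE helpers loaded"
fi
```

On a live router, run `lsmod | missing_pptp_helpers`. Helpers compiled into the kernel rather than built as modules do not appear in `lsmod`, so a name missing there is a prompt to check the kernel configuration, not proof that GRE tracking is off.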

Hi @mrmarkuz, thanks for your support. Before this post I tested in LAN with a PPTP VPN client (Mac OS X) and server (winzoz 2016); in this case I can connect correctly, up and running. The problem is WAN to LAN.
When I read your last message, I looked at the winzoz log files; the error is:

"A connection has been established between the server and the VPN client 127.0.0.1, but the VPN connection can not be completed. The most common cause of this problem is a firewall or a router between the server and the VPN client that is not configured to allow the transmission of Generic Routing Encapsulation (GRE) packets (protocol 47)."

I’m not using Nethserver 7.0, maybe this is a problem? :roll_eyes:

Thanks,

SGOLASTRA

Hi @pike, thanks for the reply… I answered already, see my quote below :wink:

FYI https://lists.debian.org/debian-firewall/2004/04/msg00103.html

Hi @LayLow, sorry but the linked article does not specify what I’m looking for. Thank you so much.

DuNdI

Can any of the team managers suggest solutions to me?

Do you have another router in front of your Nethserver? Maybe it’s blocking the GRE protocol. In my router I set the Nethserver as DMZ host.
I am going to test it with NS6 but I assume it will work…

EDIT:

Tested following scenario:

Ubuntu PPTP VPN client -> WWW -> Cable router (using NS 7.6 as DMZ host) -> 192.168.0.0/24 -> NS7 (with port 1723 forwarded to NS 6.10) -> 192.168.1.0/24 -> NS6 (with port 1723 forwarded to Windows Server 2016) -> 192.168.2.0/24 -> Windows Server 2016 PPTP VPN server -> 192.168.11.0/24 (PPTP VPN network)

I can ping the Windows Server 2016 PPTP VPN IP 192.168.11.1 from the Ubuntu client via PPTP VPN.

GRE is definitely working on Nethserver 6 & 7. Only configuration to do is forwarding port 1723:

Windows Server notices the client:

Maybe ask the provider if GRE is supported?

Most Italian ISPs provide CPE devices with NAT enabled. But at least a couple of them allow a simple forward of the PPTP port to enable GRE.

Unfortunately @sgolastra did not provide useful info such as port forwarding or network configuration.

@sgolastra provided some info here.

Differences:

In my scenario the Windows server needed two interfaces to create a PPTP VPN and I didn’t use an alias IP.

Thanks a lot @mrmarkuz, you are a good support.

Now I am moving everything over to OpenVPN and I have some problems.

I do not want to take advantage of your time, but if you want you can follow me in the next post :slight_smile:

Thank you very much for your time.

The case is open for an obsolete and not secure protocol :stuck_out_tongue:

Regards,

Sgolastra!

Regards
@sgolastra