newbie cant connect to clients VPN through my NAT.

wachaca · 11-21-2008, 01:05 PM

Hello,
I have several XP work stations, behind an Ubuntu 8.04 server providing NAT for the office.

When we had the DLINK router providing NAT, we were able to connect to a clients VPN based on PPTP/PPP using the windows VPN client without any problems.

Now we can no longer connect to the clients VPN.

My nat.sh file looks like this:
(I came up with this from diferent tutorials and howtos)

Code:

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -F
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Any help would be apreciated.

Thanks

blackhole54 · 11-23-2008, 04:23 AM

Is it the ppp0 interface you want to MASQUERADE or some ethernet interface? (Is your Ubuntu box actively participating in the VPN trafic of the XP boxes or just passing through already encrypted traffic?)

A less important question (I think) is do you want to MASQUERADE or DNAT? MASQUERADE is designed for connections where the IP address is likely to change when an interrupted or dropped connection is re-established and DNAT is for stable IP addresses.

Also, let me give you a hint. The following commands (as root) are sometimes useful for troubleshooting:

Code:

iptables -nvL <optional chain name>
iptables -t nat -nvL <optional chain name>

The -v option on those commands will cause packet and byte counts to be shown with each rule. Each packet the rule processes that matches that rule will increase these counters. So if you your traffic is not too heavy you might get some clues what might be wrong.

mostlyharmless · 11-24-2008, 10:29 AM

On our DLINK router we had to open specific ports to allow a VPN to connect. Did you have a setting in your router that you need to duplicate in your iptables?

blackhole54 · 11-25-2008, 08:18 AM

Quote:

Originally Posted by mostlyharmless

On our DLINK router we had to open specific ports to allow a VPN to connect. Did you have a setting in your router that you need to duplicate in your iptables?

Are you describing a situation where a client is behind a DLINK router or where the server is behind the DLINK router? If it is the client, can you provide a link to info abou what needs to be opened? Thanks.

mostlyharmless · 11-25-2008, 01:17 PM

The client is behind the router. Here's a link that might be helpful:

http://blogs.technet.com/rrasblog/ar...nectivity.aspx

blackhole54 · 11-26-2008, 07:45 AM

Thanks for the link, mostlyharmless. The way I am reading it, that article is talking about ports that need to be opened for the server rather than at the client end. Am I missing something?

@wachaca,

Have you made any progress?

mostlyharmless · 11-26-2008, 08:00 AM

My understanding is that they had to be open on the client side as well. Certainly, we couldn't get a VPN connection until we did that, and closing them again (which I did inadvertantly once) stopped the VPN connection from working.

I didn't read the specific link closely; I was just looking for a generic list of ports. For our specific work related VPN we got a list of ports from work to open on our home router to allow the VPN to connect.

Hope that clarifies things.

blackhole54 · 11-26-2008, 08:32 AM

Thanks again, mostlyharmless.

I was inquiring because of my involvement with another thread with pptp problems. After doing some more Internet search and looking at the Wikipedia page I see that NAT and firewall can cause problems because both GRE and a TCP connection are involved. Indeed, I see that netfilter has a special module to track pptp connections. So after letting this digest in my own mind for a while, I'll try to pass on my partial understanding to the other poster in hopes of helping him.

Thanks again.