LinuxQuestions.org
Old 02-06-2016, 09:06 PM   #1
haveacrack
LQ Newbie
 
Registered: Jun 2015
Posts: 2

Rep: Reputation: Disabled
VPN PPTP Internet and Samba Issues


Setup
Ubuntu Server 14.04.3
RAID 5 file server
Local IP addresses:
p13p1 Link encap:Ethernet HWaddr f8:32:e4:86:76:00
inet addr:10.0.0.121 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::fa32:e4ff:fe86:7600/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:239976 errors:0 dropped:0 overruns:0 frame:0
TX packets:98022 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40126964 (40.1 MB) TX bytes:28874150 (28.8 MB)




VPN Server Side Configuration:

pptpd.conf
localip 192.168.250.1
remoteip 192.168.250.100-105

pptpd-options

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128


ms-dns 192.168.250.1
ms-dns 8.8.4.4

sysctl.conf
net.ipv4.ip_forward=1

rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 192.168.250.0/24 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

before.rules
-A INPUT -p 47 -j ACCEPT

ufw
DEFAULT_FORWARD_POLICY=ACCEPT

Client Side VPN Configuration:
Windows 10 mainly, but also used on Win 7 and Win 8
Point to point tunneling protocol
Microsoft chap version 2 (ms-chap v2)
challenge handshake authentication protocol (chap)
Use default gateway on remote network selected


Issue
When the client connects to VPN, internet access is via the VPN connection
Clients want access to the internet via their home router while connected to the server via VPN

The only fix I have attempted so far on Win 10, 8 and 7 is to unselect "Use default gateway on remote network". This does solve the VPN problem, but now I have an issue with not being able to map to Samba network drives; the error states Windows cannot access the file share.

Is there a way to configure the VPN server to overcome this issue?
 
Old 02-06-2016, 09:44 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
First of all, you should seriously consider getting rid of PPTP altogether. Microsoft has acknowledged that the protocol is horribly insecure, but it's a design error which they won't/can't fix. Use SSTP instead; it's secure, supported in every Windows client OS from Win7 upwards, and it works well with NAT and restrictive firewalls. What's not to like?

Having said that, the fix for your routing problem is fairly straightforward, and not specific to VPN scenarios using PPTP. When you uncheck the box that says "use default gateway on remote network", you activate what is known as split tunneling, which means Internet traffic is routed via the regular gateway while the rest goes through the tunnel. So far, so good.

The problem is this: How does the client decide what should go through the tunnel, and what shouldn't? Since it has no way of knowing what the infrastructure looks like on the other end, and since the PPP interface doesn't even have a netmask, it ends up making a decidedly non-educated guess and adds a class-based route based on the interface IP address.

You're currently using the IP range 192.168.250.100 - 192.168.250.105 for your clients, and 192.168.250.0 is a Class C network with a default netmask of /24. As a result, in a split tunneling setup, the clients will route 192.168.250.0/24 to the PPTP server. Since the LAN side uses 10.0.0.0/24, you end up being unable to reach resources on that network.

Fortunately, since you're using a subnet of 10.0.0.0/8 on the LAN side, you can simply use another subnet of the same class A network for the VPN clients. A class-based route will then cover the entire 10.0.0.0/8 net, and everything should work fine.

For instance, you could change the localip and ms-dns settings to, say, 10.1.0.1, and use 10.1.0.100-105 as the remoteip range. Remember to alter the iptables rules accordingly.

One final point: You really do not want to use 8.8.4.4 (or any external DNS server) as the secondary DNS for your VPN clients. Should the internal DNS ever time out for any reason, the client in question will then switch to 8.8.4.4 and keep using it for as long as it's available, which will probably be forever. That will most likely result in it losing contact with the Samba server once the DNS cache expires, and the user will then have to disconnect and reconnect in order to reestablish communication.

Last edited by Ser Olmy; 02-06-2016 at 09:47 PM.
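
The class-based route selection described in post #2, modelled as an added example (not part of the original posts). The function names are hypothetical, the home LAN 192.168.1.0/24 is a constructed value, and the routing table is simplified to longest-prefix match without metrics.

```python
import ipaddress


def classful_network(addr):
    """Class-based network (A=/8, B=/16, C=/24) that contains addr."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is class D/E, no class-based route")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def next_hop(dest, tunnel_ip, home_lan):
    """Where a split-tunnel client sends dest (longest prefix wins)."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "home gateway"),
        (ipaddress.ip_network(home_lan), "home LAN"),
        (classful_network(tunnel_ip), "VPN tunnel"),
    ]
    dest_ip = ipaddress.ip_address(dest)
    matching = [r for r in routes if dest_ip in r[0]]
    return max(matching, key=lambda r: r[0].prefixlen)[1]


if __name__ == "__main__":
    server = "10.0.0.121"          # file server LAN address from the thread
    home = "192.168.1.0/24"        # constructed client home LAN
    for tunnel_ip in ("192.168.250.100", "10.1.0.100"):
        print(tunnel_ip, classful_network(tunnel_ip),
              "->", next_hop(server, tunnel_ip, home))
    # Edge case: a home LAN that overlaps the server LAN is more specific
    # than the /8 tunnel route, so the server is searched for locally.
    print(next_hop(server, "10.1.0.100", "10.0.0.0/24"))
```

The last call shows the limit of the renumbering fix: a client whose home network also uses 10.0.0.0/24 still cannot reach the server through the tunnel.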
 
Old 02-07-2016, 02:55 AM   #3
haveacrack
LQ Newbie
 
Registered: Jun 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thank you, you are a champion, the explanation was top notch.
I did have to map the drive with an IP instead of the server name, but that's OK.

I will definitely look into using SSTP.

Is this a similar set up on the server as pptp?
 
Old 02-07-2016, 07:14 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
Since PPTP and SSTP are both basically PPP over an encrypted connection, the setup is indeed very similar.

The biggest difference is that SSTP requires a server SSL/TLS certificate, but nowadays those can be had for free and renewed automatically.
 
  

