# VPN client with a Gentoo Router

## kuteninja

First off, I'll explain my situation.

I have 4 network levels:

- 1: My ISP modem > 2: Gentoo Server (as Router / DHCP Server / UPNP) > 3: Gigabit Switch > 4: Computers

I'd like to be able to use a VPN connection from within my Computer.

I've already set up the Gentoo router so the needed protocols can go through it, but I'm not able to connect properly using a Mac client.

On another computer, BTW, I was able to connect to the VPN (that machine is using Windows XP).

Does the Mac use another protocol / ports that I need to forward on my router?

Here's my iptables setup script on the router; eth0 is the WAN interface connected to the modem, and eth1 is the LAN interface (connected to the switch).

All computers are within the range 192.168.1.0/24 (192.168.1.0 > 192.168.1.255).

(WANIP has been masked for security.)

```
#!/bin/bash

# allow forwarding and dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# networking setup
LANIP="192.168.0.0/16"
WANIP="xx.xx.xx.xx"
IFLAN="eth1"
IFWAN="eth0"
IPTABLES="/sbin/iptables"
DEBUG=""
#DEBUG="echo " # uncomment to view iptables lines

# iptables cleanup
$DEBUG $IPTABLES -F
$DEBUG $IPTABLES -t nat -F
$DEBUG $IPTABLES -X UPNP
$DEBUG $IPTABLES -P FORWARD DROP

# SYN output limit 1/s
$DEBUG $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# allow everything that's related to an existing connection
$DEBUG $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# lan > lan forwarding allowed
$DEBUG $IPTABLES -A FORWARD -i $IFLAN -o $IFLAN -j ACCEPT
$DEBUG $IPTABLES -A FORWARD -s $LANIP -d $WANIP -j ACCEPT

# lan > wan : new and related allowed ** wan > lan : replies only
$DEBUG $IPTABLES -A FORWARD -i $IFLAN -o $IFWAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$DEBUG $IPTABLES -A FORWARD -i $IFWAN -o $IFLAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# clamp MSS for the ADSL link
$DEBUG $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# ssh port is open
$DEBUG $IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# don't filter lo interface
$DEBUG $IPTABLES -A INPUT -i lo -j ACCEPT

# 1/s ping
$DEBUG $IPTABLES -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# masquerade everything leaving through the WAN
$DEBUG $IPTABLES -t nat -A POSTROUTING -o $IFWAN -j MASQUERADE
$DEBUG $IPTABLES -t nat -A POSTROUTING -o $IFLAN -s $LANIP -d $WANIP -j MASQUERADE

# vpn setup (IKE on udp/500, ESP = proto 50, AH = proto 51, PPTP control on tcp/1723)
$DEBUG $IPTABLES -A INPUT -p udp -i $IFWAN --dport 500 -j ACCEPT
$DEBUG $IPTABLES -A OUTPUT -p udp -o $IFWAN --dport 500 -j ACCEPT
$DEBUG $IPTABLES -A INPUT -p 50 -j ACCEPT
$DEBUG $IPTABLES -A OUTPUT -p 50 -j ACCEPT
$DEBUG $IPTABLES -A INPUT -p 51 -j ACCEPT
$DEBUG $IPTABLES -A OUTPUT -p 51 -j ACCEPT
$DEBUG $IPTABLES -A FORWARD -p tcp --dport 1723 -j ACCEPT
$DEBUG $IPTABLES -A FORWARD -p udp --dport 500 -j ACCEPT

# upnp chain
$DEBUG $IPTABLES -N UPNP
$DEBUG $IPTABLES -A FORWARD -j UPNP

# dhcp, upnp and pdnsd
$DEBUG /etc/init.d/dhcpd restart
$DEBUG /etc/init.d/upnpd restart
$DEBUG /etc/init.d/pdnsd restart
```

I can't see what I'm missing or what can be wrong in here.

----------

## Bigun

Does the router have some kind of X installed?

If so, you could install wireshark and see what is happening with the packets from the Mac.

----------

## kuteninja

*Bigun wrote:*

> Does the router have some kind of X installed?
> 
> If so, you could install wireshark and see what is happening with the packets from the Mac.

Nope, I can check it out with tcpdump but it has a "heavy ungrepable verbosity" by default.

----------

## Bigun

What kind of VPN tunnel are you establishing?

----------

## kuteninja

*Bigun wrote:*

> What kind of VPN tunnel are you establishing?

PPTP to a server in the US (I'm in Argentina).

I've opened protocols 50 and 51 (ESP and AH) and that fixed the Windows VPN connection, but it seems that it's not enough for the Mac client.

BTW: I've noticed that I was missing these two lines, although that didn't seem to make any difference.

```
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o eth0 --dport 1723 -j ACCEPT
```

----------

## Bigun

Is the VPN tunnel established with the Windows machine when you attempt to connect the Mac?

----------

## kuteninja

*Bigun wrote:*

> Is the VPN tunnel established with the Windows machine when you attempt to connect the Mac?

I disconnected the VPN on the Windows machine before trying to connect on the Mac, although, can't it be on both PCs simultaneously?

----------

## Bigun

*kuteninja wrote:*

>  *Bigun wrote:*   Is the VPN tunnel established with the Windows machine when you attempt to connect the Mac? 
> 
> I disconnected the VPN on the Windows machine before trying to connect on the Mac, although, can't it be on both PCs simultaneously?

In theory, yes.  Just making sure we got everything working.  Perhaps the Mac uses more than just the two standard ports?

A little googling about PPTP is showing that port 1723 needs to be opened, which I am seeing that you just added.

Does the iptables service need to be restarted after changes?  It's been forever since I've used it.

----------

## kuteninja

*Bigun wrote:*

>  *kuteninja wrote:*    *Bigun wrote:*   Is the VPN tunnel established with the Windows machine when you attempt to connect the Mac? 
> 
> I disconnected the VPN on the Windows machine before trying to connect on the Mac, although, can't it be on both PCs simultaneously?
> 
> In theory, yes.  Just making sure we got everything working.  Perhaps the Mac uses more than just the two standard ports?
> ...

It seems that I was missing the GRE protocol:

```
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -p gre -j ACCEPT
```

I'll give it a try and update the thread if needed.

----------

## AngelKnight

Just for information: PPTP uses 1723/udp for session negotiation and IP-GRE (IP protocol #47) for data.

IPsec-ESP (IP proto 50) and IPsec-AH (IP proto 51) are what you opened.  Incidentally, IPsec typically requires 500/udp (IPsec initial negotiation) and possibly 4500/udp (IPsec NAT traversal optional port) or some other ports (such as 10000/tcp for Cisco's custom IPsec-over-TCP implementation, by default) to be able to pass traffic in at least one direction.

----------

## kuteninja

*AngelKnight wrote:*

> Just for information: PPTP uses 1723/udp for session negotiation and IP-GRE (IP protocol #47) for data.
> 
> IPsec-ESP (IP proto 50) and IPsec-AH (IP proto 51) are what you opened.  Incidentally, IPsec typically requires 500/udp (IPsec initial negotiation) and possibly 4500/udp (IPsec NAT traversal optional port) or some other ports (such as 10000/tcp for Cisco's custom IPsec-over-TCP implementation, by default) to be able to pass traffic in at least one direction.

I've changed the iptables setup in my script and used this information, but I cannot connect to the VPN yet.

This is what I've got so far, and it works as router / NAT:

PS: Yet again, all my WAN IPs are masked with x.x.x.x and x-x-x (in the tcpdump).

```
#!/bin/bash

# network variables and interfaces
LANIP="192.168.1.0/24"
WANIP="x.x.x.x"
IFLAN="eth1"
IFWAN="eth0"
IPTABLES="/sbin/iptables"
DEBUG=""
#DEBUG="echo " # uncomment to print the lines instead of running them

# NAT function. Usage: NAT router-port protocol destination-ip[:destination-port]
function NAT {
  $DEBUG $IPTABLES -t nat -A PREROUTING -i ${IFWAN} -p $2 --dport $1 -j DNAT --to $3
}

# flush everything in the iptables filter and nat tables
$DEBUG $IPTABLES -F
$DEBUG $IPTABLES -t nat -F
$DEBUG $IPTABLES -X UPNP
$DEBUG $IPTABLES -P INPUT ACCEPT
$DEBUG $IPTABLES -P OUTPUT ACCEPT
$DEBUG $IPTABLES -P FORWARD DROP

# enable forwarding and dynamic IPs
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# restrict services so they only work from the LAN
$DEBUG $IPTABLES -I INPUT 1 -i ${IFLAN} -j ACCEPT
$DEBUG $IPTABLES -I INPUT 1 -i lo -j ACCEPT
$DEBUG $IPTABLES -A INPUT -p udp --dport bootps ! -i ${IFLAN} -j REJECT
$DEBUG $IPTABLES -A INPUT -p udp --dport domain ! -i ${IFLAN} -j REJECT

# allow packet forwarding
$DEBUG $IPTABLES -I FORWARD -i ${IFLAN} -d ${LANIP} -j DROP
$DEBUG $IPTABLES -A FORWARD -i ${IFLAN} -s ${LANIP} -j ACCEPT
$DEBUG $IPTABLES -A FORWARD -i ${IFWAN} -d ${LANIP} -j ACCEPT

# block packets to privileged ports from outside the LAN
$DEBUG $IPTABLES -A INPUT -p tcp ! -i ${IFLAN} -d 0/0 --dport 0:1023 -j DROP
$DEBUG $IPTABLES -A INPUT -p udp ! -i ${IFLAN} -d 0/0 --dport 0:1023 -j DROP

# masquerade outgoing packets
$DEBUG $IPTABLES -t nat -A POSTROUTING -o ${IFWAN} -j MASQUERADE

# NAT (port redirection)
#####

# MTU fix for ADSL
$DEBUG $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# create the upnp chain
$DEBUG $IPTABLES -N UPNP && $DEBUG $IPTABLES -A FORWARD -j UPNP

# start dhcp, upnp and pdnsd (in case they weren't running)
$DEBUG /etc/init.d/dhcpd restart && $DEBUG /etc/init.d/upnpd restart && $DEBUG /etc/init.d/pdnsd restart
```

This script generates the following iptables lines (eth0 is my WAN interface and eth1 my LAN):

```
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X UPNP
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -I INPUT 1 -i eth1 -j ACCEPT
/sbin/iptables -I INPUT 1 -i lo -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport bootps ! -i eth1 -j REJECT
/sbin/iptables -A INPUT -p udp --dport domain ! -i eth1 -j REJECT
/sbin/iptables -I FORWARD -i eth1 -d 192.168.1.0/24 -j DROP
/sbin/iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -d 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
/sbin/iptables -A INPUT -p udp ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.1.214
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.1.214
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.1.214
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22022 -j DNAT --to 192.168.1.245:22
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 33062 -j DNAT --to 192.168.1.245:3306
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -N UPNP
/sbin/iptables -A FORWARD -j UPNP
/etc/init.d/dhcpd restart
/etc/init.d/upnpd restart
/etc/init.d/pdnsd restart
/etc/init.d/iptables save
rc-update add iptables default
```

I used this tutorial for the settings:

http://www.gentoo.org/doc/en/home-router-howto.xml

I tried to connect to any PPTP but it doesn't work. On tcpdump I can see that the connection is made, but I don't know how to see if it worked or where the error is.

Last edited by kuteninja on Mon Dec 27, 2010 7:56 pm; edited 2 times in total

----------

## kuteninja

Yahoo! I was missing some FORWARD rules, but everything else was correct. I thought that the FORWARD all-protocols rule forwarded the GRE too, but it seems not.

I've added these lines to my script:

```
$DEBUG $IPTABLES -N PPTP && $DEBUG $IPTABLES -A FORWARD -j PPTP
$DEBUG $IPTABLES -A PPTP -p 47 -i ${IFLAN} -o ${IFWAN} -j ACCEPT
$DEBUG $IPTABLES -A PPTP -p 47 -j ACCEPT
```

Which makes these iptables lines:

```
/sbin/iptables -N PPTP
/sbin/iptables -A FORWARD -j PPTP
/sbin/iptables -A PPTP -p 47 -i eth1 -o eth0 -j ACCEPT
```

If anyone is also having this issue: assuming you have eth1 for LAN and eth0 for WAN, and you're using 192.168.1.0/24 as your LAN network, you can use these iptables sentences right out of the box. If you don't, maybe you'll need some editing first.

These are the full code lines for iptables:

```
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X UPNP
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -I INPUT 1 -i eth1 -j ACCEPT
/sbin/iptables -I INPUT 1 -i lo -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport bootps ! -i eth1 -j REJECT
/sbin/iptables -A INPUT -p udp --dport domain ! -i eth1 -j REJECT
/sbin/iptables -I FORWARD -i eth1 -d 192.168.1.0/24 -j DROP
/sbin/iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -d 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
/sbin/iptables -A INPUT -p udp ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -N UPNP
/sbin/iptables -A FORWARD -j UPNP
/sbin/iptables -N PPTP
/sbin/iptables -A FORWARD -j PPTP
/sbin/iptables -A PPTP -p 47 -i eth1 -o eth0 -j ACCEPT
/etc/init.d/dhcpd restart
/etc/init.d/upnpd restart
/etc/init.d/pdnsd restart
/etc/init.d/iptables save
rc-update add iptables default

# example NAT redirection for port 22 tcp (ssh)
#/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to XXXXXXX #
```

PS: This script assumes you've already set up dhcpd, upnpd and pdnsd and want to start using iptables.
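To make the lesson of this thread concrete (a FORWARD chain with policy DROP only passes the PPTP data channel, IP protocol 47 / GRE, when some rule explicitly matches it; `-p tcp` and `-p udp` rules never will), here is an added worked example. It is not code from the thread, from Gentoo, or from iptables itself: it is a small stateless Python model of FORWARD-chain evaluation that understands only the `-P`, `-N`, `-A`, `-p`, `-i`, `-o`, `-s`, `-d`, `--dport` and `-j` options. It has no conntrack, no NAT and no `-m state`; the interface names, the 192.168.1.50 client and the 203.0.113.10 VPN server address are constructed, and inbound packets are assumed to have already been un-NATed to their LAN destination, as conntrack does on a real router. The rule set it builds mirrors the first script's `vpn setup` lines, the `PPTP` chain from the last post, and the final script's `-i eth0 -d 192.168.1.0/24` rule.

```python
"""Stateless toy model of iptables FORWARD-chain evaluation (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17, "gre": 47}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: int                    # IP protocol number (6 = tcp, 47 = GRE)
    src: str
    dst: str
    in_if: str
    out_if: str
    dport: Optional[int] = None   # only meaningful for tcp/udp


@dataclass
class Rule:
    target: str = ""              # ACCEPT/DROP/REJECT or a user-defined chain
    proto: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.proto is None or p.proto == self.proto,
            self.in_if is None or p.in_if == self.in_if,
            self.out_if is None or p.out_if == self.out_if,
            self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src),
            self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst),
            self.dport is None or p.dport == self.dport,
        ))


class FilterTable:
    """Subset of the filter table: the FORWARD chain plus user-defined chains."""

    def __init__(self) -> None:
        self.chains = {"FORWARD": []}
        self.policy = {"FORWARD": "ACCEPT"}   # user chains have no policy (implicit RETURN)

    def run(self, line: str) -> None:
        """Accept one iptables command line (without the leading 'iptables')."""
        args = shlex.split(line)
        if args[0] == "-P":
            self.policy[args[1]] = args[2]
            return
        if args[0] == "-N":
            self.chains[args[1]] = []
            return
        if args[0] != "-A":
            raise ValueError(f"unsupported command: {line}")
        chain, rule = args[1], Rule()
        for opt, val in zip(args[2::2], args[3::2]):
            if opt == "-p":
                rule.proto = int(val) if val.isdigit() else PROTO_NUM[val]
            elif opt == "-i":
                rule.in_if = val
            elif opt == "-o":
                rule.out_if = val
            elif opt == "-s":
                rule.src = val
            elif opt == "-d":
                rule.dst = val
            elif opt == "--dport":
                rule.dport = int(val)
            elif opt == "-j":
                rule.target = val
            else:
                raise ValueError(f"unsupported option: {opt}")
        self.chains[chain].append(rule)

    def verdict(self, p: Packet, chain: str = "FORWARD") -> Optional[str]:
        """First terminal target whose rule matches; a built-in chain falls back to its policy."""
        for r in self.chains[chain]:
            if not r.matches(p):
                continue
            if r.target in TERMINAL:
                return r.target
            sub = self.verdict(p, r.target)   # jump into a user chain
            if sub is not None:               # None: user chain fell off its end (RETURN)
                return sub
        return self.policy.get(chain)


def build(gre: bool, reply: bool) -> FilterTable:
    """Constructed rule set in the style of the thread's scripts."""
    t = FilterTable()
    t.run("-P FORWARD DROP")
    t.run("-A FORWARD -p tcp --dport 1723 -j ACCEPT")   # PPTP control connection
    t.run("-A FORWARD -p udp --dport 500 -j ACCEPT")    # IKE; irrelevant to PPTP
    if reply:   # final script: anything (already un-NATed) headed back into the LAN
        t.run("-A FORWARD -i eth0 -d 192.168.1.0/24 -j ACCEPT")
    if gre:     # the PPTP chain from the last post
        t.run("-N PPTP")
        t.run("-A FORWARD -j PPTP")
        t.run("-A PPTP -p 47 -i eth1 -o eth0 -j ACCEPT")
    return t


LAN_HOST, VPN_SERVER = "192.168.1.50", "203.0.113.10"   # constructed addresses


def verdicts(t: FilterTable) -> Tuple[Optional[str], ...]:
    """Verdicts for: outbound control (tcp/1723), outbound GRE, inbound GRE reply."""
    control_out = Packet(6, LAN_HOST, VPN_SERVER, "eth1", "eth0", 1723)
    gre_out = Packet(47, LAN_HOST, VPN_SERVER, "eth1", "eth0")
    gre_in = Packet(47, VPN_SERVER, LAN_HOST, "eth0", "eth1")
    return tuple(t.verdict(p) for p in (control_out, gre_out, gre_in))


if __name__ == "__main__":
    for gre, reply in ((False, False), (True, False), (True, True)):
        print(f"gre_rule={gre} reply_rule={reply}: {verdicts(build(gre, reply))}")
```

Running it shows the three states the thread went through: with only the tcp/1723 and udp/500 rules, the control connection is accepted but every GRE packet hits the DROP policy (the tunnel "connects" on tcpdump yet carries no data); the `PPTP` chain accepts GRE from LAN to WAN only, because its rule is pinned to `-i eth1 -o eth0`; and the replies from the VPN server are only accepted once a rule like the final script's `-i eth0 -d 192.168.1.0/24 -j ACCEPT` exists. On a real router the inbound direction additionally depends on conntrack mapping the GRE reply back to the masqueraded client, which this stateless model does not represent.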

----------

