# [solved] pptpd/ppp: No ping and/or internet access...

## rowdy

I've searched and tried many howtos, but most of the information I found is for the client, pptp. My goal was to set up a simple VPN connection using my Gentoo box @ home as a server, and a Windows client on the other end (without installing any VPN software on my Windows client, so OpenVPN was a no-go).

I've managed (after trying almost every VPN howto) to set up a VPN connection between my Gentoo server @ home and my Windows 7 client using pptpd and ppp. Connecting and everything works just fine. When connected, I can ping server -> client and client -> server.

However, I can't access any of the services on the server using the internal IP address of the server (10.1.1.1; samba, ssh, etc.). The client nicely receives the IP 10.1.1.201.

This is the (not entirely correct?) output of ipconfig /all on my Windows client. No default gateway?

```
C:\>ipconfig /all

*snap*

PPP adapter Thuis:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Thuis
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.201(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   Primary WINS Server . . . . . . . : 10.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

*snap*
```

Output of route -n on the server:

```
prime ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.201      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 lan
84.29.xx.x      0.0.0.0         255.255.254.0   U     3      0        0 wan
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         84.29.xx.x      0.0.0.0         UG    3      0        0 wan
```

I've added these lines to my iptables script (found in the tutorial I've used):

```
# PPTPD
# Accept GRE (PPTP data) and TCP/1723 (PPTP control) addressed to 10.1.0.0/16 ...
iptables -A INPUT -p gre -d 10.1.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -d 10.1.0.0/255.255.0.0 -j ACCEPT
# ... and rewrite the destination of such packets to the pptpd host 10.1.1.1
iptables -A PREROUTING -t nat -p gre -d 10.1.0.0/255.255.0.0 -j DNAT --to-destination 10.1.1.1
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d 10.1.0.0/255.255.0.0 -j DNAT --to-destination 10.1.1.1:1723
```

/etc/pptpd.conf

```
option /etc/ppp/options.pptpd
logwtmp
connections 10
localip 10.1.1.1
remoteip 10.1.1.201-210
```

/etc/ppp/options.pptpd

```
name prime
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 208.67.222.222
ms-dns 208.67.220.220
ms-wins 10.1.1.1
nobsdcomp
novj
novjccomp
nologfd
```

/etc/ppp/chap-secrets

```
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
rowdy           prime   PASSWORD                *
```

I've probably done something stupid or screwed something up, I'm sure, but I can't figure out what...

Any help that stops me chasing my tail would be greatly appreciated!

----------

## rowdy

Reply to myself... Bad, I know, but my guess is this is the clearest way to express my findings (and leave the stupid stuff above...).

After some fiddling with the options and iptables, I've managed to get it working (after some hints in this document). Basically I've added a few options and moved everything to another subnet. After that, I've adjusted my iptables script and added an extra line for 'ppp0' for each 'lan' rule.

This works for me. It might not be the nicest solution, and I'm going to try to put the iptables rules for the ppp adapter in a separate file that's executed when the ppp adapter is brought up, because my guess is that the second user will cause the system to create a ppp1 adapter and all is broken for that user, right?

I hope this might be helpful...

/etc/pptpd.conf

```
option /etc/ppp/options.pptpd
logwtmp
bcrelay lan              # ADDED
connections 10
localip 10.1.11.1        # CHANGED
remoteip 10.1.11.11-20   # CHANGED
```

/etc/ppp/options.pptpd

```
name prime
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 208.67.222.222
ms-dns 208.67.220.220
ms-wins 10.1.1.1
proxyarp                # ADDED
lock
nobsdcomp
novj
novjccomp
nologfd
```

./iptables.sh (my iptables script):

```
# Flush all current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Easy
export LAN=lan
export WAN=wan
export PPP=ppp0                                                                  # ADDED

# Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i ${PPP} -j ACCEPT                                          # ADDED
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport bootps ! -i ${PPP} -j REJECT                    # ADDED
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${PPP} -j REJECT                    # ADDED

# Accept SSH from WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Accept NTP  from WAN
iptables -A INPUT -i wan -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept FTP (passive) ports  from WAN
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT

# Accept (SSL) http traffic from WAN
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Accept ICMP/Ping from WAN
iptables -A INPUT -p icmp -j ACCEPT

# Accept All traffic from localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -i ${WAN} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p TCP ! -i ${PPP} -d 0/0 --dport 0:1023 -j DROP              # ADDED
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${PPP} -d 0/0 --dport 0:1023 -j DROP              # ADDED

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 10.1.0.0/255.255.0.0 -j DROP
iptables -I FORWARD -i ${PPP} -d 10.1.0.0/255.255.0.0 -j DROP                   # ADDED
iptables -A FORWARD -i ${LAN} -s 10.1.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${PPP} -s 10.1.0.0/255.255.0.0 -j ACCEPT                 # ADDED
iptables -A FORWARD -i ${WAN} -d 10.1.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Save and restart
/etc/init.d/iptables save
/etc/init.d/iptables restart
```
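
The block below is an added example, not part of rowdy's posts or of pptpd itself. It addresses the worry in the second post that a second client arriving on ppp1 is not covered by rules written for ppp0: iptables accepts a trailing `+` in interface names as a wildcard, so `-i ppp+` matches ppp0, ppp1 and so on, and no ip-up hook is needed. It also makes explicit two things the original script only gets implicitly from its `INPUT ACCEPT` policy (the TCP/1723 control connection and GRE, IP protocol 47, arriving on the WAN side), and it narrows the wide-open `-i ${PPP} -j ACCEPT` to sources inside the remoteip pool. For context, in the original script the rule `iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP` drops TCP to privileged ports (ssh, smb) on every interface other than lan, including ppp0, while ICMP is accepted unconditionally, which matches the first post's symptom of ping working and ssh/samba not; the `-I INPUT 1 -i ${PPP} -j ACCEPT` line added in the second post is what lets that traffic through. Assumptions of the example: interface names `lan`/`wan` from the posts, the VPN pool 10.1.11.0/24 (which contains the `remoteip 10.1.11.11-20` range from the second pptpd.conf), a kernel with the conntrack match, and the `IPT` override and `apply` argument, which exist only so the rules can be previewed without root.

```shell
#!/bin/sh
# Added example (not from the original thread): PPTP rules for iptables.sh that
# cover every ppp interface via the "ppp+" wildcard, so a second client on ppp1
# gets the same treatment as the first on ppp0 without an ip-up hook.
# Assumptions: interface names lan/wan as in the posts; VPN pool 10.1.11.0/24,
# which contains the remoteip range 10.1.11.11-20 from the second pptpd.conf.
# Set IPT=echo to print the rules instead of applying them.
IPT=${IPT:-iptables}
LAN=${LAN:-lan}
WAN=${WAN:-wan}
PPP=${PPP:-ppp+}
LAN_NET=${LAN_NET:-10.1.1.0/24}
VPN_NET=${VPN_NET:-10.1.11.0/24}

pptp_rules() {
    # PPTP needs two things on the WAN side: the TCP/1723 control connection
    # and GRE (IP protocol 47) carrying the PPP frames. The posted script only
    # lets these through because its INPUT policy is ACCEPT; say so explicitly.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p gre -j ACCEPT

    # Services on the server (ssh, samba, ...) for VPN clients. Only sources in
    # the remoteip pool are accepted, so a client cannot claim a LAN address.
    $IPT -A INPUT -i "$PPP" -s "$VPN_NET" -j ACCEPT
    $IPT -A INPUT -i "$PPP" -j DROP

    # VPN <-> LAN routing in both directions.
    $IPT -A FORWARD -i "$PPP" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT

    # VPN clients reaching the internet through the server's NAT; replies come
    # back only as part of a tracked connection.
    $IPT -A FORWARD -i "$PPP" -o "$WAN" -s "$VPN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$PPP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j MASQUERADE
}

# Preview: IPT=echo ./pptp-rules.sh apply    Apply (as root): ./pptp-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    pptp_rules
fi
```

Drop these rules in after the flush in iptables.sh in place of the `# ADDED` lines; because `ppp+` is a wildcard, the `export PPP=ppp0` line and the per-interface duplicates are no longer needed, and the `rp_filter` loop over `/proc/sys/net/ipv4/conf/*/` already covers new ppp interfaces as they appear. Note that `require-mschap-v2` with `require-mppe-128` is the strongest combination pptpd offers, but MS-CHAPv2 has been publicly broken since 2012, so these rules limit what a connected client can reach without making PPTP a strong VPN.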

----------

