OpenWrt Forum Archive

Topic: PPTPD iptables/routing problems

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi!

I have a pptpd running on OpenWRT and clients can connect to it from the Internet. What I don't get working is that a client that is connected via VPN to the router has access to the router's LAN. I followed the instructions at http://wiki.openwrt.org/PPTPDHowto, but can't get it working.

Here's how it is configured at the moment:

Router LAN: 192.168.1.1
Client's IP via chap-secrets: 192.168.2.10
pptpd-IP: 192.168.1.200 (via localip in /etc/pptpd.conf, because "192.168.1.200:" in /etc/ppp/options.pptpd seems to be ignored)

/etc/firewall.user:

## Allow PPTP control connections from WAN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT

## Allow GRE protocol (used by PPTP data stream)
iptables        -A output_rule             -p 47               -j ACCEPT
iptables        -A input_rule              -p 47               -j ACCEPT

### VPN Section
iptables        -A forwarding_rule -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables        -A output_rule     -o ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables        -A input_rule      -i ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
# allow VPN connections to get out WAN interface (to internet)
iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT

When the client connects, he gets the IP 192.168.2.10 and the router's pptpd gets 192.168.1.200.
The client's routing table looks like this:

226.120.9.213.d fritz.fonwlan.b 255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 ppp0
192.168.30.0    *               255.255.255.0   U     0      0        0 eth0
default         fritz.fonwlan.b 0.0.0.0         UG    0      0        0 eth0

So everything for 192.168.1.0/24 should be routed to ppp0.

From the client I can ping 192.168.1.1 and 192.168.1.200, but not 192.168.1.50, which is a computer in the router's LAN.

From the router I can ping 192.168.2.10 and 192.168.1.50.

What am I doing wrong? How do I get access to 192.168.1.50 from the client connected as 192.168.2.10 via VPN to the router?

Tobias

Hi Tobias,

Your iptables rule
iptables        -A forwarding_rule -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
doesn't allow traffic to be forwarded to 192.168.2.10 because it's another subnet.

I would suggest configuring the pptpd-ip to 192.168.2.200 and adding the following 2 rules:

iptables        -A forwarding_rule -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables        -A forwarding_rule -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT

This works on my router.

Conny

If your client IP is going to be 192.168.2.10, make the pptpd address 192.168.2.1 in /etc/ppp/options.pptpd and use the following firewall rules:

### VPN Section
iptables -A forwarding_rule                 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A output_rule             -o ppp+ -s 192.168.2.1    -d 192.168.2.0/24 -j ACCEPT
iptables -A input_rule      -i ppp+         -s 192.168.2.0/24 -d 192.168.2.1    -j ACCEPT
# allow VPN connections to get out WAN interface (to internet)
iptables -A forwarding_rule -i ppp+ -o $WAN -s 192.168.2.0/24                   -j ACCEPT
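Added example (not from any post in this thread): a small POSIX shell simulation of the -s/-d matching in the user-defined forwarding_rule chain, so the gap both replies point out (192.168.2.10 -> 192.168.1.50 hits no LAN-to-LAN rule) can be checked offline before editing /etc/firewall.user. Interfaces, connection state and the chains that run after forwarding_rule are not modelled; the rule sets and addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example: first-match simulation of forwarding_rule -s/-d rules.
# Only source/destination CIDR matching is modelled; interfaces, state
# and what happens after forwarding_rule falls through are ignored.

# Dotted quad -> 32-bit integer, e.g. 192.168.1.50 -> 3232235826
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: true if ADDR lies in CIDR (a bare address means /32)
in_cidr() {
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2; bits=32 ;;
  esac
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Rule sets: "SRC,DST" tokens, evaluated first-match like an iptables chain.
# The thread's original forwarding_rule only covers LAN-to-LAN traffic;
# the fixed set adds the two cross-subnet rules from Conny's reply.
ORIGINAL_RULES='192.168.1.0/24,192.168.1.0/24'
FIXED_RULES='192.168.1.0/24,192.168.1.0/24 192.168.2.0/24,192.168.1.0/24 192.168.1.0/24,192.168.2.0/24'

# forward_verdict RULES SRC DST -> prints ACCEPT or NOMATCH (no rule hit)
forward_verdict() {
  for rule in $1; do
    if in_cidr "$2" "${rule%,*}" && in_cidr "$3" "${rule#*,}"; then
      echo ACCEPT; return 0
    fi
  done
  echo NOMATCH
}
# Print the firewall.user lines that correspond to a rule set
emit_forwarding_rules() {
  for rule in $1; do
    printf 'iptables -A forwarding_rule -s %s -d %s -j ACCEPT\n' "${rule%,*}" "${rule#*,}"
  done
}
printf 'original: 192.168.2.10 -> 192.168.1.50: %s\n' "$(forward_verdict "$ORIGINAL_RULES" 192.168.2.10 192.168.1.50)"
printf 'fixed:    192.168.2.10 -> 192.168.1.50: %s\n' "$(forward_verdict "$FIXED_RULES" 192.168.2.10 192.168.1.50)"
emit_forwarding_rules "$FIXED_RULES"
```

The same check applied to the third reply's ppp-to-WAN rule (source 192.168.2.0/24) explains why that rule still needs a LAN-bound companion for 192.168.1.50 to be reachable.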
