mrkggg
By:
mrkggg

VPN Trouble - Unable to connect to internet via VPN

July 8, 2014 5.7k views

Hello:

I currently am running centos 6 and I followed the instructions found here (https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp
) To install a vpn on my droplet. I am able to connect to the vpn using PTPP however, when I am connected I am not able to connect to the outside internet?

If anyone knows of any quick fixes that would be wonderful or if you wouldn't mind taking a look at my box that would also be helpful feel free to email me at markg@codebluehost.com to contact me.

Thanks again so much!
Mark :)

Log In to Comment
6 Answers
kamaln7 MOD July 11, 2014

What's the output of the two following commands?

sysctl net.ipv4.ip_forward
sudo iptables-save
Reply
mrkggg July 15, 2014

The first one outputs this net.ipv4.ip_forward = 1

Reply
ra.abooali July 18, 2014

If your main purpose of setting up the VPN server is to access website, So traffic has to be forwarded out of the VPN server’s public network interface.Thus, kindly enable port forwarding by editing the sysctl.conf file. I assume “net.ipv4.ip_forward” is commented in the /etc/sysctl.conf file:

nano /etc/sysctl.conf

Add or find and comment out the following line

net.ipv4.ip_forward=1

Save, close the file and run the following command to make the changes take effect.

sysctl -p

The following iptables firewall rules allow port 1723, GRE and perform NAT

iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

In the last rule replace “eth0″ with the interface connecting to the internet on your VPN server. Finally the following rule is required to ensure websites load properly.

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS  --clamp-mss-to-pmtu

Replace 172.20.1.0/24 with the IP address range used in the “remoteip” option in the /etc/pptpd.conf this firewall rule is used to ensure a proper MTU value is used to prevent fragmentation.

Hope it could help.

Reply
  • mrkggg July 20, 2014

    Hmm.. Thanks so much for your help I followed your directions, however I am still having trouble is there any way you could maybe shoot me an email at mrkggg@gmail.com and I can throw you the login and you can take a look :) It would be greatly appreciated as I have been working at this for almost a month now without any luck.

    Thanks again so much for your help,
    Mark

  • kamaln7 MOD July 21, 2014

    Can you post the output of iptables-save?

mrkggg July 22, 2014

Sure:

Generated by iptables-save v1.4.7 on Tue Jul 22 17:35:06 2014

*filter
:INPUT DROP [558:34182]
:FORWARD DROP [381:22925]
:OUTPUT DROP [0:0]
:accept-n-log - [0:0]
:drop-n-log - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent --set --name ssh --rsource
-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A accept-n-log -j LOG --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-A drop-n-log -j LOG --log-prefix "drop-n-log:"
-A drop-n-log -j DROP
COMMIT

Completed on Tue Jul 22 17:35:06 2014
Reply
  • kamaln7 MOD July 22, 2014

    Try running

    sudo iptables -P FORWARD ACCEPT

    Does that fix it? If not, try running this command as well:

    sudo iptables -P OUTPUT ACCEPT
mrkggg July 26, 2014

Hmm, unfortunately I am still having no luck after inputting those commands. Here is my full iptables file:

# Generated by iptables-save v1.4.7 on Mon Jun 23 17:55:04 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

#Logging Network Traffic

:accept-n-log - [0:0]
:drop-n-log - [0:0]
-A accept-n-log -j LOG --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-A drop-n-log -j LOG --log-prefix "drop-n-log:"
-A drop-n-log -j DROP

#SSH Logging and Brute Force Protection

-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent --set --name ssh --rsource
-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

#Mumble Server

-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT

#DOS protection on port 80

-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT

# Port 80 Outgoing Connections - Yum and other services

-A OUTPUT -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT

# SSH Port

-A INPUT -p tcp -m tcp --dport 1025 -j ACCEPT

# Web Port (http and https)
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

#Internal -> External Allowed and all requests from server

-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#Established and Related Connections

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#VPN Port
-I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
-I INPUT -p gre -j ACCEPT
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 10.0.1.0/24 -j TCPMSS  --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun 23 17:55:04 2014

This is the log after I input the file as well as restarted iptables.

Thanks again for your help I really appreciate it so much!

Mark

Reply
  • kamaln7 MOD July 27, 2014

    It doesn't look like the changes took effect. Try running service iptables save after running

    sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

    Also make sure the NAT rule (Step 4 of How To Setup Your Own VPN With PPTP) is present:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
mrkggg July 31, 2014

Thanks so much that worked!

Reply
Have another answer? Share your knowledge.