Question

VPN Trouble - Unable to connect to internet via VPN

Posted July 8, 2014 8.4k views

Hello:

I currently am running centos 6 and I followed the instructions found here (https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp
) To install a vpn on my droplet. I am able to connect to the vpn using PTPP however, when I am connected I am not able to connect to the outside internet?

If anyone knows of any quick fixes that would be wonderful or if you wouldn’t mind taking a look at my box that would also be helpful feel free to email me at markg@codebluehost.com to contact me.

Thanks again so much!
Mark :)

Add a comment
mrkggg
By:
mrkggg

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
6 answers
kamaln7 July 11, 2014

What’s the output of the two following commands?

sysctl net.ipv4.ip_forward
sudo iptables-save
Reply Report
mrkggg July 15, 2014

The first one outputs this net.ipv4.ip_forward = 1

Reply Report
ra.abooali July 18, 2014

If your main purpose of setting up the VPN server is to access website, So traffic has to be forwarded out of the VPN server’s public network interface.Thus, kindly enable port forwarding by editing the sysctl.conf file. I assume “net.ipv4.ip_forward” is commented in the /etc/sysctl.conf file:

nano /etc/sysctl.conf

Add or find and comment out the following line

net.ipv4.ip_forward=1

Save, close the file and run the following command to make the changes take effect.

sysctl -p

The following iptables firewall rules allow port 1723, GRE and perform NAT

iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

In the last rule replace “eth0″ with the interface connecting to the internet on your VPN server. Finally the following rule is required to ensure websites load properly.

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS  --clamp-mss-to-pmtu

Replace 172.20.1.0/24 with the IP address range used in the “remoteip” option in the /etc/pptpd.conf this firewall rule is used to ensure a proper MTU value is used to prevent fragmentation.

Hope it could help.

Reply Report
  • mrkggg July 20, 2014

    Hmm.. Thanks so much for your help I followed your directions, however I am still having trouble is there any way you could maybe shoot me an email at mrkggg@gmail.com and I can throw you the login and you can take a look :) It would be greatly appreciated as I have been working at this for almost a month now without any luck.

    Thanks again so much for your help,
    Mark

    Reply Report
  • kamaln7 July 21, 2014

    Can you post the output of iptables-save?

    Reply Report
mrkggg July 22, 2014

Sure:

Generated by iptables-save v1.4.7 on Tue Jul 22 17:35:06 2014

*filter
:INPUT DROP [558:34182]
:FORWARD DROP [381:22925]
:OUTPUT DROP [0:0]
:accept-n-log - [0:0]
:drop-n-log - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp –dport 1723 -m state –state NEW -j ACCEPT
-A INPUT -p tcp -m tcp –dport 1025 -m state –state NEW -m recent –set –name ssh –rsource
-A INPUT -p tcp -m tcp –dport 1025 -m state –state NEW -m recent ! –rcheck –seconds 60 –hitcount 4 –name ssh –rsource -j ACCEPT
-A INPUT -p udp -m udp –dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 80 -m limit –limit 25/min –limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 1025 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp –dport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu
-A OUTPUT -p tcp -m tcp –dport 80 -m state –state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp –sport 80 -m state –state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp –sport 443 -m state –state ESTABLISHED -j ACCEPT
-A OUTPUT -m state –state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A accept-n-log -j LOG –log-prefix “accept-n-log:”
-A accept-n-log -j ACCEPT
-A drop-n-log -j LOG –log-prefix “drop-n-log:”
-A drop-n-log -j DROP
COMMIT

Completed on Tue Jul 22 17:35:06 2014

Reply Report
  • kamaln7 July 22, 2014

    Try running

    sudo iptables -P FORWARD ACCEPT

    Does that fix it? If not, try running this command as well:

    sudo iptables -P OUTPUT ACCEPT
    Reply Report
mrkggg July 26, 2014

Hmm, unfortunately I am still having no luck after inputting those commands. Here is my full iptables file:

# Generated by iptables-save v1.4.7 on Mon Jun 23 17:55:04 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

#Logging Network Traffic

:accept-n-log - [0:0]
:drop-n-log - [0:0]
-A accept-n-log -j LOG --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-A drop-n-log -j LOG --log-prefix "drop-n-log:"
-A drop-n-log -j DROP

#SSH Logging and Brute Force Protection

-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent --set --name ssh --rsource
-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

#Mumble Server

-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT

#DOS protection on port 80

-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT

# Port 80 Outgoing Connections - Yum and other services

-A OUTPUT -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT

# SSH Port

-A INPUT -p tcp -m tcp --dport 1025 -j ACCEPT

# Web Port (http and https)
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

#Internal -> External Allowed and all requests from server

-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#Established and Related Connections

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#VPN Port
-I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
-I INPUT -p gre -j ACCEPT
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 10.0.1.0/24 -j TCPMSS  --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun 23 17:55:04 2014

This is the log after I input the file as well as restarted iptables.

Thanks again for your help I really appreciate it so much!

Mark

Reply Report
  • kamaln7 July 27, 2014

    It doesn’t look like the changes took effect. Try running service iptables save after running

    sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

    Also make sure the NAT rule (Step 4 of How To Setup Your Own VPN With PPTP) is present:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    Reply Report
mrkggg July 31, 2014

Thanks so much that worked!

Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help