By: mrkggg

VPN Trouble - Unable to connect to internet via VPN

July 8, 2014

Hello:

I am currently running CentOS 6 and I followed the instructions found here (https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp) to install a VPN on my droplet. I am able to connect to the VPN using PPTP; however, when I am connected I am not able to connect to the outside internet.

If anyone knows of any quick fixes that would be wonderful, or if you wouldn't mind taking a look at my box that would also be helpful; feel free to email me at markg@codebluehost.com.

Thanks again so much!
Mark :)

6 Answers

What's the output of the two following commands?

sysctl net.ipv4.ip_forward
sudo iptables-save

The first one outputs this: net.ipv4.ip_forward = 1

If the main purpose of setting up the VPN server is to access websites, traffic has to be forwarded out of the VPN server's public network interface. Thus, kindly enable port forwarding by editing the sysctl.conf file. I assume "net.ipv4.ip_forward" is commented in the /etc/sysctl.conf file:

nano /etc/sysctl.conf

Add or find and comment out the following line

net.ipv4.ip_forward=1

Save, close the file and run the following command to make the changes take effect.

sysctl -p

The following iptables firewall rules allow port 1723, GRE and perform NAT

iptables -I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

In the last rule replace "eth0" with the interface connecting to the internet on your VPN server. Finally, the following rule is required to ensure websites load properly.

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS --clamp-mss-to-pmtu

Replace 172.20.1.0/24 with the IP address range used in the "remoteip" option in /etc/pptpd.conf. This firewall rule ensures a proper MTU value is used, to prevent fragmentation.

Hope it could help.

  • Hmm... Thanks so much for your help. I followed your directions; however, I am still having trouble. Is there any way you could maybe shoot me an email at mrkggg@gmail.com? I can throw you the login and you can take a look :) It would be greatly appreciated, as I have been working at this for almost a month now without any luck.

    Thanks again so much for your help,
    Mark

  • Can you post the output of iptables-save?

Sure:

# Generated by iptables-save v1.4.7 on Tue Jul 22 17:35:06 2014

*filter
:INPUT DROP [558:34182]
:FORWARD DROP [381:22925]
:OUTPUT DROP [0:0]
:accept-n-log - [0:0]
:drop-n-log - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent --set --name ssh --rsource
-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A accept-n-log -j LOG --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-A drop-n-log -j LOG --log-prefix "drop-n-log:"
-A drop-n-log -j DROP
COMMIT

# Completed on Tue Jul 22 17:35:06 2014

  • Try running

    sudo iptables -P FORWARD ACCEPT
    

    Does that fix it? If not, try running this command as well:

    sudo iptables -P OUTPUT ACCEPT
    

Hmm, unfortunately I am still having no luck after inputting those commands. Here is my full iptables file:

# Generated by iptables-save v1.4.7 on Mon Jun 23 17:55:04 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

#Logging Network Traffic

:accept-n-log - [0:0]
:drop-n-log - [0:0]
-A accept-n-log -j LOG --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-A drop-n-log -j LOG --log-prefix "drop-n-log:"
-A drop-n-log -j DROP

#SSH Logging and Brute Force Protection

-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent --set --name ssh --rsource
-A INPUT -p tcp -m tcp --dport 1025 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

#Mumble Server

-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT

#DOS protection on port 80

-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT

# Port 80 Outgoing Connections - Yum and other services

-A OUTPUT -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT

# SSH Port

-A INPUT -p tcp -m tcp --dport 1025 -j ACCEPT

# Web Port (http and https)
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

#Internal -> External Allowed and all requests from server

-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#Established and Related Connections

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#VPN Port
-I INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
-I INPUT -p gre -j ACCEPT
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 10.0.1.0/24 -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun 23 17:55:04 2014

This is the file after I loaded it and restarted iptables.

Thanks again for your help I really appreciate it so much!

Mark

  • It doesn't look like the changes took effect. Try running service iptables save after running

    sudo iptables -P FORWARD ACCEPT
    sudo iptables -P OUTPUT ACCEPT
    

    Also make sure the NAT rule (Step 4 of How To Setup Your Own VPN With PPTP) is present:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    

Thanks so much that worked!
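As an added example that is not part of the thread, here is a small POSIX shell audit that checks an iptables-save dump for the four things the answer above and the final comment turn out to hinge on: a FORWARD chain that accepts, a MASQUERADE rule in the nat table, and INPUT rules for GRE and tcp/1723. The function names and the two trimmed sample dumps (the dump as posted, and the same dump after the final fix) are constructed for this example; run against the posted dump it flags exactly the two items that were missing.

```shell
# Added example, not from the thread: audit an iptables-save dump for the rules a
# PPTP server needs and return the number of missing items (0 = all present).
check_pptp_rules() {
    dump="$1"; missing=0
    miss() { echo "MISSING: $1"; missing=$((missing + 1)); }
    # 1. Forwarding must be allowed: FORWARD policy ACCEPT or an explicit ACCEPT rule.
    grep -Eq '^:FORWARD ACCEPT|^-A FORWARD .*-j ACCEPT' "$dump" ||
        miss "FORWARD chain drops traffic (policy DROP, no ACCEPT rule)"
    # 2. NAT: a MASQUERADE rule inside the nat table's POSTROUTING chain.
    awk '/^\*nat/{t=1} /^COMMIT/{t=0} t && /^-A POSTROUTING .*-j MASQUERADE/{f=1} END{exit f ? 0 : 1}' "$dump" ||
        miss "nat POSTROUTING MASQUERADE rule"
    # 3. GRE carries the PPTP tunnel itself.
    grep -Eq '^-A INPUT .*-p gre .*-j ACCEPT' "$dump" || miss "INPUT rule accepting GRE"
    # 4. tcp/1723 is the PPTP control connection.
    grep -Eq '^-A INPUT .*--dport 1723 .*-j ACCEPT' "$dump" || miss "INPUT rule accepting tcp/1723"
    return "$missing"
}

# Constructed sample: a trimmed copy of the dump posted in the thread (before the fix).
write_posted_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [558:34182]
:FORWARD DROP [381:22925]
:OUTPUT DROP [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# The same dump after the fix from the last comment: FORWARD/OUTPUT policy ACCEPT
# plus the nat MASQUERADE rule on eth0 (iptables-save writes each table separately).
write_fixed_dump() {
    write_posted_dump "$1"
    sed 's/^:FORWARD DROP/:FORWARD ACCEPT/; s/^:OUTPUT DROP/:OUTPUT ACCEPT/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n' >> "$1"
}

# Run on both samples (the || keeps a non-zero count from aborting under set -e).
tmp=$(mktemp)
write_posted_dump "$tmp"; check_pptp_rules "$tmp" || echo "posted dump: $? item(s) missing"
write_fixed_dump "$tmp"; check_pptp_rules "$tmp" && echo "fixed dump: all rules present"
rm -f "$tmp"
```

Note that `iptables -P FORWARD ACCEPT` forwards for every source; accepting in FORWARD only for the remoteip range from /etc/pptpd.conf (as the TCPMSS rule above already does) is the tighter option, and the first check accepts either form.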
