No pptp pass-through with 18.06.4

I installed kmod-nf-nathelper-extra on my Archer C7 V5 running 18.06.4 but it didn't make any difference. I still can't connect to VPN using Windows 7 unless I take the router out of the circuit and connect my Windows box directly to the ISP's modem. Then I can connect easily, so I surmise something about the router is the problem.

Otherwise the router is working great under pretty heavy loads.

Which kind of VPN? Something Windows-specific, OpenVPN, WireGuard, IPSec, ... ?

Edit:

So I still need a bit more information as to which flavor of PPTP you're using. A bit of a challenge as well, as Windows 7 was EOLed for mainstream customers in 2015.

Reading that it uses GRE, have you enabled forwarding of GRE (proto 47) through the router?

As the title of my note says: PPTP.

Other info: optional encryption, allowed protocols are unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), MS-CHAP v2, IPV6, IPV4. I'm not sure which of the foregoing are actually used.

I only need this VPN for one occasional purpose -- rebuilding a remote server -- and I'm attempting to avoid the Microsoft Tax as long as possible. The remote server owner says only Microsoft will work (not sure about that).

How, exactly, does one enable forwarding of GRE? I bet that's the problem.

I’m unfortunately not an iptables user, so perhaps changing the title of the thread might catch the attention of someone with that expertise.

It’s probably similar to the IPSec rule.

Ah. I changed the title per your suggestion (thanks). I'm guessing that host-specific GRE forwarding instructions might work, but it would be nicer if it could be made to work for any LAN host, or for multiple LAN hosts.

Add a new port forward (traffic redirection) rule. Set source zone to wan, destination zone to lan, destination ip to your internal lan vpn client.
Set the protocol to "-- custom --" and then enter "gre" as value, hit save & apply.

I think you may need the "reverse" of that, where GRE can be forwarded from any host in the LAN zone to any host in the WAN zone (no source/destination IP needed).

Edit: I don't know the direction of the initiation of the connection. My comment above assumes that your "inside" Windows box initiates the GRE tunnel.

By default all traffic from LAN to WAN should be allowed. This means that outgoing PPTP connections will work (tcp/1723 and ip/47).
Can you verify that the connection is outbound?
Have you changed anything in the firewall settings? (Paste here the output of uci show firewall.)


Well, that didn't work, but it was interesting. The original error report was:

"Disconnected" Error 619 (in Windows-land)

When I forwarded WAN:1723 to [LAN host]:1723, the error became:

Connecting to [IP] using "WAN Miniport (PPTP)"... Error 807 (in Windows-land)

#The following stanza from /overlay/upper/etc/config/firewall made that difference:
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto '47'
        option src_dport '1723'
        option dest_ip '192.168.4.88'
        option dest_port '1723'
        option name 'sybilwl0-pptp'
## The following stanza made the router unable to handle ordinary web traffic (I don't know why):
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1701'
        option dest_ip '192.168.4.88'
        option dest_port '1701'
        option name 'sybilwl1-pptp'
#Output of uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
#[ 70 miscellaneous redirects omitted.
#  By the way, LuCI can't manage them all and silently
#  omits the rest, but they all work since I edit the file directly with nano.]

You are 1/2 way there.
You need to add:

# OpenWrt 18.06 additional step
cat << EOF > /etc/sysctl.d/20-nf-conntrack-helper.conf
net.netfilter.nf_conntrack_helper = 1
EOF
service sysctl restart

Check the page below:

https://openwrt.org/docs/guide-user/services/vpn/pptp/nat_traversal

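Pulling the two useful replies together (the one pointing out that LAN to WAN forwarding already covers outbound tcp/1723 and ip/47, and the final one adding the 18.06 conntrack-helper sysctl), here is an added example that is not code from the thread or from OpenWrt. It is a small POSIX shell script that audits a `uci show firewall` dump for the lan to wan forwarding section, flags any redirect that pairs GRE with port options (GRE has no ports, and an outbound PPTP client needs no inbound DNAT at all), checks the `nf_conntrack_helper` value, and prints the remediation from the final reply instead of running it. The dump, the sysctl value and all function names are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: audit a
# `uci show firewall` dump for what an outbound PPTP client behind OpenWrt
# 18.06 NAT needs, and print the remediation from the final reply.
# SAMPLE_UCI is constructed from the poster's output plus a redirect of the
# kind they added (proto 47 combined with port options).

SAMPLE_UCI=$(cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='47'
firewall.@redirect[0].src_dport='1723'
firewall.@redirect[0].dest_ip='192.168.4.88'
firewall.@redirect[0].dest_port='1723'
firewall.@redirect[0].name='sybilwl0-pptp'
EOF
)

# The same dump without the redirect: what a stock 18.06 firewall looks like.
CLEAN_UCI=$(printf '%s\n' "$SAMPLE_UCI" | grep -v '@redirect')

# Field separator that splits "firewall.@sec[N].key='value'" so that
# $2 is the section index and $5 is the unquoted value.
UCI_FS="[]='[]"

# Is there a forwarding section from lan to wan?  Prints yes/no.  With it in
# place, outbound tcp/1723 and GRE (ip/47) need no extra rule or redirect.
has_lan_to_wan_forwarding() {
    printf '%s\n' "$1" | awk -F"$UCI_FS" '
        /^firewall\.@forwarding\[[0-9]+\]\.src=/  && $5 == "lan" { src[$2] = 1 }
        /^firewall\.@forwarding\[[0-9]+\]\.dest=/ && $5 == "wan" { dst[$2] = 1 }
        END { for (i in src) if (i in dst) { print "yes"; exit }; print "no" }'
}

# Redirect sections that pair GRE (proto 47 or gre) with port options.
# GRE carries no ports, so the port options are meaningless, and an
# outbound client does not need an inbound DNAT anyway.  Prints their names.
gre_redirects_with_ports() {
    printf '%s\n' "$1" | awk -F"$UCI_FS" '
        /^firewall\.@redirect\[[0-9]+\]\.proto=/ && ($5 == "47" || $5 == "gre") { gre[$2] = 1 }
        /^firewall\.@redirect\[[0-9]+\]\.(src_dport|dest_port)=/ { port[$2] = 1 }
        /^firewall\.@redirect\[[0-9]+\]\.name=/ { name[$2] = $5 }
        END { for (i in gre) if (i in port) { lbl = (i in name) ? name[i] : "@redirect[" i "]"; print lbl } }'
}

# Given the output of `sysctl -n net.netfilter.nf_conntrack_helper`, say
# whether the PPTP/GRE helper from kmod-nf-nathelper-extra will attach to
# new connections; the final reply's sysctl fragment sets it to 1.
helper_enabled() {
    if [ "$1" = "1" ]; then echo yes; else echo no; fi
}

# Verdict for one dump plus the sysctl value; reasons go to stderr.
audit() {
    fwd=$(has_lan_to_wan_forwarding "$1")
    bad=$(gre_redirects_with_ports "$1")
    helper=$(helper_enabled "$2")
    [ -n "$bad" ] && echo "remove GRE redirect(s) with ports: $bad" >&2
    [ "$fwd" = yes ] || echo "no lan->wan forwarding section" >&2
    [ "$helper" = yes ] || echo "net.netfilter.nf_conntrack_helper is not 1" >&2
    if [ "$fwd" = yes ] && [ -z "$bad" ] && [ "$helper" = yes ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# The fix from the final reply, printed rather than executed, for the
# router's shell (the package name is the one from the first post).
print_remediation() {
    cat <<'EOF'
opkg install kmod-nf-nathelper-extra
cat << EOS > /etc/sysctl.d/20-nf-conntrack-helper.conf
net.netfilter.nf_conntrack_helper = 1
EOS
service sysctl restart
EOF
}

audit "$SAMPLE_UCI" 0        # FAIL: redirect misuses ports, helper off
audit "$CLEAN_UCI" 1         # PASS
[ "$(audit "$CLEAN_UCI" 0 2>/dev/null)" = PASS ] || print_remediation
```

Run it on a real box by replacing `SAMPLE_UCI` with `$(uci show firewall)` and the second `audit` argument with `$(sysctl -n net.netfilter.nf_conntrack_helper)`; the awk parsing only relies on the `section[N].key='value'` shape that `uci show` prints.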