PPTP dial-up fail on OpenWrt 21.02


After using Openwrt 21.02 with nf_conntrack_pptp and nf_ct_proto_gre enabled, pptp failed to dial-up to server while firewall WAN input policy was REJECT. (PPTP worked normally when changed WAN input policy to ACCEPT.)

It seems that GRE conntrack was not setup properly, and always UNREPLIED.
Does anyone encounter some issue? Thanks!!!

root@OpenWrt:/# lsmod |grep pptp
gre                    16384  3 pptp,ip6_gre,ip_gre
nf_conntrack_pptp      16384  2 nf_nat_pptp
nf_nat                 40960 10 iptable_nat,xt_nat,xt_REDIRECT,xt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_amanda
nf_nat_pptp            16384  0
ppp_generic            45056 10 pppoe,ppp_async,l2tp_ppp,pptp,pppox,ppp_mppe
pppox                  16384  3 pppoe,l2tp_ppp,pptp
pptp                   28672  2

root@OpenWrt:/proc/6903/net# cat nf_conntrack |grep  gre
ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src= dst= srckey=0x0 dstkey=0x1 packets=1107 bytes=68301 [UNREPLIED] src= dst= srckey=0x1 dstkey=0x0 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src= dst= srckey=0x0 dstkey=0x401f packets=1145 bytes=72183 [UNREPLIED] src= dst= srckey=0x401f dstkey=0x0 packets=0 bytes=0 mark=0 zone=0 use=2

You need to add a firewall rule that explicitly enables GRE packets coming in to this device. I.e., this /etc/config/firewall fragment:

config rule
	option name 'Allow-GRE'
	list proto 'gre'
	option src 'wan'
	option target 'ACCEPT'

Hi @patrakov, thanks for your reply.

It does work after adding the GRE coming in rules, but what I'm curious about is that the GRE conntrack might work for the GRE coming in packets before the wan input chain.
And it seems the conntrack did not work, is that right??

I am not sure what happens here. The nf_conntrack_pptp module is indeed supposed to recognize that the GRE packets are related to the already established TCP control connection.

For debugging, we can check whether the firewall rules that apply the helpers exist at all.

On OpenWRT 22.03:

nft list ruleset | grep helper

On older versions:

iptables-save | grep helper

I finally found the solution in post
[Solved] Ar71xx Kernel 4.9 PPTP Passthrough not working (TL-WR942N v1).

But the root cause of this issue is that nf_conntrack_helper default is not enable for security issue.
Can check it from post below.

And from kernel log, it suggests using CT firewall rule instead of enable nf_conntrack_helper for CT helper.

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

Solution is either one of the three

  1. Add a line to the file /etc/sysctl.d/99-pptp.conf (create this file)
    "net.netfilter.nf_conntrack_helper = 1"
  2. echo 1 > proc/sys/net/netfilter/nf_conntrack_helper
  3. add firewall rule "iptables -I OUTPUT -t raw -p tcp --dport 1723 -j CT --helper pptp" (might be the best)

And if you use openwrt, you can just add "iptables -I OUTPUT -t raw -p tcp --dport 1723 -j CT --helper pptp" to the openwrt ui - Firewall - Custom Rules.

(BTW iptables and the custom rule file don't exist by default in version 22.)

1 Like

Thanks for the reminder! :grinning:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.