PPTP dial-up fail on OpenWrt 21.02

hi,

After using OpenWrt 21.02 with nf_conntrack_pptp and nf_ct_proto_gre enabled, PPTP failed to dial up to the server while the firewall WAN input policy was REJECT. (PPTP worked normally after changing the WAN input policy to ACCEPT.)

It seems that the GRE conntrack was not set up properly and was always UNREPLIED.
Has anyone encountered this issue? Thanks!!!

root@OpenWrt:/# lsmod |grep pptp
gre                    16384  3 pptp,ip6_gre,ip_gre
nf_conntrack_pptp      16384  2 nf_nat_pptp
nf_nat                 40960 10 iptable_nat,xt_nat,xt_REDIRECT,xt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_amanda
nf_nat_pptp            16384  0
ppp_generic            45056 10 pppoe,ppp_async,l2tp_ppp,pptp,pppox,ppp_mppe
pppox                  16384  3 pppoe,l2tp_ppp,pptp
pptp                   28672  2

root@OpenWrt:/proc/6903/net# cat nf_conntrack |grep  gre
ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src=10.10.20.1 dst=10.10.20.254 srckey=0x0 dstkey=0x1 packets=1107 bytes=68301 [UNREPLIED] src=10.10.20.254 dst=10.10.20.1 srckey=0x1 dstkey=0x0 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src=10.10.20.254 dst=10.10.20.1 srckey=0x0 dstkey=0x401f packets=1145 bytes=72183 [UNREPLIED] src=10.10.20.1 dst=10.10.20.254 srckey=0x401f dstkey=0x0 packets=0 bytes=0 mark=0 zone=0 use=2

You need to add a firewall rule that explicitly enables GRE packets coming in to this device. I.e., this /etc/config/firewall fragment:

config rule
	option name 'Allow-GRE'
	list proto 'gre'
	option src 'wan'
	option target 'ACCEPT'

Hi @patrakov, thanks for your reply.

It does work after adding the rule for incoming GRE, but what I'm curious about is that the GRE conntrack might work for the incoming GRE packets before the WAN input chain.
And it seems the conntrack did not work, is that right??

I am not sure what happens here. The nf_conntrack_pptp module is indeed supposed to recognize that the GRE packets are related to the already established TCP control connection.

For debugging, we can check whether the firewall rules that apply the helpers exist at all.

On OpenWRT 22.03:

nft list ruleset | grep helper

On older versions:

iptables-save | grep helper

I finally found the solution in the post
[Solved] Ar71xx Kernel 4.9 PPTP Passthrough not working (TL-WR942N v1).

But the root cause of this issue is that nf_conntrack_helper is not enabled by default, for security reasons.
You can check it in the commit below.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=8f9872be6db939a75a075cd893a47ce5742cee00

And the kernel log suggests using a CT firewall rule instead of enabling nf_conntrack_helper for the CT helper.

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

The solution is any one of these three:

  1. Add a line to the file /etc/sysctl.d/99-pptp.conf (create this file)
    "net.netfilter.nf_conntrack_helper = 1"
  2. echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
  3. add firewall rule "iptables -I OUTPUT -t raw -p tcp --dport 1723 -j CT --helper pptp" (might be the best)

And if you use OpenWrt, you can just add "iptables -I OUTPUT -t raw -p tcp --dport 1723 -j CT --helper pptp" in the OpenWrt UI under Firewall - Custom Rules.

(BTW iptables and the custom rule file don't exist by default in version 22.)
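A small diagnostic for the symptom in this thread, added here as an example (it is not from any poster and not part of OpenWrt): given a conntrack dump in the /proc/net/nf_conntrack format shown above, an iptables-save dump and the current nf_conntrack_helper value, it reports whether a pptp helper was ever attached and whether GRE flows are stuck in [UNREPLIED]. The sample inputs are constructed; the iptables-save line is what the thread's CT rule looks like in a raw-table dump.

```shell
#!/bin/sh
# Diagnose PPTP-through-firewall failures: no helper on the TCP/1723 control
# connection means no GRE expectation, so incoming GRE is NEW (not RELATED),
# hits the WAN input REJECT, and conntrack shows GRE entries as [UNREPLIED].

# Count GRE entries (nf_conntrack proc format) that never received a reply.
count_unreplied_gre() {
    printf '%s\n' "$1" | grep -c 'gre .*\[UNREPLIED\]' || true
}

# True when an iptables-save dump attaches the pptp helper with a CT rule.
has_ct_helper_rule() {
    printf '%s\n' "$1" | grep -q -- '--dport 1723 -j CT --helper pptp'
}

# Verdict: $1 conntrack dump, $2 iptables-save dump, $3 nf_conntrack_helper value.
#   no-helper-assignment               -> add the CT rule or the sysctl
#   helper-attached-but-gre-unreplied  -> helper exists; check the GRE/WAN input rule
#   ok                                 -> nothing stuck
diagnose_pptp() {
    unreplied=$(count_unreplied_gre "$1")
    if [ "$3" = "1" ] || has_ct_helper_rule "$2"; then
        if [ "$unreplied" -gt 0 ]; then
            echo "helper-attached-but-gre-unreplied"
        else
            echo "ok"
        fi
    else
        echo "no-helper-assignment"
    fi
}

# Constructed sample in /proc/net/nf_conntrack format (abridged from the thread).
SAMPLE_CT='ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src=10.10.20.1 dst=10.10.20.254 srckey=0x0 dstkey=0x1 packets=1107 bytes=68301 [UNREPLIED] src=10.10.20.254 dst=10.10.20.1 srckey=0x1 dstkey=0x0 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src=10.10.20.254 dst=10.10.20.1 srckey=0x0 dstkey=0x401f packets=1145 bytes=72183 [UNREPLIED] src=10.10.20.1 dst=10.10.20.254 srckey=0x401f dstkey=0x0 packets=0 bytes=0 mark=0 zone=0 use=2'

# Constructed iptables-save fragment of the raw table after applying fix 3.
SAMPLE_RULES='*raw
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT'

# Stand-alone run: helper disabled (0) and no CT rule, as on a stock 21.02 box.
diagnose_pptp "$SAMPLE_CT" "" 0
```

On a live router, feed it `cat /proc/net/nf_conntrack`, `iptables-save -t raw` and `cat /proc/sys/net/netfilter/nf_conntrack_helper` instead of the samples.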


Thanks for the reminder! :grinning:

