Tuesday, January 6, 2009

PPTP VPN through a Linux iptables/Netfilter firewall

I spent some time configuring a PPTP VPN for one of our offices yesterday, but it kept failing to connect during testing. Each failure generated these errors in the log of the firewall (the one I was VPN-ing to).

pptpd[9078]: GRE: Bad checksum from pppd.
pptpd[9078]: CTRL: Received PPTP Control Message (type: 15)
pptpd[9078]: CTRL: Got a SET LINK INFO packet with standard ACCMs
pptpd[9078]: GRE: read(fd=7,buffer=80505a0,len=8260) from network failed: status = -1 error = Protocol not available
pptpd[9078]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)

As my comp.sci instructor would say, "Bad Times".

The VPN connection worked from a direct-internet-connected host, so logically the VPN setup was probably right. Here in the office I am behind a Linux iptables firewall, and I deduced that it was probably the issue. Nothing was set to block the GRE protocol though, so I was a little puzzled.

I found this TLDP post (Do not bother reading it...) on how to make PPTP work through iptables. Ah-ha! It was the firewall. Then I realized that documentation was ancient. By ancient I mean it refers to the 2.0 and "new" 2.2 kernel. The current Linux kernel is > 2.6! Eep! It was probably translated from some obscure dead language, it is so old.

Anyway, the solution is much simpler... iptables has a module that allows PPTP to pass through NAT. My tale of woe was happily resolved with this command:

modprobe ip_nat_pptp

One more useful tidbit. You can see a list of available iptables modules with this command:

locate netfilter | grep '\.ko'

Good Luck,


Trenton D. Adams said...

Thanks for the post, I haven't used iptables in ages, as I have been using OpenBSD.

David said...

Thank you so much!

One more thing...

Some may have to run the command

modprobe ip_conntrack_pptp

After running this I was able to connect with VPN
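Added example (not part of the original post or its comments): a small check that reads a module listing in /proc/modules format and reports which of the two PPTP helpers mentioned above is still missing. It assumes newer kernels list these modules as nf_nat_pptp and nf_conntrack_pptp, with the ip_* names kept as aliases; the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find missing PPTP helpers in a /proc/modules-style listing.

# Print the roles ("conntrack", "nat") whose helper module is not loaded.
# Accepts the ip_* names used on this page and the nf_* names that newer
# kernels show in lsmod (assumption: your kernel uses one of the two).
pptp_helpers_missing() {
    awk '
        $1 == "ip_conntrack_pptp" || $1 == "nf_conntrack_pptp" { ct = 1 }
        $1 == "ip_nat_pptp"       || $1 == "nf_nat_pptp"       { nat = 1 }
        END {
            out = ""
            if (!ct)  out = "conntrack"
            if (!nat) out = (out == "" ? "nat" : out " nat")
            print out
        }'
}

# Map a missing role to the modprobe command given on this page.
pptp_fix_command() {
    case "$1" in
        conntrack) echo "modprobe ip_conntrack_pptp" ;;
        nat)       echo "modprobe ip_nat_pptp" ;;
        *)         return 1 ;;
    esac
}

# Constructed sample listings (not captured from a real host).
SAMPLE_BROKEN='iptable_nat 16384 1 - Live 0x0
nf_conntrack 65536 2 - Live 0x0
ip_tables 20480 1 - Live 0x0'
SAMPLE_PARTIAL='nf_conntrack_pptp 16384 0 - Live 0x0
nf_conntrack 65536 3 - Live 0x0'
SAMPLE_FIXED='ip_nat_pptp 16384 0 - Live 0x0
ip_conntrack_pptp 16384 1 ip_nat_pptp, Live 0x0
ip_conntrack 65536 3 - Live 0x0'

for sample in "$SAMPLE_BROKEN" "$SAMPLE_PARTIAL" "$SAMPLE_FIXED"; do
    missing=$(printf '%s\n' "$sample" | pptp_helpers_missing)
    if [ -z "$missing" ]; then
        echo "PPTP helpers loaded"
    else
        for role in $missing; do
            echo "missing $role helper: $(pptp_fix_command "$role")"
        done
    fi
done
```

On the NAT firewall itself, feed the function the live listing with `pptp_helpers_missing < /proc/modules`.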

Scott O'Brien said...

You would not believe how many hours I was trying to get this to work and find this solution. Thank you so much!

PabloGo said...

Thank you very much!

You saved me a lot of time!

See you!

Anonymous said...

I was fighting with this all day until I saw this post, thank you!

Anonymous said...

Yes, thanks a lot!
Obviously there had to be a solution - but I expected it to be far more complicated...

Anonymous said...

Thanks a lot man!
Spent >hour trying to understand why all usual TCP connections work but damn pptp-vpn doesn't.

Anonymous said...

You're a lifesaver

Thanks for your post

Will said...

This just saved me hours of faffing about. Thanks!

Night Elf said...

Thanks a lot!

Anonymous said...

Still valid even years later! Saved me so much time!

Bradley White said...

Thank you. Good solution.