Posted: Thu May 02, 2019 1:29 Post subject: Unable to access LAN devices through VPN server
Hi
I'm having issues with the VPN server on this setup.
I did search a lot and did not find any answer.
The problem:
I can connect to the VPN Server from an Android phone or another Windows PC from outside of the network but I cannot ping or access anything on the network.
The "Connected PPTP Clients" from the status page shows "None" even if the clients are "connected".
The setup:
Router Model: Linksys E1200 v1
Firmware Version: DD-WRT v3.0-r39469 mini (04/10/19)
Kernel Version: Linux 2.6.24.111 #7106 Wed Apr 10 01:14:37 CEST 2019 mips
Mode: Gateway
The VPN server configuration: Services / VPN:
- PPTP Server : Enable
- Broadcast Support : Enable
- MPPE Encryption : Enable
- DNS1/2 : Router IP
- WINS1/2 : Router IP
- MTU : 1436
- MRU : 1436
- Server IP : Router IP
- Client IP : "Subrange of the DHCP range"
The history:
Everything started when I upgraded the firmware from build 21061. At that time everything was going well. So I used the same settings.
The tests:
- I tried "older" build (37305 and 39296) : Same results as the 32469 build
- I tried to uncheck every box on the security page : No results
- I tried disabling the SPI Firewall : Everything works fine ! So it seems related to the firewall...
The logs:
When I connect to the server, I get this from Syslog:
Code:
daemon.info pptpd[1669]: CTRL: Client XXX.XX.XX.XXX control connection started
daemon.info pptpd[1669]: CTRL: Starting call (launching pppd, opening GRE)
daemon.notice pppd[1670]: pppd 2.4.7 started by root, uid 0
The following is probably not your current problem, but it's not a good idea to make the PPTP client range a subset of the DHCP server range. The DHCP server will NOT respect the fact that some IP within its range has been assigned by some other process. So you *could* end up w/ two or more devices w/ the same assigned IP.
That makes sense, but I tried both ways with the same results.
~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
45.XXX.XXX.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.88.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default modemcable001.1 0.0.0.0 UG 0 0 0 vlan2
ip route
Code:
~ # ip route
45.XXX.XXX.0/24 dev vlan2 scope link src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2
When you have the firewall enabled, do you by chance also have the "Limit PPTP Server Access" option enabled on that same page (Security->Firewall)? If so, try disabling it.
It's enabled at the moment, but I tried in the past to remove every box from that firewall page one time but leaving the firewall ON and I got the same issue. I've disabled it now.
And I also set the IP range for the PPTP server outside of the DHCP range.
eibgrad wrote:
According to the ifconfig and routing table dumps, at least as far as the PPTP server is concerned, there is no connected PPTP client. If there was, there would be a network interface defined like ppp0, or ppp1, etc.
Oh I think I did the logs wrong then. I had no PPTP clients connected indeed !
Here are the same commands with a PPTP client connected.
~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.88.40 * 255.255.255.255 UH 0 0 0 ppp0
45.XXX.XXX.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.88.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default modemcable001.1 0.0.0.0 UG 0 0 0 vlan2
Code:
~ # ip route
192.168.88.40 dev ppp0 scope link src 192.168.88.1
45.XXX.XXX.0/24 dev vlan2 scope link src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2
I'd be interested in what the syslog is reporting, particularly if it's reporting read/write errors w/ GRE.
Syslog only shows the same lines as first post :
Code:
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Client 204.XX.XX.8 control connection started
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Starting call (launching pppd, opening GRE)
May 3 21:45:20 Maison daemon.notice pppd[3989]: pppd 2.4.7 started by root, uid 0
Nothing more after that.
eibgrad wrote:
Since you already have Log Management enabled in the firewall (and it should be set to High, w/ all options enabled), check to see if anything catches your attention in the incoming or outgoing log wrt to PPTP. I can't be more exact because I'm not sure what the problem is.
That's a good idea. I looked for instances of the connected PPTP IP shown in syslog and the only thing I saw is when I'm connecting the client, there's a line saying that the TCP request on port 1723 was Accepted. Other than this, if I try to reach for instance the router's http WebUI from the connected client, I cannot see any request for this IP.
Weird...
Can you think of another way to troubleshoot this ?
Is "Connected PPTP Clients" (Status->LAN) still showing no client?
Yeah I still have no connected PPTP client from the status page.
eibgrad wrote:
Is it possible the local IP network on which the PPTP client is running is using the same IP network as your home network (192.168.88.x)?
The android phone I use for testing is on mobile data with Wifi Off to be sure I'm not on the home network.
It's the device with the 204.XX.XX.8 IP so it's not using the 192.168.88.x network I would think...
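The advice earlier in the thread about keeping the PPTP client range out of the DHCP range can be checked mechanically. The following is an added example, not part of any post in the thread: it flags a PPTP client range that collides with the DHCP pool, the router address, or the network/broadcast address. The LAN (192.168.88.0/24), router address (.1) and client address (.40) are taken from the routing tables above; the DHCP start address, lease count and the `a.b.c.d-e` range notation are assumptions.

```python
import ipaddress

def parse_pptp_range(spec):
    """Expand '192.168.88.40-45' (assumed notation) or a single IP into a set."""
    base, _, end = spec.strip().partition("-")
    first = ipaddress.IPv4Address(base)
    if not end:
        return {first}
    start_octet, last_octet = int(first) & 0xFF, int(end)
    if not start_octet <= last_octet <= 255:
        raise ValueError(f"bad range end in {spec!r}")
    return {first + i for i in range(last_octet - start_octet + 1)}

def dhcp_pool(start, max_users):
    """DHCP pool described as a start address plus a maximum lease count."""
    first = ipaddress.IPv4Address(start)
    return {first + i for i in range(max_users)}

def check_pptp_pool(lan, router_ip, dhcp_start, dhcp_users, pptp_spec):
    """Return a list of address-plan problems for the PPTP client range."""
    net = ipaddress.ip_network(lan)
    pptp = parse_pptp_range(pptp_spec)
    findings = []
    overlap = sorted(pptp & dhcp_pool(dhcp_start, dhcp_users))
    if overlap:
        findings.append(f"overlaps DHCP pool: {overlap[0]} to {overlap[-1]}")
    if ipaddress.IPv4Address(router_ip) in pptp:
        findings.append("includes the router's own address")
    if pptp & {net.network_address, net.broadcast_address}:
        findings.append("includes the network or broadcast address")
    return findings

if __name__ == "__main__":
    # Constructed values: DHCP start .20 with 50 leases is an assumption.
    for spec in ("192.168.88.40-45", "192.168.88.200-210"):
        print(spec, check_pptp_pool("192.168.88.0/24", "192.168.88.1",
                                    "192.168.88.20", 50, spec) or "ok")
```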