Unable to access LAN devices through VPN server

DD-WRT Forum > Advanced Networking
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Thu May 02, 2019 1:29    Post subject: Unable to access LAN devices through VPN server
Hi

I'm having issues with the VPN server on this setup.
I did search a lot and did not find any answer.

The problem:
I can connect to the VPN Server from an Android phone or another Windows PC from outside of the network but I cannot ping or access anything on the network.
The "Connected PPTP Clients" field on the status page shows "None" even when the clients are "connected".

The setup:
Router Model: Linksys E1200 v1
Firmware Version: DD-WRT v3.0-r39469 mini (04/10/19)
Kernel Version: Linux 2.6.24.111 #7106 Wed Apr 10 01:14:37 CEST 2019 mips
Mode: Gateway

The VPN server configuration:
Services / VPN:
- PPTP Server : Enable
- Broadcast Support : Enable
- MPPE Encryption : Enable
- DNS1/2 : Router IP
- WINS1/2 : Router IP
- MTU : 1436
- MRU : 1436
- Server IP : Router IP
- Client IP : "Subrange of the DHCP range"

Security / VPN Passthrough:
- IPSec Passthrough: Enable
- PPTP Passthrough: Enable
- L2TP Passthrough: Enable

The history:
Everything started when I upgraded the firmware from build 21061. At that time everything was going well, so I used the same settings.

The tests:
- I tried "older" builds (37305 and 39296): same results as the 32469 build
- I tried unchecking every box on the security page: no results
- I tried disabling the SPI Firewall: everything works fine! So it seems related to the firewall...

The logs:
When I connect to the server, I get this from Syslog:
Code:
daemon.info pptpd[1669]: CTRL: Client XXX.XX.XX.XXX control connection started
daemon.info pptpd[1669]: CTRL: Starting call (launching pppd, opening GRE)
daemon.notice pppd[1670]: pppd 2.4.7 started by root, uid 0

Nothing looks bad there...

Can anybody help me get this working?
Thanks!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Thu May 02, 2019 4:03
The following is probably not your current problem, but it's not a good idea to make the PPTP client range a subset of the DHCP server range. The DHCP server will NOT respect the fact that some IP within its range has been assigned by some other process. So you *could* end up w/ two or more devices w/ the same assigned IP.

Once the PPTP client is connected (or at least seems connected), dump the related data structures. And keep the firewall ON since that's the only secure solution.

Code:
ifconfig
route
ip route
iptables -vnL INPUT
cat /proc/net/ip_conntrack | grep 'dport=1723 '
cat /proc/net/nf_conntrack | grep 'dport=1723 '
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Fri May 03, 2019 2:31
eibgrad wrote:
The following is probably not your current problem, but it's not a good idea to make the PPTP client range a subset of the DHCP server range. The DHCP server will NOT respect the fact that some IP within its range has been assigned by some other process. So you *could* end up w/ two or more devices w/ the same assigned IP.


That makes sense, but I tried both ways with the same results.

Here are the results of the commands:

ifconfig

Code:
~ # ifconfig
br0       Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          inet addr:192.168.88.1  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4454950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6829164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1773088540 (1.6 GiB)  TX bytes:3617998528 (3.3 GiB)

eth0      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9995920 errors:269 dropped:0 overruns:269 frame:269
          TX packets:26041612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:391934408 (373.7 MiB)  TX bytes:1306481702 (1.2 GiB)
          Interrupt:4 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E1
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21724388 errors:198 dropped:0 overruns:0 frame:4811653
          TX packets:5000249 errors:33215 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1701314270 (1.5 GiB)  TX bytes:823524271 (785.3 MiB)
          Interrupt:3 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:2188 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2188 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:246792 (241.0 KiB)  TX bytes:246792 (241.0 KiB)

vlan1     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3244079 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23088245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1459401090 (1.3 GiB)  TX bytes:145370104 (138.6 MiB)

vlan2     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E0
          inet addr:45.XXX.XXX.2  Bcast:45.XXX.XXX.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6738057 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2953367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3045463207 (2.8 GiB)  TX bytes:1161111598 (1.0 GiB)


route

Code:
~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
45.XXX.XXX.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.88.0    *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         modemcable001.1 0.0.0.0         UG    0      0        0 vlan2


ip route

Code:
~ # ip route
45.XXX.XXX.0/24 dev vlan2 scope link  src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link  src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2


iptables -vnL INPUT

Code:
~ # iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
48155 5463K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    9   420 logbrute   tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    9   420 logaccept  tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    2   660 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
   60  5940 logaccept  47   --  *      *       0.0.0.0/0            0.0.0.0/0
    1  1500 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
   19  1089 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
  755 27180 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0
  165 10500 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
48842   10M logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
57992 6600K logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0


cat /proc/net/ip_conntrack | grep 'dport=1723 ' and cat /proc/net/nf_conntrack | grep 'dport=1723 '

No results returned


Thank you for helping me out
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri May 03, 2019 4:20
According to the ifconfig and routing table dumps, at least as far as the PPTP server is concerned, there is no connected PPTP client. If there was, there would be a network interface defined like ppp0, or ppp1, etc.

In brighter news, I can see packets coming in from the WAN (vlan2) on the PPTP port (1723), and the GRE protocol (47) being used as well (also part of the PPTP requirements). So I don't see where the firewall is preventing access. Yet you say disabling the firewall makes it work. Weird.

When you have the firewall enabled, do you by chance also have the "Limit PPTP Server Access" option enabled on that same page (Security->Firewall)? If so, try disabling it.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri May 03, 2019 6:10
In all honesty, if there is a bug that's causing the problem, the chances it will ever be addressed are mighty slim. I wouldn't be surprised if the PPTP server and client are actually removed from dd-wrt in the future. I know of at least one bug related to using a dd-wrt PPTP client w/ a dd-wrt PPTP server that's been around for YEARS. If you complain, everyone will tell you the solution is OpenVPN. IOW, for all intents and purposes, PPTP is effectively deprecated.

If you don't want to go the OpenVPN route, another option is to try tomato instead (my preference, FreshTomato). According to wikidevi.com, your Linksys E1200 v1 should be supported. That's what I always use for my primary router. And I know the PPTP server there works just fine (was testing it only just today for unrelated reasons).
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Fri May 03, 2019 11:47
eibgrad wrote:
When you have the firewall enabled, do you by chance also have the "Limit PPTP Server Access" option enabled on that same page (Security->Firewall)? If so, try disabling it.


It's enabled at the moment, but in the past I tried unchecking every box on that firewall page while leaving the firewall ON, and I got the same issue. I've disabled it now.
I also set the IP range for the PPTP server outside of the DHCP range.

eibgrad wrote:
According to the ifconfig and routing table dumps, at least as far as the PPTP server is concerned, there is no connected PPTP client. If there was, there would be a network interface defined like ppp0, or ppp1, etc.

Oh, I think I did the logs wrong then. I had no PPTP clients connected indeed!

Here are the same commands with a PPTP client connected.

Code:
~ # ifconfig
br0       Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          inet addr:192.168.88.1  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4651912 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7025534 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1811357469 (1.6 GiB)  TX bytes:3799616879 (3.5 GiB)

eth0      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10359438 errors:283 dropped:0 overruns:283 frame:283
          TX packets:27135533 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:597415726 (569.7 MiB)  TX bytes:2098437799 (1.9 GiB)
          Interrupt:4 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E1
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22730627 errors:198 dropped:0 overruns:0 frame:5072643
          TX packets:5218630 errors:33226 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2453534570 (2.2 GiB)  TX bytes:991842415 (945.8 MiB)
          Interrupt:3 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:2386 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:270531 (264.1 KiB)  TX bytes:270531 (264.1 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.88.1  P-t-P:192.168.88.40  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1392  Metric:1
          RX packets:181 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:11230 (10.9 KiB)  TX bytes:106 (106.0 B)

vlan1     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3375174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24063598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1480376120 (1.3 GiB)  TX bytes:909964653 (867.8 MiB)

vlan2     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E0
          inet addr:45.XXX.XXX.2  Bcast:45.XXX.XXX.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6968267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3071935 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3223162242 (3.0 GiB)  TX bytes:1188473146 (1.1 GiB)



Code:
~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.88.40   *               255.255.255.255 UH    0      0        0 ppp0
45.XXX.XXX.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.88.0    *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         modemcable001.1 0.0.0.0         UG    0      0        0 vlan2



Code:
~ # ip route
192.168.88.40 dev ppp0 scope link  src 192.168.88.1
45.XXX.XXX.0/24 dev vlan2 scope link  src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link  src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2



Code:
~ # iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1296  145K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    44 logaccept  tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    2    72 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0
    1    70 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
  320 38653 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  701 63879 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0



Code:
~ # cat /proc/net/ip_conntrack | grep 'dport=1723 '
tcp      6 3560 ESTABLISHED src=204.XXX.XXX.8 dst=45.XXX.XXX.2 sport=43447 dport=1723 packets=12 bytes=868 src=45.XXX.XXX.2 dst=204.XXX.XXX.8 sport=1723 dport=43447 packets=10 bytes=640 [ASSURED] mark=0 secmark=0 use=2



Code:
~ # cat /proc/net/nf_conntrack | grep 'dport=1723 '
ipv4     2 tcp      6 3595 ESTABLISHED src=204.XXX.XXX.8 dst=45.XXX.XXX.2 sport=43447 dport=1723 packets=14 bytes=968 src=45.XXX.XXX.2 dst=204.XXX.XXX.8 sport=1723 dport=43447 packets=12 bytes=736 [ASSURED] mark=0 secmark=0 use=2


Thank you, I hope this helps
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri May 03, 2019 16:43
Well that last posting actually looks promising. The fact you have an ESTABLISHED connection in connection tracking is a good sign. That usually means things are working.

I can see port 1723 is opened and has traffic. And GRE (protocol 47) is allowed through, but no traffic so far. The PPTP assigned IP is 192.168.88.40. So far, so good.

I'd be interested in what the syslog is reporting, particularly if it's reporting read/write errors w/ GRE.

Since you already have Log Management enabled in the firewall (and it should be set to High, w/ all options enabled), check to see if anything catches your attention in the incoming or outgoing log wrt PPTP. I can't be more exact because I'm not sure what the problem is.
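The reading eibgrad gives above (control connection ESTABLISHED in conntrack, tcp/1723 accepted with traffic, GRE/47 accepted but with zero packets) can be automated. The following is an added example, not code from the thread or from DD-WRT: a small Python parser for `iptables -vnL` output and `/proc/net/nf_conntrack` / `/proc/net/ip_conntrack` lines that reports the state of a PPTP control and data channel. The sample input is the second `iptables -vnL INPUT` dump and conntrack line from the thread (abbreviated, with the poster's `XXX` redactions left in place); the GRE conntrack line is constructed to show what a working data channel looks like, since none appeared in the thread.

```python
"""Summarise PPTP control (tcp/1723) and data (GRE, protocol 47) state from
iptables counters and conntrack entries. Added example; assumes nothing
beyond the text formats of `iptables -vnL` and /proc/net/*_conntrack."""
from dataclasses import dataclass
from typing import Optional

# Abbreviated `iptables -vnL INPUT` dump from the thread (client connected).
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1296  145K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    44 logaccept  tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  47   --  *      *       0.0.0.0/0            0.0.0.0/0
  701 63879 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# nf_conntrack line from the thread (XXX = poster's redaction).
CONNTRACK_THREAD = """\
ipv4     2 tcp      6 3595 ESTABLISHED src=204.XXX.XXX.8 dst=45.XXX.XXX.2 sport=43447 dport=1723 packets=14 bytes=968 src=45.XXX.XXX.2 dst=204.XXX.XXX.8 sport=1723 dport=43447 packets=12 bytes=736 [ASSURED] mark=0 secmark=0 use=2
"""

# Constructed: the same control flow plus a GRE entry, i.e. a working tunnel.
CONNTRACK_WORKING = CONNTRACK_THREAD + """\
ipv4     2 gre      47 179 src=204.XXX.XXX.8 dst=45.XXX.XXX.2 srckey=0x0 dstkey=0x0 packets=40 bytes=3200 src=45.XXX.XXX.2 dst=204.XXX.XXX.8 srckey=0x0 dstkey=0x0 packets=38 bytes=2900 [ASSURED] mark=0 use=2
"""

_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _count(tok: str) -> int:
    """iptables -v abbreviates large counters (145K, 10M); expand them."""
    if tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match text after the destination column, e.g. "tcp dpt:1723"


def parse_iptables(text: str) -> list:
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0][0].isdigit():
            continue  # "Chain ..." header or column-name row
        rules.append(Rule(_count(f[0]), _count(f[1]), f[2], f[3], f[5], f[6],
                          f[7], f[8], " ".join(f[9:])))
    return rules


@dataclass
class Flow:
    proto: str
    state: Optional[str]  # tcp only; GRE/UDP entries carry no state token
    orig: dict            # first src/dst/... group: original direction
    reply: dict           # second group: reply direction
    assured: bool


def parse_conntrack(text: str) -> list:
    flows = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] in ("ipv4", "ipv6"):   # nf_conntrack prefix; ip_conntrack has none
            toks = toks[2:]
        proto, state, orig, reply = toks[0], None, {}, {}
        for tok in toks[3:]:              # skip proto name, proto number, timeout
            if "=" in tok:
                k, v = tok.split("=", 1)
                (reply if k in orig else orig)[k] = v
            elif tok.isalpha() and tok.isupper():
                state = tok
        flows.append(Flow(proto, state, orig, reply, "[ASSURED]" in toks))
    return flows


def pptp_status(rules: list, flows: list) -> dict:
    gre_rules = [r for r in rules if r.prot in ("47", "gre")]
    ctrl = [f for f in flows if f.proto == "tcp" and f.orig.get("dport") == "1723"]
    return {
        "control_rule_hits": sum(r.pkts for r in rules
                                 if r.prot == "tcp" and "dpt:1723" in r.extra),
        "control_established": any(f.state == "ESTABLISHED" for f in ctrl),
        "gre_allowed": bool(gre_rules) and all(
            r.target.lower().endswith("accept") for r in gre_rules),
        # Caveat: with the pptp conntrack helper loaded, GRE can match the
        # RELATED,ESTABLISHED rule instead, so zero hits here is only
        # conclusive together with the absence of a gre conntrack entry.
        "gre_rule_hits": sum(r.pkts for r in gre_rules),
        "gre_flows": sum(1 for f in flows if f.proto == "gre"),
    }


def diagnose(status: dict) -> str:
    if not status["control_established"]:
        return "no established PPTP control connection on tcp/1723"
    if not status["gre_allowed"]:
        return "control channel up but GRE (protocol 47) has no accept rule in INPUT"
    if status["gre_rule_hits"] == 0 and status["gre_flows"] == 0:
        return "control channel up, GRE allowed, but no GRE packets seen: data channel never started"
    return "control and GRE data channel both carrying traffic"


if __name__ == "__main__":
    rules = parse_iptables(IPTABLES_INPUT)
    for sample in (CONNTRACK_THREAD, CONNTRACK_WORKING):
        print(diagnose(pptp_status(rules, parse_conntrack(sample))))
```

Run on the thread's own dump it reports the data channel as never started; on the constructed sample with a GRE entry it reports a working tunnel. The counters are parsed with iptables' 1000-based K/M/G abbreviations, so they are approximate for large values.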
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Sat May 04, 2019 1:56
eibgrad wrote:
I'd be interested in what the syslog is reporting, particularly if it's reporting read/write errors w/ GRE.


Syslog only shows the same lines as in the first post:
Code:
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Client 204.XX.XX.8 control connection started
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Starting call (launching pppd, opening GRE)
May 3 21:45:20 Maison daemon.notice pppd[3989]: pppd 2.4.7 started by root, uid 0


Nothing more after that.

eibgrad wrote:
Since you already have Log Management enabled in the firewall (and it should be set to High, w/ all options enabled), check to see if anything catches your attention in the incoming or outgoing log wrt PPTP. I can't be more exact because I'm not sure what the problem is.

That's a good idea. I looked for instances of the connected PPTP IP shown in syslog, and the only thing I saw is, when I'm connecting the client, a line saying that the TCP request on port 1723 was Accepted. Other than this, if I try to reach for instance the router's HTTP WebUI from the connected client, I cannot see any request for this IP.

Weird...

Can you think of another way to troubleshoot this?

Thanks again!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sat May 04, 2019 2:18
Is "Connected PPTP Clients" (Status->LAN) still showing no client? Given everything else looking just fine, that doesn't make sense. As I said, even connection tracking is showing an active, healthy connection, with significant numbers of packets.

Is it possible the local IP network on which the PPTP client is running is using the same IP network as your home network (192.168.88.x)? When using any routed VPN, the local network of the PPTP client and PPTP server *must* be unique and non-overlapping (e.g., 192.168.1.x and 192.168.2.x). If they are the same or overlap, then the PPTP client will NOT route over the tunnel since it thinks the target IP is local.
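Two addressing rules come up in this thread: the PPTP client pool should not sit inside the DHCP range (eibgrad's first reply), and the client's local subnet must not overlap the server LAN or the client will treat LAN targets as local and never send them through the tunnel. The block below is an added example, not code from the thread or from DD-WRT, that checks both with Python's `ipaddress` module and emulates the longest-prefix-match decision a client makes when the two networks collide. The server LAN 192.168.88.0/24 and the assigned client address .40 are from the thread; the DHCP range, PPTP pool bounds, client-side subnets and interface names are constructed.

```python
"""Addressing sanity checks for a routed VPN (PPTP here): pool/DHCP overlap
and client-LAN vs server-LAN overlap. Added example; values marked
'constructed' are illustrative, not from the thread."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]  # (destination network, outgoing interface)


def pools_disjoint(dhcp_range: Tuple[str, str], pptp_range: Tuple[str, str]) -> bool:
    """True when the PPTP client pool lies entirely outside the DHCP range.
    The DHCP server does not know which addresses pppd handed out, so any
    overlap can produce two devices with the same address."""
    d0, d1 = (int(ipaddress.ip_address(a)) for a in dhcp_range)
    p0, p1 = (int(ipaddress.ip_address(a)) for a in pptp_range)
    return p1 < d0 or p0 > d1


def tunnel_routes_cleanly(client_local_net: str, server_lan: str) -> bool:
    """True when the client's local subnet and the server LAN do not overlap."""
    a = ipaddress.ip_network(client_local_net, strict=False)
    b = ipaddress.ip_network(server_lan, strict=False)
    return not a.overlaps(b)


def client_routes(client_local_net: str, server_lan: str) -> List[Route]:
    """Constructed client routing table once the tunnel is up: its own
    subnet via the local interface, the server LAN via the ppp interface."""
    return [
        (ipaddress.ip_network(client_local_net, strict=False), "wlan0"),
        (ipaddress.ip_network(server_lan, strict=False), "ppp0"),
    ]


def next_hop(target: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match. Two equally specific routes are reported as
    'ambiguous': which one the client picks then depends on metrics, and in
    the overlapping case that is usually the local interface."""
    ip = ipaddress.ip_address(target)
    matches = [(net, iface) for net, iface in routes if ip in net]
    if not matches:
        return None
    longest = max(net.prefixlen for net, _ in matches)
    winners = {iface for net, iface in matches if net.prefixlen == longest}
    return winners.pop() if len(winners) == 1 else "ambiguous"


def check_vpn_addressing(server_lan: str, dhcp_range: Tuple[str, str],
                         pptp_range: Tuple[str, str], client_local_net: str) -> List[str]:
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    if not pools_disjoint(dhcp_range, pptp_range):
        findings.append("PPTP client pool overlaps the DHCP range: "
                        "DHCP may lease an address pppd has already assigned")
    if not tunnel_routes_cleanly(client_local_net, server_lan):
        findings.append("client local subnet overlaps the server LAN: "
                        "LAN targets look local to the client and bypass the tunnel")
    return findings


if __name__ == "__main__":
    server_lan = "192.168.88.0/24"                        # from the thread
    dhcp = ("192.168.88.100", "192.168.88.149")           # constructed
    pptp_inside = ("192.168.88.140", "192.168.88.149")    # constructed (bad)
    pptp_outside = ("192.168.88.40", "192.168.88.49")     # constructed (.40 matches the thread)
    for client_net in ("192.168.1.0/24", "192.168.88.0/24"):
        print(client_net, check_vpn_addressing(server_lan, dhcp, pptp_inside, client_net))
        print("  192.168.88.10 ->", next_hop("192.168.88.10",
                                             client_routes(client_net, server_lan)))
    print("fixed pool:", check_vpn_addressing(server_lan, dhcp, pptp_outside, "192.168.1.0/24"))
```

The overlap check is the one worth running first when "connected" clients cannot reach anything: a phone on a remote Wi-Fi that happens to use the same private /24 as the home LAN will resolve every LAN address to its local interface, and no amount of firewall tuning on the server changes that.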
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Sat May 04, 2019 12:09
eibgrad wrote:
Is "Connected PPTP Clients" (Status->LAN) still showing no client?


Yeah, I still have no connected PPTP client on the status page.

eibgrad wrote:

Is it possible the local IP network on which the PPTP client is running is using the same IP network as your home network (192.168.88.x)?


The Android phone I use for testing is on mobile data with Wi-Fi off, to be sure I'm not on the home network.
It's the device with the 204.XX.XX.8 IP, so it's not using the 192.168.88.x network, I would think...

Thanks
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Sat May 04, 2019 12:20
I dug a little more into the IP of the Android phone...
In the "About" page, I can see the local IP I'm using, which is 100.81.77.8

Using whatismyip.com I can verify this. I'm using this local IP and the 204.XX.XX.8 one as public IP.

So my local IP is very different from my home one; it shouldn't be a problem, right?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5126
Location: Akershus, Norway

PostPosted: Sat May 04, 2019 13:40
Addresses starting with 100 are Carrier Grade NAT.

https://tools.ietf.org/html/rfc6598
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sat May 04, 2019 18:11
TorqueDelight wrote:
I dug a little more into the IP of the Android phone...
In the "About" page, I can see the local IP I'm using, which is 100.81.77.8

Using whatismyip.com I can verify this. I'm using this local IP and the 204.XX.XX.8 one as public IP.

So my local IP is very different from my home one; it shouldn't be a problem, right?


Yes.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sat May 04, 2019 18:12
Per Yngve Berg wrote:
Addresses starting with 100 are Carrier Grade NAT.

https://tools.ietf.org/html/rfc6598


Ok, but are you suggesting this is an issue w/ his current config? I could see it being an issue if the CGN was on the PPTP server side. But the CGN is on the PPTP client side.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5126
Location: Akershus, Norway

PostPosted: Sat May 04, 2019 20:32
It's not a problem. It explains why it's not the public IP.
All times are GMT