Unable to access LAN devices through VPN server

DD-WRT Forum Index -> Advanced Networking
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Thu May 02, 2019 1:29    Post subject: Unable to access LAN devices through VPN server
Hi

I'm having issues with the VPN server on this setup.
I did search a lot and did not find any answer.

The problem:
I can connect to the VPN Server from an Android phone or another Windows PC from outside of the network but I cannot ping or access anything on the network.
The "Connected PPTP Clients" from the status page shows "None" even if the clients are "connected".

The setup:
Router Model: Linksys E1200 v1
Firmware Version: DD-WRT v3.0-r39469 mini (04/10/19)
Kernel Version: Linux 2.6.24.111 #7106 Wed Apr 10 01:14:37 CEST 2019 mips
Mode: Gateway

The VPN server configuration:
Services / VPN:
- PPTP Server : Enable
- Broadcast Support : Enable
- MPPE Encryption : Enable
- DNS1/2 : Router IP
- WINS1/2 : Router IP
- MTU : 1436
- MRU : 1436
- Server IP : Router IP
- Client IP : "Subrange of the DHCP range"

Security / VPN Passthrough:
- IPSec Passthrough: Enable
- PPTP Passthrough: Enable
- L2TP Passthrough: Enable

The history:
Everything started when I upgraded the firmware from build 21061. At that time everything was going well. So I used the same settings.

The tests:
- I tried "older" builds (37305 and 39296): same results as the 32469 build
- I tried to uncheck every box on the security page: no results
- I tried disabling the SPI Firewall: everything works fine! So it seems related to the firewall...

The logs:
When I connect to the server, I get this from Syslog:
Code:
daemon.info pptpd[1669]: CTRL: Client XXX.XX.XX.XXX control connection started
daemon.info pptpd[1669]: CTRL: Starting call (launching pppd, opening GRE)
daemon.notice pppd[1670]: pppd 2.4.7 started by root, uid 0

Nothing looks bad from there...

Can anybody help me to get this working?
Thanks!
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Fri May 03, 2019 2:31    Post subject:
eibgrad wrote:
The following is probably not your current problem, but it's not a good idea to make the PPTP client range a subset of the DHCP server range. The DHCP server will NOT respect the fact that some IP within its range has been assigned by some other process. So you *could* end up w/ two or more devices w/ the same assigned IP.


That makes sense, but I tried both ways with the same results.

Here are the results of the commands:

ifconfig

Code:
~ # ifconfig
br0       Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          inet addr:192.168.88.1  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4454950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6829164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1773088540 (1.6 GiB)  TX bytes:3617998528 (3.3 GiB)

eth0      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9995920 errors:269 dropped:0 overruns:269 frame:269
          TX packets:26041612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:391934408 (373.7 MiB)  TX bytes:1306481702 (1.2 GiB)
          Interrupt:4 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E1
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21724388 errors:198 dropped:0 overruns:0 frame:4811653
          TX packets:5000249 errors:33215 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1701314270 (1.5 GiB)  TX bytes:823524271 (785.3 MiB)
          Interrupt:3 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:2188 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2188 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:246792 (241.0 KiB)  TX bytes:246792 (241.0 KiB)

vlan1     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3244079 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23088245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1459401090 (1.3 GiB)  TX bytes:145370104 (138.6 MiB)

vlan2     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E0
          inet addr:45.XXX.XXX.2  Bcast:45.XXX.XXX.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6738057 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2953367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3045463207 (2.8 GiB)  TX bytes:1161111598 (1.0 GiB)


route

Code:
~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
45.XXX.XXX.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.88.0    *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         modemcable001.1 0.0.0.0         UG    0      0        0 vlan2


ip route

Code:
~ # ip route
45.XXX.XXX.0/24 dev vlan2 scope link  src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link  src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2


iptables -vnL INPUT

Code:
~ # iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
48155 5463K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    9   420 logbrute   tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    9   420 logaccept  tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    2   660 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
   60  5940 logaccept  47   --  *      *       0.0.0.0/0            0.0.0.0/0
    1  1500 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
   19  1089 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
  755 27180 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0
  165 10500 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
48842   10M logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
57992 6600K logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0


cat /proc/net/ip_conntrack | grep 'dport=1723 ' and cat /proc/net/nf_conntrack | grep 'dport=1723 '

No results returned


Thank you for helping me out
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Fri May 03, 2019 11:47    Post subject:
eibgrad wrote:
When you have the firewall enabled, do you by chance also have the "Limit PPTP Server Access" option enabled on that same page (Security->Firewall)? If so, try disabling it.


It's enabled at the moment, but in the past I tried unchecking every box on that firewall page while leaving the firewall ON, and I got the same issue. I've disabled it now.
And I also set the IP range for the PPTP server outside of the DHCP range.

eibgrad wrote:
According to the ifconfig and routing table dumps, at least as far as the PPTP server is concerned, there is no connected PPTP client. If there was, there would be a network interface defined like ppp0, or ppp1, etc.

Oh, I think I did the logs wrong then. I had no PPTP clients connected indeed!

Here are the same commands with a PPTP client connected.

Code:
~ # ifconfig
br0       Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          inet addr:192.168.88.1  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4651912 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7025534 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1811357469 (1.6 GiB)  TX bytes:3799616879 (3.5 GiB)

eth0      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10359438 errors:283 dropped:0 overruns:283 frame:283
          TX packets:27135533 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:597415726 (569.7 MiB)  TX bytes:2098437799 (1.9 GiB)
          Interrupt:4 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E1
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22730627 errors:198 dropped:0 overruns:0 frame:5072643
          TX packets:5218630 errors:33226 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2453534570 (2.2 GiB)  TX bytes:991842415 (945.8 MiB)
          Interrupt:3 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:2386 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:270531 (264.1 KiB)  TX bytes:270531 (264.1 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.88.1  P-t-P:192.168.88.40  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1392  Metric:1
          RX packets:181 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:11230 (10.9 KiB)  TX bytes:106 (106.0 B)

vlan1     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3375174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24063598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1480376120 (1.3 GiB)  TX bytes:909964653 (867.8 MiB)

vlan2     Link encap:Ethernet  HWaddr 58:6D:8F:BC:3D:E0
          inet addr:45.XXX.XXX.2  Bcast:45.XXX.XXX.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6968267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3071935 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3223162242 (3.0 GiB)  TX bytes:1188473146 (1.1 GiB)



Code:
~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.88.40   *               255.255.255.255 UH    0      0        0 ppp0
45.XXX.XXX.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.88.0    *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         modemcable001.1 0.0.0.0         UG    0      0        0 vlan2



Code:
~ # ip route
192.168.88.40 dev ppp0 scope link  src 192.168.88.1
45.XXX.XXX.0/24 dev vlan2 scope link  src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link  src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2



Code:
~ # iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1296  145K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    44 logaccept  tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    2    72 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0
    1    70 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
  320 38653 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  701 63879 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0



Code:
~ # cat /proc/net/ip_conntrack | grep 'dport=1723 '
tcp      6 3560 ESTABLISHED src=204.XXX.XXX.8 dst=45.XXX.XXX.2 sport=43447 dport=1723 packets=12 bytes=868 src=45.XXX.XXX.2 dst=204.XXX.XXX.8 sport=1723 dport=43447 packets=10 bytes=640 [ASSURED] mark=0 secmark=0 use=2



Code:
~ # cat /proc/net/nf_conntrack | grep 'dport=1723 '
ipv4     2 tcp      6 3595 ESTABLISHED src=204.XXX.XXX.8 dst=45.XXX.XXX.2 sport=43447 dport=1723 packets=14 bytes=968 src=45.XXX.XXX.2 dst=204.XXX.XXX.8 sport=1723 dport=43447 packets=12 bytes=736 [ASSURED] mark=0 secmark=0 use=2


Thank you, I hope this helps
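As an added check (example code, not from the thread, from eibgrad, or from DD-WRT itself): the `iptables -vnL INPUT` dump above can be replayed for the packets a connected PPTP client would send to the router. Read top to bottom, that chain accepts NEW connections only when they arrive on `lo` or `br0`, and a ppp interface is not a member of the bridge, so under this reading a VPN client's first packet to the router's own WebUI arriving on `ppp0` reaches the final `logdrop` rule, while the control channel (tcp/1723) and the GRE carrier (protocol 47) from the WAN side are accepted. The script parses the posted chain (embedded below as constructed input, counters included) and reports which rule each sample packet hits. The HTTP packet on port 80 and the ICMP ping are illustrative assumptions; the script only covers INPUT, so it says nothing about the FORWARD chain that decides access to other LAN devices, which is not posted here.

```python
"""Replay a packet against a dumped `iptables -vnL` chain to see which rule it hits."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the INPUT chain dump posted in the thread with a
# PPTP client connected (rule order and counters copied as posted).
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1296  145K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    44 logaccept  tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 logaccept  47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    2    72 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0
    1    70 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
  320 38653 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  701 63879 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# iptables prints well-known protocols by name and the rest by number; "0"/"all" means any.
PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1", "gre": "47", "igmp": "2"}


def proto_key(p: Optional[str]) -> Optional[str]:
    """Normalise a protocol (name or number) to its number as a string; None means any."""
    if p in (None, "0", "all"):
        return None
    return PROTO_NUMBERS.get(p.lower(), p)


@dataclass
class Rule:
    index: int
    target: str
    proto: Optional[str]   # protocol number as a string, None = any
    in_if: Optional[str]   # None = any; a trailing '+' is iptables' prefix wildcard
    states: Optional[set]  # conntrack states from a 'state' match, None = no state match
    dport: Optional[int]
    sport: Optional[int]


def parse_chain(text: str):
    """Return (policy, [Rule]) from the output of `iptables -vnL CHAIN`."""
    lines = text.strip().splitlines()
    m = re.match(r"Chain \S+ \(policy (\w+)", lines[0])
    policy = m.group(1) if m else None
    rules = []
    for i, line in enumerate(lines[2:]):  # skip the chain line and the column header
        cols = line.split(None, 9)        # everything after 'destination' stays in cols[9]
        _pkts, _bytes, target, prot, _opt, in_if, _out, _src, _dst = cols[:9]
        extra = cols[9] if len(cols) > 9 else ""
        st = re.search(r"state (\S+)", extra)
        dp = re.search(r"dpt:(\d+)", extra)
        sp = re.search(r"spt:(\d+)", extra)
        rules.append(Rule(
            index=i, target=target, proto=proto_key(prot),
            in_if=None if in_if == "*" else in_if,
            states=set(st.group(1).split(",")) if st else None,
            dport=int(dp.group(1)) if dp else None,
            sport=int(sp.group(1)) if sp else None,
        ))
    return policy, rules


def iface_matches(pattern: Optional[str], iface: str) -> bool:
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def first_match(rules, policy, *, in_if, proto, state, dport=None, sport=None):
    """Walk the chain top to bottom and return (target, rule_index); index None = chain policy."""
    pk = proto_key(proto)
    for r in rules:
        if not iface_matches(r.in_if, in_if):
            continue
        if r.proto is not None and r.proto != pk:
            continue
        if r.states is not None and state not in r.states:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        return r.target, r.index
    return policy, None


def verdicts_for_vpn_client(chain_text: str = INPUT_CHAIN):
    """Verdicts for sample packets (assumed for illustration) aimed at the router itself."""
    policy, rules = parse_chain(chain_text)
    return {
        "ppp0 new http":   first_match(rules, policy, in_if="ppp0", proto="tcp", state="NEW", dport=80),
        "ppp0 ping":       first_match(rules, policy, in_if="ppp0", proto="icmp", state="NEW"),
        "br0 new http":    first_match(rules, policy, in_if="br0", proto="tcp", state="NEW", dport=80),
        "vlan2 pptp ctrl": first_match(rules, policy, in_if="vlan2", proto="tcp", state="NEW", dport=1723),
        "vlan2 gre":       first_match(rules, policy, in_if="vlan2", proto="gre", state="NEW"),
    }


if __name__ == "__main__":
    for name, (target, idx) in verdicts_for_vpn_client().items():
        where = "chain policy" if idx is None else f"rule #{idx + 1}"
        print(f"{name:16s} -> {target} ({where})")
```

The matcher only understands the fields this dump actually uses (protocol, input interface, conntrack state, source/destination port); a chain that relies on other matches would need the parser extended. Comparing the verdict for `ppp0` with the one for `br0` is the quickest way to see whether the SPI firewall treats VPN clients as LAN hosts.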
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Sat May 04, 2019 1:56    Post subject:
eibgrad wrote:
I'd be interested in what the syslog is reporting, particularly if its reporting read/write errors w/ GRE.


Syslog only shows the same lines as in the first post:
Code:
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Client 204.XX.XX.8 control connection started
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Starting call (launching pppd, opening GRE)
May 3 21:45:20 Maison daemon.notice pppd[3989]: pppd 2.4.7 started by root, uid 0


Nothing more after that.

eibgrad wrote:
Since you already have Log Management enabled in the firewall (and it should be set to High, w/ all options enabled), check to see if anything catches your attention in the incoming or outgoing log wrt PPTP. I can't be more exact because I'm not sure what the problem is.

That's a good idea. I looked for instances of the connected PPTP IP shown in syslog, and the only thing I saw is that when I'm connecting the client, there's a line saying that the TCP request on port 1723 was Accepted. Other than this, if I try to reach for instance the router's http WebUI from the connected client, I cannot see any request for this IP.

Weird...

Do you think of another way to troubleshoot this?

Thanks again!
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Sat May 04, 2019 12:09    Post subject:
eibgrad wrote:
Is "Connected PPTP Clients" (Status->LAN) still showing no client?


Yeah I still have no connected PPTP client from the status page. Sad

eibgrad wrote:

Is it possible the local IP network on which the PPTP client is running is using the same IP network as your home network (192.168.88.x)?


The android phone I use for testing is on mobile data with Wifi Off to be sure I'm not on the home network.
It's the device with the 204.XX.XX.8 IP so it's not using the 192.168.88.x network I would think...

Thanks
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Sat May 04, 2019 12:20    Post subject:
I dug a little more on the IP of the Android phone...
In the "About" page, I can see the local IP I'm using, which is 100.81.77.8

Using whatismyip.com I can verify this. I'm using this local IP and the 204.XX.XX.8 one as public IP.

So my local IP is very different from my home one, it shouldn't be a problem, right?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sat May 04, 2019 13:40    Post subject:
Addresses starting with 100 are Carrier Grade NAT.

https://tools.ietf.org/html/rfc6598
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sat May 04, 2019 20:32    Post subject:
It's not a problem. It explains why it's not the public IP.
TorqueDelight
DD-WRT Novice


Joined: 10 Apr 2019
Posts: 10

PostPosted: Wed May 08, 2019 2:56    Post subject:
Thanks for your help, eibgrad.

I think for now I will forget about using VPN to get access to my local network.

One day I might try Fresh Tomato as you suggested.