Posted: Thu May 02, 2019 1:29 Post subject: Unable to access LAN devices through VPN server
Hi
I'm having issues with the VPN server on this setup.
I did search a lot and did not find any answer.
The problem:
I can connect to the VPN Server from an Android phone or another Windows PC from outside of the network but I cannot ping or access anything on the network.
The "Connected PPTP Clients" from the status page shows "None" even if the clients are "connected".
The setup:
Router Model: Linksys E1200 v1
Firmware Version: DD-WRT v3.0-r39469 mini (04/10/19)
Kernel Version: Linux 2.6.24.111 #7106 Wed Apr 10 01:14:37 CEST 2019 mips
Mode: Gateway
The VPN server configuration: Services / VPN:
- PPTP Server : Enable
- Broadcast Support : Enable
- MPPE Encryption : Enable
- DNS1/2 : Router IP
- WINS1/2 : Router IP
- MTU : 1436
- MRU : 1436
- Server IP : Router IP
- Client IP : "Subrange of the DHCP range"
The history:
Everything started when I upgraded the firmware from build 21061. At that time everything was going well. So I used the same settings.
The tests:
- I tried "older" builds (37305 and 39296): same results as the 32469 build
- I tried to uncheck every box on the security page: no results
- I tried disabling the SPI Firewall: everything works fine! So it seems related to the firewall...
The logs:
When I connect to the server, I get this from Syslog:
Code:
daemon.info pptpd[1669]: CTRL: Client XXX.XX.XX.XXX control connection started
daemon.info pptpd[1669]: CTRL: Starting call (launching pppd, opening GRE)
daemon.notice pppd[1670]: pppd 2.4.7 started by root, uid 0
The following is probably not your current problem, but it's not a good idea to make the PPTP client range a subset of the DHCP server range. The DHCP server will NOT respect the fact that some IP within its range has been assigned by some other process. So you *could* end up w/ two or more devices w/ the same assigned IP.
Once the PPTP client is connected (or at least seems connected), dump the related data structures. And keep the firewall ON since that's the only secure solution.
The following is probably not your current problem, but it's not a good idea to make the PPTP client range a subset of the DHCP server range. The DHCP server will NOT respect the fact that some IP within its range has been assigned by some other process. So you *could* end up w/ two or more devices w/ the same assigned IP.
That makes sense, but I tried both ways with the same results.
route
Code:
~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
45.XXX.XXX.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.88.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default modemcable001.1 0.0.0.0 UG 0 0 0 vlan2
ip route
Code:
~ # ip route
45.XXX.XXX.0/24 dev vlan2 scope link src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2
According to the ifconfig and routing table dumps, at least as far as the PPTP server is concerned, there is no connected PPTP client. If there were, there would be a network interface defined like ppp0, or ppp1, etc.
In brighter news, I can see packets coming in from the WAN (vlan2) on the PPTP port (1723), and the GRE protocol (47) being used as well (also part of the PPTP requirements). So I don't see where the firewall is preventing access. Yet you say disabling the firewall makes it work. Weird.
When you have the firewall enabled, do you by chance also have the "Limit PPTP Server Access" option enabled on that same page (Security->Firewall)? If so, try disabling it.
In all honesty, if there is a bug that's causing the problem, the chances it will ever be addressed are mighty slim. I wouldn't be surprised if the PPTP server and client are actually removed from dd-wrt in the future. I know of at least one bug related to using a dd-wrt PPTP client w/ a dd-wrt PPTP server that's been around for YEARS. If you complain, everyone will tell you the solution is OpenVPN. IOW, for all intents and purposes, PPTP is effectively deprecated.
If you don't want to go the OpenVPN route, another option is to try tomato instead (my preference, FreshTomato). According to wikidevi.com, your Linksys E1200 v1 should be supported. That's what I always use for my primary router. And I know the PPTP server there works just fine (was testing it only just today for unrelated reasons).
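The rule given above (a connected PPTP client shows up as a host route on a pppN interface, and without one the server has no session) can be applied mechanically to an `ip route` dump. The following is an added example, not code from the thread or from DD-WRT: it parses the dump, lists the ppp host routes as PPTP sessions, and reports whether each peer address lies inside the LAN prefix learned from the br0 route. The WAN prefix 198.51.100.0/24 in the samples is a constructed (TEST-NET-2) stand-in for the masked 45.XXX.XXX.0/24; the LAN and tunnel addresses are the ones posted in the thread.

```python
"""Decide from a router's `ip route` output whether the PPTP server has a
connected client: a live session appears as a /32 host route on pppN.

Added example; not code from the forum thread or from DD-WRT."""
import ipaddress
import re

# One `ip route` line: "<dst> [via <gw>] dev <iface> [scope ...] [src <ip>]"
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$"
)


def parse_ip_route(text):
    """Turn raw `ip route` output into a list of dicts; prompt and blank lines are skipped."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("~ #"):
            continue  # the shell prompt echoing the command, or an empty line
        m = ROUTE_RE.match(line)
        if not m:
            continue  # not a route line we understand; ignore rather than guess
        src = re.search(r"\bsrc\s+(\S+)", m.group("rest"))
        routes.append({
            "dst": m.group("dst"),
            "via": m.group("via"),
            "dev": m.group("dev"),
            "src": src.group(1) if src else None,
        })
    return routes


def pptp_sessions(routes):
    """Host routes (no prefix length) on pppN interfaces are the connected PPTP peers."""
    return [
        {"peer": r["dst"], "dev": r["dev"], "server": r["src"]}
        for r in routes
        if re.fullmatch(r"ppp\d+", r["dev"]) and "/" not in r["dst"] and r["dst"] != "default"
    ]


def lan_prefix(routes, lan_dev="br0"):
    """The LAN prefix is the connected (prefix) route on the bridge interface."""
    for r in routes:
        if r["dev"] == lan_dev and "/" in r["dst"]:
            return ipaddress.ip_network(r["dst"], strict=False)
    return None


def diagnose(text):
    """Human-readable verdict for one `ip route` dump."""
    routes = parse_ip_route(text)
    sessions = pptp_sessions(routes)
    if not sessions:
        return "no PPTP client connected (no pppN host route)"
    lan = lan_prefix(routes)
    parts = []
    for s in sessions:
        where = "inside" if lan and ipaddress.ip_address(s["peer"]) in lan else "outside"
        parts.append(f"{s['peer']} on {s['dev']} ({where} LAN {lan})")
    return f"{len(sessions)} PPTP client(s): " + "; ".join(parts)


# Constructed samples mirroring the two dumps posted in the thread
# (WAN prefix replaced by TEST-NET-2; LAN and tunnel addresses as posted).
NO_CLIENT = """\
~ # ip route
198.51.100.0/24 dev vlan2 scope link src 198.51.100.2
192.168.88.0/24 dev br0 scope link src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 198.51.100.1 dev vlan2
"""
WITH_CLIENT = NO_CLIENT.replace(
    "~ # ip route\n",
    "~ # ip route\n192.168.88.40 dev ppp0 scope link src 192.168.88.1\n",
)

if __name__ == "__main__":
    print(diagnose(NO_CLIENT))
    print(diagnose(WITH_CLIENT))
```

Run against the first dump it reports no session, which is exactly the situation described above; against the second it lists 192.168.88.40 on ppp0 inside the 192.168.88.0/24 LAN, so the server side does have a session and the problem has to be looked for elsewhere (firewall rules, client-side routing).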
eibgrad wrote:
When you have the firewall enabled, do you by chance also have the "Limit PPTP Server Access" option enabled on that same page (Security->Firewall)? If so, try disabling it.
It's enabled at the moment, but in the past I tried unchecking every box on that firewall page while leaving the firewall ON, and I got the same issue. I've disabled it now.
And I also set the IP range for the PPTP server outside of the DHCP range.
eibgrad wrote:
According to the ifconfig and routing table dumps, at least as far as the PPTP server is concerned, there is no connected PPTP client. If there were, there would be a network interface defined like ppp0, or ppp1, etc.
Oh, I think I did the logs wrong then. I had no PPTP client connected indeed!
Here are the same commands with a PPTP client connected.
route
Code:
~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.88.40 * 255.255.255.255 UH 0 0 0 ppp0
45.XXX.XXX.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.88.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default modemcable001.1 0.0.0.0 UG 0 0 0 vlan2
Code:
~ # ip route
192.168.88.40 dev ppp0 scope link src 192.168.88.1
45.XXX.XXX.0/24 dev vlan2 scope link src 45.XXX.XXX.2
192.168.88.0/24 dev br0 scope link src 192.168.88.1
127.0.0.0/8 dev lo scope link
default via 45.XXX.XXX.1 dev vlan2
Well that last posting actually looks promising. The fact you have an ESTABLISHED connection in connection tracking is a good sign. That usually means things are working.
I can see port 1723 is opened and has traffic. And GRE (protocol 47) is allowed through, but no traffic so far. The PPTP assigned IP is 192.168.88.40. So far, so good.
I'd be interested in what the syslog is reporting, particularly if it's reporting read/write errors w/ GRE.
Since you already have Log Management enabled in the firewall (and it should be set to High, w/ all options enabled), check to see if anything catches your attention in the incoming or outgoing log wrt PPTP. I can't be more exact because I'm not sure what the problem is.
eibgrad wrote:
I'd be interested in what the syslog is reporting, particularly if it's reporting read/write errors w/ GRE.
Syslog only shows the same lines as the first post:
Code:
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Client 204.XX.XX.8 control connection started
May 3 21:45:20 Maison daemon.info pptpd[3988]: CTRL: Starting call (launching pppd, opening GRE)
May 3 21:45:20 Maison daemon.notice pppd[3989]: pppd 2.4.7 started by root, uid 0
Nothing more after that.
eibgrad wrote:
Since you already have Log Management enabled in the firewall (and it should be set to High, w/ all options enabled), check to see if anything catches your attention in the incoming or outgoing log wrt PPTP. I can't be more exact because I'm not sure what the problem is.
That's a good idea. I looked for instances of the connected PPTP IP shown in syslog, and the only thing I saw is that when I'm connecting the client, there's a line saying that the TCP request on port 1723 was Accepted. Other than this, if I try to reach for instance the router's http WebUI from the connected client, I cannot see any request for this IP.
Weird...
Do you think of another way to troubleshoot this ?
Is "Connected PPTP Clients" (Status->LAN) still showing no client? Given everything else looking just fine, that doesn't make sense. As I said, even connection tracking is showing an active, healthy connection, with significant numbers of packets.
Is it possible the local IP network on which the PPTP client is running is using the same IP network as your home network (192.168.88.x)? When using any routed VPN, the local network of the PPTP client and PPTP server *must* be unique and non-overlapping (e.g., 192.168.1.x and 192.168.2.x). If they are the same or overlap, then the PPTP client will NOT route over the tunnel since it thinks the target IP is local.
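The two addressing rules raised in this thread (earlier: the PPTP client pool must not be a subset of the DHCP pool; here: the client's local network must not overlap the server's LAN) are easy to get wrong when copying settings between builds, so they are worth checking before touching the firewall. The following is an added example, not code from the thread or from DD-WRT: it takes the DHCP pool, the VPN client pool and the two LAN prefixes and returns a list of findings. All address values in it are constructed; the function names and argument layout are this example's own.

```python
"""Check a routed-VPN addressing plan for the two conflicts discussed above:
VPN client pool inside the DHCP pool, and client LAN overlapping server LAN.

Added example; not code from the forum thread or from DD-WRT."""
import ipaddress


def _range(start, end):
    """Inclusive IPv4 range as a pair of integers, validated."""
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if a > b:
        raise ValueError(f"range start {start} is above end {end}")
    return a, b


def ranges_overlap(r1, r2):
    """True if two inclusive (start, end) address ranges share at least one address."""
    (a0, a1), (b0, b1) = _range(*r1), _range(*r2)
    return a0 <= b1 and b0 <= a1


def check_vpn_addressing(dhcp_pool, vpn_pool, server_lan, client_lan):
    """Return a list of findings; an empty list means the plan is clean.

    dhcp_pool, vpn_pool: (first, last) inclusive IPv4 address ranges
    server_lan, client_lan: CIDR strings such as "192.168.88.0/24"
    """
    findings = []

    # Rule 1: the DHCP server does not know about addresses pppd hands out,
    # so any overlap can produce two devices with the same address.
    if ranges_overlap(dhcp_pool, vpn_pool):
        findings.append(
            f"VPN client pool {vpn_pool[0]}-{vpn_pool[1]} overlaps DHCP pool "
            f"{dhcp_pool[0]}-{dhcp_pool[1]}: a LAN host may receive a tunnel client's address"
        )

    # Rule 2: a routed VPN needs distinct, non-overlapping networks on both
    # ends; otherwise the client treats server-side addresses as local.
    srv = ipaddress.ip_network(server_lan, strict=False)
    cli = ipaddress.ip_network(client_lan, strict=False)
    if srv.overlaps(cli):
        findings.append(
            f"client LAN {cli} overlaps server LAN {srv}: the client will not "
            "route server-side traffic over the tunnel"
        )
    return findings


if __name__ == "__main__":
    # Constructed values: DHCP hands out .100-.149, the first plan put the VPN
    # pool inside it, and the client sits on a LAN using the same prefix.
    dhcp = ("192.168.88.100", "192.168.88.149")
    for finding in check_vpn_addressing(dhcp, ("192.168.88.120", "192.168.88.125"),
                                        "192.168.88.0/24", "192.168.88.0/24"):
        print("PROBLEM:", finding)
    # Pool moved outside DHCP and client on a different prefix: no findings.
    print(check_vpn_addressing(dhcp, ("192.168.88.200", "192.168.88.205"),
                               "192.168.88.0/24", "192.168.1.0/24"))
```

`strict=False` lets the caller pass a host address with a mask (for example `192.168.88.1/24`) and still get the network it belongs to, which is how the prefix usually appears in a status page or `ip route` line; the overlap test is done on the networks, so a client on a smaller subnet carved from the server's range (say 192.168.88.128/25) is still flagged.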
eibgrad wrote:
Is "Connected PPTP Clients" (Status->LAN) still showing no client?
Yeah I still have no connected PPTP client from the status page.
eibgrad wrote:
Is it possible the local IP network on which the PPTP client is running is using the same IP network as your home network (192.168.88.x)?
The android phone I use for testing is on mobile data with Wifi Off to be sure I'm not on the home network.
It's the device with the 204.XX.XX.8 IP so it's not using the 192.168.88.x network I would think...
Ok, but are you suggesting this is an issue w/ his current config? I could see it being an issue if the CGN was on the PPTP server side. But the CGN is on the PPTP client side.