pptpd Internet routing troubles
I've configured pptpd to allow incoming VPN connections from the native Windows VPN clients. I wish to let these VPN clients connect to the Internet through the ppp connection on the Linode. I am aware that SSH tunneling is usually the de facto standard for this, however, VPN seems to be the only way to redirect the traffic from flash player on Windows.
I've set up what I believe to be the appropriate routes on iptables, but Internet browsing behavior is erratic. I'm hoping that there's just something wrong with my iptables rules. Any advice on troubleshooting?
Thanks.
[root@linode ppp]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
OPEN-UDP udp -- anywhere anywhere state NEW
OPEN-TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN state NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
fw-interfaces all -- anywhere anywhere
fw-open all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain OPEN-TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
Chain OPEN-UDP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain fw-interfaces (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain fw-open (1 references)
target prot opt source destination
[root@linode ppp]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.16.0.0/12 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
6 Replies
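The listing above was taken with `iptables -L`, which hides `-i`/`-o` interface matches, so it cannot show whether the bare "ACCEPT all -- anywhere anywhere" rows in INPUT and FORWARD are limited to an interface or match everything; `iptables-save` (or `iptables -L -v -n --line-numbers`) does show that. As an added example that is not part of the original post, the script below audits an iptables-save dump for two ordering problems that such bare rows would cause: rules that can never match because an earlier rule with no match options and a terminal target already decides every packet, and a TCPMSS clamp that is therefore never applied to forwarded traffic. The sample dumps are constructed: SAMPLE_BROKEN takes the post's "ACCEPT all" and "REJECT all" rows literally, SAMPLE_FIXED is one ordering that keeps every rule reachable, and the interface names ppp+ and eth0 are assumptions.

```python
"""Audit an iptables-save dump for two ordering mistakes that break a PPTP/pppd
gateway: rules shadowed by an earlier unconditional terminal rule, and an MSS
clamp that is never reached.  Added example, not code from the thread.  The
dumps are constructed: SAMPLE_BROKEN takes the post's bare "ACCEPT all" and
"REJECT all" rules literally; ppp+ and eth0 are assumed interface names."""
import shlex
import sys

# Targets that end chain traversal for a matching packet.  TCPMSS, LOG, MARK
# and jumps to user chains fall through, so they are deliberately absent.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "MASQUERADE", "SNAT", "DNAT"}

SAMPLE_BROKEN = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
COMMIT
*nat
-A POSTROUTING -s 172.16.0.0/12 -j MASQUERADE
COMMIT
"""

SAMPLE_FIXED = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
COMMIT
*nat
-A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
COMMIT
"""


def parse_rules(dump):
    """Turn iptables-save text into dicts: table, chain, matches, target, text."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            j = toks.index("-j") if "-j" in toks else len(toks)
            rules.append({"table": table, "chain": toks[1], "matches": toks[2:j],
                          "target": toks[j + 1] if j + 1 < len(toks) else None,
                          "text": line})
    return rules


def unreachable_rules(rules):
    """(rule, shadowing rule) pairs: a rule with no match options and a terminal
    target decides every packet, so nothing later in that chain ever runs."""
    shadow, dead = {}, []
    for r in rules:
        key = (r["table"], r["chain"])
        if key in shadow:
            dead.append((r, shadow[key]))
        elif not r["matches"] and r["target"] in TERMINAL:
            shadow[key] = r
    return dead


def audit(dump):
    """Human-readable findings; an empty list means both checks pass."""
    rules = parse_rules(dump)
    dead = unreachable_rules(rules)
    dead_ids = {id(r) for r, _ in dead}
    findings = [f"{r['table']}/{r['chain']}: never reached, shadowed by "
                f"'{by['text']}': {r['text']}" for r, by in dead]
    # GRE and PPP headers make the ppp link MTU smaller than Ethernet's; without
    # a reachable clamp on forwarded SYNs, full-size segments depend on path-MTU
    # discovery, which is often blocked, and large transfers stall.
    if not any(r["chain"] == "FORWARD" and r["target"] == "TCPMSS"
               and id(r) not in dead_ids for r in rules):
        findings.append("filter/FORWARD: no reachable TCPMSS clamp for forwarded TCP")
    return findings


if __name__ == "__main__":
    # Usage: iptables-save > rules.txt && python3 audit_rules.py rules.txt
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    for finding in audit(dump) or ["no ordering problems found"]:
        print(finding)
```

On SAMPLE_BROKEN the script reports the `dpt:1723` and `gre` ACCEPT rules in INPUT as unreachable (they sit after an unconditional REJECT) and everything in FORWARD after the bare ACCEPT, including the clamp. The two dead INPUT rules are harmless only while the PPTP conntrack helper (nf_conntrack_pptp) is loaded, since that is what lets the RELATED,ESTABLISHED rule admit the GRE packets; a bare ACCEPT at the top of FORWARD is not harmless at all, as it both forwards anything and skips the clamp. Whether the real rules are this shape is exactly what `iptables-save` answers.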
@vonskippy:
So is the VPN tunnel working - but not forwarding - or what?
The VPN tunnel seems to be working. The forwarding works at times, but not consistently. I can load small webpages through the forwarding, and ping/lookup external hosts. However, after attempting to open up a few webpages the forwarding just dies. Hostname lookups fail, and nothing will connect out to the Internet. When that happens the VPN tunnel is still good, as I can ping the Linode's local VPN address from the remote Windows machine.
@yawn:
I am aware that SSH tunneling is usually the de facto standard for this, however, VPN seems to be the only way to redirect the traffic from flash player on Windows.
SSH tunnelling works fine for flash, SSH to your linode with the DynamicForward option (might be named differently on windows), then set your internet options to use a socks 5 proxy to 127.0.0.1 and the port you set on dynamic forward. I've used it to connect to country specific content while out of the country.
@obs:
@yawn: I am aware that SSH tunneling is usually the de facto standard for this, however, VPN seems to be the only way to redirect the traffic from flash player on Windows.
SSH tunnelling works fine for flash, SSH to your linode with the DynamicForward option (might be named differently on windows), then set your internet options to use a socks 5 proxy to 127.0.0.1 and the port you set on dynamic forward. I've used it to connect to country specific content while out of the country.
I was under the impression that flash on Windows ignored all proxy settings...? I had a functioning Squid install which I used as a proxy as a first go at this, but while browsers would obey the proxy setting, flash would ignore it and bypass the SOCKS to connect directly.
@obs:
I've never had issues, maybe you have some weird setting in your flash or something is corrupt?
With a little more digging, it looks like Flash will use the Windows machine's proxy settings if and only if a direct connection fails. References: http://www.coolminiornot.com/forums/showthread.php?36719-Help-getting-flash-player-to-work-amp-proxy-server&p=529138 and http://forums.isaserver.org/m2002075370/mpage1/key_/tm.htm#2002075404
So it sounds like I could pull off an SSH tunnel or just a plain normal proxy if I were to configure iptables on my home router to block normal web traffic. I'd still like to get the VPN up and working, though, as then I won't have to deal with toggling settings on the router whenever I'd like to tunnel.