Question from re-searcher:
route all traffic through pptpd on Ubuntu

Hello,

How is it possible that, when I connect to my server with a PPTP VPN connection, it routes all traffic through it?
Duncan Roe:

You need to make the VPN be the default route. That should only require that you add a line saying defaultroute to the relevant pppd conf file.
re-searcher (asker):
We don't have a defaultroute option in the pptpd.conf file.
I just want to be sure which commands I should run in iptables (forwarding and masquerade).
Now that I'm at work, I can see that we didn't use defaultroute on our PPTP VPN either. We did use iptables to do source NATting:

```sh
#!/bin/sh
# Runs from the ip-up hook for ppp1. iptables-nat-off is a local helper script
# (in the same directory) that flushes the previous NAT rules.

# Clear out old natting rules if any (there shouldn't be)
./iptables-nat-off

# Get gateway address (what ppp gave us): the local "inet addr" of ppp1
gateway=$(/sbin/ifconfig ppp1|grep 'inet addr'|cut -d: -f2|cut -d' ' -f1)
[ -n "$gateway" ] ||
{
  logger -i -p local0.debug "ERROR: could not determine VPN gateway address"
  exit 1
}

# Mangle source addresses of all outgoing traffic so that replies return via ppp1
/usr/sbin/iptables -t nat -A POSTROUTING -o ppp1 -j SNAT --to $gateway

# Turn on packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
```

The dynamic gateway code requires that the above lines be in a script invoked by ip-up for ppp1 (test if $1 is ppp1). If you are happy with a static gateway address, you can set up iptables any time - interfaces in iptables rules don't need to exist at time of rule creation.
We set the default route to be via ppp1 separately, with the ip route command.
The ppp0 connection went to the ISP (via 3G modem). You may only have 1 ppp connection.
Thanks duncan_roe,

I just want to check some things before running your script.

+ You said in post #36989675 that I should append that script to ip-up, which is located at /etc/ppp, right?
+ How can I get $1, whether it's ppp1 or ppp0?
+ I don't understand what you said in post #36989680; would you mind explaining more?
I used this article -> http://cviorel.easyblog.ro/2009/02/09/how-to-set-up-a-vpn-server-on-ubuntu/

But currently I can't browse the Internet after the connection is established.
And a new problem is that I get disconnected from the PPTP server after 14 seconds.

It happens most of the time (around 90%).
When the link is established, pppd invokes /etc/ppp/ip-up with a number of positional parameters. The first parameter is the interface name.
I'll check at work tomorrow how we used ip route.
The article you used references ufw, with which I am not familiar. We only used iptables and other basic commands.
We were never able to gain Internet access through the poptop (ppp1) connection. That wasn't a problem, because we used the Internet (ppp0) connection. We did not default route to ppp1: we only routed the secure domain to which it gave access.
Could you post the file in /etc/ppp/peers that describes your connection? I can post ours (sensitive information overwritten, of course).
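The forwarding-and-masquerade rules asked about earlier, together with the way an ip-up hook gets its interface name in $1, as an added example that is not part of this thread or of any poster's configuration. It assumes a pptpd server whose client pool is 192.168.1.0/24 (the asker's range) and whose egress NIC is eth0; the function and variable names (EGRESS_IF and the rest) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: what a pptpd server needs so that every
# VPN client's traffic is forwarded and masqueraded out of eth0.
# Assumed values: client pool 192.168.1.0/24 (the asker's range), egress eth0.

# True when the name looks like a pppd interface (pppd passes it as $1 to ip-up).
iface_is_ppp() {
    case "$1" in
        ppp[0-9]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the static rules for a whole client pool. Printing instead of executing
# lets you review them first, then run: pptp_forward_rules 192.168.1.0/24 eth0 | sh
# The -s/-d pool match keeps the NAT and FORWARD accept limited to VPN clients,
# so a peer cannot push traffic with arbitrary source addresses through the tunnel.
pptp_forward_rules() {
    pool="$1"; egress="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $pool -o $egress -j MASQUERADE
iptables -A FORWARD -i ppp+ -s $pool -o $egress -j ACCEPT
iptables -A FORWARD -i $egress -o ppp+ -d $pool -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -i ppp+ -o $egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Per-connection variant for a script in /etc/ppp/ip-up.d/: pppd calls it with
# $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote (client) IP, $6 ipparam.
# Prints a FORWARD rule for just this client; returns 1 for non-ppp interfaces.
# (A matching ip-down.d script must delete the rule with -D, or rules pile up.)
pptp_ipup_rule() {
    iface="$1"; client="$5"; egress="${EGRESS_IF:-eth0}"
    iface_is_ppp "$iface" || return 1
    printf 'iptables -A FORWARD -i %s -s %s -o %s -j ACCEPT\n' "$iface" "$client" "$egress"
}
```

The last rule clamps the TCP MSS to the tunnel path MTU (the thread's pptpd-options sets mtu/mru 1490), which is the usual cause of "connected but pages never load" over PPTP.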
I have just the provider file in the peers folder:

```
/etc/ppp/peers# cat provider
# example configuration for a dialup connection authenticated with PAP or CHAP
#
# This is the default configuration used by pon(1) and poff(1).
# See the manual page pppd(8) for information on all the options.

# MUST CHANGE: replace myusername@realm with the PPP login name given to
# your by your provider.
# There should be a matching entry with the password in /etc/ppp/pap-secrets
# and/or /etc/ppp/chap-secrets.
user "myusername@realm"

# MUST CHANGE: replace ******** with the phone number of your provider.
# The /etc/chatscripts/pap chat script may be modified to change the
# modem initialization string.
connect "/usr/sbin/chat -v -f /etc/chatscripts/pap -T ********"

# Serial device to which the modem is connected.
/dev/modem

# Speed of the serial line.
115200

# Assumes that your IP address is allocated dynamically by the ISP.
noipdefault
# Try to get the name server addresses from the ISP.
usepeerdns
# Use this connection as the default route.
defaultroute

# Makes pppd "dial again" when the connection is lost.
persist

# Do not ask the remote to authenticate.
noauth
```


For more information I should say I authenticate poptop with freeradius-mysql. Everything is OK and authentication works great. My problem is just that I don't know how I should route on Ubuntu.
I will remove ufw and all other configurations applied through that article.
ASKER CERTIFIED SOLUTION
Duncan Roe:
This solution is only available to members.
Yes, I have.
```
# cat /etc/ppp/pptpd-options
###############################################################################
# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}


# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns xx.xx.xx.xx

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
ms-wins xx.xx.xx.xx

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

novj
novjccomp
nologfd
auth

noipx
mtu 1490
mru 1490

# plugins
plugin radius.so
#plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
```

But I need to know how to route PPTP traffic through iptables.

My problem is not pptpd-options and the ppp configuration.
You need to do the source mangling as I indicated in http:#a36989675. Other than that, what are you trying to do? Are you setting up a VPN with some firewalled site somewhere, or are you anticipating that other sites will connect to your system in order to establish a VPN? At least for the former, you need a route, not an iptables rule. The function of the routing table is to direct an IP to the appropriate network interface. iptables rules work on frames that have already got to some interface.
I just want to route all PPTP traffic to eth0.
We need to add new iptables rules (I think), because it will block routing...
I just noticed you posted /etc/ppp/pptpd-options when I really wanted you to post the file in /etc/ppp/peers which connects with the remote peer (pptpd-equivalent in a Windows system). The pty directive in that file nominates a remote address to connect the other end of the tunnel. Normal routing will ensure that connection goes out through the right NIC - eth0 in your case. All connections to ppp0 will go through that tunnel - there is no need nor even possibility to route them anywhere else.
I have not used pptp in server mode but I guess it will be similar.
Thanks Duncan,

You mean I should use the script which you sent in post #36989675?!
But you didn't tell me where I should save this script. Is it /etc/ppp/ip-up.d/? What should the name of this script be? etc.
Duncan,

I fixed it myself, without any script or other methods.

But my problem is that the connection automatically disconnects after 15-30 seconds.
Script went in /etc/ppp/peers.
Is the disconnection initiated by the ISP? Check pppd entries in /var/log/debug or maybe some other file in /var/log.
Also, how did you fix it yourself: what exactly did you do?
I just added rules on the network interface and set an IP gateway for the range of IPs, i.e. 192.168.1.0/24 -> 204.122.123.124

I will accept your 2nd post as the solution here, and for that question please read this post: https://www.experts-exchange.com/questions/27408110/PPTP-Poptop-auto-disconnect-Problem-on-Linux.html