We've been struggling with some kind of network/routing issue with a PPTPD based VPN where the clients can't access certain internet domains/ips through the VPN. As an example, the user can browse hxxp://google.com, but not hxxp://microsoft.com.
The setup is as follows:
Client (same problem on Windows and Android, haven't tested others) (ip: x.x.x.x) -> Internet -> (y.y.y.y) dd-wrt router (192.168.1.1) -> Ubuntu Server 10.10 running PPTPD (192.168.1.125).
eirik@woserv:~$ cat /etc/pptpd.conf | grep -v '#'
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.1.125
remoteip 192.168.1.230-240
eirik@woserv:~$ cat /etc/ppp/pptpd-options | grep -v '#'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.1.1
proxyarp
nodefaultroute
debug
lock
auth
nobsdcomp
noipx
mtu 1490
mru 1490
iptables rules (in /etc/rc.local), verified as loaded using iptables -L:
#!/bin/sh
# Flush all rules
iptables -F
iptables -X
iptables -Z
# Allow all VPN stuff
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
exit 0
We've enabled PPTP, IPSEC and L2TP passthrough on the dd-wrt router (under Security -> VPN Passthrough). Also, we've port forwarded 1723 and 47 to 192.168.1.125.
The VPN connection in Windows is set up with "Use default gateway on remote network" on IPv4 and uses MS-CHAP v2. If the clients access hxxp://www.whatismyip.com/ the correct VPN IP is reported (y.y.y.y) and not their normal internet IP, x.x.x.x.
So far we've identified the following problem domains:
microsoft.com
support.microsoft.com
no.yahoo.com
answers.yahoo.com
nrk.no
imgur.com
(And while working on describing this problem, I discovered that I could not load http://w.pastebin.ca/pb-g.gz.js when I tried to access hxxp://pastebin.ca via the VPN)
If the clients try to open these web pages when they are using the VPN, they get a timeout (Google Chrome Dev Tools under Networking says "Pending" for the requests until they time out). Sometimes Chrome says the error is "Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.". Other services (besides HTTP/HTTPS on ports 80/443) also fail.
Most other sites work, like hxxp://google.com and hxxp://bing.com. The problems are consistent among many different Windows and Android clients from various locations. There are no proxies involved. Disabling Windows Firewall and any anti-virus software does nothing.
tracert from the clients gives various results for the different domains, but they seem somewhat consistent between no VPN and VPN; here are some examples.
If I fire up lynx http://microsoft.com directly on the Linux server running PPTPD, it loads fine. Same with the other sites …
Any ideas?
(sorry for the jsfiddle with the tracert links, could not post that many links here as a new user on ServerFault)
Best Answer
Since you changed the default MTU, this may be the cause. Try adding the following rule to your firewall, adjust as necessary:
EDIT: changed the rule to insert itself as first in the chain.
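An added illustration, not code from the question or the answer, of what an MSS-clamping firewall rule does to a TCP SYN passing through the VPN server, and of the payload budget PPTP encapsulation leaves on the client's link. The 1500-byte link MTU and the per-header overhead figures are assumptions.

```python
import struct

# Assumed PPTP encapsulation overhead per data packet on the client's link:
# outer IPv4 20 B + GRE with key/seq/ack 16 B + PPP 2 B, wrapped around the
# inner IPv4 20 B + TCP 20 B headers of the tunnelled segment.
OUTER_IP, GRE_PPTP, PPP_HDR, INNER_IP, TCP_HDR = 20, 16, 2, 20, 20


def pptp_max_mss(link_mtu: int) -> int:
    """Largest TCP payload whose PPTP-encapsulated packet still fits link_mtu.
    A peer advertising a bigger MSS fills packets that must fragment or, when
    ICMP 'fragmentation needed' is dropped on the path, silently vanish."""
    return link_mtu - OUTER_IP - GRE_PPTP - PPP_HDR - INNER_IP - TCP_HDR


def make_syn(mss: int, flags: int = 0x02) -> bytes:
    """Constructed sample: a minimal TCP header (data offset 6 words) carrying
    only an MSS option (kind 2, length 4). Checksum left at zero."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, flags, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)


def clamp_syn_mss(segment: bytes, max_mss: int) -> bytes:
    """Rewrite the MSS option of a TCP SYN if it exceeds max_mss, the same
    edit a TCPMSS-style firewall rule makes. Non-SYN segments pass untouched;
    recomputing the TCP checksum is left to the caller."""
    data_off = (segment[12] >> 4) * 4
    if not segment[13] & 0x02:          # SYN flag not set: nothing to clamp
        return segment
    buf = bytearray(segment)
    i = 20                               # options start after the fixed header
    while i < data_off:
        kind = buf[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # No-Operation padding
            i += 1
            continue
        length = buf[i + 1]
        if kind == 2 and length == 4:
            if struct.unpack_from("!H", buf, i + 2)[0] > max_mss:
                struct.pack_into("!H", buf, i + 2, max_mss)
        i += length
    return bytes(buf)


def mss_of(segment: bytes) -> int:
    """Return the MSS option value of a segment built by make_syn()."""
    return struct.unpack_from("!H", segment, 22)[0]
```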