
Ipredator VPN PPP routing/firewall? problem

dire
Posts: 7
Joined: 16 Dec 2011, 13:20

Ipredator VPN PPP routing/firewall? problem

Post by dire »

My b3 is currently used as a server on my lan and I'm trying to set it up to use ipredator for Internet traffic.

I have managed to set up a ppp connection for ipredator. Connecting and disconnecting with debug looks fine and when connected I'm able to ping the vpn gateway (not sure about the correct terms here) but I have not managed to set up proper routes to get my "Internet access" working.

What I have tried so far is to follow guides for debian on how to set up routes automatically using scripts in ip-up.d and ip-down.d under /etc/ppp/ but I don't seem to understand enough about routing to get it working.

My test to verify that it's working is 'wget -qO- minip.no' but so far I have only managed to mess up my routes so that I am no longer able to access minip.no or it reports my public (non vpn) ip address.

Is this the way to go?
Is there anything special with the b3 setup one should know about when setting up ppp and routes?

/Dan
Last edited by dire on 28 Feb 2012, 15:36, edited 1 time in total.
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: Ipredator VPN PPP routing problem

Post by Gordon »

Did you read THIS topic?
dire
Posts: 7
Joined: 16 Dec 2011, 13:20

Re: Ipredator VPN PPP routing problem

Post by dire »

Yes, including the referenced article. To me it sounds a bit advanced and I would first like to succeed doing something that should be much simpler, to route _all_ traffic through the vpn.
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: Ipredator VPN PPP routing problem

Post by Gordon »

It should be as simple as setting defaultroute in your PPP options. Verify by typing

```
~# ip route
172.18.10.0/24 dev br0  proto kernel  scope link  src 172.18.10.254
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3
default via 192.168.2.254 dev eth0
```

* mine looks a bit weird because I'm behind my provider's router on 192.168.2.0/24, but luckily this is just what iproute2 is designed to handle.

Yours should have default (0.0.0.0/0) route set to use device ppp0. If it doesn't, you can change this (e.g. by using if-up/if-down scripts) with the command

```
~# ip route replace default dev ppp0
```
dire
Posts: 7
Joined: 16 Dec 2011, 13:20

Re: Ipredator VPN PPP routing problem

Post by dire »

Thanks, I tried connecting to the vpn and manually changing the default route (as suggested) with

```
ip route replace default dev ppp0
```

After that ip route looks like this

```
default dev ppp0  scope link
93.182.149.2 via 192.168.0.1 dev eth1  src 192.168.0.17
93.182.151.2 via 192.168.0.1 dev eth1  src 192.168.0.17
93.182.187.2 via 192.168.0.1 dev eth1  src 192.168.0.17
93.182.188.2 via 192.168.0.1 dev eth1  src 192.168.0.17
93.182.188.2 dev ppp0  proto kernel  scope link  src 93.182.188.119
93.182.189.2 via 192.168.0.1 dev eth1  src 192.168.0.17
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.17
239.0.0.0/8 dev eth1  scope link
```

(Me too behind isp's router)

So, default route looks ok I guess but I am not able to reach for instance minip.no, neither by name nor ip (194.63.248.32). Tried with wget and ping.

/Dan
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: Ipredator VPN PPP routing problem

Post by Gordon »

Hmmm...

Did you also try from a different machine in your LAN? The trouble with VPNs can be that you're sending a bad return address when attempting to connect from the machine that's hosting either side of the tunnel. The trouble in this case is that while you can in fact connect to the intended target, that target has no way of sending the response along the same route.
dire
Posts: 7
Joined: 16 Dec 2011, 13:20

Re: Ipredator VPN PPP routing problem

Post by dire »

Yes, I am able to use the vpn connection from my laptop running ubuntu 11.10.

Also, pinging the vpn gateway (93.182.188.2 in the example) is successful. So at least that machine can send me responses, not sure if it is over eth1 or ppp0 though.

But, pinging for instance minip.no either by name or address fails (hangs without response).
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: Ipredator VPN PPP routing problem

Post by Gordon »

If there's no route set to use eth0, then traffic should be handed to ppp0. To verify, you might try to trace what's happening using tcpdump (`apt-get install tcpdump`).
dire
Posts: 7
Joined: 16 Dec 2011, 13:20

Re: Ipredator VPN PPP routing problem

Post by dire »

As I mentioned earlier the vpn connection works fine from my laptop, where the routes look like this during a session

```
default dev ppp0  proto static
93.182.187.2 via 192.168.0.1 dev wlan0  proto static
93.182.187.2 via 192.168.0.1 dev wlan0  src 192.168.0.14
93.182.187.2 dev ppp0  proto kernel  scope link  src 93.182.187.129
169.254.0.0/16 dev wlan0  scope link  metric 1000
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.14  metric 2
```

Using the "same routes" (different vpn gateway and ip) on my b3 as

```
default dev ppp0  proto static
93.182.146.2 via 192.168.0.1 dev eth1  src 192.168.0.17
93.182.146.2 dev ppp0  proto kernel  scope link  src 93.182.146.19
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.17
239.0.0.0/8 dev eth1  scope link
```

192.168.0.14 is the local address of my laptop and 192.168.0.17 is the b3.

I'm still not able to reach anything other than the vpn gateway (93.182.146.2) from the b3 during the vpn session.

Running "tcpdump -i ppp0" on the b3 while pinging the gateway shows no traffic to or from the gateway (not using ppp0?).

There is some traffic on ppp0 according to tcpdump but none related to my pinging or wget attempts as far as I can see.

Having used the vpn for a couple of minutes ifconfig gives me

```
ppp0      Link encap:Point-to-Point Protocol
          inet addr:93.182.146.19  P-t-P:93.182.146.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1496  Metric:1
          RX packets:3268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:206828 (201.9 KiB)  TX bytes:71324 (69.6 KiB)
```

So there is some traffic using the interface but I can not reach minip.no with the routes above.
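
An added example, not part of any post in this thread: a small offline model of how the route table posted above is matched (longest prefix wins), used to check which destinations would leave through ppp0 and which bypass the tunnel. The function names are made up for this illustration, and where two routes tie on prefix length it reports both devices rather than guessing which one the kernel uses.

```python
import ipaddress

# Route table copied from the B3 post above (output of `ip route`).
B3_ROUTES = """\
default dev ppp0  proto static
93.182.146.2 via 192.168.0.1 dev eth1  src 192.168.0.17
93.182.146.2 dev ppp0  proto kernel  scope link  src 93.182.146.19
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.17
239.0.0.0/8 dev eth1  scope link
"""

def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # skip blank lines and routes without an output device
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_devices(routes, dest):
    """Devices of the most specific route(s) that match dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    if not matches:
        return []
    best = max(plen for plen, _ in matches)
    # More than one device here means the table alone does not settle it.
    return sorted({dev for plen, dev in matches if plen == best})

def bypasses_tunnel(routes, dest, tunnel="ppp0"):
    """True if dest is not routed exclusively through the tunnel device.
    LAN destinations are expected to bypass it; Internet hosts are not."""
    return egress_devices(routes, dest) != [tunnel]

if __name__ == "__main__":
    table = parse_routes(B3_ROUTES)
    for dest in ("194.63.248.32", "93.182.146.2", "192.168.0.14"):
        devs = egress_devices(table, dest)
        print(dest, devs, "bypass" if bypasses_tunnel(table, dest) else "tunnel")
```

On the box itself, `ip route get 194.63.248.32` asks the kernel the same question and also settles the tie for the gateway address, which has a /32 route on both eth1 and ppp0.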
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: Ipredator VPN PPP routing problem

Post by Gordon »

AFAIK this should be the correct setting.

I should have probably been a bit more clear about the try with a workstation suggestion. The objective is that you set up the PPTP connection on the B3 and with the workstation connected to the B3 LAN interface verify if internet access does work from that workstation.

Also make sure to add the following rule to your firewall

```
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
```

(No web based service can ever return a reply to a private range address)
dire
Posts: 7
Joined: 16 Dec 2011, 13:20

Re: Ipredator VPN PPP routing/firewall? problem

Post by dire »

To answer my own question about this setup, using the ip-up/down scripts is probably not the way to go if you just want to route everything through the vpn; ppp0 has a replacedefaultroute option that does exactly that.

Also, I have copied the vpn configuration to a headless ubuntu machine and my vpn works fine from there. So, my guess is that it is not a routing problem but probably something with the b3 firewall, of which I don't know anything yet (just using my b3 as a server).

/Dan