2015-09-23 - Re: [GRASE-Hotspot] VPN PPTP options

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 60317b1ed626cac0e76669f6554e18cfc9238623174b1c704eefb63dd47b6ffd
Message ID: <CAESLx0LdLSJgBFo95-HU5qECm6q7Xh64_dzAnJwn=Jxbp5MUHg@mail.gmail.com>
Reply To: <3DE5A5A7-FFC7-4724-9C02-F32693618043@argyle.com.au>
UTC Datetime: 2015-09-23 00:40:34 UTC
Raw Date: Wed, 23 Sep 2015 17:40:34 +1000

Raw message

I'm currently away, so can't work on this ATM. If you can work out what
iptables rules are missing we can easily add them in. Feel free to open a
bug report with the tcpdumps and network testing you've done. That'll make
sure it doesn't get forgotten.

Regards

Tim
On Sep 23, 2015 5:36 PM, "David Wilson" <da***e@argyle.com.au> wrote:

> ok,
>
> yes I am getting similar.
>
> I did some basic testing too.
>
> My network is   {internet}  NAT-Router {DMZ}  Grase  {client}
>
> I can connect when client is in the DMZ network
>
> I replaced the Grase with a cheap TPLink NAT router to look like this
>
>  {internet}  NAT-Router {DMZ}  2ndNAT  {client}
>
> In this case the client sitting behind the 2ndNAT router also works.
> I can connect when client is in the client network with double NAT
>
> So right now it is the Grase that is the thing that is causing the failure
> to connect.
>
> I got pretty much the same packet captures.
> Although I also did a capture at the 1st NAT and it clearly shows replies
> going back to Grase.
>
> 17:30:34.806077 IP zzz-xxx-yyy-115.xxxxxxxxx.net.au > 192.168.74.3:
> GREv1, call 49828, seq 4, ack 3, length 40: LCP, Conf-Ack (0x02), id 1,
> length 22
> 17:30:34.812038 IP zzz-xxx-yyy-115.xxxxxxxxx.net.au > 192.168.74.3:
> GREv1, call 49828, seq 5, length 45: LCP, Conf-Request (0x01), id 1, length
> 31
> 17:30:37.808626 IP zzz-xxx-yyy-115.xxxxxxxxx.net.au > 192.168.74.3:
> GREv1, call 49828, seq 6, ack 4, length 40: LCP, Conf-Ack (0x02), id 1,
> length 22
> 17:30:37.811755 IP zzz-xxx-yyy-115.xxxxxxxxx.net.au > 192.168.74.3:
> GREv1, call 49828, seq 7, length 45: LCP, Conf-Request (0x01), id 1, length
> 31
> 17:30:40.815302 IP zzz-xxx-yyy-115.xxxxxxxxx.net.au > 192.168.74.3:
> GREv1, call 49828, seq 8, length 45: LCP, Conf-Request (0x01), id 1, length
> 31
> 17:30:40.817424 IP zzz-xxx-yyy-115.xxxxxxxxx.net.au > 192.168.74.3:
> GREv1, call 49828, seq 9, ack 5, length 40: LCP, Conf-Ack (0x02), id 1,
> length 22
>
>
> I believe there are some issues with Linux not masquerading GRE correctly.
> Although this looks right to me.
>
> However I thought that it might be best to try a plain vanilla Linux
> without any Grase configs (just NAT) and see if that works.
>
>
> Dave
>
>
>
> On 22 Sep 2015, at 6:56 pm, Paul van Oijen <
> Pa***n@abnamrocomfin.com> wrote:
>
> Hi Dave.
>
> I have about the same setup here…. My hotspot is set to 10.1.0.x and the
> Inet LAN is 192.168.x.y
>
> I did some debugging and see this…. (I misformed the IPs)
>
> root@hotspot:~# tcpdump -i tun0 src host 10.1.0.188 and dst host
> 211.21.34.180
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
> 16:44:56.119117 IP 10.1.0.188.43016 >
> myvpn.hostname.tld.1723: Flags [S], seq 1163617152, win
> 29200, options [mss 1460,sackOK,TS val 101773162 ecr 0,nop,wscale 6],
> length 0
> 16:44:56.195136 IP 10.1.0.188.43016 >
> myvpn.hostname.tld.1723: Flags [.], ack 1352138517, win 457, options
> [nop,nop,TS val 101773171 ecr 379982695], length 0
> 16:44:56.195393 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [P.],
> seq 0:156, ack 1, win
> 457, options [nop,nop,TS val 101773171 ecr 379982695], length 156: pptp
> CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA)
> MAX_CHAN(1) FIRM_REV(0) HOSTNAME(anonymous) VENDOR()
> 16:44:56.270717 IP 10.1.0.188.43016 >
> myvpn.hostname.tld.1723: Flags [.], ack 157, win 495, options [nop,nop,TS
> val 101773179 ecr 379982704], length 0
> 16:44:56.270748 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [P.],
> seq 156:324, ack 157,
> win 495, options [nop,nop,TS val 101773179 ecr 379982704], length 168:
> pptp CTRL_MSGTYPE=OCRQ CALL_ID(58649) CALL_SER_NUM(27438)
> MIN_BPS(1000) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E)
> RECV_WIN(8192) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
> 16:44:56.393730 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:44:56.393757 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [.],
> ack 189, win 495,
> options [nop,nop,TS val 101773191 ecr 379982711], length 0
> 16:44:59.375547 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 1, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:02.379858 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 2, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:05.386927 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 3, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:08.386710 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 4, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:11.388625 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 5, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:14.391496 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 6, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:17.392441 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 7, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:20.392662 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 8, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:23.396235 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq
> 9, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:45:26.438999 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags
> [F.], seq 324, ack 189, win 495, options [nop,nop,TS val 101776196 ecr
> 379982711], length 0
> 16:45:26.474772 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [.],
> ack 190, win 495,
> options [nop,nop,TS val 101776199 ecr 379985727], length 0
>
> 18 packets captured
> 19 packets received by filter
> 0 packets dropped by kernel
>
>
> root@hotspot:~# tcpdump -i eth0 dst host 211.21.34.180
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> 16:46:00.139027 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags
> [S], seq 2938458965, win
> 29200, options [mss 1460,sackOK,TS val 101779564 ecr 0,nop,wscale 6],
> length 0
> 16:46:00.472091 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags
> [.], ack 1410137951, win 457,
> options [nop,nop,TS val 101779599 ecr 379989097], length 0
> 16:46:00.472194 IP 192.168.1.69.43017 >
> myvpn.hostname.tld.1723: Flags [P.], seq 0:156, ack 1, win 457, options
> [nop,nop,TS val 101779599 ecr 379989097], length 156:
> pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA)
> MAX_CHAN(1) FIRM_REV(0) HOSTNAME(anonymous) VENDOR()
> 16:46:00.820329 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags
> [.], ack 157, win 495,
> options [nop,nop,TS val 101779634 ecr 379989134], length 0
> 16:46:00.820461 IP 192.168.1.69.43017 >
> myvpn.hostname.tld.1723: Flags [P.], seq 156:324, ack 157, win 495,
> options [nop,nop,TS val 101779634 ecr 379989134], length 168:
> pptp CTRL_MSGTYPE=OCRQ CALL_ID(34279) CALL_SER_NUM(35707) MIN_BPS(1000)
> MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E)
> RECV_WIN(8192) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
> 16:46:01.189003 IP 10.1.0.188 > myvpn.hostname.tld: GREv1,
> call 16384, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:01.198823 IP 192.168.1.69.43017 >
> myvpn.hostname.tld.1723: Flags [.], ack 189, win 495, options [nop,nop,TS
> val 101779672 ecr 379989171], length 0
> 16:46:01.357825 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:01.507514 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:04.190027 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 1, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:04.507990 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:04.569061 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:07.192535 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 2, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:07.331277 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:07.372653 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:10.184899 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:10.200938 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 3, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:10.391521 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:13.198368 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 4, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:13.341953 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:13.376501 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:16.201978 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 5, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:16.333516 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:16.369908 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:19.202123 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 6, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:19.372734 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:19.392841 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:22.205338 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 7, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:22.412777 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:22.419452 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:25.209199 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 8, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:25.498702 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:25.508549 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:28.212143 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq
> 9, length 40: LCP, Conf-Request (0x01), id 1, length 26
> 16:46:28.241302 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 73
> 16:46:28.244673 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69
> protocol 47 unreachable, length 72
> 16:46:31.261534 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags
> [F.], seq 324, ack 189, win
> 495, options [nop,nop,TS val 101782678 ecr 379989171], length 0
> 16:46:31.468796 IP 192.168.1.69.43017 >
> myvpn.hostname.tld.1723: Flags [.], ack 190, win 495, options [nop,nop,TS
> val 101782699 ecr 379992209], length 0
>
> I guess the issue lies in the protocol 47 unreachable, but why… If someone
> knows how to get further please let me know.
>
> Rgds..
>
> *From:* David Wilson [mailto:da***e@argyle.com.au <da***e@argyle.com.au>]
> *Sent:* Tuesday 22 September 2015 1:07
> *To:* gr***t@grasehotspot.org
> *Subject:* Re: [GRASE-Hotspot] VPN PPTP options
>
> Paul & Tim,
>
> I have exactly the same issue with a client where they have Grase guests
> that are trying to make a PPTP connection outbound to their work but
> cannot.
>
> In my environment I have a NAT firewall that connects the public IP from
> the ISP and provides an internal IP address range (DMZ) that the Grase
> public side connects to.
> And then Grase has a 2nd NIC that connects to the Guest wifi.
>
> Therefore there is a double NAT happening.
>
> i.e.: The guests get a Grase IP and are NAT’ed to the public side of
> the Grase, which is a DMZ address.
> The public side of Grase is then NAT’ed to the internet.
>
>
> So far I have just created some NAT rules on the outer router to forward
> any PPTP stuff back to Grase (i.e. GRE and 1723) and that has not worked.
> Although I didn’t really expect it to, as the PPTP 1723 is outbound and
> should not have anything initiating back to the clients.
> I have checked that I have all replies catered for.
>
> As the customer is remote (and therefore almost impossible for me to test)
> I am now going to replicate the network here so I can fault find it.
>
> Paul, is your setup the same topology as my situation (i.e. double NAT)?
>
>
> Dave
>
>
>
>
> On 21 Sep 2015, at 10:32 pm, Paul van Oijen <
> Pa***n@abnamrocomfin.com> wrote:
>
> Hi Tim,
>
> I plugged in another router to work outside the Linux hotspot box and then
> the VPN tunnel works well.
> Once I use the hotspot again it always fails to connect to my VPN.
>
> As an example, I have a dd-wrt router with PPTP enabled on the outside and I
> would like to connect to that via the hotspot, establishing a tunnel from my
> Android phone to the network behind the dd-wrt router, but that always
> fails.
> As mentioned not having the hotspot in between but another wireless device
> works well.
>
> So it's from the inside to the outside. What would you advise to check to
> see what the issue could be?
>
> Chrs Paul
>
> -----Original message-----
> From: Timothy White [mailto:ti***8@gmail.com <ti***8@gmail.com>]
> Sent: Sunday 20 September 2015 12:42
> To: Grase Hotspot
> Subject: Re: [GRASE-Hotspot] VPN PPTP options
>
> Hi Paul
>
> Can you please make it a bit clearer what you are asking. Are you wanting
> to allow users to make PPTP connections outgoing? Or do you want incoming
> connections to a client? Do you want clients to make a PPTP connection to
> the Hotspot?
>
> I believe, but can't test as I don't use PPTP anymore, that outgoing
> connections should work already.
>
> Regards
>
> Tim
>
> On Fri, Sep 18, 2015 at 7:01 PM, Paul van Oijen <
> Pa***n@abnamrocomfin.com> wrote:
>
> Hello,
>
> Small question: what options does one have to allow a PPTP (VPN)
> connection to hotspot users?
>
> Either selective (IP-based / user-based) or, if not possible, to all users.
>
> Chrs …
> http://www.abnamrocomfin.com/maildisclaimer
>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at
> http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/027DF0743282704CAFA3948002E2396601A79E7614%40HLVWDBACFEXC02.acfgroup.local
> .
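An added example, not code from this thread or from the Grase project: a POSIX sh triage for the failure the captures above show (TCP/1723 NATed fine, GRE not coming back, the hotspot answering with "protocol 47 unreachable"), plus the generic Linux rule set that tracks, forwards and masquerades GRE alongside the control channel. Interface names, vpn.example and the sample capture lines are constructed; 192.168.1.69 follows Paul's eth0 capture, and the reading of the ICMP unreachables as "no PPTP conntrack mapping" is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from this thread or the Grase project): triage helpers for
# PPTP passthrough on a Linux NAT box. Interface names, vpn.example and the
# sample captures are constructed; 192.168.1.69 follows the eth0 capture above.

# Constructed capture in the shape of the failing one: TCP/1723 was NATed, but
# GRE left with the guest's private source address, and the box itself answered
# the server's GRE with ICMP "protocol 47 unreachable".
BROKEN_CAPTURE='16:46:01.189003 IP 10.1.0.188 > vpn.example: GREv1, call 16384, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:01.357825 IP 192.168.1.69 > vpn.example: ICMP 192.168.1.69 protocol 47 unreachable, length 73'

# Constructed healthy capture: GRE seen in both directions, sourced from the WAN IP.
HEALTHY_CAPTURE='16:46:01.189003 IP 192.168.1.69 > vpn.example: GREv1, call 16384, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:01.201000 IP vpn.example > 192.168.1.69: GREv1, call 49828, seq 0, ack 0, length 40: LCP, Conf-Ack (0x02), id 1, length 26'

# diagnose_capture CAPTURE WAN_IP -> one token describing a WAN-side tcpdump:
#   gre-not-masqueraded   outbound GRE kept a non-WAN source: GRE is not being NATed
#   gre-rejected-locally  this box answered inbound GRE with proto-47 unreachable
#                         (assumed reading: no PPTP conntrack entry mapped the reply
#                         back to a guest, so the kernel treated it as local traffic)
#   ok                    GRE seen in both directions
#   gre-no-return         GRE left correctly but nothing came back (upstream issue)
#   no-gre                only the TCP/1723 control channel was seen
diagnose_capture() {
    capture=$1; wan_ip=$2
    if printf '%s\n' "$capture" |
        awk -v wan="$wan_ip" '/GREv1/ && $3 != wan && $5 != wan ":" { f = 1 } END { exit !f }'
    then echo gre-not-masqueraded
    elif printf '%s\n' "$capture" | grep -q "IP $wan_ip > .* protocol 47 unreachable"
    then echo gre-rejected-locally
    elif printf '%s\n' "$capture" | grep -q " > $wan_ip: GREv1"
    then echo ok
    elif printf '%s\n' "$capture" | grep -q 'GREv1'
    then echo gre-no-return
    else echo no-gre
    fi
}

# pptp_passthrough_rules WAN_IF LAN_IF -> prints the PPTP conntrack/NAT helpers and
# iptables rules that track, forward and masquerade GRE alongside TCP/1723.
# Review the output, then pipe it to sh as root. Generic rules, not Grase's script.
pptp_passthrough_rules() {
    wan=$1; lan=$2
    cat <<EOF
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
iptables -A FORWARD -i $lan -o $wan -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -p gre -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -p gre -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -p gre -j MASQUERADE
EOF
}

# Stand-alone run: classify the constructed capture, then show the rule set.
diagnose_capture "$BROKEN_CAPTURE" 192.168.1.69
pptp_passthrough_rules eth0 eth1
```

Feed it a real WAN-side capture with `diagnose_capture "$(tcpdump -nr pptp.pcap)" <wan-ip>`; a `gre-not-masqueraded` or `gre-rejected-locally` result points at the NAT box itself rather than the upstream router.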
