Forwarding PPTP traffic to Internet

 
 
Gus
Guest
Posts: n/a

 
      01-11-2006, 03:03 AM
Hi,

I've set-up for myself VPN (PPTP) access to my Linux server, and am
trying to set-up the routing etc. so that I can see the Internet when
connected. But can't figure it out. Can anyone help? I have
RH Linux Server (runs PopTop PPTP)
|
Router (has proxy through to PPTP service, so outside world can
see it)
|
ISP
:
My Laptop

I'm successfully VPNing to the server, so that's good. I figure I want
the server to route traffic that isn't targeted at the Server's
network back out again. So, here's my configuration:

Server IP Address: 192.168.0.132
Router IP Address: 192.168.0.2
Subnet Mask: 255.255.255.0
Subnet Mask: 255.255.255.0

/etc/pptp.conf
--------------------
(stuff deleted)
localip 192.168.0.132
# N.B. The remoteip range must be co-ordinated with the IP routing rules in the iptables.
remoteip 192.168.0.234-238

/proc/sys/net/ipv4/ip_forward
------------------------------------------
1


What I've tried is to create an IPTables entry, thus:
/sbin/iptables -t filter -A FORWARD -i ppp0 -s 192.168.0.232/29 -d '!' 192.168.0.0/24 -j ACCEPT


Now,
(a) my server can see outside happily: ping 64.233.287.99 (i.e.
Google) works happily.
(b) my server is receiving traffic from the laptop happily: when doing
the same ping on the laptop, if I run 'tcpdump -i ppp0', then I get
lots of stuff:
tcpdump: listening on ppp0
15:00:56.787427 10.1.89.18.netbios-ns > 10.1.3.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:00:56.787630 192.168.0.235.netbios-ns > 192.168.0.132.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:00:56.787822 192.168.0.132.netbios-ns > 192.168.0.235.netbios-ns: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST (DF)
15:00:56.801589 192.168.0.235.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:00:57.552458 192.168.0.235.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:00:58.283306 10.1.89.18.netbios-ns > 10.1.3.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:00:58.303555 192.168.0.235.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:00:59.785476 10.1.89.18.netbios-ns > 10.1.3.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:01:02.295347 192.168.0.132.netbios-ns > 192.168.0.235.netbios-ns: NBT UDP PACKET(137): REGISTRATION; NEGATIVE; RESPONSE; UNICAST (DF)
15:01:02.299424 192.168.0.235.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)
15:01:02.299616 192.168.0.235.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)
15:01:03.791644 192.168.0.235.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)

(c) but nothing seems to be coming out of eth0 on the server; i.e.
when doing the same ping on the laptop, if I run 'tcpdump -i eth0', I
get nothing.

Help!

Cheers,

Gus.

 
 
 
 
 
metaltama@gmail.com
Guest
Posts: n/a

 
      01-11-2006, 09:36 AM
hey

don't really get what you're trying to do, but maybe this'll help anyway.
if you have a router that acts as a gateway(xDSL) you need to add a
default route to it. to add your gateway to the routing table, #route
add default gw *router ip*

i.e.
route add default gw 192.168.0.1

I don't understand what you're trying to do. What connection have you
got?? ppp can be dial-up or PPPOE(dsl), what type of router is it? etc.
More details plz.

 
 
Tauno Voipio
Guest
Posts: n/a

 
      01-11-2006, 09:04 PM
Gus wrote:
> Hi,
>
> I've set-up for myself VPN (PPTP) access to my Linux server, and am
> trying to set-up the routing etc. so that I can see the Internet when
> connected. But can't figure it out. Can anyone help? I have
> RH Linux Server (runs PopTop PPTP)
> |
> Router (has proxy through to PPTP service, so outside world can
> see it)
> |
> ISP
> :
> My Laptop
>
> I'm successfully VPNing to the server, so that's good. I figure I want
> the server to route traffic that isn't targeted at the Server's
> network back out again. So, here's my configuration:
>
> Server IP Address: 192.168.0.132
> Router IP Address: 192.168.0.2
> Subnet Mask: 255.255.255.0
> Subnet Mask: 255.255.255.0



If you want to get out to the Net, you have to
translate (NAT, IP-Masquerade) the RFC 1918
addresses (here: the 192.168.x.y range) to
some publicly routable address range.

Google for NAT. Rusty Russell's guides are pretty good.

--

Tauno Voipio
tauno voipio (at) iki fi
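
The NAT step this reply points to, sketched as an added example that is not part of the thread: the function prints iptables commands for review instead of applying them. The addresses are the ones Gus posted; the interface names eth0 and ppp+ and the single-NIC layout are assumptions based on the tcpdump commands in the first post.

```shell
#!/bin/sh
# Added example: emit (not apply) iptables rules that let PPTP clients reach
# the Internet through the VPN server (full tunnel, no split tunnelling).

VPN_POOL="192.168.0.232/29"   # covers remoteip 192.168.0.234-238 from pptp.conf
LAN_NET="192.168.0.0/24"      # server LAN; traffic to it is not masqueraded
WAN_IF="eth0"                 # assumption: the server's only Ethernet interface
VPN_IF="ppp+"                 # assumption: matches any pppN that pptpd brings up

# vpn_forward_rules POOL LAN WAN_IF VPN_IF
# Prints one command per line so the rule set can be reviewed, then piped to
# "sh" as root once it looks right.
vpn_forward_rules() {
    pool=$1 lan=$2 wan=$3 vpn=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $vpn -s $pool -j ACCEPT
iptables -A FORWARD -i $vpn -j DROP
iptables -t nat -A POSTROUTING -s $pool ! -d $lan -o $wan -j MASQUERADE
EOF
}

# What each line does:
#  1. routing between interfaces is a kernel switch; iptables only filters
#     and rewrites packets the kernel has already decided to forward
#  2. return traffic for connections the VPN clients opened
#  3. new connections from the VPN pool, to any destination
#  4. anything else arriving on a ppp interface (spoofed source) is dropped
#  5. Internet-bound VPN traffic leaves with the server's own address
# "! -d NET" is the current spelling of the thread's older "-d '!' NET".

vpn_forward_rules "$VPN_POOL" "$LAN_NET" "$WAN_IF" "$VPN_IF"
```

After applying the rules, `iptables -t nat -L POSTROUTING -v -n` shows packet counters on the MASQUERADE line, which is a quick way to confirm that client traffic is reaching it.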
 
 
Gus
Guest
Posts: n/a

 
      01-11-2006, 09:47 PM
OK, thanks, let me try and explain better.

- I'm talking broadband connections from the laptop through to ISP to
router.
- the router is a DLink 824-vup. That said, I'm not trying to use its
built-in VPN connections support - from the outside world's
perspective, it's merely proxying the appropriate ports from the
server. Yes, at the end of the day, it's the server's LAN's gateway.

The problem is a bit of a "chestnut" problem: the PPTP-over-broadband
VPN connection to the server works just fine, and does everything I
want, EXCEPT that I want to be able to also see the rest of the Internet (e.g.
Websurf) while the VPN connection is active. I'm aware of the
so-called "split-tunnelling" solution, which allows the client machine
to directly see the 'Net by an appropriate configuration at the client
end. But I don't want to do that due to the security issues it raises.


So I figure I need to get the Linux server to route things
appropriately i.e. traffic from that laptop via the VPN that is
destined for the server's LAN stays with the server's LAN, while
traffic that isn't so destined gets forwarded through to the "Big
Wide World" (which would therefore go via the router).

Hence, I've thrown in the iptables rule as per my prior posting, but
this doesn't seem to be working, and I don't really see why not, or how
to diagnose it.

What I do have so far is:
(a) a working VPN connection, with traffic happily emerging at the
server end through ppp0.
(b) the ability for the server itself to see the Internet - I can
happily websurf using the server's web browser.

So the problem just seems to be making that 'bridge' between the two.

BTW, (bit of a newbie comment coming!) I thought routing was done with
iptables - hence my solution in the preceding posting. So what's the
difference between the kernel's routing tables (as manipulated with the
route utility) and the iptables (as manipulated with the iptables
utility)?

Thanks in advance for your help.

Gus.

 