Connecting from a PPTP VPN client just times out. Nothing is logged on the t1n1wall side. After some trial and error (and searching on the Internet) I changed the ruleset in /var/etc/pf.ip.conf. I know very little about pf rules, but the following changes worked for me.
From:

    # PPTP rules
    #pass in quick on le1 inet proto gre from any to 192.168.132.128 keep state
    #pass in quick on le1 inet proto tcp from any to 192.168.132.128 port = 1723 flags S/SA synproxy state

To:

    # PPTP rules
    pass in quick on le1 inet proto { tcp udp } from any to 192.168.132.128 port { 47 1723 }
    pass in quick on le1 inet proto { tcp } from any to 192.168.132.128 port { 5005 5006 }
Patch is attached.
FYI, the original rules on the top are not commented. Also replace 192.168.132.128 with the WAN IP. Also, the second line for ports 5005 and 5006 is probably not needed.

Last edit: Daniel Morante 2019-06-21
Here's a corrected patch without the extra rule.
I'm travelling for another week, but those changes seem unusual. Is t1n1wall the PPTP server, or are you running a separate server?
The PPTP server is the t1n1wall. My OP is perhaps a bit confusing; I copy/pasted from a test VM using internal addressing, and I can't seem to figure out how to edit OPs here on SF. The actual change is in my latest patch.
I don't claim I actually know what I am doing in regards to pf rules. The above just happened to work for me when I used it. :-)
pptp is supposed to auth on tcp 1723 and then establish a gre tunnel, from what I remember. gre is IP protocol 47, which makes port 47 look suspicious... what client are you using?
I agree that having TCP port number 47 does seem unnecessary. I'll test it without that rule while keeping the UDP version (which I believe is required for PPTP to work).

Client-wise, I've tried it on Android and Windows.
After a bunch of trial and error runs I was able to figure out what was wrong with your original rules. It looks like PPTP doesn't like it when you proxy the TCP handshake, as directed by the "synproxy state" keyword in the second rule (https://www.openbsd.org/faq/pf/filter.html#synproxy). It also seems unnecessary to manually put in "flags S/SA", since that gets added automatically. The working rules end up being
Updated patch file attached.
That's great, I'll update t1n1wall when I get back. Thanks for working on the problem.
I've put this in r153, but kept state tracking (without synproxy).
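For reference, this is the shape of the ruleset the thread converges on: TCP 1723 for the PPTP control connection and GRE (IP protocol 47) for the tunnel, both with plain state tracking and without synproxy. It is an added example written for this page, not the r153 ruleset or the attached patch; the interface name le1 and the address 192.168.132.128 are placeholders taken from the OP's test VM and must be replaced with the real WAN interface and WAN IP.

```pf
# PPTP pass-through rules for the WAN interface (added example; not the
# project's shipped ruleset). Placeholders: le1 and 192.168.132.128 are
# the interface and address from the OP's test VM; substitute the real
# WAN interface and WAN IP.
wan_if = "le1"
wan_ip = "192.168.132.128"

# PPTP control connection: the client authenticates over TCP port 1723.
# Plain "keep state" tracks the connection; "synproxy state" is left out
# because PPTP does not tolerate pf completing the TCP handshake on the
# server's behalf. "flags S/SA" is omitted since pf applies it by default
# to stateful TCP rules.
pass in quick on $wan_if inet proto tcp from any to $wan_ip port 1723 keep state

# PPTP data channel: a GRE tunnel (IP protocol 47). GRE has no ports, so
# "port 47" on a tcp or udp rule would never match the tunnel traffic.
pass in quick on $wan_if inet proto gre from any to $wan_ip keep state
```

Before loading a hand-edited /var/etc/pf.ip.conf, `pfctl -nf /var/etc/pf.ip.conf` parses the file without touching the running ruleset, which catches syntax slips such as a stray `#` in front of a rule; after a client connects, `pfctl -s states` should show one TCP state for port 1723 and one GRE state for the same client address, which is the quickest way to confirm the tunnel is actually being passed rather than just the control connection.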