#37 PPTP VPN not accepting connections

Status: Fixed
Owner: nobody
Labels: None
Priority: Medium
Type: Defect
Updated: 2019-07-01
Created: 2019-06-21
Private: No

Connecting from a PPTP VPN client just times out. Nothing is logged on the t1n1wall side. After some trial and error (and searching on the Internet) I changed the ruleset in /var/etc/pf.ip.conf. I know very little about pf rules, but the following changes worked for me.

From:

# PPTP rules
#pass in quick on le1 inet proto gre from any to 192.168.132.128 keep state 
#pass in quick on le1 inet proto tcp from any to 192.168.132.128 port = 1723 flags S/SA synproxy state

To:

# PPTP rules
pass in quick on le1 inet proto { tcp udp } from any to 192.168.132.128 port { 47 1723 }
pass in quick on le1 inet proto { tcp } from any to 192.168.132.128 port { 5005 5006 }

Patch is attached.

Discussion

  • Daniel Morante - 2019-06-21

    FYI, the original rules on the top are not commented. Also replace 192.168.132.128 with the WAN IP. Also, the second line for ports 5005 and 5006 is probably not needed.

    Last edit: Daniel Morante 2019-06-21
  • Daniel Morante - 2019-06-21

    Here's a corrected patch without the extra rule.
  • Andy White - 2019-06-21

    I'm travelling for another week, but those changes seem unusual. Is t1n1wall the PPTP server, or are you running a separate server?
  • Daniel Morante - 2019-06-21

    The PPTP server is the t1n1wall. My OP is perhaps a bit confusing; I copy/pasted from a test VM using internal addressing and I can't seem to figure out how to edit OPs here on SF. The actual change is in my latest patch.

    # PPTP rules
    pass in quick on $wanif $inetfamily proto { tcp udp } from any to $pptpdtarget port { 47 1723 }

    I don't claim I actually know what I am doing in regards to pf rules. The above just happened to work for me when I used it. :-)
  • Andy White - 2019-06-21

    PPTP is supposed to auth on TCP 1723 and then establish a GRE tunnel, from what I remember. GRE is IP protocol 47, which makes port 47 look suspicious... What client are you using?
  • Daniel Morante - 2019-06-21

    I agree having TCP port number 47 does seem like it's unnecessary. I'll test it without that rule while keeping the UDP version (which I believe is required for PPTP to work).

    Client-wise I've tried it on Android and Windows.
  • Daniel Morante - 2019-06-22

    After a bunch of trial and error runs I was able to figure out what was wrong with your original rules. It looks like PPTP doesn't like it when you proxy the TCP handshake as directed by the synproxy state keyword in the second rule. https://www.openbsd.org/faq/pf/filter.html#synproxy. It also seems unnecessary to manually put in flags S/SA since that gets added automatically.

    The working rules end up being

    pass in quick on $wanif $inetfamily proto gre from any to $pptpdtarget keep state
    pass in quick on $wanif $inetfamily proto tcp from any to $pptpdtarget port = 1723

    Updated patch file attached.
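The two pitfalls this thread uncovers (GRE is IP protocol 47 and not a TCP/UDP port, and synproxy state on the TCP 1723 control channel breaks the PPTP handshake) are easy to reintroduce when editing pf.ip.conf by hand. The following is an added example, not t1n1wall's code nor anything the commenters posted: a small Python linter that parses pf `pass` lines for a firewall-hosted pptpd and reports those mistakes. The three rule sets it checks are constructed to mirror the ones discussed above; the macro names (`$wanif`, `$inetfamily`, `$pptpdtarget`) are taken from the thread and are only treated as opaque tokens.

```python
"""Lint pf rules intended to pass PPTP (TCP 1723 control + GRE data) to a pptpd on the firewall."""
import re
from dataclasses import dataclass, field

# Constructed sample rule sets mirroring the ones in the ticket discussion.
OP_RULES = """
# PPTP rules
pass in quick on $wanif $inetfamily proto { tcp udp } from any to $pptpdtarget port { 47 1723 }
"""
SYNPROXY_RULES = """
# PPTP rules (original t1n1wall shape)
pass in quick on $wanif $inetfamily proto gre from any to $pptpdtarget keep state
pass in quick on $wanif $inetfamily proto tcp from any to $pptpdtarget port = 1723 flags S/SA synproxy state
"""
FINAL_RULES = """
# PPTP rules (working shape)
pass in quick on $wanif $inetfamily proto gre from any to $pptpdtarget keep state
pass in quick on $wanif $inetfamily proto tcp from any to $pptpdtarget port = 1723
"""


@dataclass
class Rule:
    raw: str
    protos: list = field(default_factory=list)  # e.g. ["tcp", "udp"] or ["gre"]
    ports: list = field(default_factory=list)   # e.g. ["47", "1723"]
    state: str = ""                              # "keep", "modulate", "synproxy" or ""
    flags: str = ""                              # e.g. "S/SA"


def tokenize(line: str) -> list:
    # Collapse pf list syntax "{ a b }" into one comma-joined token so it reads as a single value.
    line = re.sub(r"\{([^}]*)\}", lambda m: ",".join(m.group(1).split()), line)
    return line.split()


def parse_rule(line: str) -> Rule:
    """Extract only the fields the PPTP checks need; everything else is skipped."""
    toks = tokenize(line)
    rule = Rule(raw=line.strip())
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "proto" and i + 1 < len(toks):
            rule.protos = toks[i + 1].split(",")
            i += 2
        elif tok == "port" and i + 1 < len(toks):
            val = toks[i + 1]
            if val == "=" and i + 2 < len(toks):  # "port = 1723" form
                val = toks[i + 2]
                i += 1
            rule.ports = val.split(",")
            i += 2
        elif tok == "flags" and i + 1 < len(toks):
            rule.flags = toks[i + 1]
            i += 2
        elif tok in ("keep", "modulate", "synproxy") and i + 1 < len(toks) and toks[i + 1] == "state":
            rule.state = tok
            i += 2
        else:
            i += 1
    return rule


def lint_pptp_rules(conf: str) -> list:
    """Return a list of findings (empty means the rule set passes the PPTP sanity checks)."""
    findings = []
    rules = [parse_rule(l) for l in conf.splitlines() if l.strip().startswith("pass")]
    gre_ok = ctl_ok = False
    for r in rules:
        if "gre" in r.protos:
            gre_ok = True
        if any(p in ("tcp", "udp") for p in r.protos) and "47" in r.ports:
            findings.append("port 47 on a TCP/UDP rule: GRE is IP protocol 47, not a port; use 'proto gre' -> " + r.raw)
        if "udp" in r.protos and "1723" in r.ports:
            findings.append("udp 1723: the PPTP control channel is TCP only -> " + r.raw)
        if "tcp" in r.protos and "1723" in r.ports:
            ctl_ok = True
            if r.state == "synproxy":
                findings.append("synproxy state on tcp 1723 proxies the handshake and breaks PPTP clients -> " + r.raw)
            if r.flags == "S/SA":
                findings.append("flags S/SA is pf's default for stateful TCP rules and can be dropped -> " + r.raw)
    if not gre_ok:
        findings.append("no 'proto gre' pass rule: the PPTP data tunnel will be dropped")
    if not ctl_ok:
        findings.append("no 'proto tcp ... port 1723' pass rule: the PPTP control channel will be dropped")
    return findings


if __name__ == "__main__":
    for name, conf in (("OP", OP_RULES), ("SYNPROXY", SYNPROXY_RULES), ("FINAL", FINAL_RULES)):
        print(name, "->", lint_pptp_rules(conf) or "ok")
```

Run it against a candidate rule set before reloading pf; the FINAL set produces no findings, the OP set is flagged for port 47, UDP 1723 and the missing GRE rule, and the original synproxy set is flagged for the proxied handshake and the redundant flags.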

     
  • Andy White - 2019-06-23

    That's great, I'll update t1n1wall when I get back. Thanks for working on the problem.
  • Andy White - 2019-07-01

    I've put this in r153, but kept state tracking (without synproxy).
  • Andy White - 2019-07-01

    status: New --> Fixed
