We've been struggling with some kind of network/routing issue with a PPTPD based VPN where the clients can't access certain internet domains/ips through the VPN. As an example, the user can browse hxxp://google.com, but not hxxp://microsoft.com.
The setup is as follows:
Client (same problem on Windows and Android, haven't tested others) (ip: x.x.x.x) -> Internet -> (y.y.y.y) dd-wrt router (192.168.1.1) -> Ubuntu Server 10.10 running PPTPD (192.168.1.125).
eirik@woserv:~$ cat /etc/pptpd.conf | grep -v '#'
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.1.125
remoteip 192.168.1.230-240
eirik@woserv:~$ cat /etc/ppp/pptpd-options | grep -v '#'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.1.1
proxyarp
nodefaultroute
debug
lock
auth
nobsdcomp
noipx
mtu 1490
mru 1490
iptable rules (in /etc/rc.local) and verified is loaded using iptables -L
#!/bin/sh
# Flush all rules
iptables -F
iptables -X
iptables -Z
# Allow all VPN stuff
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
exit 0
We've enabled PPTP, IPSEC and L2TP passthrough on the dd-wrt router (under Security -> VPN Passthrough). Also, we've port forwarded 1723 and 47 to 192.168.1.125.
The VPN connection in Windows is setup with "Use default gateway on remote network" on IPv4 and uses MS-CHAP v2. If the clients access hxxp://www.whatismyip.com/ the correct VPN ip is reported (y.y.y.y) and not their normal internet IP, x.x.x.x.
So far we've identified the following problem domains:
microsoft.com
support.microsoft.com
no.yahoo.com
answers.yahoo.com
nrk.no
imgur.com
(And while working on describing this problem, I discovered that I could not load http://w.pastebin.ca/pb-g.gz.js when I tried to access hxxp://pastebin.ca via the VPN)
If the clients try to open these web pages when they are using the VPN, they get a timeout (Google Chrome Dev Tools under Networking says "Pending" for the requests until they timeout). Sometimes Chrome says the error is "Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.". Other services (besides http/https 80/443 also fail).
Most other sites work, like hxxp://google.com and hxxp://bing.com. The problems are consistent among many different windows and android clients from various locations. There are no proxies involved. Disabling Windows firewall and any anti-virus software does nothing.
tracert from the clients gives various results for the different domains, but they seem somewhat consistent between no VPN and VPN, here are some examples.
If I fire up lynx http://microsoft.com directly on the Linux server running PPTPD it loads up fine. Same with the other sites ...
Any ideas?
(sorry for the jsfiddle with the tracert links, could not post that many links here as a new user on ServerFault)
