Linode Forum

[yawn]

Hello all,

I've configured pptpd to allow incoming VPN connections from the native Windows VPN clients. I wish to let these VPN clients connect to the Internet through the ppp connection on the Linode. I am aware that SSH tunneling is usually the defacto standard for this, however, VPN seems to be the only way to redirect the traffic from flash player on Windows.

I've setup what I believe to be the appropriate routes on iptables, but, Internet browsing behavior is erratic. I'm hoping that there's just something wrong with my iptables rules--any advice on troubleshooting?

Thanks.

Code: [root@linode ppp]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request state NEW
OPEN-UDP   udp  --  anywhere             anywhere            state NEW
OPEN-TCP   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN state NEW
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
fw-interfaces  all  --  anywhere             anywhere
fw-open    all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain OPEN-TCP (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1723
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp

Chain OPEN-UDP (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain fw-interfaces (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain fw-open (1 references)
target     prot opt source               destination

[root@linode ppp]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.16.0.0/12        0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[vonskippy]

So is the VPN tunnel working - but not forwarding - or what?

[yawn]

vonskippy wrote: So is the VPN tunnel working - but not forwarding - or what? The VPN tunnel seems to be working. The forwarding works at times, but not consistently. I can load small webpages through the forwarding, and ping/lookup external hosts. However, after attempting to open up a few webpages the forwarding just dies. Hostname lookups fail, and nothing will connect out to the Internet. When that happens the VPN tunnel is still good, as I can ping the Linode's local VPN address from the remote Windows machine.

[obs]

yawn wrote: I am aware that SSH tunneling is usually the defacto standard for this, however, VPN seems to be the only way to redirect the traffic from flash player on Windows.


SSH tunnelling works fine for flash, SSH to your linode with the DynamicForward option (might be named differently on windows), then set your internet options to use a socks 5 proxy to 127.0.0.1 and the port your set on dynamic forward. I've used it to connect to country specific content while out of the country.

[yawn]

obs wrote: yawn wrote: I am aware that SSH tunneling is usually the defacto standard for this, however, VPN seems to be the only way to redirect the traffic from flash player on Windows.


SSH tunnelling works fine for flash, SSH to your linode with the DynamicForward option (might be named differently on windows), then set your internet options to use a socks 5 proxy to 127.0.0.1 and the port your set on dynamic forward. I've used it to connect to country specific content while out of the country. I was under the impression that flash on Windows ignored all proxy settings..? I had a functioning Squid install which I used as a proxy as a first go at this, but while browsers would obey the proxy setting, flash would ignore it and bypass the SOCKS to connect directly.

[obs]

I've never had issues, maybe you have some weird setting in your flash or something is corrupt?

[yawn]

obs wrote: I've never had issues, maybe you have some weird setting in your flash or something is corrupt? With a little more digging, it looks Flash will use the Windows machine's proxy settings if and only if a direct connection fails. References: http://www.coolminiornot.com/forums/showthread.php?36719-Help-getting-flash-player-to-work-amp-proxy-server&p=529138 and http://forums.isaserver.org/m_2002075370/mpage_1/key_/tm.htm#2002075404

So it sounds like I could pull off an SSH tunnel or just plain normal proxy if I were to configure iptables on my home router to block normal web traffic. I'd still like to get the VPN up and working, though, as then I wont have to deal with toggling settings on the router whenever I'd like to tunnel..