PPTP VPN not working with Linux router
In order for NAT to work, you need to have a protocol-specific helper module loaded. By default, you're only going to have ones for TCP and UDP loaded.
That's why you're seeing your PPTP traffic (which is actually PPP over GRE) escaping without NAT. That module is nf_nat_proto_gre
, at least as of Linux 4.4.
A similar story applies to connection tracking (without which GRE packets aren't going to be considered part of an established or related connection). That's nf_conntrack_proto_gre
.
It turns out that PPTP requires special handling too (I'd guess it embeds IP addresses inside the PPP negotiation, but I haven't checked). That special handling is provided by nf_nat_pptp
and tracking of PPTP connections is provided by nf_conntrack_pptp
.
A modprobe ip_nat_pptp
should get your VPN working. Dependencies between the modules will wind up loading all four. To make it continue working across boot, add nf_nat_pptp
to /etc/modules
.
(No, I have no idea where this is documented, sorry!)
The answer by derobert is correct. But with the newer kernel versions there is another problem - the default value of net.netfilter.nf_conntrack_helper is changed to 0 for security reasons.
See related:
- https://bugzilla.redhat.com/show_bug.cgi?id=1369489
- https://forum.configserver.com/viewtopic.php?t=10475
The easy fix is to make it 1 again. Add at the bottom of /etc/sysctl.conf
net.netfilter.nf_conntrack_helper = 1
Then either reboot or run sysctl -p