PPTP VPN blocked by Turris Omnia

Hello, I upgraded from a Fritz!Box to a Turris Omnia (TOS5). Now I can’t connect to external PPTP servers any more. I know it is not safe, but it is currently the only option.

I added a rule to the firewall to allow external access to port 1723, but it doesn’t work.
I know that the problem is because of turris, as I connected my laptop with my smartphone to the internet and then it works.

Can you help me?
Best regards, Martin

Which pptp packages are installed: opkg list-installed *ppp* ?
Is the pptp server up and running: ps -aux | grep pptp ; ss -tulpn | grep 1723 ?

There was a Czech post about the same problem in this forum: Turris MOX odchozí VPN spojení - #9 by Cheta - SW pomoc [CZ] - Turris forum.

The takeaway was to add a firewall rule for incoming connections via the gre protocol:

Any gre
From IP XXX.XXX.XXX.19 in wan
To any router IP on this device
ACCEPT INPUT

root@turris:~# opkg list-installed *ppp*
kmod-ppp - 4.14.162-1-0a66bb0316b4402bf65555c64ceed313.16
kmod-pppoe - 4.14.162-1-0a66bb0316b4402bf65555c64ceed313.15
kmod-pppox - 4.14.162-1-0a66bb0316b4402bf65555c64ceed313.0
luci-proto-ppp - git-20.016.50399-e1df28d-1.0
ppp - 2.4.7-12.36
ppp-mod-pppoe - 2.4.7-12.0
root@turris:~# ps -aux | grep pptp ; ss -tulpn | grep 1723
root 473 0.0 0.0 1104 504 pts/0 S+ 16:09 0:00 grep pptp
Cannot open netlink socket: Protocol not supported
Cannot open netlink socket: Protocol not supported

I have the problem that my outgoing traffic is blocked.
doesn’t work:
Windows10 -> Turris (Telekom) -> Internet -> bintec.beip -> SynologyPPTP

works:
Windows10 -> Smartphone(o2)-Tethering -> Internet -> bintec.beip -> SynologyPPTP

What seems to be potentially missing is the kmod-pptp package installation.


That was not clear from your initial post; in particular, the firewall rule is somewhat misleading. It would only be required for ingress traffic to the router or the network behind the router. For egress it should not require a firewall rule; it should be managed through the kernel’s netfilter conntrack.

Got this problem after migration from 3 to 5. Somehow, module kmod-nf-nathelper-extra got uninstalled. This module is needed on the router to allow your client devices to connect to PPTP VPNs. So just install this module, reboot the router, and you should be up and running.
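A diagnostic sketch for the fix described in the last post, added here as an example and not part of the thread: it checks text in the format of `opkg list-installed` and `/proc/modules` for the helper package and its PPTP modules. The function name is hypothetical, and the two module names are an assumption about what `kmod-nf-nathelper-extra` ships on this kernel.

```shell
#!/bin/sh
# Added example: is PPTP/GRE passthrough support present on an OpenWrt-based router?

PKG="kmod-nf-nathelper-extra"         # package named in the thread
MODS="nf_conntrack_pptp nf_nat_pptp"  # assumption: helper modules that package provides

# pptp_helper_status OPKG_LIST PROC_MODULES  (hypothetical helper)
# Prints: missing-package | not-loaded:<modules> | ok
pptp_helper_status() {
    opkg_list=$1
    proc_modules=$2
    # opkg prints "name - version"; require an exact match on the name field,
    # so "kmod-ppp" or "ppp" never count as the helper package.
    if ! printf '%s\n' "$opkg_list" |
        awk -v p="$PKG" '$1 == p { found = 1 } END { exit !found }'; then
        echo "missing-package"
        return 1
    fi
    missing=""
    for m in $MODS; do
        # /proc/modules lists the module name in the first field.
        printf '%s\n' "$proc_modules" |
            awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' ||
            missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "not-loaded:${missing# }"
        return 2
    fi
    echo "ok"
}

# Sample input: three lines of the package list posted in the thread,
# where the helper package is absent.
SAMPLE_OPKG='kmod-ppp - 4.14.162-1-0a66bb0316b4402bf65555c64ceed313.16
ppp - 2.4.7-12.36
ppp-mod-pppoe - 2.4.7-12.0'

pptp_helper_status "$SAMPLE_OPKG" "" || true

# On the router itself:
#   pptp_helper_status "$(opkg list-installed)" "$(cat /proc/modules)"
```

A `missing-package` result matches the situation in the thread; `not-loaded` after installing the package is the case the reboot in the last post takes care of.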