The following tips may help when diagnosing VPN clients that fail to browse several (or any) websites while connected to a PPTP VPN server running Linux. Some of the tips also apply to other types of VPN server, such as L2TP, IPsec and OpenVPN.
General tips:
- Does the VPN server allow IP forwarding? Make sure it is enabled via the kernel parameter:
sysctl -w net.ipv4.ip_forward=1
for immediate effect. Placing the line
net.ipv4.ip_forward = 1
in /etc/sysctl.conf will persist the change across reboots. The current value can be checked with sysctl net.ipv4.ip_forward or cat /proc/sys/net/ipv4/ip_forward; note that the key is net.ipv4.ip_forward, and a misspelt key is silently ignored in sysctl.conf.
- Does the VPN server's firewall perform NAT (masquerade)? Without NAT, the Internet sees the clients' private VPN addresses as the source of their traffic and cannot route replies back to them, so most kinds of traffic never return. The packets must be rewritten to the server's own address as they leave. This iptables command masquerades everything leaving the server's Internet-facing interface (eth0 here; substitute the interface name your server actually uses):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The rule matches on the outgoing interface toward the Internet, not on the ppp+ interfaces the clients arrive on: a rule with -o ppp+ would only rewrite traffic going back into the tunnels. If the FORWARD chain's policy is DROP, it also needs rules accepting traffic between ppp+ and the Internet-facing interface.
- If the VPN clients are able to browse many websites, but with several strange exceptions (pages that hang or load only partially, often HTTPS sites or large downloads), the cause is usually broken path MTU discovery: the PPTP tunnel has a smaller MTU than Ethernet, and if ICMP "fragmentation needed" messages are filtered somewhere on the path, the sender never learns to use smaller packets and large TCP segments are silently dropped. Clamping the TCP MSS on forwarded SYN packets to the path MTU avoids the problem regardless of what the remote end does. Use this iptables command as a remedy:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PPTP specific:
- Is there another client connected to the PPTP VPN server from the same network? If two clients are behind the same NAT, they may not be able to connect to the same PPTP VPN server at once: PPTP carries the tunnelled data in GRE (IP protocol 47), which has no port numbers, so a NAT device without a PPTP-aware connection tracking helper cannot tell the two clients' GRE sessions to the same server apart, and the second connection typically fails. This is a limitation of PPTP as a protocol, not of the server. On a Linux NAT router the nf_conntrack_pptp and nf_nat_pptp modules provide that helper; consumer routers usually call it "PPTP passthrough".
- Are the DNS server addresses set correctly in the PPTPD configuration? If VPN clients can ping IP addresses but cannot browse any website, it is most likely a DNS issue. Make sure your preferred DNS server is set in the options.pptpd file (normally /etc/ppp/options.pptpd; Debian and Ubuntu name it /etc/ppp/pptpd-options), in a line that looks like this (the example uses Google DNS):
ms-dns 8.8.8.8
Clients only pick this up when they accept DNS servers during IPCP negotiation; a client with a DNS server configured statically on its VPN adapter keeps using that instead. A quick check from the client is to resolve a name against the pushed server directly, e.g. nslookup example.com 8.8.8.8, which separates a DNS problem from a routing problem.
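To check the server-side conditions above (IP forwarding, the NAT rule, the MSS clamp and the ms-dns line) without clicking through websites from a client, here is an added shell script that is not part of the original page. Each check reads its input text on stdin, so it works offline against the constructed sample inputs embedded below and, on a real server, against the live output of sysctl, iptables-save and the options.pptpd file. The interface name eth0 and the sample rules and addresses are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original page): offline checks for the server-side
# conditions a PPTP VPN server needs before its clients can browse. Each check reads
# text on stdin so it runs against the constructed samples below or live output.

# ip_forward: accepts either a line from sysctl.conf or the output of
# `sysctl net.ipv4.ip_forward`, both of which read "net.ipv4.ip_forward = 1".
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# NAT: reads an iptables-save dump; succeeds only if the nat table has a POSTROUTING
# MASQUERADE rule whose outgoing interface ($1) is the Internet-facing one.
check_masquerade() {
    awk -v ifc="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
            for (i = 1; i <= NF; i++) if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# MSS clamp: reads an iptables-save dump; succeeds if a FORWARD chain (filter or
# mangle table) carries a TCPMSS --clamp-mss-to-pmtu rule for SYN packets.
check_mss_clamp() {
    awk '
        /^-A FORWARD / && /--tcp-flags SYN,RST SYN/ && /-j TCPMSS --clamp-mss-to-pmtu/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# DNS: reads options.pptpd; prints each pushed server, fails if there is none.
pushed_dns() {
    awk '$1 == "ms-dns" { print $2; n++ } END { exit n ? 0 : 1 }'
}

# Runs every check over the supplied texts and reports the first failure.
# Arguments: sysctl text, iptables-save dump, Internet-facing interface, options.pptpd text.
audit() {
    printf '%s\n' "$1" | check_ip_forward      || { echo "FAIL: net.ipv4.ip_forward is not 1"; return 1; }
    printf '%s\n' "$2" | check_masquerade "$3" || { echo "FAIL: no MASQUERADE on $3 in nat POSTROUTING"; return 1; }
    printf '%s\n' "$2" | check_mss_clamp       || { echo "FAIL: no MSS clamp in FORWARD"; return 1; }
    printf '%s\n' "$4" | pushed_dns >/dev/null || { echo "FAIL: no ms-dns line in options.pptpd"; return 1; }
    echo "all checks passed"
}

# --- constructed sample inputs (not captured from a real server) ---
SYSCTL_OK='net.ipv4.ip_forward = 1'
SYSCTL_BAD='net.ipv4_forward = 1'   # wrong key name: sysctl rejects it, the kernel never sees it
IPTABLES_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'
IPTABLES_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT'                             # masquerades the wrong direction, and no MSS clamp
OPTIONS_OK='name pptpd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp'

# Demo over the samples. On a live server (as root) pass real output instead, e.g.
#   audit "$(sysctl net.ipv4.ip_forward)" "$(iptables-save)" eth0 "$(cat /etc/ppp/options.pptpd)"
audit "$SYSCTL_OK"  "$IPTABLES_OK"  eth0 "$OPTIONS_OK"
audit "$SYSCTL_BAD" "$IPTABLES_BAD" eth0 "$OPTIONS_OK" || true
```

The checks stop at the first failure in the same order as the tips above, because each later symptom (partial page loads, DNS failures) is only meaningful once forwarding and NAT work. The audit only confirms that the rules exist; it does not replace watching the traffic with tcpdump -i ppp0 when a client still cannot browse.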