Remedy for PPTP VPN clients not able to browse several or any websites

in linux •  7 years ago 

For diagnosis of VPN clients that fail to browse several (or any) websites when connected to a PPTP VPN server that runs Linux, the following tips could be useful. Some of the tips may even apply to other types of VPN servers such as L2TP, IPSec, and OpenVPN.

General tips:

  • Does the VPN server allow IP forwarding? Make sure that it is enabled via kernel parameter: sysctl -w net.ipv4.ip_forward=1 for immediate effect. Placing the line net.ipv4_forward = 1 in /etc/sysctl.conf will persist the change across reboots.
  • Does VPN server's firewall perform NAT (masquerade)? Without NAT the most kinds of traffic will not find their way to VPN clients. As an example, this iptables command enables NAT for all PPP interfaces: iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE.
  • If the VPN clients are able to browse many websites, but with several strange exceptions, it may be caused by non-ideal condition for MTU discovery. Use this iptables command as remedy: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

PPTP specific:

  • Is there another client connected to the PPTP VPN server? If two clients are under the same NAT, they may not connect to the same PPTP VPN server at once. This is a limitation in PPTP as a protocol.
  • Are DNS server addresses correctly written down in PPTPD configuration? If VPN clients can ping IPs but cannot browse any website, it may be a DNS issue. Make sure that your preferred DNS server is correctly written down in options.pptpd file, in a line that looks like (example uses Google DNS): ms-dns 8.8.8.8.
Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!