VPN
Misty Hedgehog, 2016-07-27 10:30:14

Why does a VPN (pptpd) work when connected from a desktop, but not when connected from a MikroTik?

Hello again, %username%!
The situation is the following. There is a VPS on Hetzner running a pptpd daemon. When I connect to it from the desktop (Windows), everything works as it should: traffic flows in both directions without any complaints at all.
But as soon as I connect to it from the MikroTik (bringing the connection up over a PPPoE connection), sites open only about 1 time out of 10, although ICMP traffic (pings) goes through without problems to both domain names and IP addresses. The MikroTik is configured correctly; I verified this by creating a second connection to the hideme.ru server: when connected to it, everything works fine. And as soon as I switch back to my VPS, immediately sadness.
I attach the daemon and iptables configs:

Name : pptpd
Arch : x86_64
Version : 1.4.0
Release : 2.el7
Summary : PoPToP Point to Point Tunneling Server
URL : poptop.sourceforge.net

Its settings:
localip 10.0.0.1
remoteip 10.0.0.10-50
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.4.4
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
noipx

iptables (by default no traffic is blocked, but the accept rules are still specified):
*filter
:INPUT ACCEPT [3:349]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [54:46649]
-A INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80:90 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
-A INPUT ! -s 127.0.0.0/8 -p tcp -m tcp --dport 11211 -j REJECT --reject-with tcp-reset
-A FORWARD -i eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [57:2966]
:INPUT ACCEPT [57:2966]
:OUTPUT ACCEPT [14:910]
:POSTROUTING ACCEPT [1:60]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Mikrotik settings:
/ip firewall nat add action=masquerade chain=srcnat comment="Private VPN masquerade" out-interface=pptp-private-vpn
/ip firewall nat add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1

/interface pppoe-client add add-default-route=yes allow=chap,mschap2 comment=Provider default-route-distance=20 disabled=no interface=ether1-wan keepalive-timeout=disabled name=pppoe-out1 password=PASSWORD service-name=SERVICE_NAME user=USERNAME
/interface pptp-client add add-default-route=yes comment="Private VPN" connect-to=123.123.123.123 default-route-distance=10 name=pptp-private-vpn password=PASSWORD user=USERNAME

/ip route add comment="Private VPN route" distance=1 dst-address=123.123.123.123/32 gateway=pppoe-out1

Can you suggest what might be causing this behaviour? Which way should I look? Maybe it's the MTU?

2 answers
HawK, 2016-07-31
@paramtamtam

Based on the symptoms, this is a Path MTU Discovery black hole.
On Windows, the default MTU for VPN connections is 1400, so there are no problems there. In RouterOS, this problem is solved quite easily:
This creates dynamic rules in the firewall's mangle chain that set the tcp-mss value in SYN packets to 1410 if it is greater. I have faced situations where 1410 was not enough. You can copy these dynamic rules into the mangle table and change the setting to less than 1410 to resolve the issue. To prevent RouterOS from creating these dynamic rules, you need to disable "Change TCP MSS" in the profile you are using.
In the src. address field, specify your local subnet; in out. interface, the name of your pptp connection.
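The mangle rule HawK describes, written out as RouterOS CLI commands; this is an added example, not part of the original answer. It assumes a LAN subnet of 192.168.88.0/24 (MikroTik's default) and a clamp value of 1360, i.e. below the dynamic rule's 1410; the interface name pptp-private-vpn comes from the question. It also adds the reverse-direction rule for SYN packets arriving from the tunnel, which the answer does not mention.

```routeros
# Added example (not from the original answer). Assumed values:
#   192.168.88.0/24  - local LAN behind the MikroTik
#   1360             - MSS to clamp to (below the dynamic rule's 1410)
# The interface name pptp-private-vpn is the one used in the question.

# 1. Stop RouterOS from adding its own dynamic change-mss rules
#    (the "Change TCP MSS" setting in the PPP profile). The pptp-client
#    in the question uses the "default" profile unless another is set.
/ppp profile set default change-tcp-mss=no

# 2. Clamp the MSS of SYN packets leaving the LAN through the tunnel.
#    tcp-mss=1361-65535 matches only packets whose MSS is larger than
#    the target, so the rule only ever lowers the value, never raises it.
#    passthrough=yes lets the packet continue through the mangle chain.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn src-address=192.168.88.0/24 out-interface=pptp-private-vpn tcp-mss=1361-65535 action=change-mss new-mss=1360 passthrough=yes comment="Clamp MSS for traffic into the private VPN"

# 3. The same for SYN and SYN-ACK packets arriving from the tunnel, so
#    the remote side also sends segments that fit the path.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn in-interface=pptp-private-vpn dst-address=192.168.88.0/24 tcp-mss=1361-65535 action=change-mss new-mss=1360 passthrough=yes comment="Clamp MSS for traffic out of the private VPN"

# Check: the packet counters of both rules should increase as new TCP
# connections are opened through the VPN; if they stay at zero, the
# src-address or interface name does not match your setup.
/ip firewall mangle print stats
```

If sites still open intermittently, lower new-mss (and the lower bound of tcp-mss) further, since the PPPoE and PPTP/GRE headers together take more than the 40 bytes the default 1410 assumes.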

Gregory, 2016-07-27
@Maxlinus

Where are the Mikrotik settings?
