PPTP клиент на Oracle free VPS не подключается.

0

1

На впс у hetzner’а с этим же конфигом работает. Настройки оракловсокого фаервола: https://imgur.com/a/yBiSgMc

Я так понял, что он какие-то пакеты отправляет, но не может получить ответ. Какое правило и куда надо добавить?

Конфиг:

ubuntu@instance-20210504 /etc/ppp $ cat peers/example
pty "/usr/sbin/pptp pptp.example.com --nolaunchpppd"
name Username
remotename examplename
require-mppe-128
defaultroute
replacedefaultroute
unit 12
file /etc/ppp/options.pptp
lock
noauth
nobsdcomp
nodeflate
ipparam examplename
require-mppe-128
lcp-echo-failure 100
lcp-echo-interval 30

ubuntu@instance-20210504 /etc/ppp $ cat options.pptp | grep ^[^#].*                                                                                    [09:04:31.045]
lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

Лог:

ubuntu@instance-20210504 /etc/ppp $ sudo pon example nodetach debug
using channel 13
Using interface ppp12
Connect: ppp12 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x55572da3> <pcomp> <accomp>]
LCP: timeout sending Config-Requests
Connection terminated.
Modem hangup
Waiting for 1 child processes...
  script /usr/sbin/pptp pptp.example.com --nolaunchpppd, pid 862513
Script /usr/sbin/pptp pptp.example.com --nolaunchpppd finished (pid 862513), status = 0x0

iptables-save:

# Generated by iptables-save v1.6.1 on Thu Jan 27 22:12:22 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [394:231824]
:InstanceServices - [0:0]
-A INPUT -i ppp12 -p gre -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o ens3 -p gre -j ACCEPT
-A OUTPUT -o ppp12 -p gre -j ACCEPT
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security i
mpact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 27 22:12:22 2022

Ссылка

LCP: timeout sending Config-Requests

GRE не пропускает.

~~zemidius~~ ★
(28.01.22 01:35:34 MSK)

Ответ на: комментарий от zemidius 28.01.22 01:35:34 MSK

А как их пропустить? В iptables добавил, в настройки фаервола тоже.

vors
(28.01.22 02:39:23 MSK) автор топика

Ответ на: комментарий от vors 28.01.22 02:39:23 MSK

Либо с одной, либо с другой стороны зарезано.

Лучше использовать более современный vpn, например, wireguard.

~~zemidius~~ ★
(28.01.22 12:21:44 MSK)

Ответ на: комментарий от zemidius 28.01.22 12:21:44 MSK

То есть пакет или не выходят с моего сервера, или ответные пакеты не заходят на мой сервер? Как можно узнать точнее?

Я бы с радостью. PPTP на рабочем сервере, изменить нет возможности.

vors
(28.01.22 13:23:05 MSK) автор топика

Ответ на: комментарий от vors 28.01.22 13:23:05 MSK

Как можно узнать точнее?

tpdump на одном и другом сервере.

pptp-соединение состоит из 2х частей, аутентификация по 1734/tcp (который работает) и поднятие самого туннеля (gre/47)

У оракловой виртуалки реальный IP?

~~zemidius~~ ★
(28.01.22 13:34:29 MSK)

Ответ на: комментарий от zemidius 28.01.22 13:34:29 MSK

Да

vors
(28.01.22 13:43:51 MSK) автор топика

Похожие темы